A recent report, the “2025 State of Pentesting Report,” highlights a troubling issue in cybersecurity. It reveals that organizations are only dealing with 69% of their most serious security weaknesses. This means that many critical issues remain unresolved, putting companies at risk of cyberattacks.
The report highlights the widening gap between perceived and actual security postures, particularly as generative AI (GenAI) applications introduce new vulnerabilities.
The report reveals a contrast between security leaders’ confidence levels and the reality of unresolved vulnerabilities. While 81% of security leaders express confidence in their organization’s security, 31% of serious vulnerabilities remain unaddressed.
.png
)
This discrepancy underscores a growing challenge for organizations to align their perceived security readiness with actionable remediation efforts.
Key Findings From the Report
Several critical insights emerged from the analysis of penetration tests (pentests) conducted by Cobalt:
- Incomplete Remediation: Organizations are resolving only 48% of all vulnerabilities identified during pentests. For critical and high-severity issues, this figure improves to 69%, but the remaining unpatched vulnerabilities still pose significant risks.
- GenAI Applications Under Threat: Generative AI applications, particularly those powered by large language models (LLMs), are proving to be especially vulnerable. Of the organizations tested, 95% had conducted pentests on GenAI applications in the past year. Alarmingly, 32% of these tests revealed serious vulnerabilities, yet only 21% of these were resolved. Risks include prompt injection attacks, model manipulation, and data leakage.
- AI Security Concerns: A majority (72%) of security leaders ranked AI-related threats as their top concern, surpassing risks from third-party software, insider threats, and even nation-state actors. However, only 64% felt equipped to address the full spectrum of GenAI security implications.
- Pressure for Speed: Over half (52%) of security leaders reported pressure to prioritize speed over security in product development cycles. This trade-off often exacerbates existing vulnerabilities.
- Software Supply Chain Risks: Just 50% of organizations expressed confidence in their ability to identify vulnerabilities in software supplied by third parties—a critical concern given that 82% are required to provide software security assurance to customers or regulators.
The Challenge of GenAI Vulnerabilities
The rapid adoption of generative AI technologies has introduced unique challenges for cybersecurity teams. Vulnerabilities such as prompt injection attacks allow malicious actors to manipulate LLMs into leaking sensitive data or bypassing guardrails.
Data leakage remains a pressing issue due to insecure training data management and overfitting within models.
Security experts warn that these risks are compounded by limited visibility into how GenAI tools are deployed within organizations. As development teams increasingly rely on AI-generated code, the potential for introducing vulnerabilities into production environments grows significantly.
Gunter Ollman, CTO at Cobalt, emphasized the importance of proactive offensive security measures: “Regular pentesting has never been so important, particularly given the breakneck speed of AI adoption and the vulnerabilities introduced into an organization’s security posture. While it’s concerning that 31% of serious vulnerabilities remain unresolved, awareness is the first step toward mitigation.”
Ollman also highlighted the need for organizations to adopt offensive security strategies to stay ahead of cybercriminals: “Organizations that invest in pentesting are not only strengthening their defenses but also ensuring compliance and reassuring customers about their commitment to cybersecurity.”
The findings in Cobalt’s report are based on data from over 2,700 organizations and insights gathered through surveys conducted by Emerald Research. Cyentia Institute anonymized and independently analyzed the pentest results.
As cybersecurity threats evolve alongside advancements in AI technology, organizations must prioritize both awareness and action. While progress has been made in addressing critical vulnerabilities, the report underscores that much work remains to be done particularly in securing GenAI applications and bridging the gap between perceived and actual security readiness.
Equip your team with real-time threat analysis With ANY.RUN’s interactive cloud sandbox -> Try 14-day Free Trial
