2025 State of Pentesting Report

Partner: Cobalt Security

Knowledge is power, and in security, that power must be derived from actionable insights rather than assumptions. This 2025 edition of the State of Pentesting examines the results of thousands of tests conducted via the Cobalt Offensive Security Platform to transform surface-level confidence into evidence-based clarity. While 81% of security leaders express confidence that their posture meets regulatory requirements, the data reveals that critical vulnerabilities often remain hidden beneath the surface of automated scans and compliance checkboxes.

The research highlights a significant maturity gap in the securing of emerging technologies. While nearly all firms are integrating Generative AI into their products, only 66% are actively conducting security assessments or pentests on these solutions. This is particularly concerning because LLM testing currently finds more vulnerabilities than any other test type, yet only 21% of the highest-risk AI vulnerabilities are successfully resolved.

Remediation timelines continue to be a point of friction between organizational policy and operational reality. Three-quarters of organizations set SLAs requiring fixes within two weeks, but the median time to resolve stands at 67 days—nearly five times longer than the target window. The report's longitudinal data shows that while serious findings are being fixed faster than in previous years, a “stalemate” has been reached: overall resolution rates have remained flat since 2018.

Key Findings

  • The 5x SLA Gap: The median time to resolve (MTTR) for all pentest findings is 67 days, which is five times longer than the 14-day SLA window favored by most organizations.
  • AI Risk Concentration: 32% of all AI/LLM pentest findings are rated as high risk—2.5 times higher than the overall proportion of 13% for traditional pentests.
  • Low AI Resolution: Only 21% of serious findings identified during LLM pentests are resolved, the lowest rate across all pentest methods.
  • Remediation Speed Improvement: Serious findings are currently fixed in roughly one-third of the time required in 2017, dropping from 112 days to just 37 days.
  • Unresolved Findings Persistence: Less than half (48%) of all identified pentest findings ever get resolved; this improves to 69% for the riskiest findings.
  • The Scale Tax: Large organizations take over a month longer (61 days) to resolve serious findings than smaller firms (27 days), highlighting the complexity of managing risk at scale.

The findings draw on independent analysis of metadata from over 16,000 pentests conducted on more than 2,700 organizations over a 10-year period, supplemented by a double-blind survey of 450 validated security leaders and practitioners.