State of Pentesting Report 2026

Partner: Cobalt Security

Every organization running a security program has a theory about how exposed they are to risk, but this report is about what the data actually shows. Drawing on results from thousands of penetration tests and a qualitative survey of 450 security leaders and practitioners, it reveals a stark divide between leading security teams and everyone else. This eighth annual report provides practitioners with actionable benchmarks while offering strategic value for executives and boards grounded in evidence rather than assumptions.

The analysis highlights a widening performance chasm. The half-life of high-risk findings (the time it takes an organization to resolve half of its high-risk findings) ranges from just 10 days for top performers to 249 days for those in the bottom tier. This roughly 25x remediation gap is often a strategic choice rather than a resource constraint: it is determined by whether an organization treats pentesting as a static report or as the foundation of a continuous offensive security program.
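To benchmark a program against the half-life figures above, the metric has to be computed on the organization's own finding records. The block below is an added example, not code from the Cobalt report or from Cyentia's analysis, and the page does not state how the report computes its half-life; the method used here, a Kaplan-Meier survival estimate that treats still-open findings as censored observations rather than dropping them, is an assumption on my part. The finding IDs, dates and severities are constructed sample data.

```python
"""Remediation half-life from finding records.

Added example, not code from the Cobalt/Cyentia report. The page does
not describe how the report computes its half-life, so this uses a
standard Kaplan-Meier survival estimate (an assumption): findings still
open at the as-of date are right-censored instead of being dropped. The
naive alternative, the median of resolved findings only, is shown
alongside because it is optimistic whenever a backlog of open findings
exists. All finding records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from fractions import Fraction
from typing import Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    opened: date
    closed: Optional[date]  # None means still open at the as-of date


def half_life_days(findings, severity, as_of):
    """Smallest age in days at which the Kaplan-Meier survival estimate
    for findings of `severity` reaches 50% or below. Returns None if
    fewer than half were resolved within the observation window."""
    # (age_in_days, resolved?) pairs; an open finding contributes a
    # censored observation at its current age rather than being dropped.
    obs = []
    for f in findings:
        if f.severity != severity:
            continue
        if f.closed is not None:
            obs.append(((f.closed - f.opened).days, True))
        else:
            obs.append(((as_of - f.opened).days, False))
    obs.sort()

    at_risk = len(obs)
    survival = Fraction(1)  # exact arithmetic avoids float edge cases at 1/2
    i = 0
    while i < len(obs):
        t = obs[i][0]
        resolved_here = 0
        leaving = 0
        # Group every observation with the same age into one step.
        while i < len(obs) and obs[i][0] == t:
            resolved_here += int(obs[i][1])
            leaving += 1
            i += 1
        if resolved_here:
            survival *= Fraction(at_risk - resolved_here, at_risk)
            if survival <= Fraction(1, 2):
                return t
        at_risk -= leaving  # censored findings also leave the risk set
    return None


def naive_median_days(findings, severity):
    """Median time-to-close over resolved findings only, for contrast."""
    d = sorted((f.closed - f.opened).days
               for f in findings
               if f.severity == severity and f.closed is not None)
    if not d:
        return None
    mid = len(d) // 2
    return d[mid] if len(d) % 2 else (d[mid - 1] + d[mid]) / 2


AS_OF = date(2026, 3, 1)  # constructed observation date


def _finding(fid, severity, opened_days_ago, closed_after_days=None):
    opened = AS_OF - timedelta(days=opened_days_ago)
    closed = None if closed_after_days is None else opened + timedelta(days=closed_after_days)
    return Finding(fid, severity, opened, closed)


# Constructed sample: five high findings closed after 3, 7, 12, 20 and
# 45 days, three still open at ages 60, 90 and 120 days, one medium.
SAMPLE_FINDINGS = [
    _finding("F-001", "high", 150, 3),
    _finding("F-002", "high", 140, 7),
    _finding("F-003", "high", 130, 12),
    _finding("F-004", "high", 125, 20),
    _finding("F-005", "high", 110, 45),
    _finding("F-006", "high", 60),
    _finding("F-007", "high", 90),
    _finding("F-008", "high", 120),
    _finding("F-009", "medium", 200, 5),
]

# Constructed sample of a stalled program: one of four high findings closed.
STALLED_FINDINGS = [
    _finding("S-001", "high", 80, 10),
    _finding("S-002", "high", 30),
    _finding("S-003", "high", 40),
    _finding("S-004", "high", 50),
]

if __name__ == "__main__":
    print("naive median (resolved only):", naive_median_days(SAMPLE_FINDINGS, "high"))
    print("Kaplan-Meier half-life:", half_life_days(SAMPLE_FINDINGS, "high", AS_OF))
    print("stalled program half-life:", half_life_days(STALLED_FINDINGS, "high", AS_OF))
```

On the constructed sample the resolved-only median reports 12 days while the censored estimate reports 20 days, and for the stalled program it reports a 10-day median while the censored estimate correctly returns no half-life at all, since fewer than half the findings were ever closed. A team that measures itself only on what it closed will look like a top performer while its backlog ages, which is the same dynamic behind the gap between per-organization and dataset-wide resolution rates reported below.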

AI and Large Language Model (LLM) applications are emerging as a significant new risk layer, harboring high-risk findings at nearly 2.7 times the rate of traditional software. As organizations sprint to embed generative AI, security practices are lagging behind: confidence in AI security fell from 64% in 2025 to 51% this year. The report details the specific vulnerability classes seen in these novel attack surfaces and provides a roadmap for maturing programmatic defenses.

Key Findings

  • The 239-Day Exposure Divide: While top-performing organizations achieve a high-risk finding half-life of 10 days, vulnerabilities in the bottom tier languish for 249 days, creating eight extra months of risk exposure.
  • AI Risk Concentration: 32% of all AI/LLM findings are rated as high risk—nearly 2.7x the rate found in the overall dataset (12%).
  • The Resolution Gap: Typical organizations resolve 86% of their high-risk findings, yet the overall resolution rate across the entire five-year longitudinal dataset is stuck at just 52%.
  • C-Suite vs. Practitioner Disconnect: 57% of C-suite executives believe their organization consistently meets remediation SLAs, yet only 15% of the security practitioners who perform the work agree.
  • Programmatic Efficiency: Organizations that adopt a programmatic approach to offensive security are 4.5x more likely to resolve critical findings in three days or less compared to those using ad hoc or compliance-driven models.
  • Initial Access Dominance: Compromised credentials and valid accounts remain the most reliable entry point for attackers, identified in 41% of successful pentest engagements.

Independent analysis by Cyentia Institute of 16,500 penetration tests conducted on nearly 3,000 organizations over a five-year period, supplemented by a double-blind survey of 450 validated security leaders and practitioners.

Supplemental Content