Published Reports

  • State of Pentesting Report 2026

    Every organization running a security program has a theory about how exposed they are to risk, but this report is about what the data actually shows. Drawing on results from thousands of penetration tests and a qualitative survey of 450 security leaders and practitioners, it reveals a stark divide between leading security teams and everyone…

  • 2026 State of Software Security

    Innovation and risk are inseparable, but the 2026 State of Software Security (SoSS) report illuminates a sobering reality: flaw creation is decisively outstripping remediation capacity. The accumulation of “security debt”—known vulnerabilities left unresolved for more than a year—is now a present reality for 82% of organizations, marking an 11% increase in just one year. This…

  • Risky Business

    Every cybersecurity leader knows that employees represent both their most critical exposure and their most valuable asset. This report meets that challenge head-on by analyzing data from the Human Risk Management (HRM) programs of over 100 organizations. It moves past generic awareness training to leverage over 200 real-time risk signals, offering a nuanced understanding of…

  • 2025 State of Pentesting Report

    Knowledge is power, and in security, that power must be derived from actionable insights rather than assumptions. This 2025 edition of the State of Pentesting examines the results of thousands of tests conducted via the Cobalt Offensive Security Platform to transform surface-level confidence into evidence-based clarity. While 81% of security leaders express confidence that their…

  • Global 2000: Supply Chain Cyber Risk

    Companies among the Forbes Global 2000 stand at the forefront of economic output and influence. Collectively accounting for $51.7 trillion in revenue, these corporate giants underscore their critical role in the global economy. However, with great economic power comes great vulnerability, particularly in the realm of third-party risk. This report analyzes the interconnected supply chains…

  • 2025 State of Software Security

    Realizing progress in software security requires a risk-based perspective that moves beyond traditional patching to focus on exploitable feedback loops. This 15th volume of the State of Software Security (SoSS) analyzes 1.3 million applications to establish a new benchmark for AppSec maturity. While regulatory shifts like the U.S. Secure by Design initiative have improved OWASP…

  • Exposing Human Risk

    In our current cybersecurity environment, where threat actors carry snazzy monikers like ‘Volt Typhoon’ and ‘Dark Scorpius’, it’s unfortunate that everyday users often get overlooked or underestimated in cyber risk assessments. But ask security leaders about what keeps them up at night—where they feel the most exposed—and it’s likely they’ll mention threats lurking inside their…

  • 2024 State of Exposure Management

    Modern vulnerability management stands at the crossroads of threat-based prioritization and contextual risk management. This report analyzes 36 million detected vulnerabilities to measure how effectively organizations are closing their most critical exposures. The data reveals that while total vulnerability counts are rising, established leaders are successfully whittling down their attack surface through automated remediation and…