Organizations Struggle to Address Cyber Vulnerabilities, Despite Increased Pentesting Efforts

Recent findings from Cobalt reveal that organizations are addressing less than half of all exploitable vulnerabilities, with a concerningly low 21% of flaws in Generative AI (GenAI) applications being resolved. A substantial 94% of firms recognize the importance of penetration testing (pentesting), highlighting its critical role in enhancing security programs. Pentesting is not only a defensive measure; its findings also expose the inadequacies of existing security controls, since breaches frequently occur despite established safeguards.

Compliance emerges as a significant motivator for pentesting, with 91% of respondents citing it as a key reason for conducting these tests. Notably, 92% of firms assert that pentests are vital to their organizational strategy and have the backing of senior leadership. However, while the rate of fixing serious pentest findings surged from 27% in 2017 to 55% in 2021, this figure has plateaued. Currently, serious vulnerabilities are resolved in a third of the time it took in 2017, cutting the exposure window from 112 to just 37 days.

Large organizations face notable delays, taking over a month longer than smaller firms to address serious vulnerabilities (61 days versus 27 days). Despite three-quarters of organizations establishing Service Level Agreements (SLAs) promising fixes within two weeks, the median time to resolution stands at a staggering 67 days, nearly five times longer than the stipulated SLA. Alarmingly, 81% of security leaders express confidence in their organizations' security posture, even as 31% of serious findings remain unresolved.

A crucial area of concern is the security of GenAI LLM web applications, with 95% of firms having conducted pentests on these systems in the past year. Unfortunately, 32% of tests identified serious vulnerabilities, yet a mere 21% of these were remedied. This gap raises significant concerns about risks such as prompt injection, model manipulation, and data leakage. With 72% of organizations ranking AI-related attacks as their top security threat, preparedness against such exploits is clearly inadequate.

OWASP has acknowledged these vulnerabilities, updating the 2025 edition of its Top 10 for LLM and GenAI to address new threats like Denial of Wallet (DoW), which exploits the cost-per-use model of AI services. As organizations strive to keep pace with technological advancements, they increasingly experience pressure from leadership to prioritize speed over thorough security measures. Nearly half of security leaders report that they are being urged to compromise security to achieve faster deployment timelines, significantly jeopardizing their overall security posture.

In light of these findings, Gunter Ollmann, CTO of Cobalt, emphasizes the critical importance of regular pentesting, especially amid the rapid adoption of AI technologies and the vulnerabilities that accompany it. He points out that the persistent backlog of unresolved vulnerabilities signals a need for heightened awareness and proactive mitigation strategies. Organizations adopting an offensive security approach not only strengthen their defenses but also position themselves favorably in meeting compliance obligations and reassuring customers of their commitment to secure business transactions.