Organizations Struggle to Address Cybersecurity Vulnerabilities, New Report Reveals

SAN FRANCISCO—A recent report by Cobalt, the leader in penetration testing as a service, has revealed a troubling trend in cybersecurity: organizations are remediating less than half of identified vulnerabilities. The State of Pentesting Report 2025 indicates that only 48% of all pentest results are addressed, with worrying figures for more serious vulnerabilities, particularly in generative AI applications.

The analysis shows that while 81% of security leaders express confidence in their organization’s cybersecurity stance, 31% of serious vulnerabilities identified during assessments remain unresolved. Among findings related to generative AI, only 21% of vulnerabilities were rectified, raising concerns among security professionals. In fact, a significant 72% identified AI-related attacks as their primary worry, outpacing concerns regarding insider threats and third-party software risks.

Gunter Ollmann, CTO of Cobalt, emphasized the urgency of regular penetration testing in light of the rapid adoption of AI technologies. “It’s a concern that 31% of serious vulnerabilities are not being fixed,” Ollmann stated, suggesting that companies must develop strategies to mitigate these risks. He also pointed out that organizations adopting offensive security measures are better positioned to fortify their defenses against potential cybercriminal activities.

The report further highlights a lack of trust in software security. Only half of the security leaders surveyed believed they could rely on their suppliers to identify and prevent vulnerabilities, a problem exacerbated by the fact that 82% are mandated by clients and regulators to provide assurance on software security. The findings underscore a significant gap that organizations must address to enhance their cybersecurity posture and reassure their stakeholders.