SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers
Cobalt report reveals gaps in critical vulnerability fixes

Yesterday

Cobalt's seventh annual State of Pentesting Report 2025 has found a significant discrepancy between security leaders' confidence in their organisations' security and the actual rate at which vulnerabilities are being addressed.

The report, based on the analysis of penetration tests and a survey of security leaders, revealed that while 81% of those leaders express confidence in their organisation's security posture, 31% of serious vulnerabilities discovered during regular pentesting remain unresolved.

According to the findings, organisations are only remediating 48% of all vulnerabilities identified in penetration tests. There is higher remediation for findings labelled as serious, which Cobalt classifies as high and critical severity vulnerabilities, with 69% of such issues being fixed.

A particular area of concern highlighted in the report is the handling of vulnerabilities in generative AI (genAI) applications, including those based on Large Language Models (LLMs). In the past year, 95% of organisations carried out pentesting on these applications, and around a third (32%) of tests found vulnerabilities rated as serious.

The report points out that just 21% of genAI-related vulnerabilities have been remediated by organisations. These unresolved risks include prompt injection, model manipulation, and data leakage.

AI security has become a primary concern for security professionals, with 72% ranking AI attacks as their main worry, surpassing threats linked to third-party software, exploited vulnerabilities, insider threats, and nation-state actors.

Despite this concern, only 64% of surveyed professionals felt that their organisations were "well equipped to address all security implications of genAI."

The State of Pentesting Report also found that a majority of security leaders are under pressure to prioritise speed over security, with 52% acknowledging this challenge. This balancing act between rapid business demands and thorough security is affecting organisations' ability to address vulnerabilities effectively.

Software supply chain risks present another challenge, as only half of respondents expressed full trust in their ability to identify and prevent vulnerabilities from software suppliers. This is notable given that 82% of organisations are required by customers or regulators to provide software security assurance.

Gunter Ollmann, Chief Technology Officer at Cobalt, said, "Regular pentesting has never been so important, particularly given the breakneck speed of AI adoption and the vulnerabilities that are introduced into an organisation's security posture.

"It's a concern that 31% of serious vulnerabilities are not being fixed; however, at least these firms are aware of the problem and can develop strategies to mitigate the risk. Organisations that do take an offensive security approach are taking a huge step to strengthening defences against cybercriminals who typically attack opportunistically.

"In doing so they're getting ahead of any compliance requirements and reassuring their customers that they're safe to do business with."

The methodology behind the State of Pentesting Report incorporates data from Cobalt's penetration tests across more than 2,700 organisations, supplemented by survey insights from a third-party firm, Emerald Research. The pentest metadata was sanitised before being provided to Cyentia Institute for independent analysis.
