Full Report
The State of Pentesting Report 2025 pulls back the curtain on how organizations are really doing when it comes to cybersecurity. The report offers a candid look at the gap between perception and reality, especially around vulnerability management, AI risks, and the growing need for programmatic approaches to pentesting.

The State of Pentesting Report 2025 begins with a telling contradiction. A striking 81% of organizations rate their cybersecurity posture as strong. Yet, real-world pentesting tells a different story—less than half (48%) of all vulnerabilities uncovered during tests are ever resolved. Even when those vulnerabilities are deemed high-risk, only 69% are addressed, leaving several gaps in enterprise defenses. What’s more, while three-quarters of companies claim to have service-level agreements (SLAs) in place mandating that vulnerabilities be resolved within 14 days, the median time to resolve all pentest findings is a whopping 67 days—almost five times the target. This issue isn’t just theoretical; these are actionable vulnerabilities that could be exploited by attackers, and the lag in resolution leaves systems exposed.

## AI Adoption Is Surging—But Security Is Struggling to Keep Up

One of the most urgent issues outlined in this year’s pentest report is the rapid integration of generative AI into products and workflows, without a proportional increase in security oversight. While 98% of companies are incorporating genAI technologies, only 66% are actively assessing their security, including through pentesting. This oversight is particularly troubling because large language models (LLMs) showed the highest rate of serious vulnerabilities across all asset types tested. In fact, 32% of LLM-related pentest findings were labeled as high-risk—more than double the average rate of 13%. Even more alarming is that only 21% of these serious LLM vulnerabilities are being remediated, reflecting the growing AI security gap.

"AI is moving faster than our ability to secure it," the report notes, summarizing a concern echoed by 72% of cybersecurity professionals who now view genAI threats as more pressing than risks from third-party software, insider threats, or even nation-state actors.

## A Long Road Toward Programmatic Pentesting

Despite widespread acknowledgment of pentesting’s importance—94% of firms view it as essential to their cybersecurity strategy—the data reveals a persistent lack of follow-through. The report emphasizes that while ad hoc testing may satisfy compliance checks, it falls short of driving continuous risk reduction.

In 2017, only 27% of serious pentest findings were resolved. That number eventually doubled to 55%, but progress has stalled since then. The same percentage of serious vulnerabilities were fixed in 2024, suggesting a plateau in effectiveness. Encouragingly, the time it takes to resolve those issues has improved—falling from 112 days in 2017 to just 37 days in 2024, a 75-day reduction. However, this improvement in speed hasn’t translated into higher resolution rates.

Some organizations are leading the charge. The State of Pentesting Report 2025 by Cobalt found that 57% of companies resolve at least 90% of their serious findings, while 15% resolve 10% or less. The clear takeaway? Structured, programmatic pentesting strategies are far more effective than sporadic efforts.

## Size Matters: Why Bigger Isn't Always Better in Cybersecurity

Another insight from the pentest report is the impact of organizational size on vulnerability management. Small businesses outperformed their larger counterparts, resolving 81% of serious findings compared to just 60% for large enterprises. Moreover, big companies take more than twice as long—61 days versus 27 days—to resolve serious issues. This may be due to complexity, stretched resources, and cross-functional misalignment. As organizations grow, so too does the challenge of managing risk, emphasizing the need for scalable, integrated security practices.

## Sector Struggles and Infrastructure Risks

The report also shines a light on critical sectors like utilities, healthcare, and manufacturing, which are lagging behind in vulnerability resolution. These industries face heightened exposure due to slow response times and a high number of unresolved findings. Financial services firms, while encountering fewer serious vulnerabilities (11%), still struggle with remediation timelines, taking an average of 61 days to resolve issues. This trend highlights that even mature security environments are not immune to the remediation gap.

## Bridging the Confidence Gap

Ultimately, the State of Pentesting Report 2025 makes one message clear: pentesting is not just a box to check—it’s a vital tool that requires strategic, continuous application. The confidence many organizations have in their cybersecurity defenses doesn’t align with the outcomes revealed in pentesting data. Until more companies adopt programmatic approaches, these gaps will persist. For organizations racing to adopt AI and digital transformation, the need to secure systems proactively is more urgent than ever. Pentesting offers a critical lens into hidden risks—but only if the insights are acted upon. Cybersecurity leaders must close the gap between detection and resolution to ensure real risk reduction, not just perceived protection.
Analysis Summary
# Best Practices: Closing Pentesting Gaps and Improving Remediation Efficiency
## Overview
These practices are derived from the State of Pentesting Report 2025, focusing on how organizations—particularly large enterprises and critical infrastructure sectors—can bridge the gap between vulnerability identification (via pentesting) and effective, timely resolution, enhancing overall cybersecurity readiness.
## Key Recommendations
### Immediate Actions
1. **Prioritize Critical Findings Triage:** Immediately review all severe findings from recent penetration tests. For high-risk items, establish cross-functional teams dedicated to rapid remediation planning within 48 hours of disclosure.
2. **Establish Firm Service Level Objectives (SLOs) for Remediation:** Mandate strict timeframes for fixing vulnerabilities categorized as "serious." Initial SLOs should target resolution within 30 days for critical findings.
3. **Immediate Patch Deployment for Known Exploits:** For vulnerabilities actively cited in the threat landscape (e.g., Fortinet vulnerabilities, public exploits mentioned in threat reports), bypass standard patching queues and deploy emergency patches immediately.
### Short-term Improvements (1-3 months)
1. **Implement Risk-Based Vulnerability Management (RBVM):** Shift vulnerability management from simple severity scores to a risk-based approach that incorporates exploitability, asset criticality, and potential impact, mirroring the efficiency shown by smaller organizations.
2. **Streamline Cross-Functional Alignment:** Implement mandatory integration points (e.g., shared ticketing systems, joint weekly syncs) between security, IT operations, and development teams to eliminate misalignment contributing to slow remediation times in larger environments.
3. **Conduct Targeted Sector Reviews:** For lagging sectors (Utilities, Healthcare, Manufacturing), mandate a focused review of infrastructure security posture based on recent pentest results, treating any high-severity, open finding as a top operational risk.
### Long-term Strategy (3+ months)
1. **Adopt Programmatic Pentesting:** Transition from conducting pentests purely as a compliance "box check" to integrating security testing as a continuous, strategic feedback loop within the wider security program.
2. **Develop Scalable Governance for Risk Management:** Design and implement formalized governance structures specifically tailored to manage the complexity of risk across large enterprise environments to reduce remediation times (currently >61 days for large firms).
3. **Integrate Security into Digital Transformation Pipelines:** Ensure that security control implementation and vulnerability resolution standards are baked directly into development and deployment pipelines (DevSecOps) to prevent the creation of new risks during digital transformation efforts.
## Implementation Guidance
### For Small Organizations
- **Leverage Simplicity:** Focus intensely on remediating the serious findings that remain open (the unresolved 19%), aiming for the 81% resolution rate seen in top performers. Use straightforward, documented patching procedures.
- **Centralize Ownership:** Due to limited resources, assign clear, singular ownership for every security finding to ensure rapid decision-making without organizational complexity delays.
### For Medium Organizations
- **Introduce Initial RBVM:** Begin the process of categorizing findings by business impact rather than pure technical score to better allocate limited resources and address the organizational complexity starting to emerge.
- **Formalize Security Champions:** Identify personnel within IT and Development teams to act as security liaisons, helping bridge communication gaps with the core security function responsible for pentest findings.
### For Large Enterprises
- **Mandate Executive Visibility and Accountability:** Establish executive steering committees responsible for tracking the remediation gap metric (Mean Time to Remediate - MTTR) for serious findings, specifically addressing the average 61-day resolution time.
- **Deconstruct Complexity via Segmentation:** Where remediation is delayed due to system complexity, implement immediate compensating controls (e.g., stricter micro-segmentation, enhanced monitoring via Zero Trust principles) around high-risk, long-standing vulnerabilities while comprehensive fixes are developed.
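The MTTR and SLA tracking recommended above is easy to automate from a findings export. The script below is an added example (not from the report or from Cobalt) that computes the same measures the report uses, overall and serious-finding resolution rates, median days to resolve, and which findings breached a 14-day SLA, over a constructed set of sample findings; the `Finding` fields, ids and dates are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

SLA_DAYS = 14  # the 14-day remediation SLA most surveyed organizations say they have

@dataclass
class Finding:
    finding_id: str
    severity: str             # "critical", "high", "medium" or "low"
    opened: date              # date the pentest finding was disclosed
    resolved: Optional[date]  # None while the finding is still open

    def is_serious(self) -> bool:
        return self.severity in ("critical", "high")

    def days_to_resolve(self) -> Optional[int]:
        return (self.resolved - self.opened).days if self.resolved else None

def remediation_metrics(findings, as_of: date, sla_days: int = SLA_DAYS) -> dict:
    """Resolution rates, median time to resolve and SLA breaches, as of a given date."""
    resolved = [f for f in findings if f.resolved is not None]
    serious = [f for f in findings if f.is_serious()]
    serious_resolved = [f for f in serious if f.resolved is not None]
    # A finding breaches the SLA if it was fixed late or is still open past the deadline.
    breached = [f for f in findings
                if (f.days_to_resolve() if f.resolved else (as_of - f.opened).days) > sla_days]
    return {
        "resolution_rate": round(len(resolved) / len(findings), 2) if findings else 0.0,
        "serious_resolution_rate": round(len(serious_resolved) / len(serious), 2) if serious else 0.0,
        "median_days_to_resolve": median(f.days_to_resolve() for f in resolved) if resolved else None,
        "sla_breaches": sorted(f.finding_id for f in breached),
    }

# Constructed sample export; ids, severities and dates are made up for this example.
SAMPLE = [
    Finding("F-1", "critical", date(2025, 1, 6), date(2025, 1, 15)),   # 9 days, within SLA
    Finding("F-2", "high",     date(2025, 1, 6), date(2025, 3, 14)),   # 67 days, late
    Finding("F-3", "high",     date(2025, 1, 20), None),               # still open
    Finding("F-4", "medium",   date(2025, 2, 3), date(2025, 2, 10)),   # 7 days, within SLA
    Finding("F-5", "low",      date(2025, 2, 3), None),                # still open
]

def sample_metrics() -> dict:
    return remediation_metrics(SAMPLE, as_of=date(2025, 4, 1))

if __name__ == "__main__":
    print(sample_metrics())
```

Open findings count against the SLA from their disclosure date, so a long-open "managed" finding shows up as a breach rather than disappearing from the median.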
## Configuration Examples
*No specific technical configurations were provided in the source material, only strategic observations.* If addressing specific vulnerabilities like those cited (e.g., Fortinet, WordPress plugins), the configuration best practice is:
1. **Use Vendor-Supplied Security Patches:** Apply vendor-provided patches immediately upon release for any actively exploited device or software (e.g., Fortinet firmware updates).
2. **Implement Configuration Hardening:** For CMS environments (like WordPress), enforce least privilege configurations and restrict plugin installations exclusively to those validated and approved via a formal change control process.
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Focused heavily on the **Identify** (Asset Management, Risk Assessment) and **Respond/Recover** (Incident Response Planning, Improvements) functions. The core issue addresses the breakdown between identification and effective response/recovery timelines.
- **CIS Critical Security Controls:** Directly aligns with **Control 1: Inventory and Control of Software Assets** and **Control 2: Inventory and Control of Hardware Assets**, emphasizing the need to manage and secure all identified assets efficiently.
## Common Pitfalls to Avoid
- **Treating Pentests as Check-the-Box Compliance:** Do not rely solely on the existence of a pentest report; focus must be on the **action taken** based on the report's findings.
- **Allowing Remediation Delays Due to Complexity:** In large organizations, do not defer complex fixes by treating a vulnerability as "managed" until a perfect, long-term solution is ready. This is what produces long MTTR figures (like the 61-day average).
- **Ignoring Sector-Specific Lag:** Do not assume mature sectors (like Finance) are exempt from remediation gaps. Even low-vulnerability counts must be remediated quickly (61 days is too long).
## Resources
- **Security Governance Documentation:** Develop clear documentation, aligned with Cybersecurity Governance best practices, outlining roles, responsibilities, and SLAs for vulnerability resolution across departments.
- **Process Review Framework:** Utilize structured post-mortem or gap analysis frameworks after each pentest to diagnose why the remediation timeline was missed or delayed.