In the realm of cybersecurity, the State of Pentesting Report 2025 sheds light on the reality of organizational security practices. This report delves into the discrepancy between how organizations perceive their cybersecurity posture and the actual vulnerabilities present, emphasizing the need for programmatic approaches to pentesting.
The report paints a stark contrast between organizations’ self-assessment of their cybersecurity posture and the findings from actual pentesting. While 81% of organizations believe their cybersecurity is strong, the data tells a different story. Less than half of all vulnerabilities uncovered during tests are ever addressed, and only 69% of high-risk vulnerabilities are resolved. This leaves glaring gaps in enterprise defenses and keeps systems exposed to exploitation by attackers.
Furthermore, despite the existence of service-level agreements mandating swift resolution of vulnerabilities, the median time to resolve pentest findings is alarmingly high at 67 days – almost five times the target of 14 days. This delay in addressing vulnerabilities exposes organizations to potential cyber threats and compromises their security posture.
One of the key insights from the report is the rapid integration of generative AI technologies into products and workflows without adequate security oversight. While 98% of companies are incorporating genAI technologies, only 66% are actively assessing their security through pentesting. This oversight is particularly concerning as large language models (LLMs) showed the highest rate of serious vulnerabilities, with only 21% of these issues being remediated.
The report also highlights the importance of programmatic pentesting strategies in enhancing cybersecurity defenses. While 94% of firms view pentesting as essential, there is a persistent lack of follow-through in resolving vulnerabilities. Ad hoc testing may meet compliance requirements, but it falls short of driving continuous risk reduction. The report emphasizes the effectiveness of structured and programmatic pentesting strategies over sporadic efforts.
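The remediation gap described above (a 67-day median against a 14-day target, and fewer than half of findings ever closed) is only visible to a team that measures it. The script below is an added example, not code from the report or its publisher: it takes a constructed list of pentest findings with discovery and resolution dates and computes the resolution rate, the median days to resolve, the per-severity resolution rate, and which findings have breached their SLA, counting still-open findings against the reporting date. The `SLA_DAYS` tiers other than the 14-day one are assumed placeholders, and the finding records are constructed sample data.

```python
"""Remediation-gap metrics for a pentest programme (added example, not from the report)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed SLA targets in days per severity. The report only states a 14-day
# target; the medium and low tiers are placeholders for your own policy.
SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str                    # one of the SLA_DAYS keys
    found: date                      # date the pentest reported it
    resolved: Optional[date] = None  # None while the finding is still open


def days_open(f: Finding, as_of: date) -> int:
    """Days from discovery to fix, or to the reporting date if still open."""
    return ((f.resolved or as_of) - f.found).days


def breaches_sla(f: Finding, as_of: date) -> bool:
    """True if the finding took (or has so far taken) longer than its SLA."""
    return days_open(f, as_of) > SLA_DAYS[f.severity]


def summarize(findings: list, as_of: date) -> dict:
    """Programme-level view of the detection-to-resolution gap."""
    resolved = [f for f in findings if f.resolved is not None]
    by_sev = {}
    for sev in SLA_DAYS:
        group = [f for f in findings if f.severity == sev]
        fixed = [f for f in group if f.resolved is not None]
        by_sev[sev] = {
            "total": len(group),
            "resolved": len(fixed),
            "rate": round(len(fixed) / len(group), 3) if group else None,
        }
    return {
        "total": len(findings),
        "resolved": len(resolved),
        "resolution_rate": round(len(resolved) / len(findings), 3) if findings else None,
        # Median is taken over closed findings only; open ones are tracked via SLA breaches.
        "median_days_to_resolve": median(days_open(f, as_of) for f in resolved) if resolved else None,
        "sla_breaches": sorted(f.id for f in findings if breaches_sla(f, as_of)),
        "by_severity": by_sev,
    }


# Constructed sample findings (not real data) as they might come out of a tracker export.
FINDINGS = [
    Finding("F-1", "high", date(2025, 1, 6), date(2025, 1, 15)),      # 9 days, within SLA
    Finding("F-2", "high", date(2025, 1, 6), date(2025, 3, 14)),      # 67 days, breach
    Finding("F-3", "high", date(2025, 1, 20)),                        # still open, breach
    Finding("F-4", "medium", date(2025, 2, 3), date(2025, 2, 20)),    # 17 days, within SLA
    Finding("F-5", "medium", date(2025, 2, 3)),                       # still open, breach
    Finding("F-6", "low", date(2025, 2, 10), date(2025, 4, 1)),       # 50 days, within SLA
    Finding("F-7", "critical", date(2025, 3, 1), date(2025, 3, 5)),   # 4 days, within SLA
    Finding("F-8", "low", date(2025, 3, 1)),                          # open, not yet breached
]
AS_OF = date(2025, 4, 30)  # constructed reporting date

if __name__ == "__main__":
    report = summarize(FINDINGS, AS_OF)
    print(f"resolved {report['resolved']}/{report['total']} "
          f"({report['resolution_rate']:.0%}), median {report['median_days_to_resolve']} days")
    print("SLA breaches:", ", ".join(report["sla_breaches"]))
    for sev, stats in report["by_severity"].items():
        print(f"  {sev:<8} {stats['resolved']}/{stats['total']} resolved")
```

The design choice worth noting is that open findings are not dropped from the picture: a median over closed findings alone flatters a programme that never closes its hardest items, so `breaches_sla` measures every finding against its target using the reporting date as the end point for anything still open. Feeding this with a real tracker export, re-run on a schedule, is the kind of continuous measurement a programmatic pentesting approach implies.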
Organizational size also plays a role in vulnerability management, with small businesses outperforming larger enterprises in resolving serious findings. The challenges of managing risk increase as organizations grow, underscoring the need for scalable and integrated security practices.
Critical sectors such as utilities, healthcare, and manufacturing are highlighted as lagging in vulnerability resolution, facing exposure due to slow response times and unresolved findings. Even financial services firms, despite encountering fewer serious vulnerabilities, struggle with timely remediation, taking an average of 61 days to resolve issues.
Ultimately, the report underscores the importance of treating pentesting as a strategic and continuous tool for cybersecurity, rather than just a checkbox exercise. As organizations continue to adopt AI and digital transformation, proactive security measures are crucial to mitigating hidden risks and ensuring real risk reduction. Closing the gap between detection and resolution is essential for enhancing cybersecurity defenses and protecting against evolving cyber threats.