04-15-2025, 11:10 PM
What the State of Pentesting Report 2025 Reveals About Cybersecurity Readiness
<p><img width="1280" height="837" src="https://thecyberexpress.com/wp-content/uploads/State-of-Pentesting-Report-2025.webp" alt="State of Pentesting Report 2025"></p>
<p>The State of Pentesting Report 2025 pulls back the curtain on how organizations are really doing when it comes to cybersecurity. The report offers a candid look at the gap between perception and reality, especially around vulnerability management, AI risks, and the growing need for programmatic approaches to pentesting.</p>
<p>The State of Pentesting Report 2025 begins with a telling contradiction. A striking 81% of organizations rate their <a href="https://cyble.com/knowledge-hub/what-is-cybersecurity/" target="_blank" rel="noopener">cybersecurity</a> posture as strong. Yet real-world <a href="https://thecyberexpress.com/fin7-gang-elude-edr-and-automate-attacks/" target="_blank" rel="noopener">pentesting</a> tells a different story—less than half (48%) of all vulnerabilities uncovered during tests are ever resolved. Even when those <a href="https://thecyberexpress.com/what-are-vulnerabilities/">vulnerabilities</a> are deemed high-risk, only 69% are addressed, leaving several gaps in enterprise defenses.</p>
<p>What’s more, while three-quarters of companies claim to have service-level agreements (SLAs) in place mandating that vulnerabilities be resolved within 14 days, the median time to resolve all pentest findings is a whopping 67 days—almost five times the target. This issue isn’t just theoretical; these are actionable vulnerabilities that could be exploited by attackers, and the lag in resolution leaves systems exposed.</p>
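<p>The numbers above (resolution rate, high-risk resolution rate, median time to resolve, and SLA compliance) are the metrics a security team needs to track to know whether its own remediation reality matches its self-assessment. The following is an added example written for this post, not code from the article or from Cobalt: it computes those metrics over a constructed list of findings against an assumed 14-day SLA. The <code>Finding</code> fields, the severity labels, the finding identifiers and the dates are all constructed sample data.</p>

```python
"""Remediation metrics over pentest findings (added example, constructed data).

Assumptions: a finding record carries a severity label, the date it was
reported and the date it was resolved (None while open); "serious" means
critical or high; the SLA target is 14 days, matching the figure the
article cites. Nothing here comes from the report's own dataset.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Iterable, Optional

SLA_DAYS = 14  # assumed SLA: findings must be resolved within 14 days


@dataclass(frozen=True)
class Finding:
    ident: str                # constructed identifier, e.g. "F-001"
    severity: str             # "critical", "high", "medium" or "low"
    found: date               # date the pentest reported it
    resolved: Optional[date]  # None while the finding is still open


def is_serious(f: Finding) -> bool:
    return f.severity in ("critical", "high")


def days_to_resolve(f: Finding) -> Optional[int]:
    return None if f.resolved is None else (f.resolved - f.found).days


def resolution_rate(findings: Iterable[Finding], serious_only: bool = False) -> float:
    """Share of findings (optionally only serious ones) that have been resolved."""
    pool = [f for f in findings if not serious_only or is_serious(f)]
    if not pool:
        return 0.0
    return sum(1 for f in pool if f.resolved is not None) / len(pool)


def sla_status(f: Finding, as_of: date) -> str:
    """'met', 'breached' or 'pending' against SLA_DAYS.

    Open findings older than the SLA count as breached; open findings still
    inside the window are pending, so the breach count is not understated by
    findings that were simply never closed.
    """
    if f.resolved is not None:
        return "met" if days_to_resolve(f) <= SLA_DAYS else "breached"
    return "breached" if (as_of - f.found).days > SLA_DAYS else "pending"


def summarize(findings: Iterable[Finding], as_of: date) -> dict:
    findings = list(findings)
    resolved = [f for f in findings if f.resolved is not None]
    statuses = [sla_status(f, as_of) for f in findings]
    return {
        "resolution_rate": resolution_rate(findings),
        "serious_resolution_rate": resolution_rate(findings, serious_only=True),
        # median over resolved findings only; open findings are reported separately
        "median_days_to_resolve": median(days_to_resolve(f) for f in resolved) if resolved else None,
        "sla_met": statuses.count("met"),
        "sla_breached": statuses.count("breached"),
        "sla_pending": statuses.count("pending"),
        # the list a remediation lead actually needs to act on
        "open_serious_past_sla": [
            f.ident for f in findings
            if is_serious(f) and f.resolved is None and sla_status(f, as_of) == "breached"
        ],
    }


# Constructed sample findings; dates and severities are made up for illustration.
AS_OF = date(2025, 4, 15)
SAMPLE_FINDINGS = [
    Finding("F-001", "high",     date(2025, 1, 10), date(2025, 1, 20)),
    Finding("F-002", "critical", date(2025, 1, 10), date(2025, 3, 20)),
    Finding("F-003", "medium",   date(2025, 2, 1),  date(2025, 2, 12)),
    Finding("F-004", "high",     date(2025, 2, 1),  None),
    Finding("F-005", "low",      date(2025, 2, 15), date(2025, 4, 1)),
    Finding("F-006", "medium",   date(2025, 3, 1),  None),
    Finding("F-007", "high",     date(2025, 4, 5),  None),
    Finding("F-008", "low",      date(2025, 3, 10), date(2025, 3, 30)),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

<p>Two design choices matter when reading the output. The median is taken over resolved findings only, which is the usual way a "median time to resolve" is reported, but it flatters a team that leaves its hardest findings open forever; the SLA counters therefore treat an open finding older than the target as a breach rather than ignoring it, and the <code>open_serious_past_sla</code> list is the work queue that closes the gap between the two views.</p>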
<h3>AI Adoption Is Surging—But Security Is Struggling to Keep Up</h3>
<p>One of the most urgent issues outlined in this year’s pentest report is the rapid integration of <a href="https://thecyberexpress.com/vimal-mani-generative-ai-challenges/" target="_blank" rel="noopener">generative AI</a> into products and workflows, without a proportional increase in security oversight. While 98% of companies are incorporating genAI technologies, only 66% are actively assessing their <a href="https://thecyberexpress.com/">security</a>, including through pentesting.</p>
<p>This oversight is particularly troubling because large language models (LLMs) showed the highest rate of serious vulnerabilities across all asset types tested. In fact, 32% of LLM-related pentest findings were labeled as high-risk—more than double the average rate of 13%. Even more alarming is that only 21% of these serious LLM vulnerabilities are being remediated, reflecting the growing AI security gap.</p>
<p>"AI is moving faster than our ability to secure it," the report notes, summarizing a concern echoed by 72% of cybersecurity professionals who now view genAI threats as more pressing than risks from <a href="https://thecyberexpress.com/cfo-strategies-for-third-party-risk-management/" target="_blank" rel="noopener">third-party software</a>, <a href="https://thecyberexpress.com/2024-us-election-new-guidance-for-officials/" target="_blank" rel="noopener">insider threats</a>, or even <a href="https://thecyberexpress.com/cloudflare-cyberattack-decoded/" target="_blank" rel="noopener">nation-state actors</a>.</p>
<h3>A Long Road Toward Programmatic Pentesting</h3>
<p>Despite widespread acknowledgment of pentesting’s importance—94% of firms view it as essential to their cybersecurity strategy—the <a href="https://thecyberexpress.com/what-is-data/">data</a> reveals a persistent lack of follow-through. The report emphasizes that while ad hoc testing may satisfy compliance checks, it falls short of driving continuous <a href="https://thecyberexpress.com/what-are-risks-in-cybersecurity/">risk</a> reduction.</p>
<p>In 2017, only 27% of serious pentest findings were resolved. That number eventually doubled to 55%, but progress has stalled since then. The same percentage of serious vulnerabilities was fixed in 2024, suggesting a plateau in effectiveness. Encouragingly, the time it takes to resolve those issues has improved—falling from 112 days in 2017 to just 37 days in 2024, a 75-day reduction. However, this improvement in speed hasn’t translated into higher resolution rates.</p>
<p>Some organizations are leading the charge. The <a href="https://www.cobalt.io/blog/key-takeaways-state-of-pentesting-report-2025" target="_blank" rel="nofollow noopener">State of Pentesting Report 2025</a> by Cobalt found that 57% of companies resolve at least 90% of their serious findings, while 15% resolve 10% or less. The clear takeaway? Structured, programmatic <a href="https://thecyberexpress.com/top-10-cybersecurity-jobs-in-demand-for-2023/" target="_blank" rel="noopener">pentesting strategies</a> are far more effective than sporadic efforts.</p>
<h3>Size Matters: Why Bigger Isn't Always Better in Cybersecurity</h3>
<p>Another insight from the pentest report is the impact of organizational size on <a href="https://thecyberexpress.com/firewall-daily/vulnerabilities/">vulnerability</a> management. Small businesses outperformed their larger counterparts, resolving 81% of serious findings compared to just 60% for large enterprises. Moreover, big companies take more than twice as long—61 days versus 27 days—to resolve serious issues.</p>
<p>This may be due to complexity, stretched resources, and cross-functional misalignment. As organizations grow, so too does the challenge of managing risk, emphasizing the need for scalable, integrated security practices.</p>
<h3>Sector Struggles and Infrastructure Risks</h3>
<p>The report also shines a light on critical sectors like utilities, <a href="https://thecyberexpress.com/radiant-dicom-viewer-vulnerability/" target="_blank" rel="noopener">healthcare</a>, and manufacturing, which are lagging behind in vulnerability resolution. These industries face heightened exposure due to slow response times and a high number of unresolved findings.</p>
<p>Financial services firms, while encountering fewer serious vulnerabilities (11%), still struggle with remediation timelines, taking an average of 61 days to resolve issues. This trend highlights that even mature security environments are not immune to the remediation gap.</p>
<h3>Bridging the Confidence Gap</h3>
<p>Ultimately, the State of Pentesting Report 2025 makes one message clear: pentesting is not just a box to check—it’s a vital tool that requires strategic, continuous application. The confidence many organizations have in their cybersecurity defenses doesn’t align with the outcomes revealed in pentesting data. Until more companies adopt programmatic approaches, these gaps will persist.</p>
<p>For organizations racing to adopt AI and <a href="https://thecyberexpress.com/cisco-networking-academy/" target="_blank" rel="noopener">digital transformation</a>, the need to secure systems proactively is more urgent than ever. Pentesting offers a critical lens into hidden risks—but only if the insights are acted upon. Cybersecurity leaders must close the gap between detection and resolution to ensure real risk reduction, not just perceived protection.</p>
https://thecyberexpress.com/state-of-pen...port-2025/