
One in Five Experienced an LLM Security Incident in the Last Year With 32% of AI Vulnerabilities Rated ‘High-Risk’

LLMs carry a 2.7x increased rate of high-risk vulnerabilities vs all other vulnerabilities, according to Cobalt State of Pentesting Report

SAN FRANCISCO--(BUSINESS WIRE)--Cobalt, the pioneer of penetration testing as a service (PTaaS) and leading provider of offensive security services, today announced its eighth annual State of Pentesting Report. This year's report reveals that 32% of all AI/LLM findings are rated as high risk, nearly 2.7x the rate found in the overall dataset (12%). LLMs also have the lowest resolution rate of all app types pentested, with just 38% of high-risk issues being fixed. Furthermore, one in five organizations stated they have experienced an LLM security incident in the last year, with a further 18% indicating they are ‘unsure’ and 19% preferring not to answer.

A likely consequence of the above is a decline in security teams’ confidence in their ability to keep up with the security implications of AI adoption. Last year 64% answered positively to this question, but this has now declined to just 51%. Additionally, 61% of security professionals stated they would like a “strategic pause” to calibrate defenses against AI-driven threats, compared to 48% stating this last year. This wish is unrealistic given the pressures to adopt AI, with 97% stating they are ‘adding AI capabilities to our software and services’.

The Cobalt State of Pentesting Report (SOPR) explores the landscape of vulnerabilities organizations battle today, drawing on the views of 450 security professionals and an analysis of the results of thousands of pentests spanning 2,700 organizations. It also found that:

  • Eight-month gap in remediation speeds: While top-performing organizations achieve a high-risk finding half-life of just 10 days, high-risk vulnerabilities in the bottom tier languish for 249 days, a staggering eight-month difference in exposure.
  • Widening disconnect between leadership and practitioners in meeting SLA targets: 57% of C-suite executives believe their organization consistently meets remediation SLAs, yet only 15% of security practitioners who actually perform the work agree. This perception gap creates friction and hampers the ability to meet targets.
  • Total resolution rates remain stagnant at 52%: While the typical organization resolves 86% of its high-risk findings, only 52% are remediated within a 5-year time frame.
  • Programmatic pentesting accelerates to three days or less: Organizations taking a continuous, programmatic approach to offensive security are 4.5x more likely to resolve critical findings within three days compared to those operating under a compliance-driven or ad hoc model.
  • Security budgets see a robust uptick to counter emerging risks: Nearly one-third (33%) of organizations reported significant budget growth in the past year, while 50% saw incremental increases. Security leadership isn’t just saying pentesting matters; they’re funding it.

“The poor resolution rate of AI is largely attributable to issues within LLM models themselves, which security professionals often cannot fix directly. Instead of waiting on vendors, organizations must take on the initiative through continuous pentesting to proactively enhance security,” said Gunter Ollman, CTO, Cobalt. “By taking an offensive security approach, companies can identify vulnerabilities before vendors do and mitigate risk by blocking their access to data. Last year’s data showed us how exposed supply chains are to attack; the message is simple: take matters into your own hands, because vendor fixes often come too late.”

Methodology

The report analyzes two different datasets. The majority of analysis is based on data collected during Cobalt pentests. This is supplemented by insights collected via a survey by a third-party research firm, Emerald Research. All penetration testing data analyzed in this report was collected through Cobalt pentests. This spans more than 2,700 organizations. Metadata from these pentests was exported from the Cobalt Offensive Security Platform, sanitized to remove client-identifying and other sensitive details, and provided to Cyentia Institute for independent analysis.

About Cobalt

Cobalt is the pioneer in pentesting as a service (PTaaS) and a leader in human-led, AI-powered offensive security services™. We are focused on combining talent and technology with speed, scalability, and expertise. Thousands of customers and hundreds of partners rely on the Cobalt Offensive Security Platform, along with 500+ trusted security experts, to find and fix vulnerabilities across their environments. By enabling faster pentest launches, real-time collaboration with pentesters, and seamless integration with remediation workflows, we help organizations identify critical issues and accelerate risk mitigation so they can operate fearlessly and innovate securely. Cobalt maintains an outstanding NPS of 9, reflecting its dedication to customer satisfaction. Read our reviews on G2 to see why customers love us. More at https://www.cobalt.io. Follow Cobalt on LinkedIn and X.

Contacts

Media Contact
Leslie Kesselring
Kesselring Communications for Cobalt
leslie@kesscomm.com