State of Pentesting Report 2026 | Cobalt

Platform

Cobalt Platform

Modern offensive security platform and pioneers in penetration testing as a service (PTaaS)

Offensive Security Program

Go beyond one-off pentests with a continuous program of testing, fix validation, and strategic guidance.

PTaaS

On-demand penetration testing as a service platform. Start a pentest in as little as 24 hours

Artificial Intelligence

Leverage over a decade of proprietary exploit intelligence to automate recon and isolate high-risk vulnerabilities faster with AI.

Cobalt Core

Meet the community of skilled and highly-vetted penetration testing experts

Why Cobalt

Explore why customers love working with Cobalt for their offensive security service needs

Integrations

Automate workflows to identify and remediate vulnerabilities faster

Pricing

Explore the flexible Cobalt credit model for all your penetration testing needs

State of Pentesting Report

The definitive benchmark for offensive security and remediation performance

Download now
Services
Pentest Services

Proactively identify and mitigate risks with penetration testing services
Application Security

Modern penetration testing services for fast-moving product development teams
- Secure Code Review
- Dynamic Application Security Testing
Network & Cloud Security

Penetration testing across your perimeter and into the cloud
InfoSec & SOC Services

Test your system defenses against real-world attacks
Services Overview

Secure your organization with our expert security services

Learn more
Solutions
Continuous Pentesting Solutions

Go beyond one-off pentests with a continuous program of testing, fix validation, and strategic guidance
By Use Case

Go beyond one-off pentests with a continuous program of testing, fix validation, and strategic guidance
Solutions Overview

Explore cybersecurity solutions to meet your specific needs

Learn more
Resources

Resource Library

Essential reading and toolkits for modern cybersecurity professionals

Demo Center

Explore the features, insights, and automation that help teams deliver high-impact pentests.

Blogs

Sharpen your skills with expert commentary and practical security advice

Learning Center

Learn the fundamentals of offensive security and strengthen your cyber defenses

Events and Webinars

Live and on-demand training for today's most pressing security challenges

Case Studies

Explore real customer stories and see their delight straight from the source

The Responsible AI Imperative

Discover the security challenges of AI adoption and how to address them.

Download now
About

Leadership

Meet the executive leadership team driving our mission

Partners

Explore the Cobalt partnership network and apply to become a partner today

Newsroom

Read the latest news stories and press coverage

Trust Center

Transparency is important. See our approach to data privacy, security, and compliance

About Us

Learn how Cobalt infuses manual security testing with speed, simplicity, and transparency

Careers

Join Cobalt to help us redefine and reimagine offensive security

Contact Us

Get in touch with a member of our team

Pentesting Pulse Report

How speed, AI, and quality are driving change in modern security testing

Download now
Get A Demo
Login

Platform

Cobalt Platform

Modern offensive security platform and pioneers in penetration testing as a service (PTaaS)

Offensive Security Program

Go beyond one-off pentests with a continuous program of testing, fix validation, and strategic guidance.

PTaaS

On-demand penetration testing as a service platform. Start a pentest in as little as 24 hours

Artificial Intelligence

Leverage over a decade of proprietary exploit intelligence to automate recon and isolate high-risk vulnerabilities faster with AI.

Cobalt Core

Meet the community of skilled and highly-vetted penetration testing experts

Why Cobalt

Explore why customers love working with Cobalt for their offensive security service needs

Integrations

Automate workflows to identify and remediate vulnerabilities faster

Pricing

Explore the flexible Cobalt credit model for all your penetration testing needs

State of Pentesting Report

The definitive benchmark for offensive security and remediation performance

Download now
Services
Pentest Services

Proactively identify and mitigate risks with penetration testing services
Application Security

Modern penetration testing services for fast-moving product development teams
- Secure Code Review
- Dynamic Application Security Testing
Network & Cloud Security

Penetration testing across your perimeter and into the cloud
InfoSec & SOC Services

Test your system defenses against real-world attacks
Services Overview

Secure your organization with our expert security services

Learn more
Solutions
Continuous Pentesting Solutions

Go beyond one-off pentests with a continuous program of testing, fix validation, and strategic guidance
By Use Case

Go beyond one-off pentests with a continuous program of testing, fix validation, and strategic guidance
Solutions Overview

Explore cybersecurity solutions to meet your specific needs

Learn more
Resources

Resource Library

Essential reading and toolkits for modern cybersecurity professionals

Demo Center

Explore the features, insights, and automation that help teams deliver high-impact pentests.

Blogs

Sharpen your skills with expert commentary and practical security advice

Learning Center

Learn the fundamentals of offensive security and strengthen your cyber defenses

Events and Webinars

Live and on-demand training for today's most pressing security challenges

Case Studies

Explore real customer stories and see their delight straight from the source

The Responsible AI Imperative

Discover the security challenges of AI adoption and how to address them.

Download now
About

Leadership

Meet the executive leadership team driving our mission

Partners

Explore the Cobalt partnership network and apply to become a partner today

Newsroom

Read the latest news stories and press coverage

Trust Center

Transparency is important. See our approach to data privacy, security, and compliance

About Us

Learn how Cobalt infuses manual security testing with speed, simplicity, and transparency

Careers

Join Cobalt to help us redefine and reimagine offensive security

Contact Us

Get in touch with a member of our team

Pentesting Pulse Report

How speed, AI, and quality are driving change in modern security testing

Download now
Get A Demo
Login

Key Findings

The 25x remediation gap

A massive gap exists between leading organizations that integrate security and the laggard organizations that treat it as a periodic hurdle.

10 days: The half-life—how long vulnerabilities remain exploitable—of high-risk findings for top-performing teams.

249 days: The half-life—how long vulnerabilities remain exploitable—of high-risk findings for the bottom tier.

AI risks outpace defensive reality

Innovation is outstripping defense as organizations rush to deploy LLM-backed features without a matching security strategy.

32%: Percentage of all AI/LLM findings rated as High Risk.

38%: The resolution rate for AI vulnerabilities—the lowest of any category in our report.

Programmatic advantage graphic

The programmatic advantage leads to better outcomes

Strategic process maturity is the single greatest predictor of remediation success.

45% vs. 10%: Organizations that take a programmatic approach to security testing resolve 4.5x more critical findings in under three days than compliance-driven teams.

What is the State of Pentesting Report?

The 2026 State of Pentesting Report is an annual research publication by Cobalt that provides deep insights into the offensive security landscape. Now in its eighth year, the report combines data from thousands of real-world penetration tests with a qualitative survey of 450 security leaders and practitioners, to identify why vulnerabilities persist and how leading teams resolve them.

How does Cobalt collect data for the State of Pentesting Report?

The report draws from two primary datasets:

Pentest Data: Results from over 16,500 pentests conducted on nearly 3,000 organizations over a five-year period. This data is sanitized and analyzed by the Cyentia Institute.
Survey Data: A double-blind survey of 450 validated information security professionals (50% leaders, 50% practitioners) across various industries.

What are security Leaders and Laggards?

While multiple factors can be considered, this analysis is based on remediation of high-risk pentest findings—specifically the half-life of vulnerabilities (the number of days to remediate 50% of findings, including those that are still unfixed).

Leaders (Top 10%): Organizations that treat pentesting as a continuous program, achieving a high-risk finding half-life of just 10 days.
Laggards (Bottom 10%): Organizations that often view pentesting as a one-time compliance task, with high-risk vulnerabilities remaining open for a half-life of 249 days.

Does the State of Pentesting Report include security recommendations?

Yes, the State of Pentesting Report includes security recommendations based on best practices of top-performing organizations in the research. Key recommendations include:

Transitioning from ad hoc testing to a programmatic, continuous approach.
Aligning offensive security objectives with business strategy to gain board-level support.
Prioritizing remediation based on potential business impact rather than ease-of-fix.