Cybersecurity statistics about offensive security
U.S. enterprises allocate an average of $187,000 annually to pentesting.
Pentesting accounts for 11% of the total IT security budgets of U.S. enterprises.
50% of CISOs identify software-based testing as a primary method for uncovering exploitable security gaps within their organizations.
The average total IT security budget for U.S. enterprises is $1.77 million.
94% of security leaders agree that pentesting is foundational to security.
Financial companies have a lower rate of serious findings (11%) in pentests.
Large organisations resolve only 60% of serious pentest findings.
Larger organisations take over a month longer (61 days) than smaller ones (27 days) to resolve serious findings in pentests.
LLM pentests yield the highest proportion of serious vulnerabilities (32%) of any asset type tested.
The rate at which serious pentest findings are resolved within each calendar year remains stuck at just 55%.
15% of organisations resolve 10% or less of their serious findings in pentests.
Only 66% of organisations are conducting regular security assessments like pentesting on their AI products.
Only 21% of serious vulnerabilities discovered in LLM tests are being resolved.
The proportion of serious findings in pentests has also declined by about half (from 20% to 11%) over 10 years.
Small companies lead with 81% of serious findings in pentests resolved.
57% of organisations resolve at least 90% of their serious findings in pentests.