Pen Testing

Cybersecurity statistics about pen testing

77% of internal Security Operations Center (SOC) teams reported a skills shortage in penetration testing as of 2025, indicating a significant gap in essential cybersecurity capabilities.

21% of organizations rely on regular penetration testing to assess the effectiveness of their API security measures.

Cloud misconfigurations and excessive permissions vulnerabilities were found in 42% of cloud environments that were pen tested.

More than half (58%) of respondents require third-party penetration test reports to validate software security.

Nearly nine in 10 security leaders (88%) view penetration testing as an essential component of their overall security programme.

32% of LLM pentest findings are serious.

33% of respondents are still not conducting regular security assessments, including penetration testing, for their Large Language Model (LLM) deployments.

Overall, 69% of serious findings across all pentest categories are resolved.

The resolution rate for high-severity vulnerabilities found in LLM pentests falls to just 21%.

50% of CISOs identify software-based testing as a primary method for uncovering exploitable security gaps within their organizations.

The average total IT security budget for U.S. enterprises is $1.77 million.

U.S. enterprises allocate an average of $187,000 annually to pentesting.

Pentesting accounts for 11% of the total IT security budgets of U.S. enterprises.

Almost two-thirds (approximately 66%) of security leaders say that missing exposures due to manual pen testing is an issue.

67% say infrequent pen testing has left concerning gaps in security assessments.

Cymulate, 4/23/2025

94% of security leaders agree that pentesting is foundational to security.

Larger organisations take over a month longer (61 days) than smaller ones (27 days) to resolve serious findings in pentests.

The rate for serious findings in pentests being resolved in each calendar year remains stuck at just 55%.

15% of organisations resolve 10% or less of their serious findings in pentests.

Only 66% of organisations are conducting regular security assessments like pentesting on their AI products.