Cobalt today released its State of Pentesting in Financial Services 2025 Report with new insights into how the financial services industry identifies and resolves serious security vulnerabilities. Cobalt pentesting data shows that the financial services sector is accruing security debt and a backlog of serious vulnerabilities. Although financial services firms have one of the lowest rates of serious vulnerability findings, they are among the slowest industries to remediate them.
Financial Services Findings: Strengths and Backlogs
- Low rate of serious findings: Financial services organizations rank near the top for preventing serious vulnerabilities from appearing at all.
- Moderate resolution rates: The industry resolves about two-thirds (66.7%) of serious findings, ranking 10 out of the 13 industries Cobalt researched.
- Slow median time to remediation (MTTR): At 61 days, financial services ranks 11th of 13 industries, well behind hospitality, which resolves serious findings in 20 days.
- Backlogs reflected in half-life: Financial services has a half-life of 147 days for serious findings, placing 9th of the 13 industries measured. Half-life, unlike MTTR, accounts for unresolved vulnerabilities and provides a fuller picture of backlog and risk.
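The MTTR versus half-life contrast above (and the "one-third never resolved" point later in the release) is easiest to see on a small dataset. The following is an added example, not Cobalt's code or its published formula: it assumes half-life means the number of days by which half of all findings, open ones included, were closed, and it runs on a constructed set of nine findings.

```python
import math
from statistics import median

# Constructed sample of nine serious findings as (day opened, day closed or None
# if still open). Six were closed and three never were, mirroring the roughly
# one-third unresolved share in the release. Hypothetical numbers, not Cobalt data.
FINDINGS = [
    (0, 14), (0, 30), (5, 50), (10, 71), (10, 100), (20, 140),
    (30, None), (40, None), (50, None),
]


def resolved_durations(findings):
    """Days from open to close, for the findings that were actually closed."""
    return sorted(closed - opened for opened, closed in findings if closed is not None)


def resolution_rate(findings):
    """Share of findings that were ever closed."""
    return len(resolved_durations(findings)) / len(findings)


def mttr(findings):
    """Median time to remediation: computed over closed findings only, so the
    open backlog simply disappears from the number."""
    durations = resolved_durations(findings)
    return median(durations) if durations else None


def half_life(findings):
    """Assumed definition (not Cobalt's published one): days by which half of
    ALL findings, open ones included, had been closed. Returns None when fewer
    than half were ever closed, i.e. the backlog alone exceeds half the set."""
    needed = math.ceil(len(findings) / 2)
    durations = resolved_durations(findings)
    return durations[needed - 1] if len(durations) >= needed else None


if __name__ == "__main__":
    print(f"resolved {resolution_rate(FINDINGS):.1%}, "
          f"MTTR {mttr(FINDINGS)} days, half-life {half_life(FINDINGS)} days")
```

On the sample, MTTR reports 53 days while half-life reports 90 days, because the three findings that were never closed push the halfway point out; with a backlog larger than half the set, half-life is undefined while MTTR still looks healthy.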
Vulnerability Profile: Automation Strengths, Human Testing Gaps
The financial services sector excels at addressing straightforward, code-level vulnerabilities, thanks to mature AppSec programs, automated scanning (SAST/DAST), and strong secure coding standards. This results in significantly lower rates of cross-site scripting (5.0% vs. 9.7%) and server-side injection (4.2% vs. 5.3%) in web applications and APIs, compared to other industries.
However, pentests reveal blind spots where automation falls short. The industry struggles with:
- Sensitive data exposure: 10.5% vs. 8.0% average in other industries.
- Business logic flaws: 2.9% vs. 2.3% average in other industries.
- Server security misconfigurations: 34.9% vs. 27.9% average in other industries.
- Components with known vulnerabilities: 6.1% vs. 5.5% average in other industries.
These vulnerabilities often require human-led pentests to uncover because they involve complex data flows, legacy systems, and application-specific logic that scanners cannot interpret.
Pentesting Practices and Pressures
While financial services firms struggle to resolve most serious issues (61-day MTTR, 147-day half-life, and one-third of serious issues never resolved), they do maintain a solid track record in meeting strict internal service level agreements (SLAs) for the remediation of serious vulnerabilities. Deeper operational data reveals significant systemic bottlenecks and major backlogs of vulnerabilities that expose financial organizations to risks of data loss and breaches.
The industry’s exposure due to slow remediation speed is amplified by external threats and internal challenges—ranging from scheduling delays to the escalating risks posed by third-party software vulnerabilities, genAI complexity, and insider threats.
- SLAs narrowly met: Despite their 61-day MTTR for serious issues overall, 78% of financial services firms report fixing critical vulnerabilities in business-critical assets within 14 days, in line with SLA requirements.
- Scheduling challenges: 70% report that pentest scheduling delays sometimes impact compliance or business timelines, meaning potential security risks remain unaddressed for a longer period.
- Top risks: Financial services leaders highlight third-party software (76%), genAI-related risks (68%), and insider threats (46%) among their greatest concerns.
Methodology
The findings in the State of Pentesting in Financial Services 2025 are based on 10 years of Cobalt pentesting data and on data from Emerald Research, an independent third-party research firm, sponsored by Cobalt. The survey included 500 respondents, consisting of security leaders, defined as a mix of C-level and VP-level security professionals, and security practitioners, representing organizations with 500 to 10,000 employees.
Majority of Security Leaders Say Traditional Pentesting Can’t Keep Pace with Modern Threats, Omdia Research Finds
Posted in Commentary with tags Cobalt on June 10, 2026 by itnerd
Cobalt today announced findings from new research conducted by Omdia that reveal a significant shift in how organizations approach offensive security. As AI accelerates both attack and defense capabilities, security leaders are moving away from static, point-in-time assessments in favor of continuous, intelligence-driven security validation that combines human expertise with automation.
The survey of 400 cybersecurity professionals found that 94% of organizations see the importance of keeping humans in the loop for offensive security programs, while 60% expect analysts to shift from executing offensive security tasks to supervising autonomous workflows. At the same time, 53% of respondents said traditional offensive security approaches, such as manual penetration testing, provide a static view that is obsolete by the time reports are delivered.
The findings highlight a broader transformation in offensive security. Organizations increasingly recognize that point-in-time testing cannot keep pace with rapidly changing attack surfaces, AI-powered threats, and accelerated software development cycles.
The research also found that 58% of organizations now utilize PTaaS, making it the most widely adopted offensive security model surveyed. Additionally, 88% of respondents expect to increase spending on offensive security technologies over the next 12 months, including 23% planning significant increases.
Among the key findings:
The findings underscore growing demand for offensive security programs that provide continuous visibility, integrate with existing security and engineering workflows, and help organizations reduce measurable risk rather than simply identify vulnerabilities. Furthermore, respondents emphasized that shifting toward continuous validation turns security into a business accelerator, whereby development teams can bring secure products to market faster.
The research, Next-generation Offensive Security Strategies Give Defenders the AI Advantage, was conducted by Omdia and surveyed 400 IT and cybersecurity professionals across North America responsible for developing and managing offensive security strategies.
The full report is available here.
Source: Omdia Research Survey, Next-generation Offensive Security Strategies Give Defenders the AI Advantage, May 2026.