Archive for Cobalt

Cobalt Says That 1 in 5 Have Experienced an LLM Security Incident in the Last Year

Posted in Commentary on April 21, 2026 by itnerd

Cobalt has today released new research that shows how organizations are struggling to keep pace with a rapidly evolving threat landscape shaped by nation-state activity, AI-driven attacks, and expanding supply chain risk. The 2026 State of Pentesting Report reveals that 75% of organizations rank third-party software as a top risk, yet 86% deploy vendor tools without proof of security testing, while AI vulnerabilities are emerging as significantly higher risk and harder to remediate. A new blog from Director of Offensive Security Research, Joe Brinkley, connects these findings to real-world attack scenarios, including the weaponization of trusted third-party tools.

A few highlights:

  • Nation-state threats are rising fast, with 20% of all respondents and 40% of financial services organizations ranking them as a top risk
  • 93% have observed attackers using AI to enhance sophistication, while 32% of AI/LLM vulnerabilities are rated high risk, nearly 2.5x higher than average
  • One in five organizations has already experienced an LLM-related security incident
  • Organizations using continuous, programmatic pentesting are 4.5x more likely to remediate critical issues within three days

The research also digs into a real-world case study involving the weaponization of third-party tools in a destructive supply chain attack, underscoring why “paper trust” models like SOC 2 and annual pentests are no longer sufficient in a threat environment moving at machine speed.

While the report requires a sign-up to get it, it’s worth reading and can be found here: State of Pentesting Report 2026 | Cobalt

Cobalt Introduces New AI Capabilities for Continuous Pentesting

Posted in Commentary on March 19, 2026 by itnerd

Cobalt today announced new AI capabilities for continuous pentesting. Delivered through the Cobalt Offensive Security Platform, these next-generation components integrate AI with elite human pentesters and more than a decade of proprietary pentesting intelligence to accelerate the speed, scale, and depth of modern offensive security programs. Attendees of the RSA Conference can learn more by visiting the Cobalt team at Booth #N4519 at the Moscone Conference Center.

Offensive security is entering a new era. Attackers are increasingly using AI to automate reconnaissance, vulnerability discovery, and exploitation. At the same time, modern development practices are accelerating release velocity and dramatically expanding the attack surface across APIs, microservices, cloud infrastructure, and AI-powered applications. Security teams can no longer rely on periodic testing to understand their exposure—they must validate real-world risk continuously.

The Cobalt Platform enables organizations to move beyond point-in-time testing and adopt a programmatic approach to offensive security that continuously adapts to evolving environments. Using the largest dataset of real-world pentesting intelligence in the industry, it applies historical exploit intelligence to refine testing logic and ensure every engagement is smarter than the last. Cobalt integrates and exposes the industry’s most capable hacker tools—constantly updated to reflect current threat actor tactics.

New features and functionality include:

  • Automated Reconnaissance: The AI-powered platform autonomously maps the entire attack surface—from complex JavaScript routes to hidden shadow APIs and forgotten subdomains. This identifies every potential entry point and provides human testers with a high-fidelity roadmap from the start of every engagement. 
  • AI-Powered Vulnerability Discovery: By combining automated scanning with AI-driven credential validation, the Cobalt Platform ensures exhaustive coverage of all form fields and CVEs, including critical vulnerabilities like those in Log4j and WordPress. This autonomously validates access and surface-level flaws to provide an immediate baseline of enterprise risk.
  • Proprietary Data Enrichment: Every finding is enriched with context from public exploit feeds and over a decade of proprietary historical intelligence. By merging global threat data with a unique offensive security dataset, the Cobalt Platform provides the critical context needed to frame findings based on actual adversarial behavior.
  • AI-Driven Deduplication and Triage: An AI-driven triage engine automatically normalizes and deduplicates findings across all scanner outputs into a single, cohesive view. By distilling high-volume data into verified findings, the platform ensures pentesters are focused on creative attack scenarios that present the real risk to the business.

These enhancements build on additional AI capabilities released in Q4 2025, including AI-Powered Reporting and Insights. AI reporting automates vulnerability documentation, benchmarks results against aggregated security data, and provides natural-language access to product guidance. By combining an AI report writer, insights and benchmarking capabilities, and an AI documentation assistant, the Cobalt Platform accelerates report delivery, contextualizes findings with industry data, and helps security teams quickly understand and remediate risk.

With only a few clicks to scope and set up a pentest, the Cobalt Platform initiates testing automatically to ensure depth and quality before human experts engage. Because reconnaissance and scanning are now fully automated, pentesters spend 0% of their time on basic discovery and 100% of their time on high-value exploitation. 

The Cobalt Platform also introduces compatibility with the Model Context Protocol (MCP), enabling AI assistants to securely interface with pentest data so security teams can query testing results, triage findings, and correlate risk through natural-language workflows. 


Cobalt Introduces Security Program Manager Service to Help Enterprises Scale Offensive Security Programs

Posted in Commentary on March 19, 2026 by itnerd

Cobalt today announced the launch of its Security Program Manager service, designed to help enterprises operationalize and scale offensive security programs. Attendees of the RSA Conference can learn more about these new capabilities by visiting the Cobalt team at Booth #N4519 at the Moscone Conference Center.

As organizations expand their security testing efforts across applications, APIs, cloud infrastructure, and emerging technologies, many security teams struggle with a growing gap between strategic security objectives and day-to-day execution. Fragmented oversight, engineering silos, and the challenge of translating technical vulnerability data into business-level insights can slow remediation efforts and reduce the effectiveness of offensive security programs.

The Cobalt Security Program Manager addresses this challenge by providing organizations with a dedicated expert who acts as an extension of the internal security team. Security Program Managers oversee the logistics of enterprise-scale pentesting programs, coordinate testing schedules across development teams, and ensure remediation workflows align with broader business and security goals.

Security Program Managers help organizations streamline pentesting operations and ensure testing results translate into actionable improvements across the business. Key benefits of the service include:

  • Reclaim Your Team’s Time: Security Program Managers coordinate with development and engineering teams to schedule pentests, manage administrative logistics, and track remediation progress, reducing the operational burden on internal security teams.
  • Eliminate Security Blind Spots: By maintaining a comprehensive inventory of assets and aligning testing cadences with corporate security objectives, Security Program Managers ensure continuous visibility into the organization’s security posture.
  • Secure Executive Buy-In: Security Program Managers translate technical findings into strategic intelligence and performance metrics, helping security leaders demonstrate ROI and communicate risk reduction to executive stakeholders.
  • Accelerate Innovation Cycles: Cobalt integrates pentesting workflows with common development tools such as Jira, GitHub, and Slack, enabling organizations to embed security into development pipelines without disrupting engineering velocity.

The Security Program Manager builds on the broader Cobalt Offensive Security Platform, which combines automation, AI-driven intelligence, and expert-led testing to deliver offensive security at enterprise scale. By integrating automated reconnaissance, vulnerability discovery, and intelligence-driven triage with human-led testing, Cobalt enables organizations to run continuous security programs that evolve alongside their environments.

Cobalt offensive security services span application, network, API, cloud, and emerging AI systems, and include capabilities such as web application pentesting, mobile testing, cloud configuration reviews, attack surface management, red teaming, and AI and LLM application testing. These services are delivered by the Cobalt Core, a global community of more than 500 vetted ethical hackers who average over 11 years of pentesting experience.

PTaaS Ranked 4x More Effective Than Bug Bounties for Uncovering Complex Vulnerabilities, Cobalt Report Finds

Posted in Commentary on March 5, 2026 by itnerd

Cobalt today released the Cobalt Pentester Profile Report 2026. The findings provide an unfiltered look at the offensive security landscape from a diverse pool of elite practitioners within the Cobalt Core—the company’s vetted community of professional pentesters.

The report highlights a significant gap in testing efficacy: 58% of respondents rank PTaaS as the most effective model for uncovering complex vulnerabilities—nearly four times higher than public bug bounties (15%). Conversely, only 1% of professional pentesters believe AI-only scanning is effective for uncovering high-impact, exploitable vulnerabilities. Human-led testing remains critical, as evidenced by the caliber of the workforce: 54% of surveyed pentesters report having discovered a Zero-Day or N-Day vulnerability that had no existing public patch or advisory.

Additional Findings Include:

  • Overwhelming Preference: 98% of professional testers prefer the PTaaS model over bug bounties, citing a combination of work-life balance, collaborative culture, and the ability to drive higher-impact security outcomes.
  • The Noise Problem: Pentesters report that 30% of all bug bounty submissions are invalid or low-value “noise,” creating a significant administrative burden for security teams and distracting from critical remediation.
  • Career-Critical Discoveries: 65% of the most significant, career-defining vulnerabilities discovered by these professionals were found during structured PTaaS engagements, rather than bounty hunts.
  • The “First-to-File” Frustration: 51% of respondents cite the pressure to be the first to submit a finding as their primary frustration with bug bounty programs, a dynamic that often incentivizes speed over thoroughness.

Together, the data suggests that as security leaders scrutinize return on investment, the structure of the testing model and the supporting technology platform directly influence the depth and actionability of findings. Traditional pentesting and bounty models often operate in silos—lacking shared context, workflow alignment, or integration into remediation systems.

In contrast, a programmatic approach to continuous pentesting transforms security from a series of disconnected events into a continuous cycle of improvement. By providing pentesters with a purpose-built platform and visibility into past findings, PTaaS enables them to bypass known issues and go deeper into complex application logic. This collaborative, real-time environment doesn’t just produce deeper exploit chaining; it ensures that every engagement builds on the last, resulting in validated, trackable risk reduction that translates into measurable security outcomes.

Methodology

The Cobalt Pentester Pulse Report 2026 is based on an anonymous survey conducted by Emerald Research Group of 198 elite offensive security professionals within the Cobalt Core. This group represents a highly specialized workforce encompassing in-house security professionals, full-time security consultants, and self-employed offensive security researchers. To ensure a vendor-agnostic perspective, 50% of respondents currently provide testing services for both pentesting and bug bounty programs, ensuring the data reflects broad practitioner sentiment across the entire security ecosystem.

Cobalt Helps Organizations Embed Security Into Operations and Reduce Risk Faster

Posted in Commentary on October 28, 2025 by itnerd

Cobalt has undergone a large-scale expansion of its Cobalt Offensive Security Platform to transform offensive security from ad-hoc tests into a continuous, centrally managed program. The human-led, AI-powered platform provides the visibility, control, and efficiency needed to secure organizations—from code to company—at scale.

According to the 2025 Gartner® Innovation Insight: Penetration Testing as a Service report, “by 2029, organizations adopting PTaaS will perform penetration testing up to five times more frequently than those relying solely on traditional methods.”

Traditional pentesting is fundamentally slow and inflexible, relying on fixed scopes and delivering findings via static PDFs long after testing concludes. This leaves development teams operating in the dark and provides only a point-in-time snapshot, lacking the scale and strategic value modern enterprises demand. This limitation is precisely why Cobalt built the Cobalt Platform: to replace the legacy model with a unified, strategic, and continuous offensive security program.

Cobalt helps organizations transform their pentesting program from a series of manual, disconnected tests into a single, optimized program. It provides the enterprise-grade controls, automation, and visibility businesses need to centralize their offensive security, from initial setup to final reporting. It includes:

  • Pentest Planning and Calendar View: Efficiently schedules pentests to align with each company’s needs, providing the ability to plan the assets they want to test and when.
  • Integrations: Seamlessly integrates with existing workflows. The native integrations or workflow builder automatically connects with 50+ tools.
  • Ability to Create and Manage In-House Pentests: Organizations can launch and manage in-house pentests within the Cobalt Platform. They can set up a pentest, invite their own pentesters, and analyze results in one place.
  • Insights and Benchmarks: Tracks progress over time, benchmarks against peers, and identifies actionable steps to strengthen security posture.

Cobalt Augments Human-Led Pentesting with New AI-Powered Innovations

Posted in Commentary on October 7, 2025 by itnerd

Cobalt today announced new human-led, AI-powered enhancements to its Cobalt Offensive Security Platform, designed to enrich capabilities for both the Cobalt Core pentesting community and its customers. These advancements merge the efficiency of automated intelligence with the creativity and expertise of skilled security professionals. This strategic approach enables organizations to maintain their defensive edge against evolving and complex threats. 

The future of Cobalt encompasses a human-led, AI-powered approach to optimize traditional pentesting workflows. These AI-powered solutions provide streamlined data enrichment, remediation guidance, and improve overall efficiency and output. The new capabilities include:

  • AI-Powered Scoping: Prioritizes the right assets and accurately identifies the environment and pentest needs.
  • AI Pentest Assistant: Summarizes prior findings and pentest-related content, and suggests potential actions based on findings.
  • AI-Powered Reconnaissance (available Q4 2025): Streamlines the reconnaissance phase so pentests can start faster and testers can focus on finding exploits.
  • AI Assistant for Findings and Reports: Suggests draft text for certain findings and reports sections.
  • AI-Driven Insights and Benchmarking: Provides industry peer comparisons with key metrics and recommendations.

The first iteration of Cobalt AI enhancements addresses a critical challenge in modern cybersecurity: the overwhelming volume of data that can obscure genuine threats. Cobalt AI models are trained on over a decade of real pentesting data, rather than synthetic data or bug bounties, resulting in one of the richest datasets in the industry. By eliminating tedious reconnaissance tasks and filtering signals from noise, Cobalt empowers penetration testers to focus on what they do best—identifying sophisticated attack vectors and developing innovative exploits that strengthen customer defenses.

Financial Services Industry: Strong at Prevention, But Weak at Vulnerability Remediation

Posted in Commentary on September 30, 2025 by itnerd

Cobalt today released its State of Pentesting in Financial Services 2025 Report with new insights into how the financial services industry identifies and resolves serious security vulnerabilities. Cobalt pentesting data shows that the financial services sector is accruing security debt and a backlog of serious vulnerabilities. Although financial services firms have one of the lowest rates of serious vulnerability findings, they are among the slowest industries to remediate them.

Financial Services Findings: Strengths and Backlogs

  • Low rate of serious findings: Financial services organizations rank near the top for preventing serious vulnerabilities from appearing at all.
  • Moderate resolution rates: The industry resolves about two-thirds (66.7%) of serious findings, ranking 10 out of the 13 industries Cobalt researched.
  • Slow median time to remediation (MTTR): At 61 days, financial services ranks 11th of 13 industries, well behind hospitality, which resolves serious findings in 20 days.
  • Backlogs reflected in half-life: Financial services has a half-life of 147 days for serious findings, placing ninth overall, out of the thirteen industries measured. Half-life, unlike MTTR, accounts for unresolved vulnerabilities and provides a fuller picture of backlog and risk.
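To make the MTTR versus half-life distinction above concrete, here is an added example (not Cobalt's code or its published method) that computes both metrics over a constructed set of twelve serious findings, four of which remain open. It assumes half-life means the age at which half of all findings, open ones included, have been closed, and it returns no estimate when too few findings have been watched long enough for that figure to be trustworthy.

```python
"""Added example, not from Cobalt's report or platform.

MTTR below is the median age of resolved findings only, so open findings
never affect it. Half-life is assumed (Cobalt's exact method is not stated
on the page) to be the age at which half of ALL findings in the cohort,
open ones included, have been resolved. A backlog therefore raises the
half-life while leaving MTTR untouched.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    fid: str
    found_day: int               # day the pentest reported the finding
    resolved_day: Optional[int]  # None = still open


def _age_if_resolved(f: Finding, cutoff: int) -> Optional[int]:
    """Days from discovery to fix, or None if still open at the cutoff."""
    if f.resolved_day is None or f.resolved_day > cutoff:
        return None
    return f.resolved_day - f.found_day


def _resolved_ages(findings: List[Finding], cutoff: int) -> List[int]:
    """Sorted discovery-to-fix ages of every finding closed by the cutoff."""
    ages = []
    for f in findings:
        age = _age_if_resolved(f, cutoff)
        if age is not None:
            ages.append(age)
    return sorted(ages)


def resolution_rate(findings: List[Finding], cutoff: int) -> float:
    """Share of all findings closed by the cutoff (the report's 66.7% figure)."""
    return len(_resolved_ages(findings, cutoff)) / len(findings)


def mttr_days(findings: List[Finding], cutoff: int) -> Optional[float]:
    """Median time to remediation: looks only at findings that were fixed."""
    ages = _resolved_ages(findings, cutoff)
    return median(ages) if ages else None


def half_life_days(findings: List[Finding], cutoff: int) -> Optional[int]:
    """Age at which at least half of ALL findings are closed.

    Returns None when fewer than half are closed within the window (the
    backlog is too large for a half-life to exist yet) or when some open
    finding has been watched for less time than the candidate half-life,
    because it might still close before that age and lower the estimate.
    """
    n = len(findings)
    ages = _resolved_ages(findings, cutoff)
    k = (n + 1) // 2                       # ceil(n / 2) closures needed
    if len(ages) < k:
        return None
    candidate = ages[k - 1]                # k-th smallest resolution age
    open_watch = [cutoff - f.found_day for f in findings
                  if _age_if_resolved(f, cutoff) is None]
    if open_watch and min(open_watch) < candidate:
        return None                        # censored: not observed long enough
    return candidate


# Constructed sample: 12 serious findings, 8 fixed and 4 still open, mirroring
# the report's "about two-thirds resolved" pattern. Days are relative to day 0.
SAMPLE = [
    Finding("F-01", 0, 5),    Finding("F-02", 3, 15),   Finding("F-03", 10, 30),
    Finding("F-04", 14, 44),  Finding("F-05", 20, 65),  Finding("F-06", 25, 102),
    Finding("F-07", 30, 150), Finding("F-08", 35, 175),
    Finding("F-09", 40, None), Finding("F-10", 50, None),
    Finding("F-11", 60, None), Finding("F-12", 90, None),
]

if __name__ == "__main__":
    # At day 100 MTTR looks better (20 days) than at day 180 (37.5 days), yet no
    # half-life exists at all because fewer than half the findings are closed.
    for cutoff in (100, 180):
        print(f"cutoff day {cutoff}: resolved {resolution_rate(SAMPLE, cutoff):.1%}, "
              f"MTTR {mttr_days(SAMPLE, cutoff)} days, "
              f"half-life {half_life_days(SAMPLE, cutoff)} days")
```

With the full window the sample gives an MTTR of 37.5 days but a half-life of 77 days, the same direction of gap the report describes (61 days versus 147 days), because the four open findings count against the half-life and not against the MTTR.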

Vulnerability Profile: Automation Strengths, Human Testing Gaps

The financial services sector excels at addressing straightforward, code-level vulnerabilities, thanks to mature AppSec programs, automated scanning (SAST/DAST), and strong secure coding standards. This results in significantly lower rates of cross-site scripting (5.0% vs. 9.7%) and server-side injection (4.2% vs. 5.3%) in web applications and APIs, compared to other industries.

However, pentests reveal blind spots where automation falls short. The industry struggles with:

  • Sensitive data exposure: 10.5% vs. 8.0% average in other industries.
  • Business logic flaws: 2.9% vs. 2.3% average in other industries.
  • Server security misconfigurations: 34.9% vs. 27.9% average in other industries.
  • Components with known vulnerabilities: 6.1% vs. 5.5% average in other industries.

These vulnerabilities often require human-led pentests to uncover because they involve complex data flows, legacy systems, and application-specific logic that scanners cannot interpret.

Pentesting Practices and Pressures

While financial services firms struggle to resolve most serious issues (61-day MTTR, 147-day half-life, and one-third of serious issues never resolved), they do maintain a solid track record in meeting strict internal service level agreements (SLAs) for the remediation of serious vulnerabilities. Deeper operational data reveals significant systemic bottlenecks and major backlogs of vulnerabilities that expose financial organizations to risks of data loss and breaches.

The industry’s exposure due to slow remediation speed is amplified by external threats and internal challenges—ranging from scheduling delays to the escalating risks posed by third-party software vulnerabilities, genAI complexity, and insider threats.

  • SLAs narrowly met: Despite their 61-day MTTR for serious issues overall, 78% of financial services firms report fixing critical vulnerabilities in business-critical assets within 14 days, in line with SLA requirements.
  • Scheduling challenges: 70% report that pentest scheduling delays sometimes impact compliance or business timelines, meaning potential security risks remain unaddressed for a longer period.
  • Top risks: Financial services leaders highlight third-party software (76%), genAI-related risks (68%), and insider threats (46%) among their greatest concerns.


Methodology

The findings in the State of Pentesting in Financial Services 2025 are based on 10 years of Cobalt pentesting data, and on data from Emerald Research, an independent third-party research firm, sponsored by Cobalt. The survey included 500 respondents, consisting of security leaders, defined as a mix of C-level and VP-level security professionals, and security practitioners, representing organizations with 500 to 10,000 employees.

Cobalt Research Reveals Critical Readiness Gap as Security Teams Fall Behind GenAI Risks

Posted in Commentary on June 24, 2025 by itnerd

Cobalt today announced the release of its State of LLM Security Report 2025. This new research reveals a widening readiness gap in enterprise security as the rapid adoption of generative AI (genAI) outpaces defenders’ ability to secure it. A staggering 36% of security leaders and practitioners admit that genAI is moving faster than their teams can manage, a sobering reality as organizations continue to embed AI deep into core business operations.

Despite growing concern, many are calling for a timeout: 48% of respondents believe a “strategic pause” is needed to recalibrate defenses against genAI-driven threats. But that pause isn’t coming.

Key findings from the report include:

  • 72% of respondents cite genAI-related attacks as their top IT risk, but 33% are still not conducting regular security assessments, including penetration testing, for their LLM deployments.
  • 50% of respondents want more transparency from software suppliers about how they detect and prevent vulnerabilities, signaling a growing trust gap in the AI supply chain.
  • Security leaders (C-suite and VP level) are more concerned about long-term genAI threats like adversarial attacks (76%) versus the 68% of practitioners who expressed the same concern. However, when it came to near-term operational risks such as inaccurate outputs, 45% of practitioners expressed concern versus 36% of security leaders.
  • Top concerns among all survey respondents include sensitive information disclosure (46%), model poisoning or theft (42%), and training data leakage (37%), all pointing to an urgent need to protect the integrity of data pipelines.
  • Overall, 69% of serious findings across all pentest categories are resolved, but this falls to just 21% of the high-severity vulnerabilities found in LLM pentests. This is concerning given that 32% of LLM pentest findings are serious, and it is the lowest resolution rate across all test types conducted by Cobalt.

Methodology

The report analyzes two different datasets. The majority of analysis is based on data collected during Cobalt pentests. This is supplemented by insights collected via a survey by a third-party research firm, Emerald Research. All penetration testing data analyzed in this report was collected through Cobalt pentests. This spans more than 2,700 organizations. Metadata from these pentests was exported from the Cobalt Offensive Security Platform, sanitized to remove client-identifying and other sensitive details, and provided to Cyentia Institute for independent analysis.


Cobalt Launches New Product Innovations to Enhance Pentest Transparency, Automation, and Risk Prioritization

Posted in Commentary on June 4, 2025 by itnerd

Cobalt today announced a set of powerful product enhancements within the Cobalt Offensive Security Platform aimed at helping customers scale security testing with greater clarity, automation, and control. These innovations further the company’s commitment to deliver expert-driven, fast-to-launch pentesting, now with even richer data and streamlined workflows.

The Cobalt Platform centralizes access to security services from a team of expert pentesters, making it easier to find and fix vulnerabilities across an organization’s environments. By enabling faster pentest launches, real-time collaboration with testers, continuous scanning, and seamless integration with remediation workflows, Cobalt helps security teams of all sizes identify their critical issues and accelerate risk mitigation. With these new enhancements, pentesters can:

  • Gain clearer risk prioritization. By having standardized CVSS v3.1 scores alongside OWASP ratings for every finding, users get a clear, objective understanding of vulnerability severity. This allows users to focus their remediation efforts on the most critical issues first, saving time and resources while strengthening their security posture. CVSS data will also be readily accessible via reports, CSV exports, the public API, and integrations.
  • Achieve deeper insight and trust in their pentest results. Final pentest reports will now feature a detailed Coverage Checklist with associated findings. This enhancement increases transparency by providing a holistic overview of testing scope and methodology, while linking findings directly to test activities—making it easier for users to analyze results and take action.
  • Simplify recurring vulnerability workflows. A new configuration option will streamline workflows for recurring or retested vulnerabilities. Users can choose to automatically associate carried-over findings with existing tickets or generate new ones for separate tracking—saving time and reducing confusion in vulnerability management workflows.
  • Launch pentests with unprecedented ease and speed. Launching a pentest is as simple for pentesters as ordering a pizza. With an intuitive new flow, users can select from a full menu of pentest options, customize requirements, such as requesting a debrief call, and place their order in minutes—improving usability and accelerating test launches.

Cobalt continues to lead the offensive security market by making pentesting more actionable, transparent, and scalable. Whether launching a test within 24 hours, integrating insights directly into development pipelines, or enabling compliance reporting with precision, the Cobalt Platform is purpose-built for today’s security and DevOps teams.

Cobalt Names Christopher Elisan as Head of Offensive Security Research and Community

Posted in Commentary on April 23, 2025 by itnerd

Cobalt today announced the appointment of Christopher (Tophs) Elisan as its new Director of Offensive Security Research and Community. In this role, Elisan will spearhead continuous innovation in offensive security practices and lead the Cobalt Core community of 450+ of the world’s best pentesters.

Elisan is a seasoned cybersecurity professional with specialized expertise in both offensive and defensive technologies. A premier Advanced Persistent Threat (APT) researcher, he has a proven track record in researching threat actor tooling, malware, deployment vectors, and attack infrastructure. His deep understanding of attacker behavior and the human elements behind cyberattacks enables him to bring a nuanced, strategic approach to threat intelligence.

Elisan’s career spans high-profile positions at organizations including RSA NetWitness, Polyswarm, Flashpoint, F-Secure, and Trend Micro, where he led global security teams through complex investigations, vulnerability management, and the deployment of advanced security solutions. In addition to his leadership expertise, Elisan has authored three books, including Hacking Exposed: Malware and Rootkits, and Malware, Rootkits & Botnets: A Beginner’s Guide. His thought leadership extends to international conferences, where he shares his expert opinions on the latest in cybersecurity threats and incidents.

At Cobalt, Elisan will oversee the company’s focus on evolving pentesting from an art into a science, combining offensive security testing with deep threat intelligence analysis to enhance the company’s PTaaS offerings. His work will focus on identifying emerging vulnerabilities, analyzing adversary tactics, techniques, and procedures (TTPs), and providing actionable insights to help businesses stay secure.

Elisan’s appointment underscores the company’s commitment to proactive cybersecurity, blending the power of offensive security with advanced research to deliver real-time insights that enable organizations to strengthen their defenses and stay ahead of attackers.