Organizations fix under half of exploitable vulnerabilities


The latest State of Pentesting report from Cobalt reveals that organizations are fixing less than half of all exploitable vulnerabilities, with just 21 percent of GenAI app flaws being resolved.
It also highlights a degree of over-confidence: 81 percent of security leaders say they are 'confident' in their firm's security posture, even though 31 percent of the serious findings discovered remain unresolved.
Organizations are struggling in particular with vulnerabilities in their GenAI Large Language Model (LLM) web apps. Most firms (95 percent) have pentested these apps in the last year, and a third (32 percent) of those tests found vulnerabilities warranting a serious rating. Only 21 percent of those findings were fixed, with risks including prompt injection, model manipulation, and data leakage.
In addition, 72 percent rank AI attacks as their number one concern -- ahead of risks associated with third-party software, exploited vulnerabilities, insider threats, and nation state actors.
Only 64 percent say they are 'well equipped to address all security implications of GenAI.'
"Regular pentesting has never been so important, particularly given the breakneck speed of AI adoption and the vulnerabilities that are introduced into an organization's security posture," says Gunter Ollman, CTO of Cobalt. "It's a concern that 31 percent of serious vulnerabilities are not being fixed; however, at least these firms are aware of the problem and can develop strategies to mitigate the risk. Organizations that do take an offensive security approach are taking a huge step toward strengthening defenses against cybercriminals who typically attack opportunistically. In doing so they're getting ahead of any compliance requirements and reassuring their customers that they're safe to do business with."
The full report is available from the Cobalt site.
Image credit: weerapat/depositphotos.com