Pentesting Pulse Report Reveals Widening Satisfaction Gap as Security Leaders Race to Secure AI at the Speed of Business

Only 36% of security leaders are fully satisfied with their pentesting provider as AI adoption accelerates, vulnerabilities surge and specialized knowledge lags

  • Satisfaction Gap: Only 36% of security leaders are fully satisfied with traditional pentesting providers, despite pentesting being viewed as essential for compliance and defense validation.

  • Lack of Pentester Expertise: 23% cited a lack of the specialized knowledge needed for modern stacks. The expertise gap is especially apparent in small teams in boutique consultancies.

  • Speed-of-Business Testing: Security teams are moving toward pentesting models that launch in days, not weeks, to eliminate release bottlenecks, get real-time insights, and quickly retest fixes.

Cobalt, the pioneer of Penetration Testing as a Service (PTaaS) and a leading provider of human-led, AI-powered offensive security solutions, released a new Pentesting Pulse Report, which exposes a growing disconnect in the security testing market. While penetration testing remains essential for both compliance and defense validation, satisfaction with traditional pentesting vendors is alarmingly low. According to the survey of 150 senior security leaders, a mere 36% report being fully satisfied with their current pentesting provider.

The findings arrive at a critical moment. Security teams are under mounting pressure to manage an explosion of vulnerabilities while simultaneously enabling the safe adoption of AI-driven features and AI-generated code. Seventy-six percent of respondents say staying ahead of threats and vulnerabilities is a top priority, while half are actively focused on securing AI within their environments. Yet many teams report that slow scheduling, shallow findings, and lack of expertise are creating bottlenecks that hinder secure development.

Key Findings:

  • Only 36% of respondents are fully satisfied with their current pentesting vendor.
  • 76% cite staying ahead of threats and vulnerabilities as a high-priority security goal.
  • 50% identify securing AI adoption as a key strategic focus.
  • 40% are motivated to switch vendors for higher quality testing, while 37% cite the need for AI-specific pentesting expertise.
  • Operational friction remains high, with vendor rotation (28%) and lack of pentester expertise (23%) cited as top challenges.
  • 35% say the ability to schedule testing in days, not weeks, would motivate them to change providers.

The Evolving Mandate for Security Leaders

Security leaders are fighting a dual-front battle: maintaining baseline security and compliance while enabling rapid innovation driven by AI. Regulatory requirements such as SOC 2 and HIPAA remain critical for 63% of respondents, but AI has introduced a new layer of urgency. Fifty-three percent report concerns about vulnerabilities introduced by insecure code written by AI, particularly as AI coding agents become more prevalent. For 40% of leaders, releasing safe products at the speed of business now requires a fundamental shift in how security testing is delivered.

The State of Pentesting: Essential, but Struggling

Pentesting remains foundational, with 85% of respondents viewing it as either a core compliance requirement or an invaluable method for validating defenses. Despite this, confidence in execution is eroding. Frequent vendor rotation creates onboarding and integration overhead, while generalist testers often lack the specialized expertise needed to assess modern cloud-native and AI-driven systems. One in five respondents say pentest reports lack the depth required to understand true risk or prioritize remediation effectively.

The LLM Risk Paradox: High Anxiety, Low Readiness

The report highlights a stark readiness gap around AI security. While concerns are widespread, only one-third of organizations conduct regular security assessments of their AI or LLM deployments. Sensitive information disclosure tops the list of AI-related fears, cited by more than 85% of respondents, followed by vulnerabilities from insecure AI-generated code, prompt injection, and insecure plugins.

Redefining the Testing Cadence

Security leaders are calling for a faster, more integrated approach to offensive security. Forty-one percent say incorporating testing of AI into their regular cadence is the most important strategic shift, while 32% are focused on increasing testing speed overall. There is growing demand for continuous testing models, deeper integration with development workflows, and real-time collaboration with pentesters instead of static, after-the-fact reports.

“Our survey confirms what many security leaders are experiencing firsthand. The era of the slow, shallow, check-the-box pentest is over,” said Andrew Obadiaru, CISO, Cobalt. “Teams are building AI-driven products at the speed of business, but traditional testing models cannot keep up. Low satisfaction with vendors isn’t a complaint, it’s a market signal. Security leaders need high-quality expertise, faster turnaround, and a model that integrates directly into the development lifecycle. That is exactly why the PTaaS model exists.”
