New Cobalt Research Reveals Only 9% of Security Professionals Support Fully Automated Pentesting
Cobalt, the pioneer in pentesting as a service (PTaaS) and a leader in continuous offensive security services, announced the findings of its second annual Cobalt AI and Pentesting Pulse Report 2026. The research, which surveyed 455 cybersecurity professionals, revealed that the percentage of organizations relying entirely on AI automation for their testing needs plummeted from 29% to 9% since last year, with 47% now preferring a hybrid testing model.
The 22-point surge in support for the hybrid model, in which human expertise supports AI testing, stems directly from the 78% of organizations that saw fully automated scanning tools miss critical vulnerabilities and return false negatives. Despite these gaps, security teams show an increasing willingness to automate testing for non-critical assets: the share favoring automation for low-risk environments rose 22 points to 47%.
This steep decline in automation trust directly reflects the unique complexity of securing the AI attack surface itself. Traditional scanners struggle because AI and LLM applications produce high-risk findings at nearly triple the rate of conventional software. According to the Cobalt State of Pentesting Report 2026 released earlier this year, teams classified 32% of all AI-related pentest findings as high risk, compared to just 12% overall. At the time of analysis, only 38% of LLM vulnerabilities had been fixed, while 62% remained open, the lowest resolution rate of any category.
Among organizations that experienced confirmed AI-related security incidents, the data show a diverse range of attack vectors. Shadow AI topped the list, contributing to 44% of incidents, followed closely by data or model poisoning (41%) and improper output handling (41%). Supply chain vulnerabilities (35%) and prompt injection (34%) completed the top five vectors. To combat these threats, 60% of security professionals state they require stronger LLM testing capabilities, yet only 42% plan to increase human-led red team operations, the practice best positioned to bridge this gap.
The research also found that:
- The mean time to resolve (MTTR) AI/LLM security issues rose to 36 days, up from 19 days in 2025, indicating that security teams are now tackling significantly harder vulnerabilities rather than just surface-level flaws.
- 82% of security professionals report that their teams are dedicating significantly more effort to AI security initiatives.
- 77% of organizations now conduct regular security assessments and pentests for AI-powered products, an 11-point increase from last year.
“While the industry is rightfully excited about the potential of Mythos-class tools, unguided algorithms are inherently prone to returning even more false positives and costly false negatives than the automated scanners we have today,” said Andrew Obadiaru, CISO of Cobalt. “LLM vulnerabilities are deeply context-dependent and invisible to tools that lack an architectural understanding of the application. To close the validation gap, automation should be deployed exactly where it excels, but elite human expertise remains foundational to uncovering and remediating the most complex business logic risks.”