68% of CISOs see supply chain risk and generative AI security as top concerns—intertwined challenges that redefine the attack surface
Cobalt, the pioneer of penetration testing as a service (PTaaS) and leader in offensive security services, announced the release of its CISO Perspectives Report 2025: AI and Digital Supply Chain Risks. The report surveys security leaders on topics including third-party software risk, concerns about AI, insider threats and current attitudes toward offensive security strategies.
Findings in this report include:
- 68% of security leaders are concerned about the risks of third-party software tools and components introduced across their tech stacks.
- 73% reported receiving at least one notification of a software supply chain vulnerability or incident in the past year.
- 60% believe attackers are evolving too quickly to maintain a truly resilient security posture.
- 46% are uneasy about AI-driven features and large language models.
- 68% say their boards now view the secure deployment of genAI as a critical priority.
- 55% of security leaders say they’re constantly worried one employee mistake could put the whole organization at risk.
As organizations embrace digital transformation and AI, security teams face mounting pressure to defend an ever-expanding attack surface. The report reveals that traditional reactive security measures cannot keep pace with modern threats, particularly when adversaries leverage automation and AI to scale their attacks. Third-party software components, open-source dependencies, and emerging AI-driven capabilities introduce unseen vulnerabilities that can have cascading effects across the enterprise. These risks underscore the urgent need for proactive offensive testing and continuous visibility across the digital supply chain.
“Security leaders understand that attackers are evolving at an unprecedented pace, and defensive strategies alone won’t cut it,” said Andrew Obadiaru, CISO at Cobalt. “Our research shows a growing demand for offensive security to complement traditional controls. This isn’t just about finding gaps—it’s about building a culture of continuous resilience where security is tested as rigorously as the threats we face.”
The CISO Perspectives report also highlights the growing role of penetration testing in security strategies. Nearly nine in 10 security leaders (88%) view pentesting as an essential component of their overall program. Far beyond a compliance checkbox, it is a proactive measure to identify and remediate vulnerabilities before exploitation occurs. Pentesting is also being embedded into software development to provide assurance to regulators and customers concerned about third-party risk. More than half (58%) of respondents require third-party pentest reports to validate software security, while 55% conduct independent code reviews and 53% supplement these efforts with internal testing. These practices reflect a deep commitment to building resilience across the digital supply chain.
The findings serve as a wake-up call for enterprises to rethink their approach to resilience. A single employee misstep or overlooked vulnerability in a software library can trigger a breach with far-reaching business impact. Offensive security practices, such as penetration testing and red teaming, are becoming indispensable for validating defenses in real-world conditions. By adopting a continuous, threat-informed testing strategy, organizations can stay ahead of evolving attacker tactics, reduce uncertainty, and build board-level confidence in their security posture.