Introduction
The current state of cybersecurity within organizations reveals a paradox: while there is a high level of confidence among security leaders regarding their defenses, significant vulnerabilities remain unaddressed [3] [4]. This situation underscores the need for improved remediation practices and a balanced approach between speed and security.
Description
Organizations report a strong cybersecurity posture, with 81% of security leaders expressing confidence in their defenses [2]. However, 48% of exploitable vulnerabilities identified during penetration testing remain unresolved, as highlighted in Cobalt’s 2025 State of Pentesting Report [3]. This figure rises to 69% for vulnerabilities classified as serious (rated high or critical) [3], indicating significant gaps in enterprise defenses [2].
Alarmingly, only 21% of identified flaws in generative AI applications are remediated, despite 94% of firms deeming penetration testing essential for their GenAI apps. Additionally, 50% of organizations do not fully trust their ability to identify and prevent vulnerabilities from software suppliers [3].
Gunter Ollmann, CTO of Cobalt, noted that 31% of serious vulnerabilities remain unaddressed [3] [4], although increased awareness allows organizations to develop effective mitigation strategies. Furthermore, 52% of respondents indicated they face pressure to prioritize speed over security [3], which complicates their remediation efforts.
Notably, larger organizations tend to take longer to resolve serious issues, with a median resolution time of 67 days [1], well beyond the typical two-week service level agreement (SLA) [1]. Smaller companies, in contrast, resolve serious vulnerabilities faster than their larger counterparts. Even so, the findings point to a need for improved remediation practices across the board.
Conclusion
The findings highlight a critical need for organizations to enhance their vulnerability management strategies, particularly in the face of increasing pressure to prioritize speed over security. Addressing these gaps is essential to fortify defenses against potential threats. As organizations continue to rely on generative AI and other advanced technologies, the importance of robust and timely remediation practices cannot be overstated. Future efforts should focus on fostering a culture that values both security and efficiency, ensuring that vulnerabilities are addressed promptly to safeguard organizational assets.
References
[1] https://cybermaterial.com/firms-struggle-to-fix-flaws-in-genai/
[2] https://thecyberexpress.com/state-of-pentesting-report-2025/
[3] https://www.itpro.com/security/vulnerability-patching-ai-application-security
[4] https://business.theeveningleader.com/theeveningleader/article/bizwire-2025-4-14-organizations-fix-less-than-half-of-all-exploitable-vulnerabilities-with-just-21-of-genai-app-flaws-resolved