Cobalt Research: 78% of Security Teams Report Critical False Negatives from Automated Scanning

by: Business Wire | June 26, 2026

Cobalt, the pioneer in pentesting as a service (PTaaS) and a leader in continuous offensive security services, today announced the findings of its second annual Cobalt AI and Pentesting Pulse Report 2026. The research, which surveyed 455 cybersecurity professionals, revealed that the percentage of organizations relying entirely on AI automation for their testing needs plummeted from 29% last year to 9%, with 47% now preferring a hybrid testing model. The 22-point surge in support for the hybrid model stems directly from the 78% of organizations that experienced fully automated scanning tools missing critical vulnerabilities and returning false negatives.

Quick Intel

  • 78% of organizations experienced automated tools missing critical vulnerabilities.

  • Reliance on fully automated testing plummeted from 29% to 9% in one year.

  • 47% now prefer a hybrid testing model combining human expertise with AI.

  • AI/LLM applications produce high-risk findings at 2.7x the overall rate.

  • Only 38% of LLM vulnerabilities have been fixed; 62% remain open.

  • MTTR for AI/LLM issues rose to 36 days, up from 19 days in 2025.

The Trust Gap in Automated Security Testing

The 22-point surge in support for the hybrid model, in which human expertise supports AI testing, stems directly from the 78% of organizations that experienced fully automated scanning tools missing critical vulnerabilities and returning false negatives. Despite these gaps, security teams show an increasing willingness to automate testing for non-critical assets: the share favoring automation for low-risk environments rose 22 points to 47%. The steep decline in trust in full automation directly reflects the unique complexity of securing the AI attack surface itself. Traditional scanners struggle because AI and LLM applications produce high-risk findings at nearly triple the rate of conventional software.

AI/LLM Vulnerability Resolution Challenges

According to the Cobalt State of Pentesting Report 2026 released earlier this year, teams classified 32% of all AI-related pentest findings as high risk, compared to just 12% overall. At the time of analysis, only 38% of LLM vulnerabilities had been fixed, while 62% remained open, the lowest resolution rate of any category. The mean time to resolve (MTTR) for AI/LLM security issues rose to 36 days, up from 19 days in 2025, demonstrating that security teams are now tackling significantly harder vulnerabilities rather than just surface-level flaws.

Top AI Security Incidents and Attack Vectors

Among organizations that experienced confirmed AI-related security incidents, the data shows a diverse range of attack vectors. Shadow AI topped the list, contributing to 44% of incidents, followed closely by data or model poisoning (41%) and improper output handling (41%). Supply chain vulnerabilities (35%) and prompt injection (34%) completed the top five vectors. To combat these threats, 60% of security professionals state they require stronger LLM testing capabilities, yet only 42% plan to increase human-led red team operations, the practice best positioned to bridge this gap. 82% of security professionals report that their teams are dedicating significantly more effort to AI security initiatives, and 77% of organizations now conduct regular security assessments and pentests for AI-powered products, marking an 11-point increase from last year.

Leadership Perspective

Andrew Obadiaru, CISO of Cobalt, stated: "While the industry is rightfully excited about the potential of Mythos-class tools, unguided algorithms are inherently prone to returning even more false positives and costly false negatives than the automated scanners we have today. LLM vulnerabilities are deeply context-dependent and invisible to tools that lack an architectural understanding of the application. To close the validation gap, automation should be deployed exactly where it excels, but elite human expertise remains foundational to uncovering and remediating the most complex business logic risks."

About Cobalt

Cobalt is the pioneer in pentesting as a service (PTaaS) and a leader in human-led, AI-powered offensive security services™. We are focused on combining talent and technology with speed, scalability, and expertise. Thousands of customers and hundreds of partners rely on the Cobalt Offensive Security Platform, along with 500+ trusted security experts, to find and fix vulnerabilities across their environments. By enabling faster pentest launches, real-time collaboration with pentesters, and seamless integration with remediation workflows, we help organizations identify critical issues and accelerate risk mitigation so they can operate fearlessly and innovate securely. Cobalt maintains an outstanding NPS of 9, reflecting its dedication to customer satisfaction.

Tags: AI Security, Cybersecurity, LLM Security, Hybrid Testing