SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

AI security drives demand for faster pentesting models

Thu, 29th Jan 2026

Cobalt has published new survey findings that point to low satisfaction with penetration testing providers, as security teams place more emphasis on AI-related risks and faster testing cycles.

The company's Pentesting Pulse Report draws on responses from 150 senior security leaders. It found that 36% said they were fully satisfied with their current penetration testing provider. The report also found that 40% would consider switching vendors for higher quality testing and 37% would move for AI-specific penetration testing expertise.

Penetration testing remains a staple of many security programmes. The report said 85% of respondents view it as either a core compliance requirement or an important way to validate defences. It also said regulatory requirements such as SOC 2 and HIPAA remain critical for 63% of respondents.

At the same time, many security leaders reported pressure from growing vulnerability volumes and new software development patterns. The report said 76% of respondents cite staying ahead of threats and vulnerabilities as a high-priority security goal. It said 50% identify securing AI adoption as a key strategic focus.

Vendor dissatisfaction

The survey results highlight what the report describes as a widening gap between the importance of penetration testing and the experience security teams have with traditional providers. Alongside low overall satisfaction, respondents flagged operational and delivery issues. Vendor rotation came through as a challenge for 28% of respondents, according to the report. It also said 23% cited a lack of pentester expertise as a top challenge.

Speed and scheduling surfaced as another point of friction. The report said 35% of respondents would be motivated to change providers if they could schedule testing in days rather than weeks.

The report also pointed to quality concerns. It said one in five respondents reported that penetration testing reports lack the depth required to understand risk or prioritise remediation effectively.

AI security focus

AI adoption and AI-generated code featured prominently in the survey's findings on security priorities. The report said 53% of respondents have concerns about vulnerabilities introduced by insecure code written by AI. It linked that concern to the growing use of AI coding agents.

Even with heightened attention, the report indicated uneven preparedness. It said only one-third of organisations conduct regular security assessments of their AI or LLM deployments.

The report listed sensitive information disclosure as the most commonly cited AI-related fear, at more than 85% of respondents. It also cited concerns about vulnerabilities from insecure AI-generated code, prompt injection, and insecure plugins.

Testing cadence

The report describes a shift in expectations around how penetration testing fits into development and release schedules. It said 41% of respondents view incorporating testing of AI into their regular cadence as the most important strategic shift. It said 32% are focused on increasing testing speed overall.

The survey findings also suggest security leaders want closer alignment between offensive security work and engineering workflows. The report referenced demand for continuous testing models, deeper integration with development processes, and collaboration with testers during an engagement rather than relying on a report at the end.

Cobalt positions its approach around penetration testing as a service, which blends human testing with AI tools. It also said it focuses on faster test launches and collaboration between customers and testers.

One issue highlighted in the report concerns access to specialists for modern environments. The report said 23% of respondents cited a lack of the specialised knowledge needed for modern stacks. It said the expertise gap is especially apparent in small teams in boutique consultancies.

Security leaders also reported that the pace of product development changes the role of security testing. The report said that for 40% of leaders, releasing safe products at the speed of business requires a fundamental shift in how security testing is delivered.

Andrew Obadiaru, CISO, Cobalt, linked the findings to frustrations about traditional penetration testing delivery models.

"Our survey confirms what many security leaders are experiencing firsthand. The era of the slow, shallow, check-the-box pentest is over," said Andrew Obadiaru, CISO, Cobalt. "Teams are building AI-driven products at the speed of business, but traditional testing models cannot keep up. Low satisfaction with vendors isn't a complaint, it's a market signal. Security leaders need high-quality expertise, faster turnaround, and a model that integrates directly into the development lifecycle. That is exactly why the PTaaS model exists."

Cobalt said it works with a network of more than 500 security experts and provides an offensive security platform for customers and partners. It also said it expects demand to grow for penetration testing models that fit faster development cycles and cover AI and LLM deployments as organisations expand their use of AI-driven systems.