Pen test
Cybersecurity statistics about pen test
Related Topics
Top Vendors
Showing 1-20 of 25 results
70% of financial services firms report that delays in scheduling pentests sometimes impact compliance or business timelines.
76% of financial services leaders highlight third-party software vulnerabilities as a top concern.
68% of financial services leaders highlight GenAI-related risks as a top concern.
The half-life for serious findings is 147 days in the financial services industry. This metric, which accounts for unresolved vulnerabilities, places FS ninth overall out of the thirteen measured industries.
Cross-site scripting (Web/API): 5.0% in the financial services industry (versus 9.7% average in other industries).
Server security misconfigurations: 34.9% in the financial services industry (versus 27.9% average in other industries).
Business logic flaws: 2.9% in the financial services industry (versus 2.3% average in other industries).
Server-side injection (Web/API): 4.2% in the financial services industry (versus 5.3% average in other industries).
Industries like hospitality resolve serious findings significantly faster than the financial services industry (61 days vs 20 days).
46% of financial services leaders highlight insider threats as a top concern.
Sensitive data exposure: 10.5% in the financial services industry (versus 8.0% average in other industries).
Components with known vulnerabilities: 6.1% in the financial services industry (versus 5.5% average in other industries).
The Median Time to Remediation (MTTR) for serious findings is 61 days in the financial services industry. This ranks financial services 11th of 13 industries measured.
Approximately one-third of serious issues are never resolved by the organizations in the financial services industry, contributing to backlog and systemic risk.
The financial services industry resolves about two-thirds (66.7%) of serious findings. This ranks the industry 10 out of the 13 industries Cobalt researched.
Financial services firms demonstrate strengths in avoiding common, code-level flaws due to mature security programs and automated scanning (SAST/DAST). However, they struggle with vulnerabilities that require human-led testing.
78% of financial services firms report fixing critical vulnerabilities in business-critical assets within 14 days, indicating they narrowly meet strict internal SLA requirements.
Nearly 40% of healthcare SLAs require serious findings in business-critical assets to be fixed within three days. Another 40% require resolution within four to 14 days.
Healthcare resolved only 57.4% of serious pen test findings. This ranks healthcare 11th of 13 industries. By comparison, transportation led with 80.2%.
Just 13.3% of healthcare pentest findings qualify as “serious”. This ranks healthcare 6th-best out of 13 industries.