Vulnerabilities
We've curated 267 cybersecurity statistics about Vulnerabilities to help you understand how software weaknesses and system flaws are being exploited by cybercriminals in 2025. This insight can guide you in fortifying your defenses effectively.
Showing 221-240 of 267 results
Claude 3.7 Sonnet scored a 6/10 secure code result using "naive" prompts.
OpenAI’s GPT-4o had the lowest performance, scoring a 1/10 secure code result using "naive" prompts.
Claude 3.7 Sonnet scored 10/10 with security-focused prompts.
Over 700 issues in Agentic AI repositories remain unaddressed.
There was a 34% surge globally in vulnerability exploitation as an initial attack vector.
The number of vulnerabilities has increased rapidly over the past eight years, growing threefold.
Nearly a quarter of all vulnerabilities in the IBM X-Force Vulnerability Database have an associated weaponized exploit.
60% of the top 10 vulnerabilities had been actively exploited or had a publicly available exploit within a window ranging from zero day to less than two weeks after disclosure.
4 out of top 10 vulnerabilities most mentioned on the dark web are linked to sophisticated threat actors.
The Veeam vulnerability (CVE-2024-40711) and similar documented vulnerabilities played a role in nearly 15 percent of the cases Sophos MDR tracked involving malicious intrusions in 2024.
Obsolete and unpatched hardware and software constitute an ever-growing source of security vulnerabilities.
69% of the highest-risk (serious) vulnerabilities are resolved.
Median time to resolve issues of all criticalities stretches to 67 days.
Less than half (48%) of vulnerabilities are remediated.
46% of companies commit to fix critical vulnerabilities within just three days.
LLM pentests yield a higher proportion of serious vulnerabilities (32%) than any other asset type tested.
Since 2017, the median time to resolve serious vulnerabilities has decreased dramatically—from 112 days down to 37 days last year.
Most companies set ambitious service-level agreements (SLA) requiring vulnerabilities to be fixed within 14 days.
Only 21% of serious vulnerabilities discovered in LLM tests are being resolved.
The drop in median time to resolve serious vulnerabilities from 112 days to 37 days represents a cut of 75 days, or two-thirds.