Vulnerabilities
We've curated 267 cybersecurity statistics about Vulnerabilities to help you understand how software weaknesses and system flaws are being exploited by cybercriminals in 2025. This insight can guide you in fortifying your defenses effectively.
78% of financial services firms report fixing critical vulnerabilities in business-critical assets within 14 days, indicating they narrowly meet strict internal SLA requirements.
76% of financial services leaders highlight third-party software vulnerabilities as a top concern.
The half-life for serious findings is 147 days in the financial services industry. This metric, which accounts for unresolved vulnerabilities, places financial services ninth overall out of the thirteen measured industries.
Cross-site scripting (Web/API): 5.0% in the financial services industry (versus 9.7% average in other industries).
The financial services industry resolves about two-thirds (66.7%) of serious findings. This ranks the industry 10 out of the 13 industries Cobalt researched.
In 49.2% of large ransomware claims, attackers gained access by exploiting system vulnerabilities.
Healthcare resolved only 57.4% of serious pen test findings. This ranks healthcare 11th of 13 industries. By comparison, transportation led with 80.2%.
14% of healthcare organizations resolve critical findings in business-critical assets within eight to 14 days.
Just 13.3% of healthcare pentest findings qualify as “serious”. This ranks healthcare 6th-best out of 13 industries.
43% of healthcare organizations resolve critical findings in business-critical assets in one to three days.
Healthcare’s half-life for serious pen test findings was 244 days. This ranks healthcare 11th of 13 industries. Transportation had a half-life of 43 days.
Healthcare’s median time to resolve serious pen test findings was 58 days. This ranks healthcare 10th of 13 industries. Hospitality led with 20 days.
Nearly 40% of healthcare SLAs require serious findings in business-critical assets to be fixed within three days. Another 40% require resolution within four to 14 days.
37% of healthcare organizations resolve critical findings in business-critical assets within four to seven days.
APIs in technology & SaaS providers' environments saw a 400% spike in critical vulnerabilities.
70% of vulnerabilities detected in healthcare systems were categorised as Medium and High severity issues.
47% of newly exploited vulnerabilities were originally published before 2025.
Published vulnerabilities rose 15% in H1 2025.
45% of published vulnerabilities in H1 2025 were rated high or critical.
Attacker activity precedes the public disclosure of a new vulnerability in edge devices and its Common Vulnerabilities and Exposures (CVE) number in 80% of cases. This pre-disclosure activity can precede the CVE disclosure by up to six weeks.