AI and LLM systems pose escalating, high-risk security challenges
Artificial intelligence and large language models are driving massive operational efficiency and innovation. Yet, the same power that enables automation, scale, and intelligent decision-making is also introducing severe, hard-to-control security risks. According to Cobalt’s State of Pentesting Report, 32% of all AI and LLM-related vulnerabilities are classified as high risk, almost triple the rate seen across other software applications. More concerning, only 38% of these high-risk issues are resolved, a sign that security teams often find these systems too complex to fix quickly.
The problem lies in the nature of AI itself. These models are built on layers of data, algorithms, and learning frameworks that are often created by third parties or open-source communities. Many of these systems behave unpredictably when exposed to new prompts, data inputs, or integration points. Traditional security methods built for standard applications no longer apply here. The result is that organisations face exposure not just from their own systems, but also from vulnerabilities embedded deep within external AI supply chains.
Executives need to see this as a strategic shift, not a technical inconvenience. Security doesn’t just mean protecting data; it means protecting the organisation’s ability to execute without disruption. As AI adoption accelerates (97% of surveyed companies are already adding AI features), the speed of deployment far outpaces the maturity of current defensive systems. The decline in security team confidence, from 64% last year to 51% today, signals that even skilled teams are struggling to keep up. Leadership must prioritise investment in adaptive security frameworks that evolve as fast as the technology itself.
This is not about slowing progress but managing it intelligently. The companies that will thrive with AI are the ones that combine rapid innovation with proactive defence, treating security as an integral part of product development, not a separate checkpoint at the end.
Organisations remain overly dependent on third-party software despite recognising its associated risks
It’s clear from Cobalt’s findings that business leaders understand the danger yet continue to overlook it. Seventy-five percent of organisations see third-party software as a top security risk. Still, 86% deploy external vendor tools without verifying if they’ve been properly tested. This gap between awareness and action is a growing weakness across industries. The convenience of relying on established vendors often masks unseen exposure points throughout the supply chain.
The problem becomes more critical as organisations integrate AI-driven and cloud-based systems into their core functions. When your software ecosystem depends on tools built and maintained elsewhere, you’re effectively trusting thousands of unknown developers and system updates to meet your security standards. A single overlooked patch or untested component can expose customer data, disrupt operations, and erode trust with regulators and clients alike.
For executives, this is a governance issue as much as it is a security one. Vendor transparency should no longer be optional. Your teams need a structured, ongoing process for evaluating and validating third-party tools, especially those tied to customer data and AI models. Tools and suppliers must be proven secure before any deployment. It’s not enough to rely on a vendor’s certification or compliance report; those are static assurances in a constantly shifting environment.
Empowered leadership means owning this risk directly. The organisations that move beyond passive vendor trust and adopt active verification processes are the ones that safeguard their autonomy. In simple terms, every third-party product must meet the same security standards you set for your in-house development. It’s the only way to protect innovation without compromising resilience.
Nation-state and AI-powered threats are reshaping the cybersecurity landscape
Cybersecurity is undergoing a major shift. Traditional criminal groups are no longer the only concern; nation-states and AI-driven threat actors are now driving much of the activity. Cobalt’s report shows that 20% of surveyed organisations rank nation-state threats as one of their primary risks. In financial services, that number rises to 40%, confirming that these sectors are high-value targets for targeted, well-funded operations.
At the same time, attackers are using AI to scale and refine their methods. The report states that 93% of security professionals have observed adversaries leveraging AI to make their attacks more advanced and efficient. These threats are not only evolving faster but are also becoming more precise. AI enables adversaries to probe systems continuously, identify weaknesses faster than humans can, and automate exploitation across systems and geographies.
For executive teams, this means the threat environment is no longer predictable or easily contained. The interplay between geopolitics and technology creates risk scenarios that can directly disrupt operations, financial systems, and supply networks. Security strategy must expand beyond technical containment to include strategic resilience, anticipation, coordination, and continuity planning.
Leaders should treat this as a systemic business risk rather than an isolated IT issue. Investments in intelligence-sharing partnerships, rapid-response capabilities, and AI-driven defensive tools can help maintain an advantage. The speed and sophistication of AI-based threats call for equal or greater innovation in defence. The organisations that adapt fastest will be the ones that maintain stability and command real trust during future disruptions.
A disconnect exists between senior management’s perceptions and operational realities of vulnerability remediation
Cobalt’s data reveals a critical misalignment between executive perception and the frontline experience of cybersecurity teams. While 57% of C-suite leaders believe their organisations meet security remediation targets consistently, only 15% of security practitioners agree. In practice, top-performing organisations close high-risk vulnerabilities in around 10 days, but at the lower end, it can take 249 days. This performance gap represents more than a procedural problem; it reflects miscommunication, misplaced metrics, and a lack of unified accountability.
For executives, this disconnect can lead to false confidence and delayed responses when issues arise. Security teams often face constraints in resources, tooling, and prioritisation that leadership undervalues or misunderstands. When those realities are masked by optimistic reporting, organisations build a fragile sense of safety that collapses under pressure.
Closing this gap requires changes in culture as well as process. Security must be integrated directly into business performance reviews, not treated as a separate operational concern. Progress should be measured through verified outcomes (number of vulnerabilities closed, response times achieved, and internal collaboration effectiveness), not just budget allocation or reported compliance. Real security maturity comes from transparency across all levels of the organisation.
Leaders who insist on alignment between boardroom expectations and field results will build stronger, more accountable systems. That alignment fosters faster decision-making, more accurate risk assessment, and a culture that treats cyber defence as a shared responsibility, not a delegated burden.
Continuous, programmatic penetration testing yields faster vulnerability resolution and stronger security outcomes
Cobalt’s research makes it clear: organisations that use continuous, programmatic penetration testing are far ahead in addressing critical vulnerabilities. They are 4.5 times more likely to fix high-risk findings within three days compared to teams relying on periodic or compliance-based testing. This approach transforms security from a reactive function into an active and ongoing process, one that constantly measures, verifies, and improves resilience.
Traditional compliance testing creates long intervals between assessments, allowing threats to accumulate unnoticed. Continuous testing, by contrast, provides a real-time view of risk exposure. It equips security teams with accurate, current information that can guide immediate decision-making. For executives, this translates directly into fewer system disruptions, reduced remediation costs, and greater stakeholder confidence in the company’s ability to manage threats.
A continuous testing model also introduces operational discipline. It ensures that security findings don’t sit unresolved, and that accountability extends from technical teams to management oversight. This level of consistency drives long-term efficiency, as recurring issues are detected earlier and resolved faster. Over time, it builds a cycle of measurable improvement that strengthens both defensive capability and trust.
For business leaders, the message is straightforward: treat continuous testing as a strategic investment, not a technical upgrade. The ability to identify and remediate vulnerabilities swiftly protects not only data integrity but also the company’s agility in competitive markets. The most secure organisations maintain this momentum by testing, validating, and improving without waiting for external triggers.
Increased security spending alone does not address the limits of traditional assessment methods
Cobalt’s data shows that spending is trending upward across industries. About 33% of organisations reported major increases in their security budgets, while 50% saw moderate growth. However, this increase in capital allocation has not delivered results strong enough to counter modern threats. The issue is not how much is spent but where and how those resources are focused. Conventional annual assessments and certifications cannot keep pace with continuously evolving attack methods, especially those powered by AI or driven through supply-chain vulnerabilities.
For executives responsible for budget allocation, this calls for a reassessment of priorities. Investment needs to shift away from static security audits toward ongoing, intelligence-led strategies. That means real-time threat detection, continuous testing, and adaptive defence platforms that adjust as new attack surfaces emerge. Conventional audits and certifications may help with compliance, but they provide limited protection against threats that evolve daily.
This is also a matter of confidence and accountability. Many boards and investors equate higher budgets with higher protection. The data no longer supports this assumption. Security spending must now demonstrate measurable impact: faster response times, higher remediation rates, and improved resilience indicators. Without direct performance tracking, increased expenditure can mask inefficiencies rather than resolve them.
Leadership should view rising budgets as opportunities to modernise their security models. The future of cybersecurity depends on dynamic, integrated systems capable of defending at speed. Money alone cannot deliver that outcome; strategic focus and continuous adaptation will.
Inherent weaknesses in underlying AI models demand proactive testing and vendor accountability
Cobalt’s State of Pentesting Report highlights a difficult truth about artificial intelligence risks: many vulnerabilities come from the core models themselves, not from user-developed systems. Gunter Ollmann, Chief Technology Officer at Cobalt, explained that the poor resolution rate of AI flaws largely results from design weaknesses within large language models, areas most organisations cannot directly modify or repair. This means that waiting for vendors to release patches leaves businesses exposed for extended periods, often long after a weakness is known.
For executives, this presents a strategic problem that extends beyond standard cybersecurity operations. Vendors and technology providers often control the underlying models powering AI features, but the responsibility for securing the resulting applications remains with the organisation that deploys them. That disconnect calls for a more assertive form of risk management. Continuous penetration testing allows organisations to detect exploit paths before attackers do. It ensures that even if model-level vulnerabilities exist, the surrounding systems (interfaces, integrations, and access controls) remain protected.
Decision-makers should recognise that AI vendor accountability must become a critical part of procurement and operational strategy. Companies cannot depend solely on external security assurances or vendor transparency to shield them from threats. Internal teams need the capability to test and validate systems under real-world conditions, continuously and independently. This proactive approach reduces exposure and strengthens negotiation power with suppliers, reinforcing expectations for higher security standards across the entire AI ecosystem.
Ollmann noted that last year’s data underscored how exposed supply chains have become and urged organisations to act rather than wait. His recommendation is direct: adopt an offensive security strategy that identifies vulnerabilities early and limits vendor access to sensitive data until proper safeguards are proven. For leaders, following that guidance means embracing accountability and resilience as part of the organisation’s innovation strategy, not just its security framework.
Final thoughts
Cybersecurity is now about pace and precision. The data from Cobalt’s report confirms that threats are advancing faster than the systems built to contain them. AI and LLM vulnerabilities, third‑party dependencies, and weak remediation cycles have turned from technical challenges into boardroom imperatives.
For executives, this isn’t just a call to improve defences; it’s a reminder that security must evolve at the same speed as innovation. The organisations that succeed will be those that treat continuous testing as a fundamental process, not an optional safeguard. They will demand real accountability from vendors, measure outcomes through verified data, and strike a balance between innovation and control.
The future belongs to companies that integrate security into every decision they make. It’s not about stopping progress; it’s about ensuring every step forward is built on something stable enough to last.


