Organizations Found to Address Only 21% of GenAI-Related Flaws

Organizations remediate only 48% of all vulnerabilities with detected exploits, according to a new study by Pentesting-as-a-Service (PTaaS) firm Cobalt.

This number is even more concerning for generative AI (GenAI) applications and tools, with only 21% of flaws discovered being resolved.

These findings come from Cobalt’s latest State of Pentesting Report, published on April 14.

A silver lining, however, is that the remediation rate improves significantly, to 69%, for vulnerabilities rated high or critical in severity.

AI Attacks, Main Concern for Security Leaders

Most firms (95%) have performed pentesting on GenAI Large Language Model (LLM) web apps in the last year, with a third (32%) of tests finding vulnerabilities warranting a serious rating. 

Of those findings, only 21% of vulnerabilities were fixed. Risks included prompt injection, model manipulation and data leakage issues.

Overall, security leaders appear overconfident in how they deal with vulnerabilities: 81% of respondents said they were “confident” in their firm’s security posture, even though 31% of the serious findings discovered had not been resolved.

Almost three-quarters (72%) ranked AI attacks as their number one concern, ahead of risks associated with third-party software, exploited vulnerabilities, insider threats and nation-state actors. 

Just half (50%) fully trust that they can identify and prevent a vulnerability from their software supplier – a particular concern given that 82% are required by customers/regulators to provide software security assurance.

Organization Complexity Means Longer Remediation Times

The report reveals notable differences in vulnerability remediation across organizations and sectors:

  • Small companies lead with 81% of serious findings resolved, significantly outperforming large organizations, which resolve only 60%
  • Larger organizations take over a month longer than smaller ones to resolve serious issues (61 days versus 27 days)
  • Critical infrastructure sectors, including utilities, healthcare and manufacturing, have the highest rates of unresolved findings and are slowest to address vulnerabilities
  • Financial companies, despite their lower rate of serious findings (11%), take among the longest to resolve issues (61 days)

Gunter Ollmann, CTO of Cobalt, commented: “Organizations that do take an offensive security approach are taking a huge step to strengthening defenses against cybercriminals who typically attack opportunistically. In doing so, they’re getting ahead of any compliance requirements and reassuring their customers that they’re safe to do business with.”

The State of Pentesting Report draws on two datasets: data from over 2700 Cobalt pentests and survey insights from Emerald Research. Pentest metadata was exported from the Cobalt Offensive Security Platform, sanitized for sensitive details, and independently analyzed by the Cyentia Institute.