Cobalt Research: Only 9% of Security Professionals Support Fully Automated Pentesting

https://www.cybersecurity-insiders.com/cobalt-research-only-9-of-security-professionals-support-fully-automated-pentesting/

Publish Date: 2026-06-28 06:23:00

Source Domain: www.cybersecurity-insiders.com

This week, Cobalt released the findings of its second annual Cobalt AI and Pentesting Pulse Report 2026. The research surveyed 455 cybersecurity professionals and found that the share of organizations relying entirely on AI automation for their testing needs plummeted from 29% last year to 9%, with 47% now preferring a hybrid testing model in which human expertise supports AI testing.
The 22-point surge in support for the hybrid model stems from the fact that 78% of organizations experienced fully automated scanning tools missing critical vulnerabilities and returning false negatives. Still, security teams show a strong willingness to automate testing for non-critical assets, with 44% favoring automation for low-risk environments.
The decrease in trust in automation reflects the complexity of securing the AI attack surface itself.
Traditional scanners struggle because AI and LLM applications produce high-risk findings at nearly triple the rate of conventional software. According to the Cobalt State of Pentesting Report 2026, released earlier this year, teams classified 32% of all AI-related pentest findings as high risk, compared to just 12% overall. At the time of analysis, only 38% of LLM vulnerabilities had been fixed, while 62% remained open, the lowest resolution rate overall.
Among companies hit with AI-related security incidents, Shadow AI topped the cause list, contributing to 44% of incidents, followed closely by data or model poisoning (41%) and improper output handling (41%). Supply chain vulnerabilities (35%) and prompt injection (34%) completed the top five vectors.
To manage these risks, 60% said they require stronger LLM testing capabilities, yet only 42% plan to increase human-led red team operations, which are best positioned to bridge this gap.
“While the industry is rightfully excited about the potential of Mythos-class tools, unguided algorithms are inherently prone to returning even more false positives and costly false negatives than the automated scanners we have today,” said Andrew Obadiaru, CISO of Cobalt. “LLM vulnerabilities are deeply context-dependent and invisible to tools that lack an architectural understanding of the application. To close the validation gap, automation should be deployed exactly where it excels, but elite human expertise remains foundational to uncovering and remediating the most complex business logic risks.”