One number tells you whether your program is built for 2026's threats or quietly optimized for 2019's. Answer four, watch the dial, then get the report that proves it.
Here's where the dial landed — and exactly which gaps moved the needle.
The sections of the 2026 report most relevant to your answers.
Measurement model
Q4 had 63% more findings than Q3. But Q3's findings were far more severe . Making Q3 the more dangerous quarter. Total count made it look calm.
Needs work
Strong
Moderate
Cloud budget share
Cloud overtook web as the primary attack surface in 3 separate quarters of 2025. While cloud testing coverage grew only 1.23× in the same period.
Moderate
Needs work
Strong
Cross-surface scope
In 2025, 80% of AWS credential exposure was found during mobile pentests, not cloud scans.
Needs work
Strong
Moderate
Testing cadence
August–September was the most dangerous period of the year; most annual and quarterly tests had already concluded. December produced 1.8M vulnerabilities, more than all of 2024.
Strong
Needs work
Moderate
The metric you're using wrong
Pages 5–10
Cloud: the trojan horse in your risk mapping
Pages 20–29
Your costliest cloud breach is a 4.2-star app
Pages 20–24
The 30-day blind spot
Pages 11–19
