Built in the trenches. Backed by data. For the boardroom.

State of continuous pentesting report 2026

Expert insights on 2026’s top cybersecurity trends, AI-driven
threats, and why continuous pentesting is key to staying ahead
in a fast-changing threat landscape.

Why do you need the report?
A critical vulnerability was found every 48 seconds in 2025. In 2024, it was every 12 minutes. That’s one critical vulnerability for every reel you watch. So if 2024 was buffering, 2025 just hit autoplay. And 2026 isn’t getting any slower. Risk is moving continuously, and so should pentesting.

What’s inside?

This pentest report is backed by data from 6.8M findings (across web app, cloud, APIs, network,
Android, and iOS), 150K+ scans, 8K+ engagements, 1,000+ organizations, and 70 countries.

14.6x

Faster growth in Critical vulnerabilities vs all other severity classes

44x

Increase in Cloud vulnerability growth in one year, but cloud testing coverage grew just 1.23x

80%

Of tracked AWS credential exposure found during mobile tests, not cloud scans

$1.1M

Financial exposure from IDOR, which is present on all 6 tested surfaces simultaneously

91%

Of critical findings have no CVE, no vendor patch, and no remediation playbook

1.8M

Vulnerabilities found in December 2025 alone, more than in all of 2024 combined

Total vulnerability count looks useful until it hides what really changed: severity. In 2025, 1 in 10 findings was Critical. In 2024, it was 1 in 40. Though numbers may have looked fine, risk was out here doing parkour.

Scan activity this month predicts next month’s findings, not today’s risk. November looked quiet, but December showed up with 1.8M vulnerabilities. A clean dashboard can be reassuring, but it is often just the calm before the storm. This pentest report surfaces the lag your tools miss.

Cloud overtook web as the primary attack surface three times in 2025. Meanwhile, many teams still plan testing budgets around web security spend, even though the cloud is now driving more risk.

IDOR appeared across all 6 tested surfaces simultaneously. It regenerates with every new feature. Fix it on the web, and the pattern can still reappear in the next API, mobile flow, or product release.

Download full report

Voices from the frontlines of security

"The uncomfortable truth, as we looked at this data, is that most organisations are under-secured because they are mis-measured."

COO, Rattle

Shikhil and Ananda

Co-Founders, Astra Security


"Autonomous pentesting tools are making real-time exploitation decisions on production systems. The question is not whether they work, it's whether you can prove they stayed within the boundaries you set. APTS gives organizations a way to answer that before an incident forces the question."

Ankur Rawal

Jinson Varghese Behanan

Pentest Lead, Astra Security

CTO, LutherOne

"The real risk is the blast radius created by identity and permission chains, not just misconfiguration."


Abhinandan Khurana

Security Engineer, MoveInSync


"AI now handles 70% of traditional SOC functions... One platform replaces five vendors."


Kaustubha N K

CTO, Lab To Market Innovations Private Limited


Ready to Elevate Your Security Offerings?

Does the State of Continuous Pentesting Report include security recommendations?

Yes. Every finding in the report is paired with a specific, actionable recommendation. We don’t provide generic best-practice advice; these recommendations are extracted directly from the data. Practical implementation recommendations include which surface to prioritize based on the findings, whether you need to move from total-count dashboards to severity-weighted reporting, and what a cross-surface testing scope should cover to close the credential exposure gap. The report also includes the OWASP APTS governance framework, co-authored by Astra Security, for organizations evaluating autonomous pentesting tools in 2026.

What is the State of Continuous Pentesting Report?

The State of Continuous Pentesting Report is Astra Security's annual data analysis of the risk profile and vulnerabilities seen in real-world security programs. The aim of the report is to help security leaders understand what their programs are measuring wrong and what that gap is costing them. The 2026 edition is built on 6.8 million findings from 150,000+ scans and 8,000+ engagements across 1,000+ organizations in 70 countries. In contrast to generic, survey-based industry reports, this year’s report is based on actual penetration tests conducted across web, API, cloud, mobile, and network environments over the past year.

How does Astra Security collect data for the State of Pentesting Report?

All of the data in the report comes directly from penetration tests conducted by Astra Security in 2025. This includes automated scans, manual pentests, and continuous testing engagements spanning six attack surfaces: web applications, APIs, cloud infrastructure, iOS, Android, and network. We have not used any modeled estimates or third-party data sets.

I have a specific scope. Can you tailor the pricing?

Absolutely. You can schedule a call with our sales engineers. On the call they review the scope, demonstrate our platform, and are happy to share tailored pricing specific to your needs.