Introduction
In the rapidly evolving landscape of cybersecurity, organizations across the globe are increasingly prioritizing penetration testing (pentesting) as a critical component of their defense strategies. A recent study conducted by Synack, a leading provider of human-led and AI-powered pentesting, along with Omdia, a prominent technology research firm, has unveiled some startling revelations regarding the current state of pentesting practices among enterprises.
Key Findings of the Report
The new report, titled The 2026 State of Agentic AI in Pentesting, reveals that an astounding 95% of surveyed organizations consider pentesting to be a crucial priority for their security protocols. However, the report highlights a glaring discrepancy: only 32% of their attack surfaces are actually being tested. This leaves a staggering 68% of an enterprise's security environment unexamined, creating significant vulnerabilities in the face of increasingly sophisticated cyber threats, particularly those driven by AI.
The Need for Advanced Testing Approaches
As organizations adapt to modern threats that leverage artificial intelligence, traditional pentesting methodologies appear inadequate. The current research points to a critical gap between security priorities and the practical implementation of testing processes. This disconnect has sparked calls for a fundamental shift in how enterprises approach offensive security.
Many security leaders are realizing that traditional pentesting, which typically occurs biannually, cannot keep pace with the dynamic nature of today's digital environments. Instead, the integration of agentic AI into pentesting processes is emerging as a necessary evolution. AI-driven testing not only promises scalability but also combines human creativity and strategic oversight, elements crucial for effective cybersecurity.
Expert Insights
Jay Kaplan, Co-Founder and CEO of Synack, emphasizes the need for a paradigm shift in the approach to security testing. He states, "This research proves the industry is ready to move beyond the twice-a-year pentest model. Continuous, agent-led testing with human oversight is how the modern enterprise will stay ahead of today’s sophisticated threats."
Dr. Mark Kuhr, CTO of Synack, adds that while AI enhances coverage and efficiency, “real-world risk still requires human creativity.” The combination of AI capabilities with a knowledgeable team of cybersecurity professionals is essential in understanding how attackers operate, thereby facilitating more effective defenses.
The Transition Toward Continuous Testing
Emerging trends indicate that 87% of organizations are now in the process of adopting or piloting agentic AI for penetration testing. Notably, 95% of those surveyed believe that agentic AI will eventually replace traditional pentesting services—though opinions vary regarding the extent of that displacement. Furthermore, 64% of the participants support the implementation of a hybrid testing model that combines the power of machines with human insights.
Despite the enthusiasm for agentic AI, there are critical considerations for its successful deployment. A majority (93%) of security leaders say that, while they trust agentic AI, comprehensive guardrails and transparent decision-making processes are vital for safe operation. As the industry transitions to this new phase of cybersecurity, aligning agentic AI usage with robust operational frameworks becomes increasingly important.
Conclusion and Call to Action
The Synack and Omdia report serves as a wake-up call for security teams across industries. It underscores the urgency for enterprises to rethink their offensive security strategies. As cyber threats become more dynamic and persistent, closing the coverage gap in pentesting must be a primary focus. Continuous, agent-driven testing, complemented by human oversight, can fundamentally redefine how businesses approach cybersecurity, transitioning them into an era of resilience and proactive defense.
For further insights and a complete analysis, the full report can be accessed at Synack's Report.