2026

State of AI in Pentesting

Our new report captures the views of 400 security and engineering leaders across Europe and the US. Together, they reveal how AI is accelerating software delivery, why traditional security testing is struggling to keep pace, and what organizations want from the next generation of penetration testing.

This is the state of security testing in the age of AI.

Download now
Featuring insights from:

Key findings

KEY FINDING #1

AI is already causing security problems

0%
Have intervened to stop or restrict AI-driven behavior
0%
Say AI has made security incidents harder to detect, investigate, or fix
KEY FINDING #2

Software changes continuously.
Security validation doesn’t.

Pentesting was built as a point-in-time exercise, designed to validate a system at a specific moment. Modern software doesn't stay still long enough for that model to work reliably anymore.

ONLY
0%
Deploy significant changes weekly or faster
ONLY
0%
Validate security on
every release

“We see teams go from idea to production in hours, so when security testing takes weeks to return results, you're testing a system that no longer exists."

Anton Osika
CEO, Lovable
KEY FINDING #3

Testing got left behind

0%
Are concerned about missing vulnerabilities introduced between scheduled tests
0%
Say findings are already outdated when they arrive
“A pentest report that's outdated before the remediation meeting is a compliance artifact, not a security control. Most modern companies should be shipping weekly or faster. The annual model tells you where you were, not where you are.”
Adam Glick, CISO at PSG
KEY FINDING #4

Manual pentesting leaves gaps

0%
Say logic flaws, broken access controls, and multi-step vulnerabilities are missed always or often
0%
That number rises for teams shipping daily or faster

"Traditional penetration testing was built around periodic assessments, but modern software delivery no longer operates on a periodic schedule. As development velocity increases, especially with AI-assisted software creation, security testing will increasingly need to move closer to the release cycle itself."

Katie Norton

Senior Research Manager, IDC
KEY FINDING #5

Leaders want speed, not savings

Which characteristics matter most when considering new approaches to security testing? Select all that apply.

Ability to test frequently or on demand
0%
Speed of results
0%
vs
Lower cost per test
0%
"The current model is broken. As software becomes faster and more complex, testing needs to keep up in a way it hasn’t before."
Willem Delbare,
CEO & Co-founder at Aikido

If you work in software security,
you need to read this.

The 2026 State of AI in Pentesting is live