News from the Wire
Financial services: strong at prevention, weak at vulnerability remediation
Tuesday, September 30, 2025 — 17:57:29 (UTC)
San Francisco, Calif., September 30, 2025 — Cobalt, the pioneer of penetration testing as a service (PTaaS) and leader in offensive security services, today released its State of Pentesting in Financial Services 2025 Report with new insights into how the financial services industry identifies and resolves serious security vulnerabilities. Cobalt pentesting data shows that the financial services sector is accruing security debt and a backlog of serious vulnerabilities. Although financial services firms have one of the lowest rates of serious vulnerability findings, they are among the slowest industries to remediate them.
Financial Services Findings: Strengths and Backlogs

- Low rate of serious findings: Financial services organizations rank near the top for preventing serious vulnerabilities from appearing at all.
- Moderate resolution rate: The industry resolves about two-thirds (66.7%) of serious findings, ranking 10th of the 13 industries Cobalt researched.
- Slow median time to remediation (MTTR): At 61 days, financial services ranks 11th of 13 industries, well behind hospitality, which resolves serious findings in 20 days.
- Backlogs reflected in half-life: Financial services has a half-life of 147 days for serious findings, placing 9th of the 13 industries measured. Half-life, unlike MTTR, accounts for unresolved vulnerabilities and so gives a fuller picture of backlog and risk.
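To make the difference between the two metrics concrete, here is an added example (not from the report and not Cobalt's own tooling) that computes both over a constructed set of findings. The half-life definition it uses, the time at which half of all findings, open ones included, have been closed, is an assumption on my part; the report does not publish its formula. The point it demonstrates: adding unresolved findings leaves the MTTR untouched, because MTTR only sees findings that were actually fixed, while the half-life either grows or becomes undefined.

```python
from datetime import date
from math import ceil
from statistics import median
from typing import List, Optional, Tuple

# A finding is (id, date found, date resolved or None while still open).
Finding = Tuple[str, date, Optional[date]]

# Constructed sample data for illustration; not Cobalt's dataset.
FINDINGS: List[Finding] = [
    ("F-01", date(2025, 1, 6), date(2025, 1, 20)),   # fixed in 14 days
    ("F-02", date(2025, 1, 6), date(2025, 2, 5)),    # fixed in 30 days
    ("F-03", date(2025, 1, 13), date(2025, 3, 14)),  # fixed in 60 days
    ("F-04", date(2025, 1, 13), date(2025, 4, 13)),  # fixed in 90 days
    ("F-05", date(2025, 2, 3), None),                # still open
    ("F-06", date(2025, 2, 3), None),
    ("F-07", date(2025, 2, 10), None),
    ("F-08", date(2025, 2, 10), None),
]

# Same backlog plus one more open finding: MTTR does not move, the half-life does.
BACKLOG: List[Finding] = FINDINGS + [("F-09", date(2025, 2, 17), None)]


def days_to_fix(findings: List[Finding]) -> List[int]:
    """Sorted time-to-fix in days, for resolved findings only."""
    return sorted((fixed - found).days for _, found, fixed in findings if fixed is not None)


def mttr_days(findings: List[Finding]) -> Optional[float]:
    """Median time to remediation. Only resolved findings enter the median, so a
    growing pile of unresolved findings leaves this number unchanged."""
    fixed = days_to_fix(findings)
    return float(median(fixed)) if fixed else None


def half_life_days(findings: List[Finding]) -> Optional[int]:
    """Days until half of ALL findings (open ones included) were closed.

    Assumed definition: the ceil(n/2)-th smallest time-to-fix, where n counts
    every finding. If fewer than half have been closed, the half-life has not
    been reached yet; that is the backlog signal MTTR hides, returned as None."""
    n = len(findings)
    if n == 0:
        return None
    fixed = days_to_fix(findings)
    k = ceil(n / 2)
    return fixed[k - 1] if len(fixed) >= k else None


def resolution_rate(findings: List[Finding]) -> float:
    """Share of findings that were resolved at all."""
    if not findings:
        return 0.0
    return sum(1 for _, _, fixed in findings if fixed is not None) / len(findings)


def summarize(findings: List[Finding]) -> dict:
    """The three numbers a remediation dashboard should show side by side."""
    return {
        "resolution_rate": resolution_rate(findings),
        "mttr_days": mttr_days(findings),
        "half_life_days": half_life_days(findings),
    }


if __name__ == "__main__":
    for name, data in (("FINDINGS", FINDINGS), ("BACKLOG", BACKLOG)):
        print(name, summarize(data))
```

For the constructed data, MTTR is 45 days in both sets, but the half-life is 90 days for FINDINGS and undefined for BACKLOG, where only four of nine findings have ever been closed. Reporting MTTR alone would show no change while the exposure window widened.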
Vulnerability Profile: Automation Strengths, Human Testing Gaps

The financial services sector excels at addressing straightforward, code-level vulnerabilities, thanks to mature AppSec programs, automated scanning (SAST/DAST), and strong secure coding standards. This results in significantly lower rates of cross-site scripting (5.0% vs. 9.7%) and server-side injection (4.2% vs. 5.3%) in web applications and APIs, compared to other industries.
However, pentests reveal blind spots where automation falls short. The industry struggles with:
- Sensitive data exposure: 10.5% vs. 8.0% average in other industries.
- Business logic flaws: 2.9% vs. 2.3% average in other industries.
- Server security misconfigurations: 34.9% vs. 27.9% average in other industries.
- Components with known vulnerabilities: 6.1% vs. 5.5% average in other industries.

These vulnerabilities often require human-led pentests to uncover because they involve complex data flows, legacy systems, and application-specific logic that scanners cannot interpret.

“Financial services organizations have some of the most advanced security programs in the world, which is why they see relatively few serious vulnerabilities surface in testing,” said Gunter Ollmann, CTO, Cobalt. “The challenge is not prevention, but remediation. Too often, critical findings linger far longer than they should. This backlog of unresolved vulnerabilities creates systemic risk that automation alone cannot solve. As financial institutions adapt to new pressures, like genAI and evolving regulatory scrutiny, closing the gap between discovery and remediation will be essential to maintaining customer trust and resilience.”
Pentesting Practices and Pressures

While financial services firms are slow to resolve serious issues (61-day MTTR, 147-day half-life, and one-third of serious issues never resolved), they do maintain a solid track record in meeting strict internal service level agreements (SLAs) for the remediation of serious vulnerabilities. Deeper operational data reveals significant systemic bottlenecks and major backlogs of vulnerabilities that expose financial organizations to risks of data loss and breaches. The industry's exposure due to slow remediation is amplified by external threats and internal challenges, ranging from scheduling delays to the escalating risks posed by third-party software vulnerabilities, genAI complexity, and insider threats.

- SLAs narrowly met: Despite their 61-day MTTR for serious issues overall, 78% of financial services firms report fixing critical vulnerabilities in business-critical assets within 14 days, in line with SLA requirements.
- Scheduling challenges: 70% report that pentest scheduling delays sometimes impact compliance or business timelines, meaning potential security risks remain unaddressed for a longer period.
- Top risks: Financial services leaders highlight third-party software (76%), genAI-related risks (68%), and insider threats (46%) among their greatest concerns.
Additional Resources:

- Read the State of Pentesting in Financial Services 2025
- Read the State of Pentesting in Financial Services 2025 blog
Methodology

The findings in the State of Pentesting in Financial Services 2025 are based on 10 years of Cobalt pentesting data and on survey data from Emerald Research, an independent third-party research firm, sponsored by Cobalt. The survey included 500 respondents, consisting of security leaders, defined as a mix of C-level and VP-level security professionals, and security practitioners, representing organizations with 500 to 10,000 employees.
About Cobalt

Cobalt is the pioneer in pentesting as a service (PTaaS) and a leader in human-led, AI-powered offensive security services. We are focused on combining talent and technology with speed, scalability, and expertise. Thousands of customers and hundreds of partners rely on the Cobalt Offensive Security Platform, along with 450+ trusted security experts, to find and fix vulnerabilities across their environments. By enabling faster pentest launches, real-time collaboration with pentesters, and seamless integration with remediation workflows, we help organizations identify critical issues and accelerate risk mitigation so they can operate fearlessly and innovate securely. Cobalt maintains an outstanding NPS of 9.12, reflecting its dedication to customer satisfaction. Read our reviews on G2 to see why customers love us. More at www.cobalt.io. Follow Cobalt on LinkedIn and X.
Contacts

Media Contact: Leslie Kesselring, Kesselring Communication for Cobalt, leslie@kesscomm.com
Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.
Source: Company press release.
Categories: Reports and research