Synack report says vulnerability testing gap widens

Sat, 16th May 2026
Mark Tarre, News Chief

Synack has released its 2026 State of Vulnerabilities Report, covering more than 11,000 exploitable vulnerabilities identified across customer environments in 2025.

Organisations cut the average time to remediate high-severity vulnerabilities by 42 days compared with the previous year, while average remediation time across all severity levels fell by 47%.

Those gains came as the broader vulnerability landscape grew more crowded. Published CVEs rose 20% year on year to 48,244 in 2025, according to cve.org, while AI and large language model security missions on Synack's platform increased 120%.

In the environments analysed, overall vulnerability volumes were broadly stable, but the mix shifted towards more serious weaknesses. High-severity findings rose 10%, with remote code execution up 39%, brute force attacks up 17.4% and content injection up 8%.

The data points to a growing emphasis on identity systems, authentication boundaries and exploit chaining. These areas are under increasing pressure as attackers use AI tools to accelerate reconnaissance and exploitation.

Coverage gap

A central finding is that many businesses are still testing only a limited share of their digital estate. Research cited in the report, conducted with Omdia, found that enterprises test about 32% of their attack surface on average.

That leaves many assets outside regular security validation programmes, even as attack surfaces continue to expand. The report argues that this gap is becoming harder to manage as infrastructure grows more complex and threats move faster.

The sector breakdown shows manufacturing and technology with the highest concentration of critical and high-severity vulnerabilities. Manufacturing recorded 43.1% of findings in those categories, while technology stood at 40.0%.

Across the full sample, 37% of vulnerabilities identified in 2025 were rated critical or high severity. Injection vulnerabilities accounted for 40.6% of findings, while broken access control represented 32.8%.

Synack CTO and co-founder Dr Mark Kuhr linked the trend to the pace at which attackers can move.

"The rules changed in 2025, and time is now the biggest vulnerability. The issue is no longer how many vulnerabilities exist, it's how quickly adversaries can find and exploit them. Organisations that continuously validate security across their environment are responding faster and closing critical exposure windows earlier," Kuhr said.

The report suggests shorter remediation times may reflect changes in how some organisations structure testing and response. It contrasts continuous validation with periodic security testing models, which it says can leave teams with incomplete visibility into current risk exposure.

Rising pressure

Synack's figures suggest the threat environment is changing in quality as much as in quantity. Stable total volumes did not mean stable risk, as a larger share of flaws were severe and exploitable.

Chief marketing officer Angela Heindl-Schober said the core issue was the mismatch between expanding estates and the amount of testing many organisations still carry out.

"Stable vulnerability volume is not a sign that risk is stable. The real story is the growing coverage gap between expanding attack surfaces and what organizations are actually testing. Traditional point-in-time pentests cannot keep pace with AI-driven threats. Continuous security validation is emerging as the new operating model for enterprise security," Heindl-Schober said.

The findings also reflect growing scrutiny of AI systems themselves. The rise in AI and LLM security missions suggests companies are paying more attention to the risks around AI infrastructure as those systems become a larger part of enterprise technology estates.

The report also found that organisations reduced remediation times for critical-severity vulnerabilities by 25 days on average in 2025. Alongside the improvement in high-severity remediation time, that points to faster handling of the issues most likely to expose businesses to immediate harm.

Synack also used the report to highlight its AI-assisted security testing work, including its Sara AI Pentesting product. The service combines automated reconnaissance, attack surface mapping and exploit exploration with validation by human security researchers.

Founded by former NSA operatives, the company says it has enabled nearly 10 million hours of security testing across assets ranging from financial systems to US Defence Department networks.