A new report from Cobalt, a leader in offensive security services, reveals that while financial services organizations excel at preventing serious security vulnerabilities, they consistently lag in remediating discovered issues, leading to significant security debt and backlogs.
Cobalt’s “State of Pentesting in Financial Services 2025 Report” highlights a disparity in the financial sector’s cybersecurity posture: strong prevention capabilities alongside slow vulnerability resolution. Despite having one of the lowest rates of initial serious vulnerability findings, financial services firms are among the slowest industries to address them.
The report indicates that the financial services industry resolves approximately two-thirds (66.7%) of serious findings, placing it 10th out of 13 industries Cobalt researched. The median time to remediation (MTTR) for the sector is 61 days, ranking 11th, significantly behind industries like hospitality, which resolves serious findings in 20 days. Furthermore, the half-life for serious findings in financial services is 147 days, reflecting a substantial backlog of unresolved vulnerabilities.
Financial services organizations demonstrate proficiency in addressing straightforward, code-level vulnerabilities. This is attributed to mature AppSec programs, the use of automated scanning tools (SAST/DAST), and robust secure coding standards. As a result, the sector shows lower rates of cross-site scripting (5.0% compared to 9.7% average in other industries) and server-side injection (4.2% versus 5.3% average) in web applications and APIs.
However, the report identifies blind spots where automation proves insufficient. The industry struggles with sensitive data exposure (10.5% compared to 8.0% average), business logic flaws (2.9% versus 2.3% average), server security misconfigurations (34.9% versus 27.9% average), and components with known vulnerabilities (6.1% versus 5.5% average). These classes of vulnerability typically require human-led penetration tests to uncover, because they involve complex data flows, legacy systems, and application-specific logic that automated scanners cannot interpret reliably.
Gunter Ollmann, CTO at Cobalt, commented on the findings, stating, “Financial services organizations have some of the most advanced security programs in the world, which is why they see relatively few serious vulnerabilities surface in testing. The challenge is not prevention, but remediation. Too often, critical findings linger far longer than they should. This backlog of unresolved vulnerabilities creates systemic risk that automation alone cannot solve. As financial institutions adapt to new pressures, like genAI and evolving regulatory scrutiny, closing the gap between discovery and remediation will be essential to maintaining customer trust and resilience.”
Although the sector's overall MTTR for serious issues is 61 days, 78% of financial services firms report meeting internal service level agreements (SLAs) by fixing critical vulnerabilities in business-critical assets within 14 days. The gap between the two figures points to systemic bottlenecks and backlogs outside those business-critical assets, which expose organizations to data loss and breaches. External threats and internal challenges compound the slow remediation; scheduling delays alone affect compliance or business timelines at 70% of firms. Top concerns for financial services leaders include risks related to third-party software (76%), generative AI (genAI) (68%), and insider threats (46%).
The “State of Pentesting in Financial Services 2025 Report” draws on 10 years of Cobalt’s proprietary pentesting data and additional research from Emerald Research, an independent firm sponsored by Cobalt. The study surveyed 500 security leaders and practitioners from organizations with 500 to 10,000 employees. Cobalt provides penetration testing as a service (PTaaS) and offensive security services, combining human expertise with technology. Its platform and network of over 450 security experts assist organizations in identifying and mitigating vulnerabilities.