Synack Report Finds Enterprises Cutting Vulnerability Remediation Time Amid Rise of AI-Driven Threats

Synack

New research shows organizations are responding faster to critical vulnerabilities as AI-powered attacks accelerate exploitation windows and expand enterprise attack surfaces

Synack has released its 2026 State of Vulnerabilities Report, revealing that enterprises reduced remediation times for high-severity vulnerabilities by an average of 42 days in 2025 as organizations race to keep pace with increasingly sophisticated AI-enabled cyber threats.

The report, based on analysis of more than 11,000 exploitable vulnerabilities identified across customer environments during 2025, highlights a growing industry shift away from periodic security testing toward continuous security validation. According to the findings, the average remediation time across all vulnerability severity levels dropped by 47% compared to 2024.

The research comes at a time when the global cybersecurity landscape is becoming significantly more complex. Published Common Vulnerabilities and Exposures (CVEs) increased 20% year-over-year to 48,244 in 2025, while AI and large language model (LLM) security missions on the Synack platform surged by 120%, reflecting mounting concerns around AI infrastructure security.

“The issue is no longer how many vulnerabilities exist, it’s how quickly adversaries can find and exploit them,” said Dr. Mark Kuhr, CTO and co-founder of Synack.

Synack said the findings demonstrate that organizations are beginning to recognize that traditional point-in-time security testing is no longer sufficient against AI-driven adversaries capable of operating at machine speed.

Kuhr said attackers are increasingly focusing on shrinking exploitation windows. “The rules changed in 2025, and time is now the biggest vulnerability. Organizations that continuously validate security across their environment are responding faster and closing critical exposure windows earlier,” he said.

The report also found that 37% of vulnerabilities identified in 2025 were classified as critical or high severity. High-severity vulnerabilities related to remote code execution increased by 39%, while brute force attacks rose 17.4% and content injection vulnerabilities increased 8%.

Manufacturing and technology sectors recorded the highest concentration of critical and high-severity vulnerabilities, accounting for 43.1% and 40% respectively.

Angela Heindl-Schober, Chief Marketing Officer at Synack, said the growing disconnect between expanding attack surfaces and the percentage of systems actually being tested remains a major challenge for enterprises. “Traditional point-in-time pentests cannot keep pace with AI-driven threats. Continuous security validation is emerging as the new operating model for enterprise security,” she said.

The report additionally revealed that enterprises currently test only around 32% of their overall attack surface on average, leaving significant portions of infrastructure outside regular security validation programs.

Synack said its AI-powered pentesting capability, Sara AI Pentesting, was developed to address these challenges by combining agentic AI with human-led exploit validation to continuously assess enterprise environments.
