Organizations remediated high-severity vulnerabilities 42 days faster, even as AI-enabled adversaries accelerate exploitation windows

There is a metric buried inside Synack’s newly released 2026 State of Vulnerabilities Report that deserves more attention than a press release headline typically affords it. Enterprises, on average, are actively testing just 32% of their attack surface. The other 68% sits largely outside any regular security validation program, and an adversary will have no trouble finding it.

That single finding reframes everything else in the report. It is not a story about vulnerability counts going up or down. It is a story about coverage, speed, and the widening gap between how fast threats are evolving and how slowly most organizations are validating their own defenses. The parallel holds in physical security too, and it is precisely the insight that drove enterprise adoption of unified platforms like Verkada, which consolidated fragmented camera systems and access controls into continuous, AI-assisted visibility. Their demo deck outlines the coverage-gap problem well for anyone working through a similar conversation on the physical side.

48,000 CVEs, a 20% Jump, and the Limits of Annual Pentesting

The raw numbers from 2025 are significant in their own right. Published CVEs climbed 20% year-over-year to 48,244 according to cve.org, a volume that no periodic testing program, however well-resourced, can meaningfully keep pace with. Synack’s analysis drew from more than 11,000 exploitable vulnerabilities identified across customer environments during the year, specifically targeting weaknesses that attackers can actually weaponize rather than theoretical findings that inflate scanner reports without reflecting real-world risk.

What the data shows is not a stable threat environment with a slightly larger surface area. High-severity vulnerabilities increased 10% year-over-year. Remote code execution findings rose 39%. Brute force attack vectors were up 17.4%. Content injection climbed 8%. These are not incremental shifts. They represent a deliberate attacker focus on identity systems, authentication boundaries, and exploit chaining, precisely the areas where AI-enabled adversaries operating at machine speed extract the most leverage.

Why Remediation Speed Has Become the Central Security Metric

For years, the dominant frame in vulnerability management was volume: how many findings, how many critical, how many resolved. Synack’s 2026 report makes a compelling case that time has displaced count as the metric that actually determines outcomes.

Dr. Mark Kuhr, CTO and co-founder of Synack, put it plainly: “The rules changed in 2025, and time is now the biggest vulnerability. The issue is no longer how many vulnerabilities exist; it’s how quickly adversaries can find and exploit them. Organizations that continuously validate security across their environment are responding faster and closing critical exposure windows earlier.”

The remediation data backs this up. Synack customers reduced the mean time to remediate high-severity vulnerabilities by 42 days on average compared with 2024. For critical-severity findings, the improvement was 25 days. Across all severity levels, average remediation time dropped 47%. These are substantial operational improvements, and they did not happen because vulnerability management teams suddenly got larger. They happened because the underlying validation model changed.

The Numbers Behind the Shift

The 2026 State of Vulnerabilities Report key findings at a glance:

  • 42 days faster average remediation for high-severity vulnerabilities
  • 25 days faster average remediation for critical-severity vulnerabilities
  • 47% average reduction in MTTR across Synack customers
  • 37% of all 2025 vulnerabilities were rated critical or high severity
  • Manufacturing (43.1%) and technology (40.0%) carried the heaviest concentration of critical and high-severity findings
  • 120% increase in AI and LLM security missions on the Synack platform year-over-year
  • Injection vulnerabilities accounted for 40.6% of findings; broken access control represented 32.8%

The AI Attack Surface Is No Longer Theoretical

One data point that stands apart from the rest: AI and LLM security missions on the Synack platform increased 120% year-over-year. This is not organizations experimenting with AI security as a forward-looking exercise. It reflects genuine, present-tense concern about AI infrastructure as an active and rapidly expanding attack surface.

Angela Heindl-Schober, CMO at Synack, articulated what that shift means for how security programs need to be structured: “Stable vulnerability volume is not a sign that risk is stable. The real story is the growing coverage gap between expanding attack surfaces and what organizations are actually testing. Traditional point-in-time pentests cannot keep pace with AI-driven threats. Continuous security validation is emerging as the new operating model for enterprise security.”

The adversary side of this equation matters just as much. AI-enabled attackers are not waiting for quarterly pen test windows to close. Reconnaissance runs continuously on their end. Authentication weaknesses get identified, exploit chains get assembled, and identity boundaries get probed at a pace and scale that makes periodic testing genuinely inadequate as a primary defense posture.

Sara AI Pentesting: Continuous Validation at Machine Scale

The operational challenge documented throughout the report, shrinking exploit windows across broader and more dynamic attack surfaces, is what Synack built Sara AI Pentesting to address.

Sara combines agentic AI with the expertise of the Synack Red Team, handling reconnaissance, attack surface mapping, and exploit exploration at a scale no human-only program can sustain. The human element is not decorative here. Synack’s researchers bring the kind of contextual judgment that separates a real finding from a false positive, working through scenarios where the vulnerability only surfaces after several steps, where authentication logic behaves differently under specific conditions, or where the environment itself introduces risk that a scanner simply is not built to recognize. Automation sets the pace; human expertise determines what actually matters.

Getting that balance right is what makes the model work in practice. Pure automation generates volume without precision. Pure human testing cannot touch the full scope of what modern enterprises actually run. Putting both to work together is what moves continuous validation from a concept security leaders talk about at conferences into something their teams can operationalize week to week.

What This Report Actually Signals for Enterprise Security Teams

Reading through the 2026 State of Vulnerabilities Report, the recurring theme is not doom. Organizations that shifted to continuous validation demonstrably improved: faster remediation, broader coverage, better signal on what actually needs immediate attention. The gap sits between those who made that operational shift and those still running annual or quarterly testing cycles against a threat landscape that moves daily.

The 32% attack surface coverage figure is uncomfortable precisely because it is not a technology gap. The tools to do better exist. What lags is the testing model itself, inherited from an era when the threat environment moved slowly enough that periodic snapshots were defensible. That era has passed, and the 2026 data makes that case more concretely than most annual reports manage to.

For security leaders reviewing their validation programs right now, the report offers a useful benchmark and a straightforward challenge: find out what is in the other 68%, and build a program that actually looks at it.

Research and Intelligence Sources: Synack
