New data shows faster remediation times, but rising high-severity flaws and expanding attack surfaces keep pressure on security teams
Cybersecurity teams are getting faster at fixing critical vulnerabilities—but attackers are moving even faster. That’s the central takeaway from Synack’s 2026 State of Vulnerabilities Report, which analyzed more than 11,000 exploitable security vulnerabilities discovered across enterprise environments in 2025.
The report highlights a shifting security landscape shaped by AI-enabled adversaries, who are accelerating both reconnaissance and exploitation. As a result, the time between vulnerability discovery and active exploitation—often called the “exploit window”—is shrinking, forcing organizations to rethink how they test and secure their systems.
Synack’s data suggests that many enterprises are adapting. In 2025, organizations reduced the average time to remediate high-severity vulnerabilities by 42 days compared to the previous year. For critical vulnerabilities, remediation improved by 25 days, contributing to an overall 47% reduction in mean time to remediate (MTTR).
Despite these gains, the broader threat environment is intensifying. The number of publicly disclosed vulnerabilities (CVEs) rose 20% year over year, reaching 48,244 in 2025. At the same time, security testing focused on artificial intelligence systems surged, with AI and large language model (LLM) security engagements on Synack’s platform increasing by 120%. This reflects growing concern over AI infrastructure as a rapidly expanding and relatively immature attack surface.
“The rules changed in 2025, and time is now the biggest vulnerability,” said Synack co-founder and CTO Dr. Mark Kuhr. “The issue is no longer how many vulnerabilities exist, but how quickly adversaries can find and exploit them.”
High-Severity Risks on the Rise
While the total number of vulnerabilities remained relatively stable, the composition of those vulnerabilities shifted in a more dangerous direction. High-severity issues increased by 10% year over year, with notable spikes in:
* Remote code execution vulnerabilities, up 39%
* Brute-force attack vectors, up 17.4%
* Content injection flaws, up 8%
These trends point to a growing focus on identity systems, authentication layers, and exploit chaining—areas where attackers can maximize impact. Synack attributes this shift partly to AI-assisted offensive techniques, which allow attackers to scale and automate complex attack paths.
Injection vulnerabilities accounted for 40.6% of all findings, while broken access control made up 32.8%, underscoring persistent weaknesses in core application security practices.
Certain industries appear more exposed than others. Manufacturing and technology sectors reported the highest concentration of critical and high-severity vulnerabilities, at 43.1% and 40% respectively. These sectors often operate complex, interconnected systems that expand the potential attack surface.
Visibility Gap Remains a Core Problem
One of the report’s more concerning findings is the gap between what organizations own and what they actually test. On average, enterprises assess only about 32% of their attack surface, leaving a significant portion of assets unmonitored or untested.
This visibility gap is becoming more problematic as environments grow more dynamic, spanning cloud infrastructure, APIs, third-party integrations, and AI systems. Traditional point-in-time penetration testing, once a standard practice, is increasingly seen as insufficient.
“The real story is the growing coverage gap between expanding attack surfaces and what organizations are actually testing,” said Synack CMO Angela Heindl-Schober. “Periodic testing simply can’t keep pace with AI-driven threats.”
Shift Toward Continuous Security Validation
The findings reflect a broader industry shift toward continuous security validation—a model that emphasizes ongoing testing rather than periodic assessments. This approach aims to provide real-time visibility into vulnerabilities as systems evolve.
Synack positions its own platform, including its AI-powered “Sara” pentesting capability, within this emerging model. Sara combines automated reconnaissance and attack surface mapping with human validation from Synack’s Red Team, aiming to identify not just theoretical vulnerabilities but those that can be realistically exploited.
The hybrid approach highlights a growing consensus in cybersecurity: automation alone is not enough. While AI can scale discovery and analysis, human expertise remains critical for understanding context, chaining exploits, and prioritizing real-world risks.
A Race Against Time
The report ultimately underscores a fundamental shift in cybersecurity priorities. As attackers adopt AI to compress timelines and scale operations, defenders must focus not just on identifying vulnerabilities but on reducing response times and expanding visibility.
Even with measurable improvements in remediation speed, the combination of rising high-severity vulnerabilities, expanding digital footprints, and incomplete testing coverage means organizations are still playing catch-up.
In this environment, security is less about eliminating vulnerabilities entirely and more about minimizing the window of opportunity attackers have to exploit them—a race where every day, and increasingly every hour, counts.