
Firms test just 32% of attack surface, study finds

Thu, 19th Mar 2026

Most organisations say penetration testing is a top security priority, but they assess only 32% of their global attack surface on average, according to new research from Synack and Omdia.

The study, based on a survey of 200 US security leaders, highlights a wide gap between board-level concern about cyber risk and the reach of current testing programmes. With 68% of enterprise environments going untested on average, the findings suggest many companies still lack visibility across expanding digital estates shaped by cloud services, connected systems and artificial intelligence.

Respondents also showed a growing willingness to use AI in offensive security work. The research found that 87% of organisations have moved beyond simply evaluating agentic AI and are now planning, piloting or using it for penetration testing. It also found that 95% expect agentic AI to displace traditional pentesting services to some extent, with 49% anticipating complete or significant displacement.

The results reflect a broader shift in cybersecurity operations as security teams look for ways to test more systems more often without relying solely on periodic manual reviews. Traditional pentesting has often been carried out once or twice a year, but the report argues that model is struggling to keep pace with change in modern IT environments.

Synack said the figures help explain why many security teams are rethinking their approach to continuous testing. The company uses a model that combines automation and AI with human oversight from security researchers.

"This research proves the industry is ready to move beyond the twice-a-year pentest model," said Jay Kaplan, Synack CEO and Co-founder. "We founded Synack on the idea that security requires machine speed for breadth and human judgment for creativity. This report confirms the market is catching up to that reality. Continuous, agent-led testing with human oversight is how the modern enterprise will stay ahead of today's sophisticated threats."

Coverage Gap

The central finding is the gap between stated priority and actual coverage. While 95% of respondents ranked pentesting as a top priority, only about a third of their attack surface is tested on average. That leaves a large share of applications, infrastructure, cloud assets and other digital entry points outside formal scrutiny.

For large organisations, that shortfall can create blind spots across fast-changing systems. Security teams are under pressure to monitor new software deployments, third-party integrations and AI tools introduced across the business. The report suggests that growing attack surfaces, combined with concern over AI-assisted attackers, are now outweighing worries about guardrails for internal use of AI in testing.

The survey also found that 64% of organisations prefer an agent-led model with human oversight, pointing to demand for a hybrid approach rather than fully autonomous testing. Although 87% of leaders said they trust agentic AI, 93% said comprehensive guardrails and transparent decision-making are critical to safe operation.

Human Oversight

That emphasis on supervision reflects continued caution in the market. Security leaders appear open to using AI to expand the scale and frequency of testing, but they still want people involved in reviewing actions, validating findings and making judgement calls.

"AI delivers scale and coverage, but real-world risk still requires human creativity. By combining agentic AI with our elite Synack Red Team, we enable continuous testing that reflects how attackers actually operate," said Dr Mark Kuhr, chief technology officer and co-founder of Synack.

The findings also suggest security buyers are not treating agentic AI as a fringe experiment. Instead, many appear to see it as a practical response to longstanding problems in offensive security, particularly the difficulty of testing enough of a large organisation's estate on a continuous basis.

"The data shows a clear disconnect: security leaders know pentesting is critical, yet most of their environment remains untested," said Angela Heindl-Schober, chief marketing officer at Synack.

She added: "That gap is redefining how organisations approach offensive security. Agentic AI is not a future concept; it's becoming the only scalable way to continuously test modern, dynamic environments."

Market Shift

The research comes as security teams face pressure to show faster remediation, clearer risk reduction and stronger justification for cybersecurity spending. In that context, broader and more frequent testing may become a more visible metric for chief information security officers reporting to boards and senior management.

For providers in the sector, the data points to an emerging market in which customers want broader coverage, shorter testing cycles and tools that can operate across rapidly changing environments while keeping a human decision-maker in the loop.

As organisations expand their use of cloud systems and AI tools, the gap between security ambition and actual testing coverage is likely to remain a central issue for cybersecurity teams.