Download the State of Offensive Security Report 2025

What you don't know can hurt you. In this data-rich report, Capture The Bug shows how even the most mature security teams remain vulnerable because of persistent flaws, delayed remediation, and the rapid evolution of AI-driven threats.

In this year's report you'll learn:

  • Why 94% of web apps still suffer from broken access controls, and how attackers exploit them every day, not with 0-days but with unpatched, known flaws.
  • How long it really takes to fix critical vulnerabilities (hint: the median is 60+ days), and why nearly half remain unpatched a year later.
  • Why AI is now both a weapon and a weakness. Discover how attackers are using generative AI to launch more convincing phishing attacks and how security teams are missing coverage for AI systems.
  • The new gold standard for modern security teams, including continuous testing, a shift-left culture, and AI-aware pentesting practices that help you stay ahead of threats.

State of Offensive Security Report 2025

Uncover what security teams are missing, and what attackers already know. This year's report analyzes thousands of pentests to reveal the most common vulnerabilities, delays in remediation, and the blind spots created by rapid AI adoption.

Core Discoveries from the Report

Security Perception Gap

81% of security leaders say their posture is strong, but pentesting proves otherwise. Hidden vulnerabilities continue to surface even in teams with high perceived maturity.

Remediation Reality Check

Most organizations commit to fixing critical findings within 14 days. In practice, very few achieve it. The gap between policy and execution is a growing risk factor.

Extended Exposure Window

The median time to resolve serious issues is 37 days, more than two and a half times the 14-day SLA most organizations commit to. That extended exposure window gives attackers a dangerous head start.

Security that works like you do.

Flexible, scalable PTaaS for modern product teams.