CyberCX report finds 29% of tests exposed severe flaws

Wed, 13th May 2026
Sean Mitchell, Publisher

CyberCX has released its Hack Report for 2026, finding that 29% of the security assessments it conducted in 2025 uncovered at least one severe vulnerability.

The report draws on more than 70,000 issues identified across over 7,500 engagements for more than 1,400 customers over three years, based on data from CyberCX's Security Testing and Assurance practice.

The findings point to uneven progress in cyber resilience across sectors. The share of assessments containing at least one severe finding fell from 33% in 2023, but a substantial proportion of organisations still appear to have weaknesses that could leave them open to compromise if attackers find them first.

Among the more striking results, artificial intelligence systems showed a higher rate of serious weaknesses than more established technology environments. Half of all penetration tests of AI applications found at least one severe issue, compared with a much lower rate for standard web application penetration tests.

The data also showed that attacks exploiting human behaviour remain a major route into organisations. Social engineering penetration tests, which assess how staff respond to deceptive approaches rather than technical flaws in software, produced a severe finding in 77% of cases.

That result comes as many businesses invest heavily in stronger technical controls, from network defences to application testing. The figures suggest those efforts have not removed the need to address employee awareness, internal processes and the wider ways an attacker may gain access.

Sector differences

Performance varied by industry. Manufacturing and construction, healthcare, and logistics and transport recorded the highest rates of severe findings, while communications, media and technology, and financial services and insurance recorded the lowest.

Sectors with higher rates tend to rely more heavily on operational technology, industrial equipment and older systems that can be harder to patch or replace. These environments often combine digital systems with physical processes, complicating security upgrades and increasing the potential impact of a breach.

Government organisations performed better than the non-government sector on data security and privacy measures. Government entities were 9.4% less likely than the base rate to record severe findings in that area, while non-government organisations were almost 2% above it.

The report suggests this gap may reflect more clearly defined and consistently enforced data-handling and privacy policies in the public sector. It also points to the value of governance and policy discipline in reducing risk beyond purely technical controls.

Testing demand

Elsewhere in the data, adversary simulation exercises doubled as organisations sought to test their ability to detect and respond to realistic attack scenarios. At the same time, findings linked to application security rose sharply even as other major categories trended down.

That pattern suggests that as businesses develop and deploy more software, weaknesses in how applications are designed, built and maintained are becoming a more prominent source of risk. It also reflects the pressure on security teams from faster development cycles and the spread of newer technologies such as AI tools.

Liam O'Shannessy, Executive Director, Security Testing & Assurance at CyberCX, said: "The Hack Report paints a picture of cyber maturity that is slowly improving for defenders, but is being rapidly outpaced by the scale of threats from attackers who are creative, determined and out-innovating defenders.

"Organisations are adopting AI systems faster than they can secure them. While AI can enhance capability and efficiency for organisations of all shapes and sizes, insecure adoption also introduces cyber risks. Half of the penetration tests we performed on AI systems and tools last year uncovered severe findings, about double the rate of our standard web application penetration tests.

"Added to this, the threat of cyber criminals using AI tools to find and exploit vulnerabilities looms ever larger. Social engineering penetration tests - which focus on human interaction rather than software vulnerabilities - found a severe vulnerability in 77% of tests. Through deepfakes, voice phishing and other techniques, AI in the hands of threat actors is actively turbocharging the effectiveness of social engineering attacks. This is a reminder that as organisations harden their technical defences, attackers will target other vulnerabilities.

"By sharing insights from more than 7,500 CyberCX offensive security engagements, our hope is that defenders and security teams will be better informed about where to focus their efforts and limited security resources to protect their organisations against a growing number of threats in a fast-evolving risk landscape."