If 95% of your security program is a priority but only 32% of it is being tested, you don’t have a security program. You have a bet.
Here’s a sentence that should make every CISO uncomfortable: penetration testing has never been more popular, and enterprises have never been more exposed.
That’s not a contradiction. It’s the headline finding from Synack and Omdia’s 2026 State of Agentic AI in Pentesting report, released in March. The research surveyed 200 U.S. security leaders and found that 95% of organizations rank pentesting as a top priority. Sounds healthy, right? Until you read the next line: those same organizations are testing only 32% of their global attack surface, on average.
Two-thirds of the enterprise environment is going untested. And that’s the number companies are willing to admit out loud.
68% of the average enterprise attack surface is currently untested by penetration testing — even at organizations that call pentesting a top priority. (Synack/Omdia, 2026)
The compliance illusion is finally cracking
For years, the standard enterprise pentest looked like this: pick a scope narrow enough to finish in two weeks, run it once or twice a year, deliver a PDF, file it under SOC 2 evidence, and move on. The auditor was satisfied. The board was satisfied. The attackers were also satisfied — because nothing about that process slowed them down.
This is what compliance-first security looks like. It tests what the framework requires you to test, on the cadence the framework requires you to test it, and calls the rest of your environment somebody else’s problem. The 95/32 number is the receipt.
Compliance tells you what to test. Attackers don’t care about your scope document.
Frameworks like SOC 2, ISO 27001, HIPAA, NYDFS 23 NYCRR Part 500, and CMMC 2.0 all require some form of vulnerability testing. None of them require you to test everything. They require you to test something, document it, and demonstrate a process. That’s a floor, not a ceiling — but the industry has spent the last decade treating it like both.
Why the gap is 68% — and getting wider
The gap isn’t really about budget. The same Synack/Omdia data shows the deeper issue: traditional pentesting models can’t scale with the speed and complexity of modern cloud and AI-driven environments. The attack surface is growing faster than human pentesters can keep up with.
Consider what’s actually inside the average enterprise environment in 2026:
• Multi-cloud workloads spinning up and down by the hour
• APIs and microservices nobody has fully inventoried
• Shadow SaaS picked up by every department
• AI agents and LLM integrations introducing entirely new categories of risk
• Third-party integrations that quietly expand the blast radius of every breach
A point-in-time pentest scoped to last year’s architecture can’t see most of that. By the time the report lands, the environment has already changed.
Meanwhile, attackers aren’t scoping. They’re scanning continuously, automating reconnaissance, and increasingly using their own AI agents to accelerate exploitation. The defender who tests 32% of the surface twice a year is fighting a continuous war with a discontinuous defense.
The market knows. The question is who moves first.
The Synack/Omdia data shows security leaders aren’t in denial — they’re actively rebuilding:
87% of organizations have moved beyond evaluation and are actively planning, piloting, or using agentic AI for penetration testing. (Synack/Omdia, 2026)
64% prefer an agent-led, human-oversight model — combining machine scalability with human judgment. (Synack/Omdia, 2026)
Translation: the twice-a-year pentest is being quietly retired. What’s replacing it is a model where AI handles continuous breadth, humans handle creative depth, and findings flow into remediation workflows in days, not quarters.
That shift matters for one reason above all: it closes the 68% gap. You can’t scale human-only testing to cover an environment that mutates by the hour. You can scale a hybrid model. And the organizations that make this transition before their next audit cycle — not after their next breach — will be the ones still answering the boardroom’s easiest question: “Are we actually tested?”
What to do before your next board meeting
If you’re a security leader reading this, here are the three questions worth answering this quarter:
• What percentage of your actual attack surface was tested in the last 12 months? Not what was in scope — what was tested. If you can’t answer in a number, that’s the answer.
• How fast does a finding move from pentest report to remediation ticket? Continuous testing only matters if the rest of the workflow keeps up.
• Where is your pentest model going to fall apart first — cloud, APIs, or AI surface? Pick one. Start there. Don’t wait for the breach to pick for you.
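The first two questions are measurable, and measuring them honestly means comparing test records against the full asset inventory, not against the scope document. The following Python is an added example (not from the report or from Brackish.io) with constructed, hypothetical assets, dates and findings; it counts an asset as tested only if testing finished inside the 12-month window, so a scoped-but-untested asset or a 16-month-old test does not inflate the figure, and it reports the median report-to-ticket lag.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample data; asset names and dates are hypothetical.
AS_OF = date(2026, 3, 31)  # constructed "today" for the 12-month window
INVENTORY = [
    {"asset": "prod-vpc-eu", "surface": "cloud"},
    {"asset": "prod-vpc-us", "surface": "cloud"},
    {"asset": "data-lake-bucket", "surface": "cloud"},
    {"asset": "payments-api", "surface": "api"},
    {"asset": "partner-api", "surface": "api"},
    {"asset": "internal-graphql", "surface": "api"},
    {"asset": "support-chat-agent", "surface": "ai"},
    {"asset": "doc-summarizer-llm", "surface": "ai"},
    {"asset": "hr-saas", "surface": "saas"},
]
# Every entry was in the scope document; tested_on=None means never tested.
TESTS = [
    {"asset": "prod-vpc-eu", "tested_on": date(2025, 10, 15)},
    {"asset": "payments-api", "tested_on": date(2026, 1, 20)},
    {"asset": "partner-api", "tested_on": date(2025, 6, 2)},
    {"asset": "prod-vpc-us", "tested_on": date(2024, 11, 5)},  # stale: >12 months
    {"asset": "data-lake-bucket", "tested_on": None},
    {"asset": "support-chat-agent", "tested_on": None},
]
# Date a finding appeared in a report vs. date a remediation ticket existed.
FINDINGS = [
    {"reported": date(2025, 10, 15), "ticketed": date(2025, 11, 30)},
    {"reported": date(2026, 1, 20), "ticketed": date(2026, 1, 27)},
    {"reported": date(2025, 6, 2), "ticketed": date(2025, 9, 10)},
]

def coverage(inventory, tests, as_of, window_days=365):
    """Percent of the real inventory that was scoped vs. actually tested in the window."""
    cutoff = as_of - timedelta(days=window_days)
    scoped = {t["asset"] for t in tests}
    tested = {t["asset"] for t in tests if t["tested_on"] and t["tested_on"] >= cutoff}
    by_surface = {}
    for a in inventory:
        row = by_surface.setdefault(a["surface"], {"total": 0, "scoped": 0, "tested": 0})
        row["total"] += 1
        row["scoped"] += a["asset"] in scoped
        row["tested"] += a["asset"] in tested
    names = {a["asset"] for a in inventory}
    scoped_pct = round(100 * len(scoped & names) / len(names))
    tested_pct = round(100 * len(tested & names) / len(names))
    return {"scoped_pct": scoped_pct, "tested_pct": tested_pct,
            "untested_pct": 100 - tested_pct, "by_surface": by_surface}

def median_report_to_ticket_days(findings):
    return median((f["ticketed"] - f["reported"]).days for f in findings)
```

On this sample the scope document covers 67% of the inventory but only 33% was actually tested in the window, and the AI surface shows zero tested assets despite being scoped.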
Compliance frameworks set the floor. Attackers set the ceiling. The 95/32 problem is what happens when you confuse the two.
Pentesting isn’t failing because nobody believes in it. It’s failing because too many organizations believe in it the way they believed in antivirus in 2005 — as a checkbox you can run twice a year and walk away from. The ones treating it as a continuous, integrated, human-plus-AI discipline are the ones who will still be in business when the 68% gap shows up in someone else’s breach disclosure.
Test what you actually have. Test it as fast as it changes. Or accept that the only thing your last pentest proved is that you ran one.
Curious where your 32% ends and your 68% begins?
Brackish.io helps security leaders move past point-in-time pentesting and toward continuous, attacker-realistic testing across cloud, API, and AI surfaces. Talk to our team about scoping a continuous testing engagement that actually matches your environment.
