Provided by AGP
REDWOOD CITY, Calif., May 14, 2026 (GLOBE NEWSWIRE) -- Synack, the leader in continuous security validation, today released its 2026 State of Vulnerabilities Report, an analysis of more than 11,000 exploitable vulnerabilities identified across customer environments in 2025. Synack goes beyond the capabilities of breach and attack simulators and automated scanners to target vulnerabilities that attackers can weaponize. The report reveals how the attack surface is changing, why high-impact vulnerabilities are increasing, and how leading organizations are reducing remediation time.
As AI-enabled adversaries accelerate reconnaissance and exploitation, organizations relying on periodic testing models are increasingly operating with incomplete visibility into their current risk exposure. The findings suggest the industry is beginning to respond.
In 2025, Synack customers reduced mean time to remediate (MTTR) high-severity vulnerabilities by 42 days on average, compared with 2024. Across all severity levels, average remediation time dropped by 47%, signaling a broader operational shift toward continuous security validation.
At the same time, the broader threat landscape intensified. Published CVEs increased 20% year-over-year to 48,244 in 2025, according to cve.org, while AI and LLM security missions on the Synack platform increased 120%, reflecting growing concern around AI infrastructure as a rapidly expanding attack surface.
“The rules changed in 2025, and time is now the biggest vulnerability,” said Dr. Mark Kuhr, CTO and co-founder of Synack. “The issue is no longer how many vulnerabilities exist, it’s how quickly adversaries can find and exploit them. Organizations that continuously validate security across their environment are responding faster and closing critical exposure windows earlier.”
While overall vulnerability volume remained relatively stable year over year, high CVSS vulnerabilities increased significantly. High-severity findings rose 10%, with increases in remote code execution (+39%), brute force attacks (+17.4%), and content injection (+8%). The findings point to a growing focus by attackers on identity systems, authentication boundaries, and exploit chaining—areas increasingly targeted by AI-enabled adversaries operating at machine speed.
“Stable vulnerability volume is not a sign that risk is stable,” said Angela Heindl-Schober, CMO at Synack. “The real story is the growing coverage gap between expanding attack surfaces and what organizations are actually testing. Traditional point-in-time pentests cannot keep pace with AI-driven threats. Continuous security validation is emerging as the new operating model for enterprise security.”
The report also highlights a critical industry challenge: organizations are still testing only a fraction of their environments. Synack research with Omdia found that enterprises test, on average, only about 32% of their attack surface, leaving thousands of assets outside regular security validation programs.
Key findings from the 2026 State of Vulnerabilities Report include:
The operational challenge outlined throughout the report—shrinking exploit windows across broader and more dynamic attack surfaces—is exactly why Synack developed Sara AI Pentesting.
Sara, Synack’s AI-powered pentesting capability, combines agentic AI with the expertise of the Synack Red Team to continuously validate enterprise attack surfaces at scale. Sara automates reconnaissance, attack surface mapping, and exploit exploration, while Synack’s elite human researchers validate real-world exploitability and high-impact attack paths that automation alone often misses. Together, Sara AI Pentesting and the Synack Red Team deliver continuous security validation by combining AI-driven scale with human-led exploit validation.
Where to Get the Report: Synack’s 2026 State of Vulnerabilities Report is available for download at: go.synack.com/2026-state-of-vulnerabilities-report
About Synack
Synack delivers continuous security validation through its Human + AI platform for continuous pentesting. Sara AI Pentesting, powered by the Synack Autonomous Red Agent, combines agentic AI with the Synack Red Team—the world’s most rigorously vetted community of security researchers—to help organizations proactively reduce risk, stay compliant, and stay ahead of evolving cyber threats. Sara handles reconnaissance, attack surface mapping, and initial exploit validation at scale, while human experts validate real-world exploitability and provide the creativity and judgement automation cannot replicate. Founded by former NSA operatives, Synack has enabled nearly 10 million hours of security testing to protect critical assets, from global financial systems to U.S. Defense Department networks. Synack was recognized by GigaOm’s 2025 PTaaS Radar as both a Leader and Fast Mover, and received Global InfoSec Awards for Market Leader in AI-Powered Cybersecurity and Trailblazer in PTaaS. Learn more at synack.com

Media Contact: Katy Nally, Senior Content Marketing Manager, cnally@synack.com