Across Q1 2026 we ran 280 engagements covering more than 4,100 web routes, 1,800 API endpoints, 320 mobile binaries, 540 cloud accounts, and 110 smart contracts. This report is the aggregate picture — what teams are shipping, what attackers find first, and what gaps persist year over year.
# Where the criticals came from
Of the 6,870 confirmed findings, 412 were classified as Critical (CVSS 9.0+). The distribution is not where most defensive playbooks assume it is.
- 31% — Broken authentication and session management (BOLA / IDOR variants leading)
- 24% — Business logic flaws (race conditions, multi-step state confusion, billing abuse)
- 17% — Injection (SQL still dominant; SSRF rising sharply in cloud-native stacks)
- 12% — Sensitive data exposure via misconfigured caches and observability tooling
- 9% — Server-side request forgery against internal services
- 7% — Other (XXE, deserialization, smart contract reentrancy)
Insecure direct object reference findings doubled year over year. GraphQL's permissive default exposure model and AI-generated CRUD handlers are the two leading sources.
# Time-to-fix is improving — unevenly
Median time-to-fix dropped from 38 days in Q1 2025 to 21 days in Q1 2026. The headline number hides a bimodal distribution: teams with PR-blocking gates closed criticals in a median of 4 days; teams without one closed them in 47 days.
## What made the fast-fixers fast
- Owner mapping was automatic — findings landed in the responsible team's queue without a security gatekeeper relaying them.
- Retest was a button, not a ticket. Verification happened the same day a fix shipped.
- Severity was negotiable but auditable. Disagreements got logged, not escalated indefinitely.
# Stack-level findings
## Web applications
Authentication remains the hottest surface. Modern stacks have largely solved password reuse but have introduced a new category: federated identity edge cases. OAuth misconfiguration findings rose 41% year over year, almost entirely driven by misconfigured redirect URI allowlists.
## APIs
GraphQL deployments produced 2.3x more findings per endpoint than equivalent REST surfaces. The dominant pattern: introspection enabled in production, combined with permissive resolver authorization. Mass assignment via mutations climbed back into the top five.
## Mobile
Cert pinning adoption is now north of 80% in tested apps. The new mobile attack surface is mostly client-side business logic and insecure local storage of session artifacts. iOS findings are increasingly about Keychain access group misuse.
## Cloud
IAM remains the dominant vector. The shift this quarter: federated access via OIDC trust policies — teams configured these for CI/CD and forgot to scope the trust audience, opening cross-account paths.
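As an added example (my code, not the report's), here is a Python check that parses a role trust policy and flags GitHub OIDC statements whose token subject is not pinned to a repository, which is the gap the report's sample policy below illustrates. The account id and the `example-org/example-app` repository are placeholders, and the three sample policies are constructed.

```python
import json

OIDC_HOST = "token.actions.githubusercontent.com"

def trust_policy(condition: dict) -> str:
    """Build a single-statement role trust policy for the GitHub Actions OIDC provider."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]})

# Constructed samples (placeholder account id, hypothetical repository name).
UNSCOPED_POLICY = trust_policy({"StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"}})
SCOPED_POLICY = trust_policy({
    "StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{OIDC_HOST}:sub": "repo:example-org/example-app:ref:refs/heads/main"}})
WILDCARD_POLICY = trust_policy({"StringLike": {f"{OIDC_HOST}:sub": "repo:*"}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_unscoped_oidc_statements(policy_json: str) -> list:
    """Return one message per Allow statement that lets a GitHub Actions token
    assume the role without pinning the token subject to specific repositories."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))
                or not any(p.endswith(f"oidc-provider/{OIDC_HOST}") for p in federated)):
            continue  # not a GitHub OIDC assume-role statement
        cond = stmt.get("Condition", {})
        # Collect every value bound to the token subject under the operators that can pin it.
        subs = [v for op in ("StringEquals", "StringLike", "ForAnyValue:StringEquals", "ForAnyValue:StringLike")
                for v in _as_list(cond.get(op, {}).get(f"{OIDC_HOST}:sub", []))]
        if not subs:
            findings.append(f"statement {i}: no {OIDC_HOST}:sub condition; any GitHub repo can assume this role")
        elif any(v == "*" or v.startswith("repo:*") for v in subs):
            findings.append(f"statement {i}: {OIDC_HOST}:sub is wildcard {subs!r}; not scoped to a repository")
    return findings

if __name__ == "__main__":
    for name, pol in [("unscoped", UNSCOPED_POLICY), ("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, find_unscoped_oidc_statements(pol) or "ok")
```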
```json
// Common misconfiguration found this quarter (trust policy statement; account id is a placeholder)
{
  "Effect": "Allow",
  "Principal": { "Federated": "arn:aws:iam::123:oidc-provider/token.actions.githubusercontent.com" },
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {
      // Missing 'sub' condition — any repo in any org could assume this role.
      "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
    }
  }
}
```

## Smart contracts
Reentrancy is still the headline class but only because the long tail of L2-specific issues is hard to taxonomize. Cross-chain message-passing logic was the single largest source of critical findings on contracts deployed in the last six months.
# How AI-assisted triage performed
We measured the upstream filtering layer of our own pipeline. Across 12,400 raw signals, AI-assisted scoring produced an 820-candidate pool for human review with a 94% precision against final verdict. That is up from 81% in Q1 2025 and is the main reason median triage time dropped.
# What we expect for Q2
Three predictions, from lowest to highest confidence: (1) Auth-related findings remain dominant; (2) Cloud OIDC misconfigurations become the single largest source of cross-account criticals; (3) Custom-tooling pipelines built on AI code generators surface a wave of subtle authorization bugs, a pattern similar to the early Ruby on Rails (RoR) mass-assignment days.
If your top 3 finding categories don't roughly match the distribution above, that is a signal — either your scope is unusually shaped, or your coverage has blind spots worth investigating.
Writing about modern penetration testing, continuous security, and the operational details of running offensive work at scale.