The State of Continuous Security Validation: An Early Look at the Data
We’re sharing two headline numbers as an early look at our State of Continuous Security Validation report before the full analysis lands in July. Turns out 95% of security teams discover high or critical vulnerabilities outside their scheduled testing windows—proof that cadence alone is no longer a reliable measure of coverage.
Key Takeaways
- 95% of security teams discover high or critical vulnerabilities outside their scheduled testing windows—proof that cadence alone is no longer a reliable measure of coverage.
- 79% of security leaders won't act on AI-generated findings without human validation, confirming that speed and judgment aren't interchangeable.
- Coverage is the real gap. Most programs test frequently, but high-severity issues keep surfacing between windows.
- Continuous security validation is emerging as a distinct operating model.
A few months ago we set out to answer a question we kept hearing from security leaders: In a world where attack surfaces change by the hour, is the way we validate security keeping up?
So we ran the research. The result is The State of Continuous Security Validation, a study built on what security teams are actually doing today: how often they test, what triggers testing, where coverage holds and where it quietly slips, and how the roles of AI and human expertise are shifting underneath all of it.
We’re releasing the full findings in July, so this is just a preview of two headline numbers.
Why Continuous Security Validation Can’t Wait
Most security programs have gotten faster: pipelines ship daily, cloud configurations change constantly, and new assets appear without anyone filing a ticket. But validation, the work of confirming what is actually exploitable right now, has for many teams stayed periodic, fragmented, and disconnected from how quickly their environment moves.
That gap between how fast environments change and how often they are validated is the thread running through this entire study. It’s also why “we tested this last quarter” is becoming a harder sentence to say with confidence.
Two Numbers That Define the Security Validation Gap
These are preliminary results from a survey of 97 security leaders. Stay tuned for the full analysis, which publishes in July.
- 95% of teams discover high or critical vulnerabilities outside their scheduled testing windows at least a few times a year. This is the clearest sign that cadence alone is no longer enough.
- 79% would not act on an AI-generated finding without human validation. AI brings the speed, but human expertise still confirms what is real, exploitable, and worth acting on.
What the Data Reveals About Security Validation Today
We tested a set of common assumptions about cadence, coverage, AI, and the future of pentesting. Some held up, and some had to be reframed. A few surprised us. Here’s what we can share today:
- Coverage, not cadence, is the real gap. Most teams test often, but high and critical issues keep surfacing between scheduled windows.
- AI scales, humans still decide. Teams want AI speed, but they still rely on human expertise to confirm exploitability, impact, and business context.
- Continuous security validation is becoming its own discipline. Security leaders increasingly treat it as a distinct operating model, not a feature bolted onto periodic testing.
How Continuous Security Validation Is Reshaping Security Programs
This research matters because it indicates where the market is shifting: from point-in-time testing toward continuous security validation. We believe this shift is already underway because security teams want the combination of AI speed, human judgment, and trusted researcher expertise to know what is exploitable now.
The organizations pulling ahead are not the ones generating the most findings. They are the ones who have moved from testing on a schedule to knowing their real exposure continuously.
We’re building the story across the summer, starting at Black Hat and DEF CON.
The State of Continuous Security Validation lands in July. We think it will change a few assumptions, including some of our own.
Frequently Asked Questions
Continuous security validation is the practice of continuously confirming what is actually exploitable in your environment, rather than relying on periodic snapshots. It combines AI speed with human expertise to prove which exposures are real, reachable, and worth fixing now, and to verify that remediation worked.
We surveyed 97 security leaders, including CISOs, security directors, security architects, and offensive security teams, reporting on how they test today, how much of their attack surface they validate, what triggers testing, and how they expect the model to evolve.
In July 2026, in the lead-up to Black Hat and DEF CON. The numbers shared here are a preliminary first look. The complete analysis, methodology, and reframed findings publish with the full report.
Coverage is the gap. 95% of teams discover high or critical vulnerabilities outside their scheduled testing windows at least a few times a year, which is why the current testing cadence alone is no longer enough.
The 2026 State of Vulnerabilities report focuses on vulnerability intelligence, and The 2026 State of Agentic AI in Pentesting focuses on AI pentesting adoption. This study maps the emerging operating model itself, continuous security validation, and where the market really is on the shift away from point-in-time testing.