
95% of Enterprises Prioritize Pentesting, Yet Only 32% of Attack Surfaces Are Tested, New Synack and Omdia Research Finds
REDWOOD CITY, Calif., March 19, 2026 /prnewswire.com/ — Synack, the leader in AI-powered penetration testing, and Omdia, a technology research firm, released a new report, “The 2026 State of Agentic AI in Pentesting,” revealing a major gap between security priorities and real-world testing coverage. While 95% of organizations rank pentesting as a top priority, they are currently testing only 32% of their global attack surface on average. The full report is available here: Download the AI pentesting report.
This massive security gap leaves 68% of the enterprise environment untested, creating significant blind spots as AI-enabled adversaries become more prevalent. The primary research study, commissioned by Synack, surveyed 200 U.S. security leaders to understand how organizations are adopting agentic AI to overcome the scalability limits of traditional, manual pentesting. This disconnect highlights a structural limitation in traditional pentesting models, which cannot scale with the speed and complexity of modern cloud and AI-driven environments.
The report signals a fundamental shift from traditional pentesting to agentic, AI-driven offensive security while maintaining a human in the loop. Learn more about agentic AI in pentesting and how organizations are evolving their security strategies.
“This research proves the industry is ready to move beyond the twice-a-year pentest model,” said Jay Kaplan, Synack CEO and Co-founder. “We founded Synack on the idea that security requires machine speed for breadth and human judgment for creativity. This report confirms the market is catching up to that reality. Continuous, agent-led testing with human oversight is how the modern enterprise will stay ahead of today’s sophisticated threats.”
Dr. Mark Kuhr, Synack CTO and Co-founder, added, “AI delivers scale and coverage, but real-world risk still requires human creativity. By combining agentic AI with our elite Synack Red Team, we enable continuous testing that reflects how attackers actually operate.”
“The data shows a clear disconnect—security leaders know pentesting is critical, yet most of their environment remains untested,” said Angela Heindl-Schober, CMO at Synack. “That gap is redefining how organizations approach offensive security. Agentic AI is not a future concept—it’s becoming the only scalable way to continuously test modern, dynamic environments.”
Key Findings from the 2026 Research
The findings underscore a growing urgency for enterprises to rethink how they approach continuous security testing:
  • 87% of organizations have moved beyond evaluation and are actively planning, piloting, or using agentic AI for penetration testing.
  • 95% of organizations anticipate that agentic AI will displace traditional pentesting services, though the degree varies: 49% expect complete or significant displacement.
  • 64% of organizations prefer an agent-led, human-oversight model, combining machine scalability with a human safety net.
  • 87% of leaders trust agentic AI, yet 93% state that comprehensive guardrails and transparent decision-making are critical for safe operation.
The report serves as a call to action for security teams aiming to improve remediation times and prove business value to leadership. By delivering a complete offensive security platform, Synack is helping CISOs transition to a dynamic, resilient security posture to match the scale and speed of the modern threat landscape. Explore additional cybersecurity insights and Synack research to learn more.
Where to Get the Report
The full report, “The 2026 State of Agentic AI in Pentesting,” is available here: Download the full report