The 68% Blind Spot: Enterprises Neglect Vast Attack Surfaces, Report Finds

📊 Key Data
  • 68% Untested Attack Surface: Enterprises are only testing 32% of their global attack surface, leaving 68% exposed.
  • 95% Priority vs. 32% Coverage: While 95% of enterprises rank penetration testing as a top priority, they only test 32% of their attack surface.
  • 87% Adoption Rate: 87% of organizations are actively planning, piloting, or using agentic AI for penetration testing.
🎯 Expert Consensus

Experts agree that traditional penetration testing models are obsolete in the face of rapidly expanding digital footprints and AI-driven threats, necessitating a shift toward continuous, agent-led testing with human oversight.


REDWOOD CITY, CA – March 19, 2026 – A startling new report has exposed a critical disconnect in corporate cybersecurity, revealing that while 95% of enterprises rank penetration testing as a top priority, they are only managing to test an average of 32% of their global attack surface. This leaves a massive 68% of their digital environment—including applications, cloud infrastructure, and APIs—untested and dangerously exposed to increasingly sophisticated, AI-enabled adversaries.

The findings come from “The 2026 State of Agentic AI in Pentesting,” a new study released by the human-led, AI-powered penetration testing firm Synack and technology research group Omdia. The report, which surveyed 200 U.S. security leaders, highlights a structural failure in traditional security practices, which are proving incapable of scaling to protect the complex and rapidly expanding digital footprints of modern businesses.

This security gap is not just a statistical anomaly; it represents a vast, unmonitored territory where attackers can operate with impunity. As organizations accelerate their adoption of cloud services and AI, their attack surfaces are growing exponentially, making the periodic, manual pentesting models of the past obsolete.

A Failing Model in an AI-Driven World

The traditional approach to penetration testing, often conducted once or twice a year, is fundamentally misaligned with the continuous deployment cycles and dynamic nature of modern IT. This outdated model creates significant blind spots, leaving critical vulnerabilities undiscovered for months. The research suggests the industry has reached a breaking point, where the sheer scale of digital infrastructure has outpaced human capacity to secure it.

“This research proves the industry is ready to move beyond the twice-a-year pentest model,” said Jay Kaplan, CEO and Co-founder of Synack. “We founded Synack on the idea that security requires machine speed for breadth and human judgment for creativity. This report confirms the market is catching up to that reality. Continuous, agent-led testing with human oversight is how the modern enterprise will stay ahead of today's sophisticated threats.”

The urgency is compounded by the rapid weaponization of artificial intelligence by malicious actors. As adversaries leverage AI to automate and scale their attacks, defenders are finding themselves in an escalating arms race where legacy tools and manual methods offer little defense. The 68% untested attack surface is a direct invitation for these advanced, automated threats to find and exploit weaknesses.

The Rise of the Agentic AI Red Team

The report signals a profound shift in offensive security, moving away from manual-only efforts toward a new paradigm: agentic AI. Unlike simple automation that follows predefined scripts, agentic AI systems are autonomous, goal-driven platforms that can plan, execute, and adapt multi-step attack campaigns, mimicking the behavior of a human adversary. These AI agents can explore complex environments, chain together multiple low-severity vulnerabilities to create a high-impact breach, and provide a more realistic assessment of risk.

Crucially, the most effective model emerging is not one of full AI replacement but of human-AI collaboration. The Synack and Omdia study found that 64% of organizations prefer an “agent-led, human-oversight” approach. This hybrid model leverages AI for its immense scale, speed, and continuous coverage, while retaining human experts to provide creative problem-solving, contextual understanding, and critical ethical oversight.

“AI delivers scale and coverage, but real-world risk still requires human creativity,” added Dr. Mark Kuhr, Synack CTO and Co-founder. “By combining agentic AI with our elite Synack Red Team, we enable continuous testing that reflects how attackers actually operate.”

The market is already voting with its feet. An overwhelming 87% of organizations surveyed have moved beyond simple evaluation and are actively planning, piloting, or using agentic AI for penetration testing. Furthermore, 95% anticipate that this technology will displace traditional pentesting services, with nearly half (49%) expecting a complete or significant displacement.

The AI Security Paradox: Trust, Transparency, and Guardrails

While the adoption of agentic AI appears inevitable, its implementation is fraught with complexity. The report uncovers a fascinating paradox: while 87% of security leaders express trust in agentic AI, an even greater number—93%—insist that comprehensive guardrails and transparent decision-making are critical for its safe operation. This highlights a deep-seated need for governance and control as organizations prepare to unleash autonomous agents on their most critical systems.

Security leaders are rightfully concerned about the “black box” problem, where an AI’s reasoning is opaque, as well as the potential for unintended consequences. The call for transparency is a demand for audit trails, clear explanations of how vulnerabilities were found, and the ability to understand and validate the AI’s actions.

“The data shows a clear disconnect—security leaders know pentesting is critical, yet most of their environment remains untested,” said Angela Heindl-Schober, CMO at Synack. “That gap is redefining how organizations approach offensive security. Agentic AI is not a future concept—it's becoming the only scalable way to continuously test modern, dynamic environments.”

This tension between trust and the need for control is shaping the development of next-generation security platforms. Vendors are now being tasked not only with building powerful AI but also with engineering the safety systems, ethical frameworks, and user controls necessary to deploy it responsibly. Success will depend on balancing the autonomous power of AI with the strategic oversight that only human experts can provide.

Reshaping the CISO’s Playbook

The rise of agentic AI is set to fundamentally reshape the role of the Chief Information Security Officer (CISO) and the structure of their security programs. Faced with a persistent global cybersecurity talent shortage, CISOs see agentic AI as a powerful force multiplier, capable of automating laborious tasks and freeing up skilled analysts to focus on high-level strategy and threat hunting.

This technological shift is also influencing budget allocations. While overall security budget growth has slowed, industry data indicates a massive reallocation of funds toward AI-powered solutions. This pivot is driven by the need to do more with less and to demonstrate a clear return on investment by reducing risk more efficiently than legacy methods.

For security teams, this means an evolution of required skills. The demand is shifting from manual testers to security professionals who can manage, interpret, and govern AI systems. The CISO of the future will not only be a defender of the enterprise but also a manager of a sophisticated human-AI security workforce, responsible for setting strategic objectives for their AI counterparts and ensuring their actions align with business goals.

As organizations navigate this transition, the message from the report is clear: passivity is not an option. Closing the 68% pentesting coverage gap is becoming a defining priority for survival in an era of AI-driven threats, pushing enterprises toward a more dynamic, resilient, and continuously tested security posture.
