Healthcare leads in preventing serious vulnerabilities, but its risks remain unresolved longer than in most industries due to slower remediation speeds
San Francisco, September 3, 2025 – (Business Wire) – Cobalt, a pioneer in Pentest as a Service and a leader in offensive security services, today announced its State of Pentesting in Healthcare 2025 report. The report finds that although healthcare has one of the lowest rates of serious vulnerabilities, it is among the slowest industries to fix them, leaving many vulnerabilities involving sensitive data exposed for weeks or months.
Pentest Performance Benchmark
Cobalt's analysis tracked four key metrics: the frequency of serious vulnerabilities, their resolution rate, the median time to resolve (MTTR) serious vulnerabilities, and the half-life of unresolved findings (the time it takes to resolve 50% of findings). Healthcare's performance shows a mix of strengths and weaknesses.
Low rate of serious findings: Just 13.3% of healthcare pentest findings are rated “serious,” ranking sixth out of 13 industries.
Lagging resolution rate: Healthcare resolves only 57.4% of serious findings, ranking 11th out of 13 industries. By comparison, transportation led at 80.2%.
Extended resolution timeline: Healthcare's median time to resolve critical findings was 58 days, ranking 10th out of 13 industries. Hospitality led at 20 days.
Long half-life of unresolved issues: Healthcare's half-life for serious findings was 244 days, ranking 11th out of 13 industries and far behind transportation at 43 days.
These results place healthcare in the “struggling” quadrant of the comparative framework: an industry with a relatively low prevalence of serious findings but consistently slow remediation. This delay leaves vulnerabilities exposed for months, increasing compliance risk and creating dangerous entry points for attackers.
Healthcare typically meets SLA deadlines for business-critical assets
Despite slower resolution overall, most healthcare organizations manage to fix the most important issues on time. Almost 40% of healthcare SLAs require serious findings on business-critical assets to be resolved within three days, and an additional 40% require resolution within four to fourteen days. In practice, most organizations meet these deadlines:
43% resolve critical findings in 1-3 days
37% resolve them within 4-7 days
14% resolve them within 8-14 days
This shows that while healthcare backlogs accumulate in lower-priority areas, teams quickly prioritize and act when business-critical assets are at risk. Healthcare leaders also cited GenAI (71%) and third-party software (68%) as their top risks, along with concerns about data exposure, insider threats and phishing. These concerns highlight the growing complexity of the healthcare risk landscape, where GenAI, the software supply chain, and insider threats converge to challenge traditional security programs.