First real-world penetration testing data on AI security flaws published in Edgescan’s 11th annual vulnerability benchmark
DUBLIN, IRELAND, April 23, 2026 /EINPresswire.com/ — AI systems are being deployed faster than they are being secured. That is among the most significant findings in the 2026 Edgescan Vulnerability Statistics Report, published today, which for the first time tracks vulnerabilities specific to large language model (LLM) deployments in production enterprise environments.
Prompt Injection — where attackers trick AI models into leaking sensitive data or executing unintended actions — now ranks among the top ten critical and high severity findings on internal enterprise systems. Jailbreak techniques, which bypass an AI model’s built-in safety controls entirely, account for 8% of complex critical-severity vulnerabilities discovered through expert-led penetration testing. These are not theoretical risks. They are appearing in real assessments, on live systems, today.
“Prompt injection is to LLMs what SQL injection was to web applications 27 years ago — a fundamental input-handling weakness,” said Eoin Keary, Founder and CEO of Edgescan. “The difference is that we have had nearly three decades to learn from SQL injection, and it is still the number one critical web vulnerability. With AI, the window to get ahead of this is now.”
The AI findings sit within a broader picture of accelerating risk. Drawing on thousands of penetration tests and security assessments conducted globally throughout 2025, the report reveals that the cybersecurity landscape is defined by growing volume, persistent backlogs, and a dangerous gap between how fast vulnerabilities are discovered and how fast they are fixed.
The numbers that matter:
• 48,185 new vulnerabilities were published in 2025 — an all-time record and an 18% increase year on year. Threat actors weaponized new flaws within hours of disclosure.
• 37% of vulnerabilities in large enterprises remained unfixed after a full year. Nearly one in five of those were high or critical severity — material risk sitting in the open.
• 210 days — the average time to remediate a vulnerability with even a 10% chance of being exploited. Nearly seven months of known exposure.
• 134 days — the average time to fix vulnerabilities with the highest likelihood of exploitation. Even the flaws attackers are most actively targeting take over four months to close.
• 55 vs. 123 days — the remediation gap between the fastest industry (software) and the slowest (construction), based on benchmarks across 14 sectors. Same threats, very different outcomes.
“We know where the vulnerabilities are. We have known for months, in some cases years. The question organizations need to answer is: why are they still open?” said Keary. “That is not a technical question. It is a leadership and capacity one.”
Download the report:
The 2026 Edgescan Vulnerability Statistics Report is available for free download.
The full report covers a landscape snapshot based on delivering 12 months of proactive security and PTaaS globally to organizations. It includes PCI DSS failure analysis, ransomware-linked vulnerabilities, CISA KEV analysis, exploit likelihood scoring, and the emerging LLM threat landscape.
About Edgescan:
Edgescan is a proactive security platform delivering Hybrid Penetration Testing that combines automation with human validation, headquartered in Dublin, Ireland, with offices in New York. The company pairs continuous automated testing with expert-led penetration testing to deliver validated, false-positive-free vulnerability intelligence across the full attack surface, including web applications, APIs, networks, mobile, and cloud. Edgescan’s data lake of over 20 million validated vulnerabilities powers its AI-driven risk prioritization. Edgescan is a contributing data partner to the Verizon Data Breach Investigations Report (DBIR), a certified PCI-ASV and a barometer for the vulnerability landscape for the past 10 years.
Notes to editors:
• Eoin Keary, Founder and CEO of Edgescan, is available for interview. To arrange, contact the media contact above.
• High-resolution graphics, charts, and data tables from the report are available on request.
• The Edgescan Vulnerability Statistics Report has been published annually since 2015. Edgescan’s dataset is a contributing source to the Verizon Data Breach Investigations Report (DBIR).
Jack McKenzie
Edgescan
+1 917-565-9530
email us here
Visit us on social media:
LinkedIn
Legal Disclaimer:
EIN Presswire provides this news content “as is” without warranty of any kind. We do not accept any responsibility or liability
for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this
article. If you have any complaints or copyright issues related to this article, kindly contact the author above.
Media gallery
