Half of all AI penetration tests conducted by CyberCX in 2025 contained at least one severe finding. The rate for standard web application pen tests was 26%. AI systems are being deployed into production with twice the severe vulnerability rate of the technology they sit alongside.
That finding comes from the CyberCX Hack Report, released in May 2026, which analyses more than 70,000 individual findings from over 7,500 security testing engagements across 1,400 customers over three years (2023 to 2025). CyberCX’s Security Testing and Assurance practice comprises 180 penetration testers, red teamers, and offensive security specialists across Australia and New Zealand. This is a dataset of what professional attackers actually found when they tried to break in, not a survey of what organisations think about AI security.
The AI vulnerability problem is structural
The report frames the AI finding as a predictable consequence of pace outrunning governance. Jason Edelstein, CyberCX’s Global Executive Director of Security Testing and Assurance, writes in the foreword that AI systems “contain far higher rates of severe findings, suggesting that the widespread race to adopt and benefit from AI is seeing security considerations often overlooked and new risks introduced.”
The report explains why. Traditional technology development lifecycles have established patterns for embedding security: threat modelling during design, penetration testing after development but before deployment. AI development does not follow these patterns. Models move to production faster, with less pre-deployment testing, under more organisational pressure to ship. The result is that AI systems reach production at a lower security maturity than other technology platforms.
CyberCX’s offensive testing teams documented seven recurring vulnerability classes in AI systems they tested:
In-model identity and access management. AI applications frequently implement authorisation checks inside the model context rather than through application-layer controls. CyberCX found that with the right prompts, testers could overwrite the model’s understanding of who the user was and what they were allowed to access. The models had been granted excessive agency to perform actions in backend systems without applying the principle of least privilege.
Weak or missing guardrails. Guardrails designed to keep AI systems operating within defined boundaries were, in many cases, bypassable. CyberCX’s testers exploited AI systems to extract commercial or sensitive information or perform privileged actions that the guardrails were supposed to prevent.
Prompt injection. Improperly hardened model harnesses allowed testers to exploit prompt injection vulnerabilities, leading to privilege escalation, data exfiltration, and data poisoning.
Lack of content filtering. General-purpose models deployed for specialised tasks were manipulated into producing outputs including profanity, hate speech, and racist content, creating reputational risk.
System prompt exposure. Testers were able to extract system prompts from LLMs, revealing the hidden instructions that define the model’s persona, constraints, and operational guidelines. This gives attackers insight into the logic behind AI-enabled functionality.
Implicit model bias. Training data bias produced outputs reflecting gender, racial, ethnic, age, and disability bias. Models also exhibited confirmation bias, reinforcing user assumptions rather than providing balanced outputs.
Insecure adoption of new standards. Model Context Protocol (MCP) implementations were being adopted before they were enterprise-ready, creating authentication vulnerabilities where data flows bi-directionally between servers and clients without adequate security controls on both sides.
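As an added illustration of the first class above (in-model identity and excessive agency), the snippet below puts a tool-dispatch harness that trusts the role reported from the model context beside one that authorises every tool call against the application's own session and exposes only the tools that session may use. This is example code written for this page, not CyberCX's or any tested system's; the tool names, roles and session object are constructed.

```python
# Constructed tool catalogue: the minimum role each tool legitimately requires.
from dataclasses import dataclass

TOOL_REQUIRED_ROLE = {
    "lookup_order": "customer",
    "issue_refund": "agent",
    "export_customer_db": "admin",
}
ROLE_RANK = {"customer": 0, "agent": 1, "admin": 2}


@dataclass(frozen=True)
class Session:
    """Identity established by the application at login, never by the model."""
    user_id: str
    role: str


def dispatch_in_model_auth(tool_call: dict) -> str:
    """Weak pattern: the harness trusts the role the model reports from its
    context window. Whatever rewrites that context also rewrites the role."""
    required = TOOL_REQUIRED_ROLE[tool_call["tool"]]
    if ROLE_RANK[tool_call["claimed_role"]] >= ROLE_RANK[required]:
        return f"executed {tool_call['tool']}"
    return "denied"


def allowed_tools(session: Session) -> list[str]:
    """Least privilege: the tool set handed to the model is pre-filtered
    to what the authenticated session is entitled to call."""
    return sorted(t for t, r in TOOL_REQUIRED_ROLE.items()
                  if ROLE_RANK[session.role] >= ROLE_RANK[r])


def dispatch_app_layer_auth(tool_call: dict, session: Session) -> str:
    """Hardened pattern: authorisation uses the session only; any identity
    or role field the model emits is ignored. A request for a tool outside
    the allowed set is returned as a deny record the caller should log and
    alert on, since the model should never have seen that tool."""
    if tool_call["tool"] not in allowed_tools(session):
        return (f"denied: {session.user_id} ({session.role}) "
                f"requested {tool_call['tool']}")
    return f"executed {tool_call['tool']}"


if __name__ == "__main__":
    # Constructed case: a customer session whose model context now reports
    # an admin role, and a tool call the model should never have been offered.
    session = Session(user_id="u-1001", role="customer")
    call = {"tool": "export_customer_db", "claimed_role": "admin"}
    print(dispatch_in_model_auth(call))            # executed export_customer_db
    print(dispatch_app_layer_auth(call, session))  # denied: u-1001 (customer) ...
```

The deny record from the hardened dispatcher is the detection hook: a tool name that was never in the session's allowed set can only arrive through the model, which makes it a useful alert condition in production.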
The report is blunt about AI development practices: “Are organisations vibe-coding to production? Yes,” it states. “CyberCX has conducted architecture reviews and penetration tests for a significant number of systems that were built primarily by AI. Often this is by organisations that have done no internal development prior.”
The broader findings reinforce the AI picture
The AI pen test data sits within a broader dataset that tells a consistent story: organisations are improving, but too slowly.
In 2025, 29% of all security assessments contained at least one severe finding, down from 33% in 2023. Critical findings (where impacts could be catastrophic) dropped to 7.3% from 9.7% over the same period. The average improvement rate was 2.25% per year. CyberCX notes this improvement is “unlikely to be outpacing the rate at which threat actors are increasing their capabilities.”
97.5% of all severe findings had their root cause in just four categories: configuration and patch management (33.4%), identity and access management (32.1%), application and development security (21.1%), and data security and privacy (10.9%). The application security category is the one moving in the wrong direction, jumping from 14.4% of findings in 2023 to 21.1% in 2025.
The report attributes this to AI-driven development and low/no-code platforms enabling more organisations to build custom applications without the engineering security maturity to match. Insecure design drove almost 60% of severe web application vulnerabilities. These are flaws baked into the system before code is written, a vulnerability class that should be caught well before a pen test.
Social engineering: three in four tests found severe vulnerabilities
Social engineering pen tests found severe vulnerabilities 77% of the time. Active Directory assessments found them 78% of the time. DDoS assessments found them 75% of the time. These three services had the highest severe finding rates of any CyberCX offering.
The social engineering finding is relevant to every organisation, not just those with technical vulnerabilities. As organisations harden their external attack surfaces and improve patch management, attackers shift to human targets. CyberCX’s data confirms that the shift is effective: when attackers target people instead of software, they succeed three-quarters of the time.
The report includes a case study where CyberCX used AI-powered deepfake technology to clone a CEO’s voice and attempted to socially engineer the organisation’s IT support staff into granting privileged system access. In this case, the organisation had recently hardened its identity verification procedures specifically against deepfake scenarios, and the IT staff followed protocol. CyberCX was unable to achieve its objective. The report notes that most organisations have not undertaken similar reviews and “are unlikely to be as resilient against these types of attacks.”
The industry heatmap
The report breaks out severe finding rates by industry. Manufacturing and construction had the highest rate at 37.5%, followed by healthcare (36.8%), logistics and transport (35.1%), and agriculture, forestry, and fishing (34.8%). Financial services and insurance had the lowest rate at 22%.
CyberCX notes an important caveat: the financial services sector was the most impacted by actual cyber incidents in their separate Threat Report, despite having the lowest pen test severe finding rate. Financially motivated attackers choose targets based on the ability to monetise attacks, not just the prevalence of vulnerabilities.
For SAW readers tracking the APRA industry letter, the CyberCX data provides independent validation. APRA found governance controls not keeping pace with AI adoption. CyberCX found AI systems have double the severe vulnerability rate of web apps. APRA found entities relying on policy rather than enforceable controls for shadow AI. CyberCX found three in four social engineering tests succeeding. The supervisory findings and the offensive security findings point to the same conclusion.
What this means for AI governance
The CyberCX data converts abstract governance warnings into measurable security outcomes. When APRA says AI governance is falling behind, the Hack Report shows what “behind” looks like: 50% severe finding rates in AI pen tests versus 26% for web apps. When the Five Eyes agentic AI guidance warns about privilege risks and behaviour risks in AI agents, CyberCX documents the specific vulnerability classes that make those risks real: excessive agency, prompt injection, system prompt exposure, and insecure MCP implementations.
The connection to the Vercel/Context.ai breach is direct. That breach started with a consumer AI tool granted excessive permissions. CyberCX’s pen testers found the same pattern in production AI systems: models deployed without least privilege, with identity checks implemented in the model context rather than the application layer, and with guardrails that could be bypassed with the right prompts. The Vercel breach was one organisation’s bad day. The CyberCX data shows the conditions for that bad day exist across the economy.
What CISOs and security teams should do
Pen test AI systems before deployment. The 50% severe finding rate means that deploying an AI system without a pen test is accepting a coin-flip chance of a severe vulnerability in production. Threat modelling should happen during design. Pen testing should happen before go-live. The report notes that these established security patterns “are often not fit for the pace and urgency of AI development.” That is a workflow problem, not an excuse.
Treat application security as the rising risk category. The jump from 14.4% to 21.1% of findings attributable to AppSec issues is the clearest trend in the three-year dataset. As organisations get better at patching and configuration, the harder-to-fix design and development vulnerabilities become a larger share of what remains. Insecure design driving 60% of severe web app findings means the risk is introduced before code is written. Security needs to be in the design process, not bolted on after development.
Harden social engineering defences against AI-powered attacks. The 77% severe finding rate for social engineering pen tests is the headline number for every board briefing on human risk. The CyberCX deepfake case study shows that hardened identity verification procedures work. The report also shows that most organisations have not done this work. If your IT service desk does not have a defined identity verification flow that accounts for AI-cloned voices, the 77% rate applies to you.
Test AI-specific vulnerability classes. Standard pen testing methodologies do not cover prompt injection, system prompt exposure, guardrail bypass, or in-model identity abuse. AI pen testing requires specific expertise and tooling. CyberCX’s data showing AI systems at double the severe finding rate of web apps is partly a reflection of the fact that many organisations have never tested their AI systems at all.
Map findings to root causes, not just individual vulnerabilities. The report’s strongest strategic recommendation is to focus on the four root cause categories (configuration, IAM, AppSec, data security) rather than treating vulnerabilities individually. Addressing root causes eliminates entire classes of weaknesses rather than fixing them one at a time.
Vendor disclosure
CyberCX (now part of Accenture) is a cybersecurity services vendor. The Hack Report draws on data from CyberCX’s own client engagements, which means the dataset reflects organisations that invest in professional security testing rather than the broader market. Organisations that do not conduct regular pen testing are likely to have higher severe finding rates than those represented in this data. The report’s methodology is disclosed, the dataset is substantial (70,000+ findings across 7,500+ engagements), and the three-year longitudinal view provides trend context that point-in-time surveys cannot match.
Sources
- CyberCX, “Hack Report: Insights from CyberCX offensive security testing,” May 2026 (full report: 70,000+ findings, 7,500+ engagements, 1,400+ customers, 2023-2025 data, AI pen test 50% severe, web app 26%, social engineering 77%, AppSec rise 14.4% to 21.1%, industry heatmap, adversary simulation trends, AI vulnerability classes, vibe-coding observation, deepfake case study, Jason Edelstein foreword). cybercx.com.au