2025 Pentest Trends: The Rise of AI-Powered Attack Surfaces

Our annual penetration testing trends report analyzes data from over 120 engagements conducted throughout 2025. This year's findings reveal a dramatic shift in the threat landscape driven by the rapid adoption of AI and machine learning systems across enterprises.

Key Findings

  • 340% increase in AI/ML infrastructure included in pentest scope compared to 2024
  • 72% of organizations deploying LLM-based features had at least one critical prompt injection vulnerability
  • API security remains the #1 weakness — 89% of tested APIs had at least one high-severity finding
  • Cloud misconfigurations dropped 15% year-over-year, suggesting security awareness is improving
  • Supply chain attacks moved from theoretical to practical — we successfully compromised 3 targets via dependency confusion

The AI Attack Surface

The most significant trend of 2025 is the emergence of AI-specific attack vectors. Organizations are deploying LLM-powered chatbots, AI agents, and ML pipelines at unprecedented speed — often without adequate security review. Common vulnerabilities we discovered include:

  • Prompt injection — manipulating LLM outputs to bypass content filters, exfiltrate system prompts, or execute unintended actions
  • Training data poisoning — injecting malicious data into fine-tuning pipelines to create backdoors
  • Model API abuse — exploiting overly permissive model endpoints to extract proprietary data or run unauthorized inference
  • Agent autonomy exploits — leveraging AI agents' tool-use capabilities to perform unauthorized actions on connected systems

Traditional Weaknesses Persist

Despite the new AI frontier, traditional vulnerability categories continue to dominate our findings:

  • Broken access control (OWASP #1) — found in 67% of web application tests
  • Active Directory privilege escalation — successful in 83% of internal network tests
  • Credential reuse and weak passwords — still the fastest path to domain admin in most environments
  • Missing security headers and TLS misconfigurations — present in 91% of external assessments

Recommendations for 2026

Based on our findings, we recommend organizations prioritize:

  • Security review of all AI/ML deployments, especially customer-facing LLM features
  • Continuous penetration testing to keep pace with rapid deployment cycles
  • API security programs with automated scanning and manual review
  • Zero-trust architecture adoption, particularly for internal networks
  • Supply chain security tooling and dependency verification

Want the full report? Contact us to request a copy of the complete 2025 Penetration Testing Trends Report.