CyberCX finds 29% severe flaws
- CyberCX said on May 12, 2026, that 29% of its security assessments in 2025 uncovered at least one severe flaw.
- CyberCX said 77% of social-engineering penetration tests found a severe vulnerability, the highest headline rate in its 2026 Hack Report.
- CyberCX published the 2026 Hack Report on its website, drawing on 7,500 engagements for more than 1,400 customers.

CyberCX said on Tuesday, May 12, that 29% of the security assessments it performed in 2025 uncovered at least one severe finding that could have left an organization open to compromise. The Australia-based cybersecurity company said the figures were published in its 2026 Hack Report, which draws on more than 70,000 findings from over 7,500 engagements for more than 1,400 customers across three years. The report also singled out artificial intelligence systems and social-engineering exercises as areas with particularly high rates of severe weaknesses. CyberCX, which is now part of Accenture, said the data came from its Security Testing and Assurance practice.

### How big was the severe-flaw rate in CyberCX’s testing?

CyberCX said 29% of security assessments in 2025 contained at least one severe finding, down from 33% in 2023. The company described a severe finding as a vulnerability that, if identified first by a threat actor, could have led to an organization being hacked. (cybercx.com.au)

More than 70,000 findings underpin the report’s analysis, according to CyberCX. The company said that scale gave it what it called a “globally unique vantage point” into vulnerability patterns across sectors and testing types in 2026. (cybercx.com.au)

### Why did AI systems stand out in the report?

Half of all penetration tests of AI applications contained at least one severe finding, CyberCX said. The company said that rate was almost double the rate for web application penetration tests, which it described as the most common form of test in its dataset. (cybercx.com.au)

CyberCX said the higher rate in AI testing likely reflected the speed with which organizations were deploying AI tools and systems without the governance and controls already used for other technologies. That assessment was CyberCX’s explanation in the report, not an independent regulatory finding. (cybercx.com.au)

### Why were social-engineering exercises even worse?

CyberCX said 77% of social-engineering penetration tests contained a severe finding. The company said those exercises focus on human interaction rather than software vulnerabilities, and the result showed attackers could still find openings even where technical defenses had improved. (cybercx.com.au)

The report said organizations that have hardened technical controls still face risk from human behavior. CyberCX said the social-engineering results showed defenders needed to look beyond technical fixes alone. (cybercx.com.au)

### Which industries showed the highest rates of severe findings?

Manufacturing and construction, healthcare, and logistics and transport had the highest rates of severe findings, CyberCX said. Communications, media and technology, and financial services and insurance had the lowest rates in the report’s industry breakdown. (cybercx.com.au)

CyberCX said industries that rely on operational technology and heavy machinery appeared more exposed in its testing data. That characterization came from the company’s report and was tied to the sector results it published. (cybercx.com.au)

### What does the dataset cover?

The 2026 Hack Report draws on over 7,500 engagements for more than 1,400 customers over three years, according to CyberCX. The company said its Security Testing and Assurance unit includes more than 150 penetration testers across Australia, New Zealand, the United Kingdom and the United States. (cybercx.com.au)

In a separate resource page for the report, CyberCX said its team carried out more than 2,500 engagements for over 800 clients in 2024 and made 26,000 individual findings. The company used that page to describe the Hack Report as a compilation of trends from its offensive security testing work. (cybercx.com.au)

### What happens next for companies reading the report?

CyberCX has made the 2026 Hack Report available through its website and says the document is intended for security practitioners deciding where to focus limited resources. The company’s May 12 release presents the report as current guidance on AI security, social engineering exposure and industry-specific weakness patterns. (cybercx.com.au)

Accenture completed its acquisition of CyberCX on February 27, 2026, according to the report download page. Future CyberCX research and follow-up material now appears through the company’s newsroom and resource pages under the Accenture ownership structure. (cybercx.com.au 1) (cybercx.com.au 2)