
The 2025 Cyberthreat Defense Report provides insights into the current state of cybersecurity across various regions and industries, highlighting trends in successful cyberattacks, ransomware dynamics, and the ongoing skills shortage in the field. Key findings indicate a plateau in the frequency of successful attacks, a decrease in organizations affected by ransomware, and an increased reliance on cybersecurity frameworks. The report aims to help IT security professionals understand their security posture and investment strategies in comparison to their peers globally.

Uploaded by Albano Mendez

2025 Cyberthreat Defense Report
North America | Europe | Asia Pacific | Latin America | Middle East | Africa

Table of Contents

Introduction (page 3)
Research Highlights (page 6)
Section 1: Current Security Posture (page 7)
  Past Frequency of Successful Cyberattacks (page 7)
  Future Likelihood of Successful Cyberattacks (page 10)
  Security Posture by IT Domain (page 12)
  Assessing IT Security Functions (page 14)
Section 2: Perceptions and Concerns (page 16)
  Concern for Cyberthreats (page 16)
  Concern for Web and Mobile Attacks (page 18)
  Responding to Ransomware (page 20)
  Barriers to Establishing Effective Defenses (page 23)
  Attack Surface Management Challenges (page 25)
  Challenges Caused by Hybrid, Multi-cloud Environments (page 27)
  Boosting Careers with Cybersecurity Certifications (page 29)
Section 3: Current and Future Investments (page 31)
  IT Security Budget Allocation (page 31)
  IT Security Budget Change (page 33)
  Top Priorities for Improving Identity Security (page 35)
  Preferences for AI in Security Products (page 37)
  Outsourcing to Managed Security Service Providers (MSSPs) (page 39)
  Network Security Deployment Status (page 41)
  Endpoint Security Deployment Status (page 43)
  Application and Data Security Deployment Status (page 45)
  Security Management and Operations Deployment Status (page 47)
Section 4: Practices and Strategies (page 49)
  Frameworks and Standards Used to Assess Cybersecurity (page 49)
  Impact of Implementing Zero Trust Network Access (ZTNA) (page 51)
  Information Regularly Reported to the Board of Directors (page 53)
  Emerging IT Security Technologies and Architectures (page 55)
The Road Ahead (page 57)
Appendix 1: Survey Demographics (page 59)
Appendix 2: Research Methodology (page 61)
Appendix 3: Research Sponsors (page 62)
Appendix 4: About CyberEdge Group (page 65)


Introduction

CyberEdge’s annual Cyberthreat Defense Report (CDR) plays a unique role in the IT security industry. Other surveys do a great job of collecting statistics on cyberattacks and data breaches and exploring the techniques of cybercriminals and other bad actors. Our mission is to provide deep insight into the minds of IT security professionals.

More than a decade after its first edition, the CDR has become a staple among IT security leaders and practitioners by helping them gauge their internal practices and security investments according to those of their counterparts across multiple countries and industries. If you want to know what your peers in IT security are thinking and doing, this is the place to look.

CyberEdge would like to thank our Silver, Gold, and Platinum research sponsors, whose continued support is essential to the success of this report.

Survey Demographics

• Responses received from 1,200 qualified IT security decision makers and practitioners
• All from organizations with more than 500 employees
• Representing 17 countries across North America, Europe, Asia Pacific, the Middle East, Latin America, and Africa
• Representing 19 industries

Top Five Insights for 2025

Our CDR reports yield dozens of actionable insights. Here are the top five takeaways from this year’s installment:

1. Have we turned the corner? The percentage of organizations experiencing at least one successful cyberattack trended upward from our 2016 CDR to the 2021 edition. So did the percentage suffering from six or more. And so did the percentage of organizations that expected to be compromised at least once in the coming year. But those three metrics essentially plateaued between 2021 and 2023 and then dropped to a lower plateau in the 2024 report and this one. It’s too early to let our guard down, but it does seem like the factors working in favor of cybersecurity teams (like large investments in cloud security during the COVID pandemic, the application of zero trust principles, a renewed interest in cybersecurity basics, and AI embedded in security products) are now matching or even outpacing the factors working for threat actors.

2. AI Is Coming Up Everywhere. Our survey has one question specifically about AI, asking respondents about the strength of their preference for purchasing security products that feature AI technologies (see page 37). But AI comes up in many places in this report: as a force helping cybersecurity teams in their work (page 8), as a factor helping threat actors (page 17), as a tool to detect fraud and foil web application and mobile attacks (page 19), as a tool to filter out false positive alerts (page 24), as a technology embedded in secure email gateways to flag abnormal behaviors (page 42), and as the driver of a long-term arms race between threat actors and cybersecurity teams (page 57). In many ways this dynamic mirrors how enterprises are starting to benefit from AI: not by acquiring “AI products,” but by leveraging AI capabilities embedded in security solutions and platforms.

3. Twists and Turns for Ransomware. It’s hard to summarize the changing dynamics of ransomware this year. After rising for a decade, the percentage of organizations affected by ransomware fell for the second year in a row (good news ☺), but average ransom demands have continued to rise (bad news ☹). The percentage of victimized organizations that paid ransoms fell (probably good news ☺), but the percentage of ransom payers who recovered their data fell (bad news ☹). If you want to know the factors we think are behind these gyrations, see pages 20-22.


4. The Never-ending Skills Shortage. The lack of experienced cybersecurity personnel has been a running theme in CDRs for years. In this report it comes up in a tie for first among factors inhibiting organizations from adequately defending themselves against cyberthreats (page 23) and as the biggest challenge for attack surface management (ASM) (page 25). Also, it turns out there is a huge demand worldwide for entry-level security fundamentals courses and certifications (see page 30), most likely because organizations that can’t find enough experienced cybersecurity professionals in the marketplace are trying to train their own. While this shortage can be a big headache for cybersecurity managers, it also has a significant benefit: it provides incentives for adding more automation and autonomous decision-making capabilities to security products. In time, these will improve security and reduce the gap between cybersecurity jobs and the people who can perform them.

5. Frameworks Are in Favor, Big Time. A few years ago, many cybersecurity professionals derided cybersecurity frameworks and standards as incomplete and perpetually lagging real-world requirements. But that has changed. We found that 97% of organizations use at least one framework or standard to assess the effectiveness and compliance of their cybersecurity program. Which frameworks and standards from organizations such as the Cloud Security Alliance, NIST, the Center for Internet Security, and ISO are preferred? Find out on pages 49 and 50.

About This Report

The CDR is the most geographically comprehensive, vendor-agnostic study of IT security decision makers and practitioners. Rather than compiling cyberthreat statistics and assessing the damage caused by data breaches, the CDR surveys the perceptions of IT security professionals, gaining insights into how they see the world.

Specifically, the CDR examines:

• The frequency of successful cyberattacks in the prior year and optimism (or pessimism) about preventing further attacks in the coming year
• The perceived impact of cyberthreats and the challenges organizations face in mitigating their risks
• The adequacy of organizations’ security postures and their internal security practices
• The organizational factors that present the most significant barriers to establishing effective cyberthreat defenses
• Current investments in security technologies and those planned for the coming year
• The health of IT security budgets and the portion of the overall IT budget they consume

By revealing these details, we hope to help IT security decision makers and practitioners gain a better understanding of how their perceptions, concerns, priorities, and defenses stack up against those of their peers around the world. IT security teams can use the CDR’s data, analyses, and findings to shape answers to many important questions, such as:

• Where do we have gaps in our cyberthreat defenses relative to other organizations?
• Have we fallen behind in our defensive strategy to the point that our organization is now the “low-hanging fruit” (i.e., likely to be targeted more often due to its relative weaknesses)?
• Are we on track with both our approach and progress in continuing to address traditional areas of concern while tackling the challenges of emerging threats?
• How does our level of spending on IT security compare to that of other organizations?
• Do other IT security practitioners think differently about cyberthreats and their defenses, and should we adjust our perspective and plans to account for these differences?

Another important objective of the CDR is to provide developers of IT security technologies and services with information they can use to better align their solutions with the concerns and requirements of potential customers. Our data can lead to better market traction and success for solution providers, along with better cyberthreat protection technologies for our resolute security professionals.


The findings of the CDR are divided into four sections:

Section 1: Current Security Posture

Our journey into the world of cyberthreat defenses begins with respondents’ assessments of the effectiveness of their organization’s investments and strategies relative to the prevailing threat landscape. They report on the frequency of successful cyberattacks, judge their organization’s security posture in specific IT domains and security functions, and provide details on the IT security skills shortage. The data will help readers begin to assess:

• Whether, to what extent, and how urgently changes are needed in their own organization
• Specific countermeasures that should be added to supplement existing defenses

Section 2: Perceptions and Concerns

In this section, our exploration of cyberthreat defenses shifts from establishing baseline security postures to determining the types of cyberthreats and obstacles to security that most concern today’s organizations. The survey respondents weigh in on the most alarming cyberthreats, barriers to establishing effective defenses, and high-profile issues such as ransomware and security for hybrid cloud environments. These appraisals will help readers think about how their own organization can best improve cyberthreat defenses going forward. We also look at how IT security training and professional certification can help enterprises address the serious shortfall in skilled IT security staff.

Section 3: Current and Future Investments

Organizations can ill afford to stand still when it comes to maintaining effective cyberthreat defenses. IT security teams must keep pace with changes occurring in business, technology, and threat landscapes. This section of the survey provides data on the direction of IT security budgets, and on current and planned investments in network security, endpoint security, application and data security, and security management and operations. Readers will be able to compare their organization’s investment decisions against the broad sample and get a sense of what “hot” technologies their peers are deploying.

Section 4: Practices and Strategies

Mitigating today’s cyberthreat risks takes more than investing in the right technologies. You must ensure those technologies are deployed optimally, configured correctly, and monitored adequately to give your organization a fighting chance to avoid being a front-page news story. In the final section of the survey our respondents provide information on how they are deploying and using leading-edge technologies and services.

Navigating This Report

We encourage you to read this report from cover to cover, as it’s chock full of useful information. But there are three other ways to navigate through this report, if you are seeking out specific topics of interest:

• Table of Contents. Each item in the Table of Contents pertains to specific survey questions. Click on any item to jump to its corresponding page.
• Research Highlights. The Research Highlights page showcases the most significant headlines of the report. Page numbers are referenced with each highlight so you can quickly learn more.
• Navigation tabs. The tabs at the top of each page are clickable, enabling you to conveniently jump to different sections of the report.

Contact Us

Do you have an idea for a new topic that you’d like us to address next year? Or would you like to learn how your organization can sponsor next year’s CDR? We’d love to hear from you! Drop us an email at research@cyberedgegroup.com.


Research Highlights

Current Security Posture

• Over the hump. The percentage of organizations experiencing a successful attack stayed a few notches below the recent peak (page 7).
• A brighter future. Expectations of future compromises fell for the fourth straight year (page 10).
• Mobile devices least safe. Among IT domains, cybersecurity teams are the least comfortable about the security posture of mobile devices (page 12).
• Doubts about defenses. Confidence in IT security capabilities slipped in 11 of 12 functional areas (page 14).

Perceptions and Concerns

• The not-so-fabulous four. Respondents are most concerned about malware, phishing, ransomware, and account takeovers – again (page 16).
• Everyone’s exposed on the web. Every major industry suffers from attacks against web and mobile applications (page 18).
• Fewer firms paying ransoms. The number of organizations victimized by ransomware that pay the ransom has fallen 22% over three years (page 20).
• To err is human. Low security awareness among employees and lack of skilled security personnel continue to undermine cybersecurity efforts (page 23).
• Surfaces count. Cybersecurity teams are paying attention to the concept of attack surfaces but must work hard to protect them (page 25).
• Cloud complexity. Organizations are struggling to cope with the challenges of defending hybrid multi-cloud environments (page 27).
• Certifications boost careers. Cybersecurity professionals see a lot of value in training and cybersecurity certifications (page 29).

Current and Future Investments

• Fair share. The percentage of IT budgets allocated to information security has held steady over the last five years (page 31).
• Budgets growing. Respondents expect their organization’s cybersecurity budget to increase a healthy 4.3% this year (page 33).
• Identity security is a thing now. Organizations outline their priorities for improving identity security this year (page 35).
• AI inside. Four out of five security teams have a moderate or strong preference for security products that feature AI technologies (page 37).
• MSSPs still popular. Most organizations outsource some security functions to MSSPs, but they are being a little more selective (page 39).
• The perimeter hasn’t disappeared. Organizations continue to invest in security products to control access to their networks (page 41).
• Signature defenses. Installations of signature-based anti-malware technology increased last year (page 43).
• App and data security standouts. Database and web application firewalls are must-haves, API protection is big, and bot management is on the radar (page 45).
• Security management must-haves. Active Directory protection, patch management, and security configuration management continue their reign as security management and operations essentials (page 47).

Practices and Strategies

• Embracing frameworks and standards. 97% of organizations use at least one framework or standard to assess the effectiveness and compliance of their cybersecurity program (page 49).
• In zero trust we trust. 86% of organizations believe that implementing zero trust network access (ZTNA) has improved their ability to defend against sophisticated threats (page 51).
• What boards need to know. Assessments of cybersecurity program maturity or effectiveness lead the list of information cybersecurity groups are presenting to their organization’s board of directors (page 53).
• New stars rising. We updated our list of emerging IT security technologies and architectures being embraced by cybersecurity teams (page 55).


Section 1: Current Security Posture

Past Frequency of Successful Cyberattacks


How many times do you estimate that your organization’s global network has been compromised
by a successful cyberattack within the past 12 months?

The bleeding has stopped. We’ve stabilized at partly cloudy. Although we can’t yet see the light at the end of the tunnel, at least it’s not getting any darker.

We haven’t found exactly the right metaphor (obviously), but if you look at Figure 1 you will get the idea.

Of the 1,200 organizations responding to our survey each year, the percentage compromised at least once by a successful cyberattack in the previous 12 months climbed fairly steadily from 75.6% in the 2016 CDR to 86.2% in 2021, plateaued for the next two surveys, then dropped to a lower plateau of 81.5% in 2024 and 81.6% this year.

The pattern for the percentage of organizations experiencing six or more successful attacks (the red bars in Figure 1) was roughly the same. It climbed from 2016 to 2021, flattening out for two years, then dropping to a significantly lower plateau for the past two reports.

Figure 2 shows a breakdown of the frequency of successful attacks for this year: just over half of organizations (53.0%) experienced between one and five, 20.8% suffered between six and 10, an unfortunate 7.9% were afflicted by more than 10, and a lucky 18.4% reported none.

However, we can’t say the patient is in perfect health, the sun is shining brightly, or we have emerged from the tunnel. The number of organizations being hit by cyberattacks is still at a high level, and with new threats emerging continuously, including those using AI, this is no time for cybersecurity professionals to let down our guard. But at least we can say that we have held the line, stanched the flood, turned the corner…okay, okay, no more metaphors.

Figure 1: Percentage of organizations experiencing at least one successful attack and those experiencing six or more. (Bar chart by report year, 2016 to 2025; series: at least one successful attack, six or more successful attacks.)

Figure 2: Frequency of successful cyberattacks in the past 12 months.

Not once: 18.4%
Between 1 and 5 times: 53.0%
Between 6 and 10 times: 20.8%
More than 10 times: 7.9%


What factors and trends account for the pattern shown in Figure 1? Negative factors from 2016 to 2021 included:

• Increasingly sophisticated attacks from cybercriminals and state-sponsored hackers
• Additional incentives for cybercrime driven by the development of new ways to monetize data breaches
• The growth of marketplaces and ecosystems on the dark web that allow threat actors to specialize, share techniques and tools, sell and rent infrastructure to each other, and create ever-larger virtual organizations

All these were capped by the COVID pandemic, which increased attack surfaces by pushing work out to poorly protected remote locations and homes.

Trends helping cybersecurity teams regain control after 2021 include:

• Remote workers returning to offices
• Benefits from the large investments in network and cloud security tools made in response to the challenges of COVID, as well as investments in the advanced technologies discussed on page 55
• The widening application of best practices encouraged by zero trust principles and mandated by frameworks from standards bodies and government agencies
• More attention to cybersecurity basics, including security hygiene, identity management, security awareness training for users, and training for cybersecurity professionals
• AI capabilities embedded in security products and services

There are some interesting variations by country and by organization size in the data on successful attacks.

For example, job stress is probably highest in the four countries where at least nine of 10 organizations experienced a successful attack in the past year: Colombia (96.9%), Turkey (93.9%), South Africa (93.7%), and Mexico (90.6%). Stress levels are probably a little lower in the five countries where the successful attack rate is under 80%: Australia (78.7%), Germany (77.5%), the United States (74.8%), Italy (72.0%), and Canada (71.7%) (see Figure 3).

Figure 3: Percentage of organizations compromised by at least one successful attack in the past 12 months, by country.

Colombia: 96.9%
Turkey: 93.9%
South Africa: 93.7%
Mexico: 90.6%
Singapore: 89.8%
Japan: 89.1%
Brazil: 87.9%
Spain: 87.8%
France: 85.9%
UK: 82.8%
Saudi Arabia: 81.2%
China: 80.9%
Australia: 78.7%
Germany: 77.5%
USA: 74.8%
Italy: 72.0%
Canada: 71.7%


Looking at size (Figure 4), there is a steady increase in successful attack percentages in organizations from the smallest represented in our survey (500-999 employees) to the second-largest category (10,000-24,999 employees). However, the rate then drops significantly when we get to the largest organizations, with at least 25,000 employees. This pattern probably reflects the fact that, although firms offer more-lucrative targets to attackers as they get larger, the very largest global organizations have the most cybersecurity specialists and invest in the most state-of-the-art defenses.

What does the future hold? We are cautiously optimistic that the slow improvements since 2021 can be maintained, provided cybersecurity teams, vendors, and standards bodies keep up their current levels of effort.

Figure 4: Percentage of organizations compromised by at least one successful attack in the past 12 months, by number of employees.

500 – 999: 76.5%
1,000 – 4,999: 81.2%
5,000 – 9,999: 84.6%
10,000 – 24,999: 87.9%
25,000 or more: 77.0%


Future Likelihood of Successful Cyberattacks


What is the likelihood that your organization’s network will become compromised
by a successful cyberattack in 2025?

In the previous section we asked our respondents to report on successful cyberattacks in the past year. In this section, we ask about the likelihood of one or more successful attacks occurring in the current year.

The pattern is roughly the same: rising, leveling out, then falling back a bit. Specifically, the percentage predicting a successful attack in the coming 12 months increased from 62.1% in 2016 to 76.1% in the 2022 CDR and has since fallen in steps to 64.0% (see Figure 5).

In fact, the percentage saying that a successful attack is “very likely” in the coming year has fallen to the lowest level since 2018 (see the red bars in Figure 5).

Clearly, the reduction in the rate of successful attacks in past years is leading our respondents to expect further reductions in the coming year. In fact, we might say that their optimism is growing even faster than their experience. Between the 2023 CDR and the current 2025 report, the percentage of organizations experiencing at least one successful cyberattack in the past year fell 3.1% (from 84.7% to 81.6%), while those saying that it’s somewhat or very likely that they would be attacked successfully in the coming year fell 7.8% (from 71.8% to 64.0%).

You may also have noticed that our respondents are optimistic in another way. If 81.6% of organizations experienced at least one compromise last year (Figure 1), as a group they might be a tad overconfident in predicting that only 64.0% will be compromised this year (Figure 5). But that’s okay; we wouldn’t want to rain on their parade. (Oops, another metaphor. Sorry.)

Figure 5: Percentage of organizations indicating that compromise by a successful cyberattack in 2025 is somewhat or very likely. (Bar chart by report year, 2016 to 2025; series: somewhat or very likely, very likely.)


One interesting detail from the comparison by country (Figure 6) is that the six countries with the highest predictions for successful attacks include the four Asia-Pacific nations in our survey: Japan (85.5%), China (82.0%), Singapore (77.1%), and Australia (70.0%).

When looking at the results by industry (Figure 7), it is interesting to note that finance and healthcare see the lowest likelihood of successful attacks (62.1% and 56.0%, respectively). We think that reflects the fact that those two sectors have made some of the largest investments in cybersecurity over the last few years.

Japan 85.5%
China 82.0%
Mexico 78.2%
Singapore 77.1%
Colombia 75.8%
Australia 70.0%
Brazil 67.6%
UK 67.4%
Canada 67.4%
Germany 66.7%
France 64.3%
Spain 62.0%
Saudi Arabia 59.2%
USA 57.4%
Turkey 52.0%
South Africa 52.0%
Italy 48.9%

Figure 6: Percentage of organizations indicating that compromise by a successful cyberattack in 2025 is somewhat or very likely, by country.

Manufacturing 75.2%
Government 68.6%
Retail 66.9%
Telecom & Technology 65.9%
Education 65.2%
Finance 62.1%
Healthcare 56.0%

Figure 7: Percentage of organizations indicating that compromise by a successful cyberattack in 2025 is somewhat or very likely, by industry.


Security Posture by IT Domain


On a scale of 1 to 5, with 5 being highest, rate your organization’s overall security posture
(ability to defend against cyberthreats) in each of the following IT components:

Cloud applications (SaaS) 4.07

Servers (physical and virtual) 4.06

Datastores (file servers, databases, SANs) 4.04

Cloud infrastructure (IaaS, PaaS) 4.02

Application program interfaces (APIs) 4.00

Desktops (PCs) 3.98

Laptops / notebooks 3.97

Network perimeter / DMZ (public web servers) 3.93

Websites and web applications 3.93

Application containers (e.g., Docker, Kubernetes) 3.90

Internet of Things (IoT) 3.90

Industrial control systems (ICS) / SCADA devices 3.88

Mobile devices (smartphones, tablets) 3.87

Figure 8: Perceived security posture by IT domain.

Cybersecurity teams need to protect many different types of devices, applications, and infrastructure components. Our survey asked respondents to rate their organization’s security posture in 13 of those domains (see Figure 8).

Overall, respondents are fairly confident about their organization’s ability to defend itself. Their ratings across the board averaged 3.97 on a scale of one to five, with five being the best possible security posture.

But they are a touch less confident than they were last year or the year before. From the 2023 report to last year’s, the security posture rating fell in 10 of the 13 categories. The change this year was similar: declines in 11 of the 13. The average rating across all categories, which we call the “Security Posture Index,” did not decrease much: by .05 and then .03 (see Figure 9). However, the trend points to nervousness among security teams that their defenses may not be keeping up with the advances made by threat actors.


Figure 9: The Security Posture Index. (Chart by survey year, 2019 to 2025.)

Respondents were most comfortable about the security of “Cloud applications (SaaS)” and nearly as comfortable with “Cloud infrastructure (IaaS, PaaS).” This reflects the fact that cloud service providers have made great strides in improving the security of their environments, in many cases by creating their own native security tools.

Organizations are also relatively confident about their security posture for servers and datastores. Most of these are mature technologies, supported by proven security tools and a body of security best practices.

Speaking of mature technologies, “Desktops (PCs)” was the one domain where the security posture rating improved from the previous report.

One area of great concern continues to be industrial control systems, which has been in the bottom position for several years. Survey respondents also consider internet of things (IoT) security to be a weak spot, which fell two places on the list to tie with application containers for third from worst.

And the IT domain where security teams are least confident? “Mobile devices (smartphones, tablets),” which also dropped two places, from third from worst to the bottom. That’s not because defenses for those devices got worse, but rather that:

‹ Phones have been storing more and more confidential business data.
‹ Threat actors have been developing new attacks against them.


Assessing IT Security Functions


On a scale of 1 to 5, with 5 being highest, rate the adequacy of your organization’s capabilities
(people and processes) in each of the following functional areas of IT security:

Identity and access management (IAM) 4.05

Incident investigation and response 4.05

Governance, risk, and compliance (GRC) 4.04

Security engineering / architecture and design 4.04

Brand protection 4.04

Cyber risk quantification and reporting 4.03

Detection of advanced / sophisticated threats 4.01

Attack surface reduction (patch management, pen testing) 4.01

Application development and testing (SDLC, DevSecOps) 4.00

Detection of rogue insiders / insider attacks 3.97

User security awareness / education 3.95

Third-party risk management (TPRM) 3.95

Figure 10: Perceived adequacy of security capabilities by functional area.

Confidence in the adequacy of defenses across functional areas of IT security fell significantly in this survey, for the second year in a row. In both years, ratings declined in 11 of the 12 categories tracked. In fact, this year confidence didn’t go up in any of the areas. The one that didn’t go down, “Brand protection,” simply remained unchanged.

As with the previous question about security posture by IT domain, we don’t think respondents are complaining that defenses got weaker. Rather, they sense that attack surfaces are getting larger and new attack techniques are developing faster.

The functional areas with the biggest declines in scores were “Cyber risk quantification and reporting (GRC),” “Detection of advanced/sophisticated threats,” and “User security awareness/education.”

Other major areas of concern are “Detection of rogue insiders/insider attacks” and “Third-party risk management (TPRM),” which were third from the bottom and tied for the bottom spot, respectively (see Figure 10).


One relatively bright spot was “Incident investigation and response,” which moved from the fifth position from the top last year to the second position this year. “Brand protection” also moved up, from eighth place to fifth.

Organizations feel most comfortable about their capabilities for “Identity and access management (IAM),” “Incident investigation and response,” “Cyber risk quantification and reporting (GRC),” “Security engineering, architecture, and design,” and “Brand protection,” all of which had average ratings of 4.04 or 4.05 on a five-point scale.


Section 2: Perceptions and Concerns

Concern for Cyberthreats


On a scale of 1 to 5, with 5 being highest, rate your overall concern for each of the
following types of cyberthreats targeting your organization.

Malware (viruses, worms, Trojans) 3.92

Phishing / spear-phishing attacks 3.87

Ransomware 3.83

Account takeover / credential abuse attacks 3.79

Denial of service (DoS/DDoS) attacks 3.74

Advanced persistent threats (APTs) / targeted attacks 3.74

Web application attacks (SQL injections, cross-site scripting) 3.71

Insider threats / data exfiltration by employees 3.68

Attacks on brand and reputation in social media and on the web 3.64

Drive-by downloads / watering hole attacks 3.63

Supply chain threats 3.62


Zero-day attacks (against publicly unknown vulnerabilities) 3.59

Figure 11: Relative concern for cyberthreats.

The threats doing the most to cause sleepless nights are not going to surprise you. Our leading nightmares are malware (with a score of 3.92 on a scale of 1 to 5), phishing (3.87), ransomware (3.83), “Account takeover and credential abuse attacks” (3.79), “Denial of service (DoS/DDoS) attacks” (3.74), and “Advanced persistent threats (APTs)/targeted attacks” (also 3.74). These are the same top six as last year, in exactly the same order, except for ransomware and ATO switching places in the third and fourth positions. These are the cyberthreats most directly connected with data breaches and extortion, i.e., the threats that produce the biggest monetary returns for adversaries.

The bottom (relatively least concerning) end of the list also changed very little over the past few years. The leaders there are “Attacks on brand and reputation in social media and on the web” (3.64), “Drive-by downloads/watering-hole attacks” (3.63), “Supply chain threats” (3.62), and “Zero-day attacks (against publicly unknown vulnerabilities)” (3.59).


We are a little surprised to see respondents so sanguine about supply chain threats, since there were some very visible supply chain attacks in 2024, including a number associated with security and network security tools. Perhaps cybersecurity teams feel that enough controls are in place to blunt these attacks. Or perhaps there is a bit of a “that’s not my problem” attitude, since the primary responsibility to prevent supply chain security issues may fall on the teams buying and managing infrastructure and on third-party risk management groups, rather than cybersecurity groups.

What is the big picture? You can see it in Figure 12, which shows CyberEdge’s Threat Concern Index. This is an average of the scores for the 12 cyberthreat types included in this section. The overall concern for cyberthreats fell significantly between the 2022 and 2024 surveys, but plateaued this year. We think the earlier improvement reflects the return of workers to offices, increased investment by organizations in AI and other advanced security technologies, and the widespread implementation of zero trust frameworks. However, it may be that organizations are seeing diminishing returns from investments in those areas and are perhaps becoming more worried about the dangers of threat actors doing more to capitalize on AI and deepfakes.

Figure 12: Threat Concern Index, depicting overall concern for cyberthreats. (Chart by survey year, 2016 to 2025.)


Concern for Web and Mobile Attacks


Which of the following attacks on your web and mobile applications are most concerning?
(Select up to three.)

Account takeover / credential stuffing attacks 46.2%

Personally identifiable information (PII) harvesting 45.7%

Carding / payment fraud attacks 38.9%

Digital skimming / Magecart attacks 27.8%

Ad fraud 22.5%

Denial of inventory attacks 17.5%

Hoarding attacks 15.2%

Figure 13: Most-concerning web and mobile application attacks.

Today, who doesn’t conduct business on the web? What forward-looking enterprise that deals with customers, clients, or constituents doesn’t offer a mobile app to make it easy? The answer to both questions: only a vanishingly small number of organizations don’t perform transactions or share confidential information either on websites or through apps. And everyone knows that websites and phones can be crime scenes and staging grounds for fraud.

Web and mobile application attacks menace every enterprise that transacts business on the web and through mobile apps. Financial institutions and retailers can lose substantial sums to online fraud.

But these attacks can affect every organization that handles customer, client, or constituent data. Threat actors employ web and mobile application attacks to steal credentials and personal information, which they can then use to impersonate victims to carry out data breaches, identity theft, and other crimes. The problem is made worse when people reuse the same passwords for multiple personal and work accounts.

That’s why our survey asks respondents to select the three web and mobile application attacks that most concern them (see Figure 13).


The most serious threats in this category, each highlighted by almost half of the respondents, were “Account takeover (ATO) and credential stuffing” attacks (46.2%) and “Personally identifiable information (PII) harvesting” (45.7%). These attacks use stolen or leaked passwords and email addresses to impersonate customers and other legitimate users to drain money or valuable data out of web and mobile applications.

The other two leading banes of internet transactions are (a) “Carding/payment fraud attacks” (38.9%) and (b) “Digital skimming/Magecart attacks” (27.8%). These attacks use a variety of technical and social engineering techniques to capture and leverage numbers, names, and security codes from credit cards and other payment vehicles.

Cybersecurity and fraud prevention teams are working hard to foil web and mobile application attacks. They are widening the use of biometrics and multi-factor authentication (MFA) to more and more customer- and client-facing applications, and using behavioral analysis (now powered by AI) to detect impersonation and fraud. They are also educating consumers and customers on how to create (and never reuse) strong passwords, avoid falling for social engineering techniques, and take sensible precautions when using payment cards.

Sadly, these efforts are barely holding the line, if that. Concerns about all our “top four” web and mobile attacks increased over the past year.

Let’s go back to the questions at the beginning of this section about who isn’t affected by web and mobile application attacks. The answer is: 9.1% of organizations. The other 90.9% are affected by one or more (see Figure 14).

When we break down the data by industry, some might be surprised to find that technology and manufacturing companies are affected even more than finance and retail firms (see Figure 15). But that just testifies to the fact that today, the vast majority of organizations in almost every industry transact business and share sensitive information through websites and phones.

Affected 90.9%
Not affected 9.1%

Figure 14: Organizations affected by a web or mobile application attack.

Telecom & Technology 95.0%
Manufacturing 93.1%
Finance 91.0%
Education 90.1%
Retail 89.2%
Healthcare 85.3%
Government 81.7%

Figure 15: Organizations affected by a web or mobile application attack, by industry.


Responding to Ransomware
If victimized by ransomware in the past 12 months, did your organization pay a ransom
(using Bitcoins or other anonymous currency) to recover data?

Figure 16: Percentage of organizations victimized by ransomware. (Chart by survey year, 2018 to 2025.)

The percentage of organizations affected by ransomware fell for the second year in a row, reversing the trend of the previous decade. The decline of 10.1% over two years is quite significant (see Figure 16).

The factors behind this substantial decrease include:

‹ Aggressive actions by government and law enforcement agencies to pursue ransomware gangs around the globe and to take down the infrastructure they use (or rent to other criminals)
‹ Better defenses against some of the tools and techniques used to distribute and activate ransomware
‹ Fewer victimized organizations paying ransoms (discussed below), which reduces the financial returns and incentives for ransomware gangs

Government and law enforcement efforts are now truly global. Major actions against participants in ransomware activities in 2024 took place across Africa, Asia, Europe, North America, and South America (so far, ransomware has not been a major problem in Antarctica).

International coordination and cooperation have advanced significantly, as illustrated by the activities of the 68 nations participating in the International Counter Ransomware Initiative (CRI), now in its fifth year. That organization has declared a “joint commitment to develop collective resilience to ransomware, support members if they are faced with a ransomware attack, pursue the actors responsible for ransomware attacks and not allow safe haven for these actors...and forge international partnerships so we are collectively better equipped to counter the scourge of ransomware.” (Source of quotation: International Counter Ransomware Initiative 2024 Joint Statement.)

However, the reduction in the number of organizations victimized by ransomware has been partially offset by a trend toward targeting larger enterprises that can afford larger ransom payments. According to ransomware experts at Coveware, the average (mean) ransom payment has been trending upward for several years (see Figure 17).

Figure 17: Average ransom payments by quarter (data source: Coveware Quarterly Ransomware Reports). (Chart by quarter, Q1’22 to Q4’24.)

Another very striking finding from our data is that the percentage of organizations that were affected by ransomware and actually paid a ransom fell a full 10% over the last year, from 50.7% to 40.7%. It is now an astonishing 22.2% below the peak of 62.9% in our 2022 CDR (see Figure 18).

Figure 18: Percentage of victimized organizations paying ransoms. (Chart by survey year, 2018 to 2025.)


The reasons for this trend include:

‹ More reliable and attack-resistant backup and recovery methods
‹ Increasing doubts about the inclination and even the ability of ransomware gangs to provide effective decryption tools, and to honor their promises not to reveal exfiltrated data (in other words, doubts that paying a ransom will produce any results)
‹ The refusal of some cyber insurance companies to cover ransom payments (although the policies may still cover costs related to losses from ransomware attacks)
‹ A growing number of laws prohibiting ransom payments to some classes of cybercriminals and groups associated with terrorist organizations, and governments strongly discouraging ransom payments to anyone

Regarding this last bullet, the attitude of many governments and law enforcement agencies is moving steadily toward the famous declaration: “Millions for defense, but not one cent for tribute” (referring to resisting both demands for ransoms by Barbary pirates and requests for bribes by government officials).

The data in Figure 19 supports the idea mentioned above: that paying a ransom may not produce any results, either in terms of getting back encrypted data or dissuading criminals from disclosing stolen information. Only slightly more than half (54.3%) of the organizations that pay ransoms are successfully recovering their data. That’s down from 72.7% two years ago.

Figure 19: Percentage of ransom payers that recovered data. (Chart by survey year, 2018 to 2025.)


Barriers to Establishing Effective Defenses


On a scale of 1 to 5, with 5 being highest, rate how each of the following inhibit your organization
from adequately defending itself against cyberthreats.

Low security awareness among employees 3.55

Lack of skilled personnel 3.55

Too much data to analyze 3.44


Poor integration/interoperability between security solutions 3.42

Lack of effective solutions available in the market 3.41

Lack of contextual information from security tools 3.40

Poor/insufficient automation of threat detection and response processes 3.39

Lack of management support/awareness 3.36

Lack of budget 3.34

Too many false positives 3.30

Figure 20: Inhibitors to establishing effective defenses against cyberthreats.

Why haven’t we (the cybersecurity community) been able to crush cybercrime and frustrate hostile nation-state actors? With all our experience and technology, why are we having to work so hard just to stay in the same place relative to our adversaries? What’s holding us back?

We ask every year, and this is what we learned from the latest feedback.

Two inhibiting factors have traded places at the top of the list for many years now, and in this survey they ended in a tie for first. “Low security awareness among employees” and “Lack of skilled personnel” both came in at 3.55 on our scale of 1 to 5, with 5 being the biggest barrier to success (see Figure 20).

This result reinforces the idea that in cybersecurity, as in so many other areas of business and life, people challenges trump technology issues every time. Without doubt, although computers speed up every year, people don’t (and some days we suspect they are getting slower). But the data serves as a reminder that we should be investing more in educating end users and training our cybersecurity teams.


With significantly lower scores, but still high on our list of barriers to success, are “Too much data to analyze” (3.44), “Poor integration/interoperability between security solutions” (3.42), and “Lack of effective solutions available in the market” (3.41).

Looking toward the bottom of the list, it is somewhat reassuring to see that “Lack of management support/awareness” and “Lack of budget” are viewed as lesser issues. It implies that at least we have the backing of our bosses.

It is interesting that “Too many false positives” is now rated as the least serious inhibitor. This indicates progress in our ability to scan security data and filter out false positives. Undoubtedly, AI has played a role in this improvement.

Our Security Concern Index averages the ratings of all the inhibitors to provide a reading on the overall feeling of cybersecurity professionals toward factors that get in the way of success. As Figure 21 shows, there has been little change from last year. This finding aligns with some of the other data showing that right now, cybersecurity teams are pretty much keeping up with their challenges, neither pulling farther ahead nor falling farther behind.

Figure 21: The Security Concern Index, representing the average rating of security inhibitors. (Chart by survey year, 2016 to 2025.)


Attack Surface Management Challenges


What are the biggest challenges pertaining to attack surface management (ASM) within your
organization? (Select up to five.)

Lack of adequate personnel 35.1%

Poor integration between existing security tools 33.9%

Insufficient testing for web application vulnerabilities 33.7%

Lack of visibility into cloud assets 32.8%

Inability to detect security misconfigurations 31.8%

Inability to detect identity-related risks 30.2%

Limited means to prioritize patching and remediation 28.4%

Inadequate penetration testing 26.8%

Lack of visibility into on-premises assets 25.7%

Figure 22: Biggest challenges pertaining to attack surface management.

The concept of an attack surface, the combination of all areas where adversaries can try to enter or cause an effect on a computing environment, has been around for some time. But we noticed recently that cybersecurity practitioners and vendors have been paying more attention to the idea that attack surfaces should be systematically studied and hardened. This has given rise to the discipline of “attack surface management” (ASM), which includes elements of vulnerability scanning, penetration testing, security hygiene, and risk management.

This topic is particularly important because:

‹ Attack surfaces are getting much larger, for example, because sensitive data that used to be stored in a few databases and file servers in corporate headquarters is now scattered across multiple SaaS applications, cloud platforms, hosted services, home offices, and remote devices.
‹ Some cybersecurity experts now suggest that organizations should think in terms of having multiple attack surfaces with different characteristics, versus one extremely large one.


Examples of attack surfaces that can be said to exist within the same organization are a software attack surface, a cloud attack surface, a network attack surface, a physical (or device) attack surface, a social media attack surface, an identity attack surface, and a human attack surface.

Given the importance of the topic, we added a question to this year’s survey about the five biggest challenges each organization faces pertaining to attack surface management.

The challenge mentioned most often: “Lack of adequate personnel,” cited by 35.1% of respondents. No surprise there: the cybersecurity skills shortage is a running theme throughout this survey.

Just behind lack of adequate personnel is “Poor integration between existing security tools” (33.9%). Because attack surfaces are so broad and have so many facets, organizations are forced to use multiple tools to track different areas. That makes it hard to see patterns and to determine priorities for remediation across functional silos. The idea of attack surface management platforms that integrate and combine tools is starting to emerge to help security teams address this challenge.

Third on the list is “Insufficient testing for web application vulnerabilities” (33.7%). Because web applications are now being distributed across multiple cloud and data center systems, detecting security issues can be especially tricky. If you want to drill down in this area, just turn to the next page and see what our respondents have to say about challenges caused by having hybrid multi-cloud environments.

The next three challenges are “Lack of visibility into cloud assets” (32.8%), “Inability to detect security misconfigurations” (31.8%), and “Inability to detect identity-related risks” (30.2%).

Clearly this is an area with a very diverse set of security requirements, not all of which can be addressed at once. It will be interesting to see how the discipline of attack surface management evolves.

In the meantime, to validate that the need is real, we found that only 7.9% of respondents say their organization doesn’t have any attack surface management challenges (see Figure 23).

Organizations that have ASM challenges 92.1%

Organizations that don't have any ASM challenges 7.9%

Figure 23: Organizations that have challenges related to attack surface management.


Challenges Caused by Hybrid Multi-cloud Environments


What are the biggest challenges to your organization caused by having a hybrid multi-cloud
environment (that is, an environment that includes on-premises systems and two or more
cloud platforms)? (Select up to five.)

Detecting unsanctioned applications / cloud shadow IT 39.2%

Monitoring security events across environments 37.1%

Managing identities and access control 34.7%


Applying security policies consistently across environments 34.6%

Securing automated development operations processes (DevSecOps) 33.5%

Configuring and protecting administrative accounts 29.8%

Protecting workloads in containers 28.8%

Protecting APIs 28.5%


Correlating information across environments for incident response 28.3%

Orchestrating security processes across environments 27.6%

Figure 24: Biggest challenges caused by having a hybrid multi-cloud environment.

As we noted in the previous section and elsewhere in this report, enterprise attack surfaces are expanding and diversifying. One of the main reasons is that applications and data are now, to use a technical term, “all over the place.”

Today, most organizations of any size are operating in hybrid multi-cloud environments. That means cybersecurity teams must monitor and protect applications and data residing on systems inside their own data centers, in the hosting facilities of SaaS application vendors, and on multiple cloud platforms hosted by cloud service providers such as Amazon (Amazon Web Services or AWS), Google (Google Cloud Platform or GCP), Microsoft (Microsoft Azure), and IBM (IBM Cloud).

In this year’s survey, we decided to ask what aspects of working in a hybrid multi-cloud environment are most problematic for cybersecurity teams.

As it turns out, the issue cited most often is “Detecting unsanctioned applications/cloud shadow IT,” selected as one of the top five challenges by 39.2% of the respondents (see Figure 24). It has been easy for individual employees and departments to subscribe to unauthorized online applications and services with below-standard security and to store sensitive data and confidential documents there. Cybersecurity teams are playing catch-up trying to discover and remediate these breaches of policy.


Not surprisingly, another of the most serious challenges is “Monitoring security events across environments” (37.1%). Most computing environments and platforms have their own management, monitoring, and security tools that don’t share information well with each other. As cross-platform tools are introduced and standards for sharing data and processes between environments are developed, these issues will become less important, but that will take time.

The challenge rated third biggest is “Managing identities and access control” (34.7%). Today, a typical individual using multiple platforms may have accounts with different usernames and credentials on each of them. Cybersecurity and identity teams may have no idea they all belong to one person. They may implement special monitoring and controls in some environments for a “privileged user” like an IT systems administrator or a top executive, but fail to take the same precautions in others. When people leave the organization, administrators may not disable all their accounts, leaving some available to be taken over and abused by attackers. Identity management issues are becoming increasingly serious with the proliferation of non-human identities (NHIs) for hardware devices and software workloads.

The fourth challenge on the list is “Applying security policies consistently across environments” (34.6%). Today, cybersecurity managers would like to ensure that zero trust policies such as continuous, adaptive authentication and the principle of least privilege (PoLP) are enforced consistently across environments. Users expect roughly similar processes for creating accounts, authenticating to applications, managing credentials, reporting phishing messages, and so forth. But the more platforms users touch, the harder it is to provide consistency in these areas.

We don’t have the space here to review all the challenges listed in Figure 24, but it is worth noting how many domains they cross. Besides the ones discussed above, they include secure application development, security for containerized workloads and services, protection for APIs, and security orchestration, automation, and response (SOAR).

One other observation: today, almost everyone (94.6% of organizations with at least 500 employees, to be precise) has a hybrid multi-cloud environment (see Figure 25). Although you might expect smaller companies to be late adopters in this area, that hasn’t been the case. Figure 26 shows that organizations with 500-999 employees are working in multi-cloud environments at almost exactly the same rate as larger entities.

Organizations that have a hybrid multi-cloud environment 94.6%

Organizations that don't have a hybrid multi-cloud environment 5.4%

Figure 25: Organizations that have a hybrid multi-cloud environment.

500 – 999 94.1%

1,000 – 4,999 93.1%

5,000 – 9,999 96.6%

10,000 – 24,999 98.7%

25,000 or more 91.2%

Figure 26: Organizations that have a hybrid multi-cloud environment, by number of employees.


Boosting Careers with Cybersecurity Certifications


Based on your organization’s current climate, which of the following types of
cybersecurity certifications do you believe would be most beneficial to your career path?
(Select up to three.)

Security management 44.1%

Security engineering 36.2%

Entry-level security fundamentals 33.2%

Cloud security 29.7%

Advanced security practices and principles 26.2%

Security architecture 25.0%

Security administration 24.9%

Governance, risk, and compliance (GRC) 22.5%

Secure software development lifecycle 14.7%

Figure 27: Types of cybersecurity certifications most beneficial to career paths.

Cybersecurity professionals only remain effective as long as they stay current on evolving threats and the latest defenses. Opportunities for interesting work, increased compensation, and advancement may depend on demonstrating knowledge and competence in “hot” domains. Moreover, most cybersecurity team members enjoy learning about the latest technologies and techniques used by both evildoers and good guys.

For these reasons, ongoing cybersecurity training and education in general, and professional certifications in particular, make security professionals both more effective (minimizing risks and reducing costs) and happier on the job (decreasing staff turnover and retaining key skills).

But what types of cybersecurity certifications do cybersecurity team members perceive as most beneficial for their careers?


The top choice is “Security management” (selected by 44.1% of respondents), which covers management and leadership skills for cybersecurity team leaders up to CISOs. Courses typically enroll people with established technical skills and educate them in areas such as planning and cybersecurity program management, alignment of security with organizational priorities, and team leadership. These days, when cybersecurity groups regularly interact with top executives and boards of directors, security management curriculums often include discussions of communicating upward to executives and outward to peers in other business functions.

Coming next on the list is “Security engineering” (36.2%). Certification programs in that area focus on applying engineering principles and processes to areas like project planning and management, security systems design, technical procurement, and security operations management. Security engineering programs are particularly popular with people who are, or aspire to be, security or systems engineers or analysts.

But not all certification programs are for established security professionals or specialists. The third most often cited certification type is “Entry-level security fundamentals.” Because of the severe shortage of cybersecurity professionals (see page 23), many organizations seek to bring intelligent people into the field through a combination of structured and on-the-job training.

In fact, “Entry-level security fundamentals” certifications were selected more often than any other certification type in nine of the 17 countries covered in our survey:

‹ Brazil
‹ China
‹ Colombia
‹ France
‹ Germany
‹ Mexico
‹ Saudi Arabia
‹ Spain
‹ Turkey

Certifications in “Cloud security” are also in demand (29.7%). This reflects the continuing migration of application workloads and data to cloud platforms and services and the need to master new skills and cloud-native security tools.

The other types of certifications listed in Figure 27 are also in demand, although not quite as widely. That’s because most of them provide knowledge in areas that draw fewer (although usually very dedicated) practitioners, such as security architecture, security administration, and secure software development.


Section 3: Current and Future Investments

IT Security Budget Allocation


What percentage of your employer’s IT budget is allocated to information security
(e.g., products, services, personnel)?

Do you (information technology department) still love us (cybersecurity)?

You proclaim that we are a top priority. But are you backing that up with hard currency – is the percentage of your funding allocated to us rising or falling?

As we can see from Figure 28, the upward trend has flattened out.

But we’re okay with that. IT budgets have been rising substantially, so just keeping the same allocation means our budgets have been rising nicely too (see the next section of this report). And we know that cybersecurity budgets jumped in the 2020-2021 timeframe to cope with increasing security needs related to the COVID pandemic and the work-at-home explosion. So we can’t complain that our allocation has remained steady or dropped just a bit when those pressures abated.

But how does your specific organization compare with all the others out there? Let’s look at Figure 29. If the percentage of the IT budget going to cybersecurity falls in the 6% - 15% range, then you are comfortably close to the average. If the allocation is greater than 16%, IT and cybersecurity have a great relationship. If it’s 5% or less, somebody needs counseling.

2018 mean 12.1%

2020 mean 12.8%

2025 mean 12.7%

Figure 28: Percentage of IT budget allocated to security.

Percentage of IT budget spent on security 1%–5% 6%–10% 11%–15% 16%–20% >20%


Percentage of organizations 13.3% 30.0% 27.4% 20.6% 8.6%

Figure 29: Percentage of organizations at different levels of allocation.


We can also take into account the data shown in Figure 30. In a few countries (South Africa, Colombia, Brazil, China), the average allocation is more than 14%. In a few others (Japan, Singapore, Germany), the average is 11% or less.

Although variations across industries are much less, the numbers in Figure 31 are also interesting. The percentage of the IT budget allocated to cybersecurity is highest in telecom and technology (14.0%) and finance (13.9%), and lowest in government (12.0%) and manufacturing (11.4%).

South Africa 16.2%

Colombia 15.2%

Brazil 15.0%

China 14.2%

Australia 13.6%

USA 13.3%

Mexico 13.1%

Saudi Arabia 12.8%

France 12.7%

Turkey 12.4%

UK 12.2%

Canada 12.1%

Italy 11.7%

Spain 11.2%

Japan 11.0%

Singapore 10.8%

Germany 9.8%

Figure 30: Percentage of IT budget allocated to security, by country.

Telecom & Technology 14.0%

Finance 13.9%

Healthcare 12.9%

Education 12.8%

Retail 12.1%

Government 12.0%

Manufacturing 11.4%

Figure 31: Percentage of IT budget allocated to security, by industry.


IT Security Budget Change


Do you expect your employer’s overall IT security budget to increase or decrease in 2025?

2016 74.1%

2017 76.0%

2018 78.7%

2019 83.5%

2020 85.4%

2021 77.8%

2022 83.2%

2023 87.7%

2024 88.7%

2025 80.2%

Figure 32: Percentage of organizations with rising IT security budgets.

Although economic growth and corporate profits across the world have been uneven, IT security budgets have continued to grow. As shown in Figure 32, four out of five organizations expect their security budgets to increase this year. That’s down slightly from last year, when almost nine out of 10 respondents predicted an increase, but it still demonstrates that organizations are continuing to invest in improving their security postures.

Another way of looking at the data is that only 6.5% of organizations expect their budgets to go down this year, while 13.4% predict they will stay about equal.


On average, IT security budgets are expected to increase 4.3% this year (see Figure 33). That is a bit off from last year’s record high of 5.7%, but still quite healthy, thank you very much.

2018 4.7%

2019 4.9%

2020 5.0%

2021 4.0%

2022 4.6%

2023 5.3%

2024 5.7%

2025 4.3%

Figure 33: Mean annual increase in IT security budgets.

Figure 34 shows a breakdown of the size of budget increases for IT security groups that expect one. (This chart excludes groups that anticipate equal or lower budgets.) As in past years, the sweet spot among organizations expecting budget growth is an increase of between 5% and 9%.

Increase by 10% or more: 2022 16.4%, 2023 15.5%, 2024 19.9%, 2025 13.9%

Increase by 5% – 9%: 2022 45.8%, 2023 55.3%, 2024 54.8%, 2025 45.9%

Increase by less than 5%: 2022 21.0%, 2023 16.9%, 2024 14.0%, 2025 20.4%

Figure 34: Breakdown of annual increase of IT security budgets (excludes organizations expecting declining or flat budgets).

There are significant differences in expected budget changes across industries (see Figure 35). Manufacturing, retail, and healthcare organizations anticipate gains of 4.9%, 4.7%, and 4.5%, respectively, while finance, government, and education have more modest expectations of 3.6%, 3.4%, and 3.1%.

Manufacturing 4.9%

Retail 4.7%

Healthcare 4.5%

Telecom & Technology 4.2%

Finance 3.6%

Government 3.4%

Education 3.1%

Figure 35: Mean IT security budget increase, by industry.


Top Priorities for Improving Identity Security


What are your organization’s top priorities in the next 12 months for improving
identity security? (Select up to five.)

Detect and respond to identity-related threats 41.1%

Strengthen identity governance and administration (IGA) 37.7%


Improve identity hygiene (remove vulnerabilities and misconfigurations in identity management systems) 37.2%

Strengthen access controls on privileged accounts 36.9%

Extend multi-factor authentication (MFA) to more users 36.1%

Detect and remediate accounts that are overprivileged, inactive, or unnecessarily shared 35.6%

Improve management of machine/non-human identities (identities of devices and software workloads) 35.1%

Provide secure remote access to more remote employees, suppliers, and/or vendors 34.6%

Extend the use of step-up authentication with MFA for high-risk activities 31.3%

Identify “shadow administrators” (unmanaged identities used to access cloud services) 28.3%

Figure 36: Top priorities for improving identity security.

Identity security has long been a cornerstone of cybersecurity, ensuring that the right people have the right access to the right assets. It focuses on protecting accounts, sensitive data, and mission-critical assets by leveraging policies, processes, and tools that govern identity authentication and authorization.

However, in the last few years, identity security has become more difficult and more important.

More difficult because:

‹ User accounts, credentials, and critical assets are now scattered across more applications, devices, and computing environments.
‹ The number of user accounts and non-human identities (NHIs) has exploded.
‹ Identities and credentials continue to be targeted, stolen, and used by a growing number of threat actors.


More important because:

‹ Secure identities are central to zero trust security, which relies on identities for all access decisions and must ensure that users can only reach the assets they need to do their jobs and only at the moment they need them (i.e., enforcing the principle of least privilege).
‹ Industry frameworks and compliance standards increasingly require identity security controls such as MFA and dynamic risk assessments based in part on identity information.
‹ Many organizations depend on identity-specific information to deliver “frictionless” services to some customers but limit access to others.

To examine some of the impact of these factors, we asked respondents to select up to five of their organization’s top priorities for improving identity security over the next 12 months (see Figure 36).

The priority selected most often, by 41.4% of the respondents, is “Detect and respond to identity-related threats.” This certainly makes sense, since threat actors are increasingly relying on stolen identities and credentials to launch a wide variety of attacks.

The second item on the list is “Strengthen identity governance and administration (IGA)” (37.7%). IGA is mostly concerned with managing identity lifecycles efficiently and in complete alignment with corporate and security policies. Strengthening and automating IGA processes such as identity provisioning and de-provisioning improve security and compliance. They also allow administrators to spend more time on strategic projects and less on routine tasks.

Just behind strengthening IGA comes the goal of improving identity hygiene (37.2%). Identity hygiene involves eliminating vulnerabilities and misconfigurations in identity management systems. This is critical because threat actors have recognized that if they can compromise user directories and other elements of the identity infrastructure, they can impersonate users, compromise their accounts, grant themselves additional permissions (privilege escalation), and freely traverse applications and systems (lateral movement) without being observed.

Strengthening access controls on privileged accounts (36.9%) involves putting better monitoring and more defenses around the activities of users who have the most privileges (and if compromised, could do the most damage). These users include top executives who work with business-critical assets like financial accounts and confidential information and IT system administrators who manage (and can potentially modify or disable) key business and technical processes.

Other key priorities include extending the enforcement of MFA to more users (often to comply with regulations), identifying and remediating risky accounts that could be leveraged by attackers, and creating identities for software workloads and devices so their access to other systems can be managed (e.g., you don’t want that new security tool or device to suddenly start reaching into your customer database).

Is this growing interest in identity security widespread? The answer is clearly “yes!” As illustrated in Figure 37, more than 98% of organizations plan to improve identity security in at least one area during the coming year.

Organizations with plans to improve identity security in at least one area 98.1%

Organizations with no plans to improve identity security in at least one area 1.9%

Figure 37: Organizations planning to improve identity security in at least one area.


Preferences for AI in Security Products


Select the option that best describes your organization’s overall preference for purchasing
security products that feature artificial intelligence (AI) technologies.

Unless you’ve been living in a cave without internet connectivity (and why would you, since today you can live in a cave with internet connectivity), you know that AI will soon be everywhere.

But do cybersecurity professionals believe that AI is ready to deliver value in the context of security? Are they looking for AI-based capabilities when they evaluate security tools?

Well, more than four out of five (82.1%) have a moderate or strong preference for security products that feature AI technologies. Only 5.6% say they have no preference (see Figure 38).

However, the strength of preferences does vary by country and industry (see Figures 39 and 40). Mexican respondents were unanimous in having at least a moderate preference, while residents of the United States, Italy, Germany, and Canada are more skeptical about AI. Cybersecurity professionals at telecom and technology companies and finance firms are significantly more enthusiastic than those at educational institutions and healthcare companies.

No preference 5.6%

Slight preference 12.3%

Moderate preference 46.9%

Strong preference 35.2%

Figure 38: Preference for AI in security products.

Mexico 100.0%

Saudi Arabia 94.0%

Singapore 93.9%

Turkey 93.8%

Brazil 88.2%

South Africa 88.0%

China 84.0%

Australia 84.0%

UK 82.8%

Spain 82.0%

Colombia 81.8%

France 81.4%

Japan 80.0%

USA 78.6%

Italy 76.0%

Germany 76.0%

Canada 63.2%

Figure 39: Moderate or strong preference for AI in security tools, by country.


The last time we asked this question was in the 2021 CDR, and it’s interesting to note that preferences haven’t changed much since then (see Figure 41). In fact, 5.3% fewer respondents in the latest survey say they have a strong preference, although that decline is partially offset by a 2.1% increase in those who say they have a moderate preference.

Isn’t that counterintuitive, given that AI features in security products are much more common now than they were four years ago? We think these results reflect the fact that AI is now expected to be utilized in security tools, rather than just hoped for. You can afford to have a moderate preference if you are pretty sure you are going to get what you want as a matter of course, rather than having to seek it out.

Telecom & Technology 94.4%

Finance 86.6%

Manufacturing 82.0%

Government 80.0%

Retail 77.4%

Education 72.1%

Healthcare 72.0%

Figure 40: Moderate or strong preference for AI in security tools, by industry.

No preference: 2021 3.2%, 2025 5.6%

Slight preference: 2021 11.6%, 2025 12.3%

Moderate preference: 2021 44.8%, 2025 45.9%

Strong preference: 2021 40.5%, 2025 35.2%

Figure 41: Preferences for AI in security products, 2025 compared to 2021.


Outsourcing to Managed Security Service Providers (MSSPs)


Which of the following IT security functions does your organization outsource to a
managed security service provider (MSSP)? (Select all that apply)

Detecting and responding to advanced cyberthreats/managed detection and response (MDR): 2022 41.1%, 2025 41.1%

Monitoring/managing SIEM platforms: 2022 41.1%, 2025 36.5%

Monitoring/managing intrusion detection/prevention systems (IDS/IPS): 2022 38.3%, 2025 36.5%

Monitoring/managing secure web/email gateways (SWG/SEG): 2022 37.5%, 2025 34.4%

Monitoring/managing web application firewalls (WAFs): 2022 39.1%, 2025 34.1%

Monitoring/managing firewalls or UTMs: 2022 36.8%, 2025 34.1%

Managing vulnerability scans: 2022 33.3%, 2025 33.4%

Mitigating distributed denial of service (DDoS) attacks: 2022 36.6%, 2025 30.9%

Figure 42: IT security functions outsourced to an MSSP in 2022 and 2025.

As you have probably noticed, the shortage of experienced cybersecurity professionals is a running theme in this report (see pages 23, 25, and 29). One obvious solution is to outsource security activities to managed security service providers (MSSPs). But MSSPs aren’t ideal in all situations. In fact, they are most widely used for tasks that:

‹ Are labor intensive
‹ Can be automated and performed remotely
‹ Are generic across industries and do not require a detailed knowledge of an organization’s unique business processes or technology

So, what IT security functions do organizations outsource to MSSPs most often? Figure 42 compares respondents’ answers in 2022 and 2025.


The leading response in both years was “Detecting and responding to advanced cyberthreats/managed detection and response.” This is a classic example of a service that is very labor intensive, but includes tasks that can be automated and performed remotely, such as triaging alerts, notifying affected parties, and initiating containment actions.

The next five functions all involve monitoring and managing security tools: SIEM platforms, intrusion protection systems, web and email gateways, and various types of firewalls. Since the tools are generic across industries (although they may require some industry knowledge for tuning), it often makes sense to hire an MSSP that already knows the product inside and out rather than training an internal specialist. This dynamic seems to have held steady over time: the ordering of the different outsourced functions didn’t change much between 2022 and 2025.

However, the number of organizations subscribing declined by several percentage points for six of the eight services included in the survey. At first glance, this might imply that there has been a significant pullback in outsourcing to MSSPs. However, as shown in Figure 43, the percentage of organizations not working at all with MSSPs declined slightly from 6.8% in 2022 to 10.3% in 2025. So it seems that rather than rejecting the use of MSSPs, some organizations are just using them more selectively.

At one time it was thought that outsourcing to MSSPs would be most attractive to smaller organizations that could not afford specialists in every area of security. However, the data in Figure 44 shows that is not the case now. The percentage of organizations working with MSSPs is essentially the same for those with 500-999 employees, those with 10,000-24,999 employees, and everyone in between. The usage of MSSPs only drops off for the largest organizations: those with at least 25,000 employees.

| | 2022 | 2025 |
|---|---|---|
| Organizations NOT working with an MSSP | 6.8% | 10.3% |
| Organizations working with an MSSP | 93.2% | 89.7% |

Figure 43: Organizations not working with an MSSP in 2022 and 2025.

| Employees | Working with an MSSP |
|---|---|
| 500 – 999 | 90.7% |
| 1,000 – 4,999 | 89.3% |
| 5,000 – 9,999 | 91.4% |
| 10,000 – 24,999 | 90.8% |
| 25,000 or more | 85.1% |

Figure 44: Organizations working with MSSPs, by employees.


Network Security Deployment Status


Which of the following network security technologies are currently in use or planned
for acquisition (within 12 months) by your organization?

| Technology | Currently in use | Planned for acquisition | No plans |
|---|---|---|---|
| Secure email gateway (SEG) | 58.4% | 27.8% | 13.7% |
| Intrusion detection / prevention system (IDS/IPS) | 57.2% | 32.0% | 10.8% |
| Network access control (NAC) | 56.7% | 33.2% | 10.2% |
| Secure web gateway (SWG) | 56.4% | 31.0% | 12.5% |
| Data loss / leak prevention (DLP) | 55.4% | 33.7% | 10.9% |
| Advanced threat prevention (sandboxing, ML/AI) | 50.9% | 37.3% | 11.8% |
| Denial of service (DoS/DDoS) prevention | 49.9% | 34.4% | 15.7% |
| SSL/TLS decryption appliances / platform | 49.6% | 36.3% | 14.1% |
| Next-generation firewall (NGFW) | 44.0% | 41.8% | 14.2% |
| Network behavior analysis (NBA) / NetFlow analysis | 42.8% | 37.3% | 19.9% |
| Deception technology / distributed honeypots | 36.6% | 39.6% | 23.9% |

Table 1: Network security technologies in use and planned for acquisition.

You might have heard that “data is the new perimeter,” or “applications are the new perimeter,” or “identities are the new perimeter,” or “there is no more perimeter.” Well, our almost-blind reliance on the old (network) perimeter may be gone, but that doesn’t mean the network perimeter doesn’t still exist or isn’t an excellent place to position defenses.

In reality, a huge number of attacks are blocked every day at entry points to networks. So are attempts to exfiltrate data and intellectual property. Also, monitoring activity on the network is crucial to detecting nascent and ongoing attacks.

For these reasons, cybersecurity teams can benefit from knowing the network security technologies their peers are relying on today and the ones they plan to implement in the future.

Table 1 shows what percentage of organizations currently use each of 11 core network security technologies and how many plan to acquire solutions of that kind.

The first five rows in Table 1 are what we might call the “war horses” of network security: secure email gateways (SEGs), intrusion detection and prevention systems (IDS/IPS), network access control (NAC) products, secure web gateways (SWGs), and data loss (or leak) prevention (DLP) solutions. All of these are in production in at least 55% of organizations.


These five were the leading five in the last CDR, too, but the order has changed. SEGs moved to the top spot for installations from third place. NAC moved from fifth to third place. SWGs dropped from first place to fourth.

Why are these five so widely used?

SEGs scan incoming (and sometimes outgoing) email traffic to identify and block emails with suspicious links, malicious content, or dangerous attachments. The technology keeps evolving and now typically incorporates AI and threat intelligence capabilities to help it recognize suspicious deviations from norms and content associated with attacks on other organizations, among other enhancements. It is in use in 58.4% of enterprises, an increase of 1.7% from last year’s survey.

IDS/IPS products continue to be core defenses. They are used to detect a wide range of activities associated with intrusions. Installations rose slightly last year, reaching 57.2%.

NAC ensures users can’t log onto the corporate network unless they meet certain conditions, such as using a known device running up-to-date endpoint protection products.

SWGs monitor web traffic to screen out malicious content and dangerous attachments. They also help incident response and forensic teams identify where web-based attacks originated and how they entered the network.

DLP focuses on preventing sensitive information from leaving the network. That is critical for two security use cases:

‹ Preventing threat actors from exfiltrating compromised data and files
‹ Blocking employees and other insiders from sending confidential information to outside locations where it might be vulnerable

What network security technologies are most often planned for acquisition over the next 12 months? Next-generation firewall (NGFW) was cited most often (41.8%), followed by deception technology/distributed honeypots at 39.6%. Deception solutions create fake computing environments, including simulated user accounts, servers, applications, databases, and file stores. They also track the actions of threat actors in the simulated environment, revealing their tactics, techniques, and procedures (TTPs).

Next: endpoint security technologies in use and planned for acquisition (page 43).


Endpoint Security Deployment Status


Which of the following endpoint security technologies are currently in use or planned
for acquisition (within 12 months) by your organization?

| Technology | Currently in use | Planned for acquisition | No plans |
|---|---|---|---|
| Basic anti-virus / anti-malware (threat signatures) | 73.9% | 21.0% | 5.1% |
| Data loss / leak prevention (DLP) | 56.8% | 32.2% | 11.0% |
| Disk encryption | 56.5% | 32.3% | 11.2% |
| Endpoint detection and response (EDR) | 54.5% | 32.8% | 12.7% |
| EPP / Advanced anti-virus / anti-malware (machine learning, behavior monitoring, sandboxing) | 54.3% | 35.0% | 10.7% |
| Browser or Internet isolation / micro-virtualization | 53.4% | 33.0% | 13.5% |
| Digital forensics / incident resolution | 46.5% | 36.6% | 16.9% |
| Deception technology / honeypot | 38.6% | 40.7% | 20.7% |

Table 2: Endpoint technologies in use and planned for acquisition.

Signature-based anti-malware technology is not dead! It might be taking a different form, though.

Not dead, because installations rose 3.6% over the past year, from 70.3% to 73.9%, making it by far the most widely installed endpoint technology in our survey (see Table 2).

But perhaps not in the same form: we suspect that the reported growth comes from signature-based anti-malware capabilities in endpoint security packages, rather than from standalone anti-virus and anti-malware products. Still, it’s worth noting that there doesn’t seem to be a mass movement to leave signatures behind and rely entirely on behavioral analysis and AI pattern recognition.

The second most frequently installed endpoint security technology remains the same as last year: endpoint DLP. Products in this field examine outgoing files and flag, or simply block, items that contain words, phrases, and numbers that suggest sensitive information, including intellectual property and financial account numbers. They can take actions such as blocking outgoing files or encrypting them before transmission. Endpoint DLP is currently installed at 56.8% of organizations, down 2.3% from the previous survey.

Another entry in the “it’s definitely not dead” category is disk encryption, which jumped from sixth place in last year’s survey to third place in this one. Its installation rate is 56.5%, only slightly behind DLP.


Endpoint detection and response (EDR) and endpoint protection platform (EPP) technologies each dropped one spot in the list, but remain popular, being installed in 54.5% and 54.3% of organizations, respectively. EDR solutions monitor endpoints to detect malware and events associated with attacks. EPP solutions usually include EDR features plus additional capabilities to help incident responders and threat hunters analyze what threat actors have been doing.

The last technology installed in more than half of organizations (53.4%) is “Browser or internet isolation/micro-virtualization.” This technology involves running browser or application sessions in an isolated space so users can work as usual but attackers have no way of accessing their computers or mobile devices.

In the “planned for acquisition” column, the leaders are deception technology/honeypot and digital forensics. Respondents at 40.7% and 36.6% of organizations say these are planned for the coming year.

Next: application and data security (page 45).


Application and Data Security Deployment Status


Which of the following application- and data-centric security technologies are currently
in use or planned for acquisition (within 12 months) by your organization?

| Technology | Currently in use | Planned for acquisition | No plans |
|---|---|---|---|
| Database firewall | 66.4% | 23.2% | 10.4% |
| Web application firewall (WAF) | 63.1% | 28.0% | 8.9% |
| API gateway / protection | 62.6% | 29.5% | 7.9% |
| Database activity monitoring (DAM) | 56.6% | 30.1% | 13.3% |
| Application container security tools / platform | 55.5% | 34.8% | 9.7% |
| Cloud access security broker (CASB) | 52.6% | 32.4% | 15.0% |
| File integrity / activity monitoring (FIM/FAM) | 50.0% | 35.6% | 14.4% |
| Runtime application self-protection (RASP) | 47.7% | 35.0% | 17.3% |
| Application delivery controller (ADC) | 47.5% | 36.0% | 16.5% |
| Static / dynamic / interactive application security testing (SAST/DAST/IAST) | 45.5% | 37.4% | 17.1% |
| Third party code analysis | 42.3% | 35.0% | 22.7% |
| Bot Management | 37.4% | 40.5% | 22.1% |

Table 3: Application and data security technologies in use and planned for acquisition.

The same six application and data security technologies headed up our list of must-haves in both the last survey and this one. What stands out is that the “currently in use” percentage increased for every one of them over the year. In fact, it increased for 11 of the 12 technologies in this category. The only exception was application delivery controller (ADC) technology, which declined slightly.

Database firewall and web application firewall (WAF) technologies reached installation rates of 66.4% and 63.1%, respectively. Those numbers are up 6.3% and 7.7% from two surveys ago, indicating a major surge of interest in monitoring and protecting individual databases and web applications. Besides being good security, this trend may also reflect the emergence of the data security posture (DSP) and application security posture (ASP) concepts, which involve ongoing measurement and systematic improvement in security capabilities in those two spheres (see page 57 in “The Road Ahead” section).


API protection continues to be a hot topic. As organizations develop and deploy additional modular, cloud-based applications that communicate with other applications and cloud services through APIs, threat actors are targeting those interfaces more often. API gateway and protection technologies are now installed in 62.6% of organizations.

The next three application and data security technologies, in terms of installations, are database activity monitoring (DAM), application container security tools and platforms, and cloud access security brokers (CASBs). These are currently in use in 56.6%, 55.5%, and 52.6% of organizations.

Bot management lags in installations (37.4%) but rates the highest in this technology category for planned acquisitions (40.5%). Organizations want to be able to control traffic from bots because they are often used to launch ransomware, spam, and DDoS attacks, among others.

Application security testing technology, in its static, dynamic, and interactive flavors (SAST, DAST, and IAST), is similarly near the bottom of Table 3 for “currently in use” (45.5%), but strong in the “planned for acquisition” column (37.4%).

We now turn to our final table in this survey, which covers current use and planned acquisition of security management and operations technologies (page 47).


Security Management and Operations Deployment Status


Which of the following security management and operations technologies are currently
in use or planned for acquisition (within 12 months) by your organization?

| Technology | Currently in use | Planned for acquisition | No plans |
|---|---|---|---|
| Active Directory protection | 57.5% | 29.9% | 12.6% |
| Patch management | 55.8% | 30.8% | 13.4% |
| Security configuration management (SCM) | 55.5% | 31.8% | 12.7% |
| Cyber risk quantification / scorecard | 55.4% | 32.7% | 11.9% |
| Vulnerability assessment / management (VA/VM) | 53.8% | 33.9% | 12.3% |
| Security information and event management (SIEM) | 53.7% | 35.5% | 10.8% |
| Penetration testing / attack simulation software | 50.0% | 35.3% | 14.7% |
| Threat intelligence platform (TIP) or service | 46.8% | 37.7% | 15.5% |
| Advanced security analytics (e.g., with machine learning, AI) | 46.6% | 42.0% | 11.4% |
| Full-packet capture and analysis | 45.1% | 37.9% | 17.0% |
| Security orchestration, automation and response (SOAR) | 44.5% | 39.1% | 16.4% |
| User and entity behavior analytics (UEBA) | 44.5% | 37.6% | 17.9% |

Table 4: Security management and operations technologies in use and planned for acquisition.

For the fourth year in a row, Active Directory protection is at the top of our security management and operations technology table. It is currently in use in 57.5% of organizations (see Table 4). Active Directory is the enterprise directory in the center of the identity security infrastructure for many enterprises. Many threat actors are targeting it because compromising Active Directory would give them access to identity information and credentials of all kinds, and potentially the ability to impersonate privileged users, escalate privileges at will, and move laterally throughout corporate networks. Directory services are also critical for managing non-human identities. These include identities assigned to software and hardware entities such as application workloads, IoT devices, and industrial control systems. Directories also provide role and permission information to support zero trust security.


Patch management will probably never go out of style. It is a bedrock function of IT operations and security teams. Unfortunately, it usually involves painfully time-consuming and generally unrewarding tasks, which is why many organizations would like to automate patch management processes. It’s also the reason that 55.8% have installed one or more patch management products.

In third place is security configuration management (SCM) technology. Installed in 55.5% of organizations, SCM helps security teams manage security applications and devices and document that they are enforcing regulatory requirements and company policies. It not only helps organizations keep security configurations straight, but it also gives them the power to deploy configuration changes quickly across the enterprise.

Other security management and operations technologies in use in more than half of organizations are cyber risk quantification/scorecard (55.4%), vulnerability assessment/management (VA/VM) (53.8%), security information and event management (SIEM) (53.7%), and penetration testing/attack simulation software (50.0%).

What is on the security management and operations shopping list for 2025? The top items planned for acquisition are advanced security analytics (42.0%), security orchestration, automation and response (SOAR) solutions (39.1%), full packet capture and analysis (37.9%), and threat intelligence platforms (TIPs) or services (37.7%).


Section 4: Practices and Strategies

Frameworks and Standards Used to Assess Cybersecurity


Which frameworks and standards does your organization use to assess the effectiveness
and compliance of your cybersecurity program? (Select all that apply.)

| Framework or standard | Respondents |
|---|---|
| Cloud Security Alliance’s (CSA) Cloud Control Matrix (CCM) | 43.2% |
| NIST cybersecurity framework (CSF) | 34.0% |
| Cybersecurity Maturity Model Certification (CMMC) 2.0 | 34.0% |
| Center for Internet Security (CIS) Control Framework | 33.9% |
| NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) | 32.0% |
| ISO/IEC 27001/27002 | 30.3% |
| Service Organization Control Type 2 (SOC2) framework | 27.9% |
| Control Objectives for Information and related Technology (COBIT) | 27.6% |
| NIST SP 800-171 (Protecting Controlled Unclassified Information) | 25.3% |
| HITRUST’s Common Security Framework (CSF) | 21.4% |

Figure 45: Frameworks and standards organizations use to assess cybersecurity programs.

A few years ago, it was not uncommon for cybersecurity professionals to be unenthusiastic or even hostile regarding frameworks and standards promulgated by government agencies and industry standards bodies. They were dismissed as incomplete, lagging behind the latest threats and solutions, and victims of lowest common denominator groupthink. They reminded some experts of the old saying that “a camel is a horse that was designed by a committee.”

How the tide (and the camel) have turned! Today, the great majority of cybersecurity groups are using one or more frameworks or standards to define best practices, set priorities, guide investments in staff and technologies, and assess the effectiveness and compliance of their organizations.

Why the about-face? Partly because what were formerly recommended controls and suggested best practices have become mandatory, as governments and standards bodies respond to demands that organizations do more to protect the public from cybercrime, espionage, and other forms of aggression. Partly because governments and businesses have invested time and resources improving the completeness, quality, and timeliness of the standards documents so they represent genuine best practices drawn from the experiences of cybersecurity practitioners and experts. And partly for practical considerations, such as qualifying for cyber insurance policies and providing cover in the event of breaches and lawsuits (“It’s not our fault, your honor, we complied with the standards.”)


But which standards and frameworks are being used most by cybersecurity programs? We added a new question to this year’s CDR to find out (see Figure 45).

One caution about the data. Our sample is somewhat weighted toward North American and European organizations. That may slightly exaggerate interest in frameworks endorsed by U.S. government agencies, such as those related to NIST and HIPAA/HITRUST. But we think the results are still broadly valid.

The framework most often cited by our respondents (43.2% of them) is the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM), which articulates 197 control objectives across 17 security domains related to cloud platforms and services. One of the strategies of the CSA is to map its controls to other prominent standards, such as those published by NIST, ISO, and PCI. This allows organizations to use a “secure once, comply many” approach where, by satisfying one set of requirements, they can document compliance (or near-compliance) with several others.

NIST (the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce) is extremely influential. It has three different frameworks on our list, including the NIST cybersecurity framework (CSF), cited by 34.0% of respondents, and SP 800-53, with security and privacy controls required for U.S. federal agencies (32.0%). Although most NIST frameworks and standards are only mandatory for U.S. government agencies and defense companies, they are perceived as quite comprehensive and very valuable by enterprises in many industries.

The Cybersecurity Maturity Model Certification (CMMC) (also 34.0%) is a framework specifically designed to assess compliance with a variety of NIST frameworks. Although it is intended for defense contractors in the United States, organizations in other sectors have also found CMMC to be a good tool for assessing the maturity and effectiveness of their cybersecurity programs.

The other framework near the top of our list is the Center for Internet Security (CIS) Control Framework (33.9%). It provides a prioritized set of best practices to defend against common attack vehicles such as malware, ransomware, web application hacking, insider attacks, and targeted intrusions.

We said earlier that “the great majority” of cybersecurity groups are using frameworks and standards like these. How much is that? As shown in Figure 46, 97.1% are using at least one framework or standard in some fashion.

| | Share of organizations |
|---|---|
| Organizations that use at least one of these frameworks and standards | 97.1% |
| Organizations that use none of these frameworks and standards | 2.9% |

Figure 46: Organizations that use at least one framework or standard to assess their cybersecurity program.


Impact of Implementing Zero Trust Network Access (ZTNA)


Describe your agreement with the following statement: “Implementing zero trust network
access (ZTNA) in our organization has significantly improved our security posture and our
ability to defend against sophisticated threats.”

“Zero trust” may be the most popular two words in cybersecurity today. Cybersecurity websites, newsletters, and blogs, not to mention courses and conferences, are full of “zero trust network access,” “zero trust principles,” “zero trust frameworks,” “zero trust models,” “zero trust architectures,” “zero trust strategies,” “zero trust solutions,” “zero trust platforms,” “zero trust this,” “zero trust that,” and “zero trust the other.”

But are cybersecurity organizations just giving lip service to the latest fad, or is this zero trust thing producing results?

We asked our respondents to describe their agreement with the statement: “Implementing zero trust network access (ZTNA) in our organization has significantly improved our security posture and our ability to defend against sophisticated threats.”

And what do you know: zero trust is real! Over half of the respondents (50.8%) somewhat agree with that statement, and another third or so (34.9%) strongly agree. Only 3.0% somewhat or strongly disagree, and 11.4% won’t commit themselves to a position.

These figures are consistent with the fact that zero trust principles have been absorbed into many frameworks and standards. They have also helped turn security concepts like MFA, continuous adaptive authentication, privileged access management (PAM), and micro-segmentation from nice-to-haves to must-haves.

| Response | Respondents |
|---|---|
| Strongly agree | 34.9% |
| Somewhat agree | 50.8% |
| Neither agree or disagree | 11.4% |
| Somewhat or strongly disagree | 3.0% |

Figure 47: Agreement that implementing ZTNA has significantly improved the organization's ability to defend against sophisticated threats.


We also gave respondents an option to select “We do not embrace ZTNA in our organization” (which they could only answer if they did not agree, disagree, or say that they neither agreed nor disagreed with our statement). As Figure 48 shows, there is a whole lot of embracing of zero trust (98% or more) in some countries (Turkey, Mexico, Japan, Singapore, and Australia), but not quite such universal enthusiasm (less than 90%) in a few other countries (Saudi Arabia, Colombia, and Canada).

| Country | Organizations implementing ZTNA |
|---|---|
| Turkey | 100.0% |
| Mexico | 100.0% |
| Japan | 100.0% |
| Singapore | 98.0% |
| Australia | 98.0% |
| Spain | 96.0% |
| France | 96.0% |
| South Africa | 96.0% |
| Germany | 95.9% |
| Brazil | 94.1% |
| Italy | 94.0% |
| China | 94.0% |
| UK | 93.9% |
| USA | 92.1% |
| Saudi Arabia | 89.6% |
| Colombia | 87.9% |
| Canada | 87.5% |

Figure 48: Organizations implementing ZTNA, by country.


Information Regularly Reported to the Board of Directors


What types of information are most important to present to your organization’s
board of directors on a regular basis? (Select up to five.)

| Type of information | Respondents |
|---|---|
| Overall assessment of the cybersecurity program maturity or effectiveness | 42.9% |
| Quantified estimates of the costs of attacks (ransomware, data breaches, DDoS attacks, etc.) | 40.9% |
| Assessments of the threat landscape and specific threats | 37.6% |
| Progress complying with specific security and privacy standards or regulations | 35.9% |
| Measurements of employee cybersecurity training and awareness | 35.8% |
| Business justifications for proposed investments in cybersecurity staff and technologies | 35.6% |
| Incident preparedness and business continuity plans | 34.8% |
| Incident reporting statistics | 33.7% |
| Third-party and supply chain risks | 28.7% |
| Benchmarks against peer organizations | 22.5% |

Figure 49: Information most important to present regularly to the board of directors.

In previous surveys, we found that IT security leaders are interacting with members of their board of directors more often and in more ways than in the past (2023 CDR) and that more than half of boards (62.2%) have at least one member with a cybersecurity background that helps them understand security issues and educate non-technical members (2024 CDR).

This year we decided to dig deeper into what kinds of information IT security leaders are presenting to their board of directors (see Figure 49).

The type of information presented most often (selected by 42.9%) is “Overall assessment of the cybersecurity program maturity or effectiveness.” This is a very business-savvy approach to communicating with boards. Not all board members can understand technical metrics or appreciate ingenious methods of discovering and remediating the latest malware. But any good manager can grasp the importance of getting better at what you’re doing, and why it is important to fund cybersecurity so your program doesn’t slip backward. A variety of available frameworks, maturity models, and tools for assessing the effectiveness of security programs provide scales or numerical scores to quantify current levels of effectiveness and track progress over time.


The second type of information on the list is “Quantified estimates of the costs of attacks (ransomware, data breaches, DDoS attacks, etc.)” (40.9%). Again, this reflects IT security leaders’ recognition that they need to talk the language of business: dollars (or euros, yuan, yen, pounds, etc.). If you are going to ask for more money to fight, say, phishing attacks, you need to say what they are costing you or potentially could.

The next three types of information presented to boards are: “Assessments of the threat landscape and specific threats” (37.6%), “Progress complying with specific security and privacy standards or regulations” (35.9%), and “Measurements of employee cybersecurity training and awareness” (35.8%). These topics show that boards are receptive to information about some of the key details that cybersecurity teams deal with every day.

We were a little surprised to see “Benchmarks against peer organizations” in last place on this list (22.5%). Peer benchmarks, like program assessments, are easy to understand: “We are ahead of our peers in A, B, and C, and although still behind in D and E, we are catching up.” Perhaps we will see greater use of them over time.


Emerging IT Security Technologies and Architectures


Describe your organization’s deployment plans for each of the following emerging
IT security technologies/architectures.

| Technology / architecture | Currently in production | Implementation in progress | Implementation to begin soon | No plans |
|---|---|---|---|---|
| Identity threat detection and response (ITDR) | 45.4% | 31.9% | 14.4% | 8.3% |
| Internet of things (IoT) security | 43.9% | 31.0% | 15.9% | 9.2% |
| SaaS security posture management (SSPM) | 41.3% | 36.1% | 13.8% | 8.9% |
| Cloud-native application protection platform (CNAPP) | 40.1% | 32.6% | 18.6% | 8.6% |
| Cloud infrastructure entitlement management (CIEM) | 38.0% | 36.6% | 14.7% | 10.7% |
| Passwordless/biometric authentication | 38.0% | 31.4% | 13.9% | 16.8% |
| Social media monitoring and brand protection | 37.1% | 31.9% | 16.7% | 14.3% |
| Continuous threat exposure management (CTEM) | 36.6% | 34.0% | 18.9% | 10.6% |
| Dark web monitoring | 30.2% | 33.0% | 15.5% | 21.3% |

Figure 50: Plans for implementing emerging IT security technologies and architectures.

For the last several years, the final question in our survey has asked participants about plans for implementing a set of emerging technologies and architectures. Periodically we remove some entries because either (a) they are so well established that they can’t be considered “emerging” anymore, or (b) they have lost momentum in the marketplace and are no longer rising stars.

Just so you know, in this report we dropped four that appeared in last year’s CDR:
‹ Secure access service edge (SASE)
‹ Zero trust network access (ZTNA)
‹ Extended detection and response (XDR)
‹ Risk-based vulnerability management (RBVM)


And substituted these four:
‹ IoT security
‹ Social media monitoring and brand protection
‹ Continuous threat exposure management (CTEM)
‹ Dark web monitoring

Do you agree with these choices?

At the top of our list is identity threat detection and response (ITDR). Products in this area detect and help contain attacks on identity information everywhere it resides, including in enterprise directories, cloud identity stores, and applications, and on devices. It is an essential element of identity security (see page 35) and zero trust security (see page 51). ITDR is currently in production in 45.4% of organizations, and implementation is in progress in 31.9% more.

The technology in second place for deployment is Internet of Things (IoT) security. An interesting aspect of this area is that IoT security is not only about protecting IoT devices from attacks, vital as that is. It’s also about protecting everything else in the computing infrastructure from attacks by IoT devices. That is, some IoT devices have lots of intelligence but weak defenses. That makes them tempting targets for threat actors who can compromise them and use them as platforms to capture data on the network or launch denial of service attacks. IoT security is active in 43.9% of organizations and being implemented in an additional 31.0%.

Our third technology is SaaS security posture management (SSPM). These solutions monitor and manage security issues in SaaS applications. They are in production in 41.3% of organizations and being deployed in an additional 36.1%.

Fourth and fifth come technologies that enhance security in cloud environments. A cloud-native application protection platform (CNAPP) monitors and protects cloud-based applications. Some also facilitate DevSecOps practices, which help organizations develop and deploy secure cloud applications. Cloud infrastructure entitlement management (CIEM) products manage identities and entitlements for cloud-based applications. CNAPP and CIEM solutions are in production in 40.1% and 38.0% of organizations and are being implemented in an additional 32.6% and 36.6%, respectively.

Passwordless authentication improves the experiences of both users and administrators and improves security by securing authentication without passwords. After all, too often passwords are captured in data breaches, guessed in brute force attacks, or stolen via phishing and social engineering. Passwordless authentication is in use in 38.0% of organizations and is being deployed in 31.4% more. Look up the FIDO Alliance if you are interested in how it works.

Social media monitoring and brand protection and dark web monitoring are ways of detecting threats outside of an organization’s computing environment. They can alert cybersecurity teams to takeovers of an organization’s social media accounts, look-alike websites and social media accounts used for phishing attacks and fraud, threat actors planning attacks on certain companies or industries, compromised data and credentials for sale on dark web marketplaces, and other threats that might never be detected by conventional security tools. These activities to obtain threat intelligence are in production in 37.1% and 30.2% of organizations and are being deployed in an additional 31.9% and 33.0%.

Finally, continuous threat exposure management (CTEM) is in production in 36.6% of organizations and is being implemented in an additional 34.0%. Solutions in this area provide continuous automated monitoring of attack surfaces, identify vulnerabilities and security issues, and provide data to prioritize remediation.


The Road Ahead

The AI Arms Races

There are many AI arms races going on right now. One is between technology firms striving to build and market the best AI models and platforms. Others pit companies in many industries against each other in struggles to gain advantages over competitors. Some involve scientists and other researchers employing AI so they can be the first to cure diseases and solve problems that plague humanity. There is also a literal AI arms race by governments and defense contractors to design and deploy lethal autonomous weapons systems (LAWS) – scary! And of course, we are in the midst of an arms race between cybersecurity professionals and threat actors.

Who is winning that last one? Right now, based in part on findings in our 2024 CDR, we have a sense that the good guys have been getting a little more mileage out of AI technologies than the bad guys. AI capabilities are being embedded rapidly into a wide range of security solutions. Although threat actors are also using AI technologies, so far none of the popular disaster scenarios—a deluge of undetectable, wholly persuasive phishing emails, proliferating polymorphic malware that effortlessly evades conventional defenses, hundreds of undetectable deepfake videos persuading hapless finance workers to wire money to mysterious bank accounts, thousands of deceptive social media accounts that successfully turn voters against political candidates—have materialized on a large scale.

But we are only in the first few miles of a marathon. The best we can do now is stay alert and respond quickly to new developments as they occur.

[Fill In the Blank] Security Posture Management

Have you noticed industry analysts and security product vendors promoting data security posture management (DSPM)? Application security posture management (ASPM)? Cloud security posture management (CSPM), network security posture management (NSPM), and identity security posture management (ISPM)?

Fortunately, this proliferation of terms has limits. In English we can only have 26 four-letter acronyms that end in “SPM.” Speakers of Hindi and Khmer aren’t so lucky: their alphabets have 50 and 74 characters, respectively.

But there is a good reason why “____________ security posture management” acronyms are popping up. They reflect the idea that each security domain has its own attack surface, and that each attack surface can be assessed, tested, hardened, and managed better. That can include:
‹ Scanning and testing for vulnerabilities and other security issues
‹ Improving administration and management processes to keep configurations, permissions, security controls, etc., up to date and functioning correctly
‹ Assessing and scoring risks across the domain and using the assessments and risk scores to prioritize remediation activities
‹ Tracking and reporting progress toward a better security posture for the domain.

You can get a flavor of this in our discussion of attack surface management challenges on pages 25 and 26.

By the way, “____________ security posture management” is not synonymous with “____________ security.” The latter includes a whole bunch of detection and response activities that lie outside of posture management. You might think of the various forms of security posture management as focusing on reducing and hardening a domain’s attack surface prior to attacks, while not including the parts of security that are about detecting, analyzing, and containing attacks in progress.

We don’t know if the raft of __SPM acronyms will catch on, but even if the names change, we think the approach they represent will play an increasingly large part in cybersecurity programs.


Cold and Hot Cyberwars

You might have heard the expression: “Hope for the best but prepare for the worst.” It sounds both practical and inspirational. But it’s not easy or painless to put into practice. Preparing for the worst requires large investments in defenses to cope with extreme conditions that may never occur. That doesn’t leave many resources to work toward whatever “best” conditions you hope to enjoy. In fact, most of us operate on a spectrum where we take some precautions against the worst possible conditions, but allocate most resources based on the assumptions that things will stay the same, or maybe even get better.

Very unfortunately, events related to the Russian invasion of Ukraine, global conflicts occurring now, and the potential for additional hot or cold wars between major powers, are pushing us toward the “preparing for the worst” end of the spectrum. Commercial enterprises and government agencies with no connections to the military or to defense industries could be targeted in these conflicts if they are perceived as supporting one of the belligerents, or simply to damage the productivity or morale of a nation or an interest group.

We’re not saying everyone must become a doomsayer. But we think cybersecurity professionals, even those in industries that have traditionally focused on cybercrime, should be ready to analyze and prepare for some worst-case scenarios involving political or military adversaries.

The Quantum Computing Arms Race

What, another arms race? Didn’t we already cover that?

Well, when quantum computing becomes commercially viable, it is going to upend everything we said earlier about the AI arms race between cybersecurity teams and threat actors. For example, quantum computers will be able to break the encryption algorithms we have relied on until now to keep communications and data secure. That includes bad guys going back and reading encrypted data obtained in earlier breaches that has been beyond their reach.

The experts predict that quantum computers will be widely available sometime between, oh, five and 50 years from now. (Really helpful, right?) You don’t need to drop everything to come up with a detailed plan. But there are steps you can take now to start preparing. For example, you can investigate quantum-safe encryption algorithms that are starting to become available.

At a minimum, keep quantum computing on your radar. You’ll be hearing a lot more about it over the next few years.


Appendix 1: Survey Demographics

This year’s report is based on survey results obtained from 1,200 qualified participants hailing from 17 countries (see Figure 51) across six major regions (North America, Europe, Asia Pacific, Latin America, the Middle East, and Africa). Each participant has an IT security job role (see Figure 52). This year, 39.2% of our respondents held CIO, CISO, or other IT security executive positions.

United States: 29.2%
United Kingdom: 8.3%
Germany: 6.3%
France: 6.3%
Canada: 4.2%
Italy: 4.2%
Spain: 4.2%
China: 4.2%
Japan: 4.2%
Australia: 4.2%
Singapore: 4.2%
Turkey: 4.2%
Saudi Arabia: 4.2%
South Africa: 4.2%
Brazil: 2.8%
Mexico: 2.8%
Colombia: 2.8%

Figure 51: Survey participants by country.

CIO, CISO, or IT security executive: 39.2%
IT security administrator: 20.1%
IT security / compliance auditor: 4.0%
DevSecOps / application security engineer: 2.3%
Other roles shown (shares of 11.2%, 10.3%, 7.0%, and 5.9%; pairing with roles not recoverable): IT security architect / engineer; IT security analyst / operator / incident responder; Data protection / privacy officer; Other IT security position

Figure 52: Survey participants by IT security role.


This study addresses perceptions and insights from research participants employed with commercial and government organizations with 500 to 25,000+ employees (see Figure 53). A total of 19 industries (plus “Other”) are represented in this year’s study (see Figure 54). The big 7 industries – education, finance, government, healthcare, manufacturing, retail, and telecom & technology – accounted for two-thirds of all respondents. No single industry accounted for more than 15.1% of participants.

[Pie chart. Employee-count bands: 500 – 999; 1,000 – 4,999; 5,000 – 9,999; 10,000 – 24,999; 25,000 or more. Shares shown (pairing with bands not recoverable): 12.8%, 16.4%, 13.0%, 35.2%, 22.7%.]

Figure 53: Survey participants by organization employee count.

Telecom & Technology: 15.1%
Manufacturing: 14.9%
Retail & Consumer Durables: 9.3%
Healthcare: 8.5%
Business Support & Logistics: 7.2%
Construction and Machinery: 6.3%
Education: 5.9%
Government: 5.9%
Finance & Financial Services: 5.6%
Other: 3.8%
Utilities, Energy, and Extraction: 3.2%
Automotive: 2.6%
Insurance: 2.3%
Airlines & Aerospace: 2.2%
Advertising & Marketing: 1.9%
Food & Beverages: 1.7%
Entertainment & Leisure: 1.5%
Agriculture: 0.8%
Real Estate: 0.8%
Nonprofit: 0.7%

Figure 54: Survey participants by industry.


Appendix 2: Research Methodology

CyberEdge developed a 27-question, web-based, vendor-agnostic survey instrument in partnership with our research sponsors. The survey was completed by 1,200 IT security professionals in 17 countries and 19 industries in November 2024. The global margin of error for this research study (at a standard 95% confidence level) is 3%. All results pertaining to individual countries and industries should be viewed as anecdotal, as their sample sizes are much smaller. CyberEdge recommends making actionable decisions based on global data only.

All respondents had to meet two filter criteria: (1) they had to have an IT security role; and (2) they had to be employed by a commercial or government organization with a minimum of 500 global employees.

At CyberEdge, survey data quality is paramount. CyberEdge goes to extraordinary lengths to ensure its survey data is of the highest caliber by following these industry best practices:
‹ Ensuring that the right people are being surveyed by (politely) exiting respondents from the survey who don’t meet the respondent filter criteria of the survey (e.g., job role, job seniority, company size, industry)
‹ Ensuring that disqualified respondents (who do not meet respondent filter criteria) cannot restart the survey (from the same IP address) in an attempt to obtain the survey incentive
‹ Constructing survey questions in a way that eliminates survey bias and minimizes the potential for survey fatigue
‹ Only accepting completed surveys after the respondent has provided answers to all of the questions
‹ Ensuring that respondents view the survey in their native language (e.g., English, German, French, Spanish, Japanese, Chinese)
‹ Randomizing survey responses, when possible, to prevent order bias
‹ Adding “Don’t know” (or comparable) responses, when possible, so respondents aren’t forced to guess at questions they don’t know the answer to
‹ Eliminating responses from “speeders” who complete the survey in a fraction of the median completion time
‹ Eliminating responses from “cheaters” who apply consistent patterns to their responses (e.g., A,A,A,A and A,B,C,D,A,B,C,D)
‹ Ensuring the online survey is fully tested and easy to use on computers, tablets, and smartphones

CyberEdge would like to thank our research sponsors for making this annual research study possible and for sharing their IT security knowledge and perspectives with us.


Appendix 3: Research Sponsors

CyberEdge is grateful for its Platinum, Gold, and Silver sponsors, for without them this report would not be possible.

Platinum Sponsors

Cloudflare | www.cloudflare.com
Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better Internet. It empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare’s connectivity cloud delivers the most full-featured, unified platform of cloud-native products and developer tools, so any organization can gain the control they need to work, develop, and accelerate their business. Learn more about Cloudflare’s connectivity cloud at cloudflare.com/connectivity-cloud. Learn more about the latest Internet trends and insights at radar.cloudflare.com.

Delinea | www.delinea.com
Delinea is a pioneer in securing human and machine identities through intelligent, centralized authorization, empowering organizations to seamlessly govern their interactions across the modern enterprise. Leveraging AI-powered intelligence, Delinea’s leading cloud-native Identity Security Platform applies context throughout the entire identity lifecycle – across cloud and traditional infrastructure, data, SaaS applications, and AI. It is the only platform that enables you to discover all identities – including workforce, IT administrator, developers, and machines – assign appropriate access levels, detect irregularities, and respond to threats in real-time. With deployment in weeks, not months, 90% fewer resources to manage than the nearest competitor, and a guaranteed 99.99% uptime, Delinea delivers robust security and operational efficiency without compromise.

Google Cloud | cloud.google.com
Make Google part of your security team with Mandiant frontline experts, intel-driven security operations, multi-cloud risk management and secure-by-design and default platforms — supercharged by AI. Organizations can reduce digital risk and secure their AI transformation with the same cybersecurity specialists, capabilities, and secure enterprise platforms Google uses to keep more people and organizations safe online than anyone else in the world, powered by our industry-leading threat intelligence. AI enhances all of these components, enabling security teams to detect more threats, minimize toil, and take productivity to new levels.

ISC2 | www.isc2.org
ISC2 is the world’s leading member organization for cybersecurity professionals, driven by our vision of a safe and secure cyber world. Our more than 265,000 certified members, and associates, are a force for good, safeguarding the way we live. Our award-winning certifications – including cybersecurity’s premier certification, the CISSP® – enable professionals to demonstrate their knowledge, skills and abilities at every stage of their careers. Our charitable foundation, The Center for Cyber Safety and Education, helps create more access to cyber careers and educates those most vulnerable. Learn more, get involved or become an ISC2 Candidate to build your cyber career at ISC2.org.


Gold Sponsors

Absolute Security | www.absolute.com
Absolute Security is partnered with more than 28 of the world’s leading endpoint device manufacturers, embedded in the firmware of 600 million devices, trusted by thousands of global enterprise customers, and licensed across 16 million PC users. With the Absolute Security Cyber Resilience Platform integrated into their digital enterprise, customers ensure their mobile and hybrid workforces connect securely and seamlessly from anywhere in the world and that business operations recover quickly following cyber disruptions and attacks. Our award-winning capabilities have earned recognition and leadership status across multiple technology categories, including Zero Trust Network Access (ZTNA), Endpoint Security, Security Services Edge (SSE), Firmware-Embedded Persistence, Automated Security Control Assessment (ASCA), and Zero Trust Platforms.

HackerOne | www.hackerone.com
HackerOne is a global leader in offensive security solutions. Our HackerOne Platform combines AI with the ingenuity of the largest community of security researchers to find and fix security, privacy, and AI vulnerabilities across the software development lifecycle. The platform offers bug bounty, vulnerability disclosure, pentesting, AI red teaming, and code security. We are trusted by industry leaders like Amazon, Anthropic, Crypto.com, General Motors, GitHub, Goldman Sachs, Uber, and the U.S. Department of Defense. HackerOne was named a Best Workplace for Innovators by Fast Company in 2023 and a Most Loved Workplace for Young Professionals in 2024.

Illumio | www.illumio.com
Illumio is the world leader in ransomware and breach containment, protecting organizations from cyberattacks and enabling operational resilience without complexity. Powered by the Illumio AI Security Graph, our breach containment platform identifies and contains threats in modern hybrid multi-cloud environments before they become disasters. Named a Forrester Wave leader in microsegmentation, Illumio helps secure the operations that keep the world running — from critical infrastructure and financial systems to healthcare and beyond.

Secureworks | www.secureworks.com
Secureworks, a Sophos company, is a global cybersecurity leader that protects customer progress with Taegis, an AI-native security analytics platform built on more than 20 years of real-world threat intelligence and research, improving customers’ ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.


Silver Sponsors

AgileBlue | www.agileblue.com
AgileBlue combines AI-powered cybersecurity with the 24/7 human touch you trust. Our SecOps platform autonomously detects, investigates, and responds to endpoints, network, and cloud cyber-attacks faster and more accurately than legacy technologies. Our platform is both intelligent and automated, but we take a custom approach for every client we work with, analyzing and detecting exactly what matters most. AgileBlue products are entirely cloud-based with advanced machine learning and user behavior analytics, all supported by our U.S.-based team of cyber experts.

Dataminr | www.dataminr.com
Adversaries strike fast—you have to be faster. Dataminr Pulse for Cyber Risk detects external cyber threats the moment they first surface. Powered by 50+ Domain-specific language models (DSLM) and a massive knowledge graph with over 1 million unique public data sources, Dataminr delivers real-time, actionable cyber insights to security teams at unprecedented speed and scale. Automate threat detection, reduce response time, and stay ahead of attacks before they escalate. Proactive security starts now—are you ready?

Intel 471 | www.intel471.com
Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using the real-time insights about adversaries, their relationships, threat patterns, and imminent attacks relevant to their businesses. The company’s platform collects, interprets, structures, and validates human-led, automation-enhanced intelligence, which fuels our external attack surface and advanced behavioral threat hunting solutions. Customers utilize this operationalized intelligence to drive a proactive response to neutralize threats and mitigate risk. Organizations across the globe leverage Intel 471’s world-class intelligence, our trusted practitioner engagement and enablement, and globally dispersed ground expertise as their frontline guardian against the ever-evolving landscape of cyber threats to fight the adversary — and win.

Keeper Security | www.keepersecurity.com
Keeper Security is transforming cybersecurity for millions of individuals and thousands of organizations globally. Built with end-to-end encryption, Keeper’s intuitive cybersecurity platform is trusted by Fortune 100 companies to protect every user, on every device, in every location. Our patented zero-trust and zero-knowledge privileged access management solution unifies enterprise password, secrets and connections management with zero-trust network access and remote browser isolation. By combining these critical identity and access management components into a single cloud-based solution, Keeper delivers unparalleled visibility, security and control while ensuring compliance and audit requirements are met.

Media Sponsor

Security Buzz | https://securitybuzz.com/
Security Buzz is a leading cybersecurity news website. A subsidiary of CyberEdge Group, our mission is to deliver accurate, timely, and actionable information to help IT professionals and the general public navigate the complex world of cybersecurity. By offering a mix of breaking news, expert insights, and practical resources, we aim to empower our readers to make informed decisions and enhance their cyber defense strategies.


Appendix 4: About CyberEdge Group

Founded in 2012, CyberEdge Group is the largest research, marketing, and publishing firm to serve the IT security vendor community.

CyberEdge’s highly acclaimed Cyberthreat Defense Report (CDR) and other single- and multi-sponsor survey reports have
garnered numerous awards and have been featured by both business and technology publications alike, including The Wall Street
Journal, Forbes, Fortune, USA Today, NBC News, ABC News, SC Magazine, DarkReading, and CISO Magazine.

CyberEdge has cultivated its reputation for delivering the highest-quality survey reports, analyst reports, white papers, and
custom books and eBooks in the IT security industry. Our highly experienced, award-winning consultants have in-depth subject
matter expertise in dozens of IT security technologies, including:

‹ Advanced Threat Protection (ATP)
‹ Application Security
‹ Cloud Security
‹ Data Security
‹ Deception Technology
‹ DevSecOps
‹ DoS/DDoS Protection
‹ Endpoint Security (EDR & EPP)
‹ ICS/OT Security
‹ Identity and Access Management (IAM)
‹ Intrusion Prevention System (IPS)
‹ Managed Security Services Providers (MSSPs)
‹ Mobile Application Management (MAM)
‹ Mobile Device Management (MDM)
‹ Network Behavior Analysis (NBA)
‹ Network Detection & Response (NDR)
‹ Network Forensics
‹ Next-generation Firewall (NGFW)
‹ Patch Management
‹ Penetration Testing
‹ Privileged Account Management (PAM)
‹ Risk Management/Quantification
‹ Secure Access Service Edge (SASE)
‹ Secure Email Gateway (SEG)
‹ Secure Web Gateway (SWG)
‹ Security Analytics
‹ Security Configuration Management (SCM)
‹ Security Information & Event Management (SIEM)
‹ Security Orchestration, Automation, and Response (SOAR)
‹ Software-defined Wide Area Network (SD-WAN)
‹ SSL/TLS Inspection
‹ Supply Chain Risk Management
‹ Third-party Risk Management (TPRM)
‹ Threat Intelligence Platforms (TIPs) & Services
‹ User and Entity Behavior Analytics (UEBA)
‹ Unified Threat Management (UTM)
‹ Virtualization Security
‹ Vulnerability Management (VM)
‹ Web Application Firewall (WAF)
‹ Zero Trust Network Access (ZTNA)

For more information about CyberEdge and our services, call us at 800-327-8711, email us at info@cyberedgegroup.com, or connect to our website at www.cyberedgegroup.com.


CyberEdge Acceptable Use Policy


CyberEdge Group, LLC (“CyberEdge”) encourages third-party organizations to incorporate textual and graphical elements
of this report into presentations, reports, website content, product collateral, and other marketing communications without
seeking explicit written permission from CyberEdge, provided such organizations adhere to this acceptable use policy.

The following rules apply to referencing textual and/or graphical elements of this report:

1. Report distribution. Only CyberEdge and its authorized research sponsors are permitted to distribute this report for commercial purposes. However, organizations are permitted to leverage the report for internal uses, including training.

2. Source citations. When citing a textual and/or graphical element from this report, you must incorporate the following statement into a corresponding footnote or citation: “Source: 2025 Cyberthreat Defense Report, CyberEdge Group, LLC.”

3. Quotes and excerpts. Quotes and excerpts extracted from this report must not be modified in any way. Rephrasing is not permitted.

4. Figures and tables. Figures and tables extracted from this report must not be modified in any way. Artwork for figures and tables for the most recent Cyberthreat Defense Report are available for download at no charge on the CyberEdge website at www.cyberedgegroup.com/cdr.

5. No implied endorsements. CyberEdge does not endorse technology vendors. Cited CyberEdge content should never be used to imply favor from CyberEdge.

If you have questions about this policy or would like to incorporate content from this report in a manner not addressed by this policy, submit an email to research@cyberedgegroup.com.

Copyright © 2025, CyberEdge Group, LLC. All rights reserved. The CyberEdge Group name and logo are the property of CyberEdge Group, LLC. All other company names, trademarks, and service marks are the property of their respective owners. Version 1.0
