Research reports we worked on – Osterman Research https://ostermanresearch.com Insightful research that impacts organizations Mon, 08 Dec 2025 22:50:41 +0000

Cyber Workforce Benchmark report 2025 – Immersive’s new report https://ostermanresearch.com/2025/11/21/cyber-workforce-benchmark-report-immersives/ Fri, 21 Nov 2025 00:00:00 +0000 https://ostermanresearch.com/?p=6136

Immersive has just published its latest report – 2025 Cyber Workforce Benchmark Report. Using data from four complementary sources, the report reveals a troubling disconnect between asserted cyber readiness and actual cyber readiness. There are data and recommendations in this report that would benefit your organization.

Osterman Research surveyed 500 cybersecurity leaders and practitioners in the United States and the United Kingdom for this report, with a focus on how organizations perceive and measure readiness. The survey data we collected and analyzed for Immersive was combined with proprietary performance and benchmarking data from Immersive’s platform and a crisis simulation they ran.

Key findings:

  • The cybersecurity industry has become expert at measuring readiness by activity not by outcome.
  • Nearly every organization believes it is prepared for the next major incident – but underlying performance data doesn’t support such a conclusion.
  • Leaders are relying on false metrics – ones that prove nothing about performance under pressure.
  • There are four missteps holding readiness back, including practicing the past, fixating on fundamentals, and excluding the business.
  • Organizations are failing for a lack of practiced coordination – not a lack of knowledge.

If cyber readiness and resilience in the face of growing cyber attacks is important to your organization, please get a copy from the Immersive web site, grab a cup of coffee or tea, and read to learn / adjust / improve.

Next action: get your copy of the report – 2025 Cyber Workforce Benchmark Report.

Why trust, security, and value are essential in corporate adoption of AI – AvePoint’s new report https://ostermanresearch.com/2025/10/21/avepoint-ai-report-2025/ Mon, 20 Oct 2025 17:59:04 +0000 https://ostermanresearch.com/?p=5797

AvePoint has just published its latest report – The State of AI: Go Beyond the Hype to Navigate Trust, Security, and Value. We conducted the underlying survey (775 respondents across 18 countries) and prepared the results for the AvePoint team. To portray the breadth of the data we collected, the report clocks in at 61 pages – although there are many graphs and charts, sub-title pages, and expert perspectives throughout. Please, grab yourself a copy and have a read if AI in the enterprise is relevant to your work and future.

From the research data, we found a set of concerns around trust, security, and value that organizations will need to factor into their AI strategies. For example:

  • Inaccurate AI output (68.7%) and data security concerns (68.5%) top the list of factors for why organizations are slowing the rollout of generative AI assistants.
  • 75% of organizations experienced at least one AI-related data breach in the past year.
  • 90.6% of organizations claim effective information management programs, but only 30.3% have implemented effective data classification systems. Gaps in data governance and information management create significant obstacles to safe AI implementation.
  • 70.7% of organizational data is more than five years old, creating significant training data quality issues for AI systems.
  • Nearly 20% of organizations expect generative AI to create more than half their data within 12 months.
  • … and much, much more. This is a very data rich report.

For us, it was a tremendous opportunity to work with the AvePoint team to pull this research together. For you, we hope it provides tremendous insight and assistance as you navigate your AI journey.

Next action: get your copy of the report – The State of AI: Go Beyond the Hype to Navigate Trust, Security, and Value.

Strengthening Identity Security: Visibility, Governance, and Autonomous Remediation – our latest identity security deep dive https://ostermanresearch.com/2025/08/07/identity-security-2025-report/ Wed, 06 Aug 2025 23:15:18 +0000 https://ostermanresearch.com/?p=5200

It was the data-driven finding from our initial Cybersecurity Investment Priorities program in 2023 that really hit the home run on the importance of visibility for us. We’d just run a large survey to gauge investment priorities among CISOs and CIOs over the coming year, which had included a deep dive into four specific cybersecurity topics. During the data analysis phase of the research, we correlated the data on how visibility affected prioritization, and the relationship was clear (“self-evident” / “stark” / choose your “oh wow!” word): the better the visibility, the higher the priority. This was one of those post-survey data analysis moments where you see “A-ha!” written all across the spreadsheet and you want to fist-bump the data. The importance of visibility has been a recurring theme throughout our cybersecurity research ever since.

Sometimes, though, visibility is more than just a recurring theme within the research … and takes a starring role in the program itself. That’s the case for our latest report into identity security – with a focus on visibility, governance, and autonomous remediation. Last year we took on the question of MFA posture – which included a visibility angle – but this year the intent was to look much wider than just MFA. This research project has been on the wish list for a long time, and it’s a delight to make it available. Please see Strengthening Identity Security: Visibility, Governance, and Autonomous Remediation, sponsored by Abnormal AI, Constella Intelligence, Enzoic, NinjaOne, and Silverfort.

What’s the big idea underlying this research? IAM – identity and access management – is an established control for managing which identities can access what resources. Few organizations don’t have an IAM system in place in 2025, but even with a mature IAM system, organizations continue to suffer from identity-led and identity-implicated attacks and breaches. IAM was not designed to protect against:

  • A threat actor using credentials they compromised through a phishing attack. An IAM system will see the credential pair as valid and give access.
  • A threat actor using credentials they purchased from the dark web. Ditto.
  • A threat actor bypassing strong IAM controls like MFA through various means, including MFA bombing attacks. An IAM system can’t see whether the MFA approval is from the intended user or a malicious one.
  • A threat actor accessing data after compromising a credential because the IAM system is out of date, thereby allowing the employee’s now compromised credential to access data that was validly needed one or two job roles before but that has never been revoked. An IAM system effectively shrugs its shoulders saying “looks fine to me.”
  • Malicious changes to identity configurations in order to engineer greater access than what should be allowed.
  • … and many others.

Identity-led and identity-implicated attacks are front-and-center across most cyberattacks. Snowflake – check. Colonial Pipeline – check. There’s often an identity component in 80% to 90% of breaches, depending on which study you read.

The lesson … is that IAM is no longer enough. In response to the changing and challenging threat landscape, startups and established vendors alike have been building new layers of identity protections – some to beef up underlying IAM processes directly, and some to create ways of protecting identity protections. Our report looks at identity security solutions in three groupings – visibility (think identity security posture management and the detection of compromised credentials), governance (think identity governance and administration), and autonomous remediation (think identity threat detection and response; and identity platform backup and recovery).

It’s not a light read nor a short report. It’s 25 pages of hard data and analysis. We’re all about crafting insightful research that impacts organizations, and this program is no different. We want to facilitate the discussions internally within organizations that need to happen about strengthening identity security protections and approaches. If that sounds like your bailiwick, please get a copy.

2025 Cyber Survey: Application security at a breaking point – our latest report https://ostermanresearch.com/2025/06/23/radware-2025-application-security/ Sun, 22 Jun 2025 23:10:37 +0000 https://ostermanresearch.com/?p=5140

We’ve been heads-down on several major reports over the past couple of months (hence the near radio silence), and the first of those has recently been published. Please check out Radware’s 2025 Cyber Survey: Application security at a breaking point (published June 12). This is the third year running we’ve had the privilege of working on Radware’s application security research, and this year’s research extends, expands, and tightens the nature of this annual research program.

From an extend perspective, the 2025 survey had a much higher focus on the role of AI in cybersecurity – from both the offensive and defensive sides. AI in cybersecurity has become a significant research area for Osterman Research, and each research program gives us the opportunity to refine our questions and contextualize those within a specific strand of the cybersecurity matrix. As you’ll see from the findings for this research program, the threat of AI being used to intensify hacking tradecraft is of highest concern to the organizations we surveyed. There’s a common set of refrains among respondents about the effect of AI on threat evolution, detection difficulty, and growing threat diversity. Unsurprisingly, there’s also a common refrain on strengthening application security defenses via AI-based cybersecurity solutions.

From an expand perspective, the research encompassed new threat areas we haven’t looked at over the past couple of research rounds. The major addition was API business logic attacks – a new class of threat – which is already being experienced with high frequency. On page 9 of the report, we say: Business logic attacks present an ideal opportunity for threat actors to use emerging offensive AI capabilities. For example, AI agents can automate the malicious exploration of API sequencing, looking for unexpected logic vulnerabilities and loopholes to exploit. Organizations should expect hackers to develop and share newly crafted playbooks to amplify threat opportunities. Our annual diagram on the cadence of different attack types portrays good news – in that average cadence is lower than our previous data set – along with a dire warning, in that the amplification of threat actor capabilities via AI is likely to increase attack cadence over the next 12 months.

And finally, from a tighten perspective, this year’s research doubled the number of organizations surveyed to allow a deep dive focus on two specific industries (financial services and healthcare) compared to all other industries. There are cohort-to-cohort comparisons throughout the report, with the interesting findings where financial services and healthcare are different to the overall data set or the other two cohorts noted. These are oriented around different attack patterns (page 6), API usage (page 7), documentation status (page 8), among others.

Please get your copy of the full report from the Radware web site.

Join the webinar on June 26

We will be presenting the key findings from our research with Radware later this week. The webinar is on Thursday June 26 – please register to attend. We’d love to have you there.

The State of Email Security in 2025 – our latest report https://ostermanresearch.com/2025/04/09/email-security-2025-titanhq/ Wed, 09 Apr 2025 04:14:32 +0000 https://ostermanresearch.com/?p=4998

Our latest report on email security is now available. It was commissioned by TitanHQ and is called The State of Email Security in 2025. It’s the first of what could become an annual series by TitanHQ, although as with all annual reports we undertake, the focus in future years is responsive to the issues and trends of each year. An annual report offers a framework for what’s important aligned with an overarching theme, not a tomb for what isn’t relevant anymore.

For the 2025 annual report, we analyze email security realities at organizations with up to 1,000 employees in the United States, Canada, United Kingdom, and the European Union. If this describes your organization, please get a copy hot off the press from the TitanHQ web site.

Worse outlook for their own organization versus everyone else

When you get a copy of the report, have a look at Figure 2 (on page 4). It presents the comparison of answers to two questions – how threats will intensify against all organizations in general, and how threats will intensify against the respondent’s organization specifically. Asking the question pair is a test of how the respondents view the likelihood that their organization is under attack versus everyone else. For every threat type we asked about (e.g., phishing, zero-day exploits, ransomware, and 9 others), respondents saw their organization as being more directly in the line of fire than everyone else. It’s more normal for a sense of bravado to reign in such answers, with other organizations in general being more at risk. But for the respondents to this survey, that didn’t happen. Respondents acknowledge full ownership of the fact that they are under attack and expect to be under increasing levels of attack over the next 12 months. We use this acknowledgment to lay out a decision matrix for email security readiness (see Figure 3 in the report) for organizations.

The top investment priorities are the newest threats

We use a three question series in our Cybersecurity Investment Priorities programs (see 2023 and 2025) to assess the correlation across concern about current posture for a given area, the investment required to bring a given area up to the organization’s desired standard, and the spending priority for that area over the next 12 months. We used the same approach for TitanHQ’s annual report to assess the priorities for 10 areas related to email security. We’re pretty happy with the shape of the dominant patterns that our research found, with protecting against AI-enhanced attacks at the top of the list, followed by protecting against attacks that use deepfake audio or video in second place. These are both new and emerging types of threats that many organizations are less prepared to mitigate / address / deal with, and seeing them at the top of the list is right where we’d hope they’d be. Coming back to the idea above about taking ownership, indeed, there is work to be done on these by most.

These two emerging attack types are followed closely by continued investment in various enduring threat types that we talk about throughout the research, such as phishing. Phishing attacks were the most common incident type for the organizations in this research, and yes, given how threat actors are always exploring new approaches to make phishing attacks more nefarious, more effective anti-phishing protections are essential.

Other topics

There are multiple other topics explored in this year’s annual report, including deep dives on BEC attacks, QR code phishing, and generative AI. There’s also a major section on email security strategies, covering human risk management, priorities for 2025, and buying criteria for email security products / services. As above, please get a copy hot off the press from the TitanHQ web site for more.

CISO and CIO Investment Priorities for Cybersecurity in 2025 – our latest report https://ostermanresearch.com/2025/03/11/2025report-ciso-cio-investment-priorities/ Mon, 10 Mar 2025 22:00:00 +0000 https://ostermanresearch.com/?p=4814

We have just published our latest report for 2025. It’s all about how CISOs and CIOs are approaching investments in cybersecurity this year. The research looks at investment priorities overall (across 24 areas), plus takes a deep dive into four focus areas. The focus areas this year are applications, cloud platforms and services, identity, and data. Feel free to get a copy if making decisions around cybersecurity strategies and investments is in your wheelhouse.

The data comes from a survey of 268 CISOs and CIOs in the United States, at organizations with more than 1,000 employees. This is the second time we’ve run this research program. The first program was run in 2023, and this program builds on and extends our earlier research.

The key takeaways from this research are:

  • Cybersecurity driven by changing threat response calculus
    Increasing prices for cybersecurity insurance, the growing use of AI in cyberattacks, software supply chain compromise, and return-to-office mandates for employees are the top trends and challenges driving how CISOs and CIOs approach cybersecurity in 2025. All force a reevaluation of how best to address current and emerging threats.
  • Cloud infrastructure security, cybersecurity talent availability, and control and ethical processing of data top the priority stack
    Out of 24 potential investment areas for cybersecurity, two thirds of organizations assigned the highest priority to cloud infrastructure, internal cybersecurity talent, and compliant data processing. They see weaknesses in their current posture that are misaligned with where they want to be and are investing the resources to do something about it.
  • Budgets continue to rise, showing resilience across economic cycles
    Almost all organizations have received a higher budget for cybersecurity over the previous two years, and most believe they could put even more budget to productive and effective use.
  • Strong risk management disciplines make a significant difference
    Organizations with higher efficacy in managing the business risks associated with key cybersecurity areas such as applications, cloud, and identities show much higher commitment to address security weaknesses and are spending accordingly. Being able to see what is and isn’t happening drives change.
  • Organizations must do the work to understand their priorities
    Investment priorities for any given organization must be set within the context of their current posture, real-world threat data, and known areas of concern (and unknown areas of weakness). This is the fundamental work that cybersecurity decision-makers and influencers must coordinate.

This research was sponsored by BIO-key International, OpenText, and Salt Security.

If your firm provides cybersecurity solutions AND you would like to spread this research to your customers and prospects, please get in contact to talk about licensing options.

Using AI to Enhance Defensive Cybersecurity – our latest report https://ostermanresearch.com/2024/11/22/using-ai-to-enhance-defensive-cybersecurity-our-latest-report/ Thu, 21 Nov 2024 23:51:07 +0000

For every topic, key enemies are hype and bluster. Hype is overinflated expectations or advocacy for something that can’t live up to what is said about it. Bluster is the aggressive and noisy positioning of something without the depth of character or capability to follow through. As a researcher, breaking through hype and disabusing bluster are core to our work.

If you’ve read any of our reports – and there’s quite a collection of them across a wide range of topics – you’ll notice that [1] they aren’t short, and [2] we try to dig into the details. Our latest report is no exception … with a hype-busting and bluster-disabusing examination into the role of AI in enhancing defensive cybersecurity. You can get a copy from our portfolio.

To gather the data, we surveyed organizations in the United States on the front lines of cybersecurity attacks. To take the survey, the respondent had to work at an organization with at least 500 employees and/or at least 50 people on their security team. We wanted to get a sense of what they were seeing in terms of changing dynamics with cybersecurity attacks, particularly the impact of offensive AI. And equally, we wanted to get a read on how they were responding to these changing attack dynamics.

We reached four key conclusions in the research:

  • Attackers have the early advantage in generative AI and GANs
    Generative AI and GANs are tipping the scales in favor of attackers, but defensive AI tools are catching up, especially in behavioral AI and supervised machine learning.
  • Integrate AI strategically into cybersecurity frameworks
    Strategic integration of AI into cybersecurity frameworks is essential to fully leverage the technology’s potential. Organizations should focus on aligning AI investments with core business objectives and risk management practices.
  • AI is a force multiplier for cybersecurity teams
    AI enables cybersecurity teams to focus on high-impact activities. However, this requires appropriate training, organizational alignment, and investment in the right tools.
  • The time for embracing AI in defensive cybersecurity is now
    As AI reshapes both offensive and defensive cybersecurity, organizations must act swiftly to secure their infrastructures, adopt AI-powered defenses, and prepare their teams for the next generation of AI-enabled threats.

Do these conclusions echo what you’re seeing at your organization? Get your copy of the report if so.

This research was sponsored by Abnormal Security, IRONSCALES, and OpenText.

If your firm provides AI-powered cybersecurity solutions to offer protections against AI-enabled attacks AND you would like to spread this research to your customers and prospects, please get in contact to talk about licensing options.

Making the SOC More Efficient https://ostermanresearch.com/2024/10/09/making-the-soc-more-efficient/ Tue, 08 Oct 2024 18:29:33 +0000

Setting the research agenda at Osterman Research is a never-ending process of looking at possibilities, gathering early intel on the importance of each topic, and filtering a larger list to focus on the critical topics that can move-the-needle for cybersecurity at organizations. Many projects that end up on our agenda come about naturally from our ongoing wider research programs. Some, however, are suggested to us.

Our latest research agenda program fits in the latter category. When we were looking at possibilities for 2024, a client suggested:

Something around how the security industry is evolving to make the SOC more efficient and reduce stress and burnout would be good. For example, the H/M/L prioritization of alerts didn’t really do much. What are vendors doing that works, and what doesn’t work? (There could be a little AI in here, but it would be good to go beyond that.)

That nudge (thanks, Bob!) became the origin point for our latest report, Making the SOC More Efficient (available on the main Osterman Research site). It’s a long paper (26 pages) that attempts to deal thoughtfully and in-depth with the topic, exploring the data points we captured through the survey and advocating a way forward. There is more than “a little AI” in the report, though, as this has become both the greatest threat (82.4% of security leaders said that “the use of AI by cyberthreat actors in cyberattacks” was “very impactful” or “extremely impactful” – the highest-rated trend in this research) and one of the greatest tools for defenders (via the rise of AI-enabled cybersecurity solutions).

Some of the key takeaways from the research:

  • Current SOC approaches have hit the wall
    Confidence in the ability of the SOC to protect against the threats detected by their security tools has dramatically increased during the past two years, but this increase in confidence is expected to rapidly crater. The innovations that drove increased SOC performance over the past two years do not contain the necessary ingredients to continue driving performance over the next two.
  • Specialized threat intelligence to eliminate false positives, AI for behavioral analysis, and autonomous remediation seen as top innovations
    The three innovations seen as most likely to drive SOC efficiency and reduce stress and burnout among SOC analysts are the use of specialized threat intelligence to eliminate false positives; using AI for behavioral analysis in investigating alerts and autonomously creating or updating detection rules; and autonomously remediating incidents without SOC analyst intervention. Almost half of respondents gave two AI-powered defensive innovations the highest rating.
  • New innovations improve SOC metrics by a composite average of 35%
    All organizations in this research are already experimenting with at least one new approach to improving the efficiency of their SOC. The most impactful innovations on key SOC metrics (time to begin working on an issue, time to close an incident, and number of false positives) are AI behavior analysis with autonomous rule creation/updating, AI behavioral modeling for detecting baseline deviations, and autonomous remediation of incidents.

If SOC efficiency is in your wheelhouse, we’d love you to get a copy.

This program was sponsored by Dropzone AI, HYAS Infosec, Radiant Security, and Sevco Security.

Email Security Threats Against Organizations in Critical Infrastructure sectors https://ostermanresearch.com/2024/09/20/email-security-opswat/ Thu, 19 Sep 2024 19:45:49 +0000

Late in 2023 we started a conversation with OPSWAT, a cybersecurity vendor focused on the critical infrastructure sector, on undertaking a research project to assess the email security posture of critical infrastructure organizations. We have had the opportunity to do many research projects on email security in recent years, but while the others have included organizations in the critical infrastructure sector, this was the first project that focused exclusively on this cohort. Exciting times!

The research programme:

  • Collected data from a global audience of critical infrastructure organizations, with representation across North America, EMEA, and APAC. The survey was balanced to get around 40% of responses from North America, 20% from EMEA, and 40% from APAC.
  • Engaged with leaders within these organizations that have IT or security responsibility and knowledge of their email security posture.
  • Drew on CISA’s list of critical infrastructure sectors, such as chemicals, commercial facilities, communications, critical manufacturing, dams, and more. CISA says there are 16 sectors classified as critical infrastructure. CISA defines these sectors on this basis: sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. While this definition is US-centric, the same principle applies in other places, too.

Once the research design was agreed, we worked on the survey questions, took this to field, and analyzed the data. You can get your copy of the results from the OPSWAT website. But here’s a preview:

  • Critical Infrastructure Remains a Target
    80% of critical infrastructure entities fell prey to email-related security breaches within the past 12 months, highlighting their attractiveness to cyber threat actors.
  • Lingering Vulnerability
    Despite advancements in cybersecurity, 48% of organizations lack confidence in their existing email security defenses, leaving them vulnerable to potentially devastating cyberattacks.
  • Noncompliance presents significant operational and business risks
    Shockingly, 65% of organizations are not compliant with regulatory standards, exposing themselves to significant operational and business risks.

A major recommendation in the report is finding email security capabilities that “preclude and prevent threats” from finding their way into an organization’s email system. While this is critical for critical infrastructure organizations, it is no less so for those in other sectors.

Check out OPSWAT’s site for your copy.

Safeguarding Identity Security: We Need to Talk about MFA (part 1) https://ostermanresearch.com/2024/09/11/new-research-identity-security-p1/ Tue, 10 Sep 2024 19:53:04 +0000

We’ve just published a new white paper on identity security with a particular focus on strengthening MFA – you can get a copy from our portfolio (registration required, FYI). Getting this research done and across the line has been a dream for a long time. Well, about a year in its direct planning, but that builds on a research interest that spans more than half a decade.

MFA is a critical security defense. We encourage everyone to use it, and to use the strongest versions of it that they can, as often as they can, in as many places as they can. There are multiple “however” statements about MFA, though, such as “not all forms of MFA are created equal” and “MFA bypass has become a thing.” Here’s a paragraph re MFA from one of our reports in March 2021:

MFA was rated as the most effective mitigation against both phishing and ransomware in our research. Without MFA protections in place, phishing attacks that result in credential compromise hand a threat actor the key to the door. It is an open invitation to walk in, take whatever they want, and stay or leave at their whim. MFA increases the difficulty level in successfully leveraging compromised credentials, because a compromised username and password are no longer enough on their own. It is similar to having an alarm system just inside the door, a guard dog patrolling the premises, or a security guard performing additional checks on whomever walks in the door. In the same way that there are options for how physical premises are safeguarded beyond a lock, there are options for MFA too …

The report then talks about phone and email-based MFA, authenticator apps, and hardware security keys and biometrics – commenting on strengths and weaknesses of the respective approaches.

Almost a year earlier we’d said this in our report on Cybersecurity in Financial Services (April 2020):

Approaches for MFA are available on a good-better-best continuum, with good (SMS code, email notification) and better (Authenticator app) approaches still being vulnerable to carefully designed phishing attacks. At present, the best approach, which ideally would be provisioned for all employees who have access to sensitive data, is to use modern hardware security keys based on FIDO2/WebAuthn that use public-key cryptography.

There’s a very similar paragraph in our Cybersecurity in Government report (December 2019), too.

Net-net: this has been on our radar for a long time, and the purpose of the new research was to dive as deeply as possible into where organizations are at with MFA and identity security. The current research went through several design concepts before we found the right shape and format. More on that later.
