Commissioned research – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations

2025 Cyber Workforce Benchmark Report – commissioned by Immersive
https://ostermanresearch.com/portfolio/immersive-2025-cyber-workforce-resilience/
Tue, 18 Nov 2025 20:00:00 +0000

Commissioned by Immersive

Published November 2025

Executive summary

While 71% of organizations feel their readiness programs are mature, our new report reveals a troubling disconnect: key performance metrics have flatlined year-over-year. This is the “Readiness Rut,” a dangerous gap between perceived readiness and actual capability.

Combining industry-wide survey data with performance metrics from millions of real-world cyber exercises, the 2025 Cyber Workforce Benchmark Report is the definitive look at the state of cyber resilience today. It provides the data-driven diagnosis you need to identify hidden risks, benchmark your teams, and build a truly resilient workforce.

Immersive’s report draws from:

  • An Immersive-commissioned survey by Osterman Research of 500 cybersecurity leaders and practitioners in the U.S. and U.K. (August–September 2025), capturing how organizations perceive and measure readiness.
  • Anonymized performance data within the Immersive One platform (July 2024–June 2025), representing millions of hands-on labs across industries.
  • Results from Immersive’s “Orchid Corp” crisis simulation, involving 187 professionals across 11 drills in 9 cities, measuring real-world decision-making and containment under pressure.
  • Analysis of the Immersive Resilience Score, a benchmark that quantifies readiness across people, process, and technology by measuring decision accuracy, response time, framework alignment, and adaptability to new threats. The score applies to all Immersive users, subject to eligibility, as customers must have the relevant product to be evaluated on each corresponding factor.

The State of AI: Go Beyond the Hype to Navigate Trust, Security & Value – commissioned by AvePoint
https://ostermanresearch.com/portfolio/avepoint-state-of-ai-2025/
Wed, 15 Oct 2025 20:00:00 +0000

Commissioned by AvePoint

Published October 2025

Executive summary

AI is no longer a future disruptor – it’s a present reality. But as adoption accelerates, trust in AI outputs is eroding. Organizations realize that without strong governance, resilient data strategies, and a commitment to quality, AI can just as easily become a liability as a competitive advantage.

Building on AvePoint’s 2024 report, the 2025 report tracks the evolution from AI experimentation to enterprise-wide enablement. The findings revealed that despite widespread AI adoption efforts, critical operational gaps persist around data security and quality, with these foundational issues delaying AI rollouts by up to a year for three-quarters of organizations.

Key takeaways:

  • AI rollouts stall before takeoff. 86% of organizations delayed AI deployments by up to a year due to security and data quality concerns.
  • AI security incidents are too common. 75% experienced at least one AI-related breach in the past year, primarily due to oversharing sensitive employee or customer data.
  • AI data frameworks exist – but fail to deliver. While 90% of organizations claim to have an information management framework, only 30% say it classifies and protects data effectively.
  • AI training alone won’t fix trust. 99.5% have invested in AI literacy, but inaccurate outputs and hallucinations still erode employee judgment and decision-making.
  • AI customer impact falls short. Organizations say enhancing customer insights and personalization is their top AI goal – yet there is a 5.8% gap between what they hope to achieve and what they actually do.

2025 Cyber Survey: Application security at a breaking point – commissioned by Radware
https://ostermanresearch.com/portfolio/radware-application-security-2025/
Tue, 17 Jun 2025 23:00:00 +0000

Commissioned by Radware

Published June 2025

Executive summary

The rising menace of AI weaponized by threat actors has stormed onto the scene, dampening confidence in application security protections and threatening a renewed onslaught of attacks against applications. Indispensable application design constructs developed internally and across the supply chain remain ill-protected, even as usage relentlessly increases and threats multiply. Visibility into threats and security weaknesses is too low, and many organizations lack sufficient protections against new AI threats and business logic attacks, among others.

Key takeaways:

  • AI-powered cyberthreats spark high concern, rapid response
  • Applications are under attack from all directions
  • New attacks against APIs exploit logic vulnerabilities
  • Use of third-party service APIs is widespread, but not fully understood
  • Application DDoS attacks are disruptive and costly

Cybersecurity Perspectives 2025: Keeping pace with the threat velocity of AI-driven cyber attacks – commissioned by Scale VP
https://ostermanresearch.com/portfolio/scalevp-cybersecurity-2025/
Mon, 05 May 2025 00:00:00 +0000

Commissioned by Scale Venture Partners

Published April 2025

Executive summary

Over the last 12 months, there is one word that best describes the cyber threat landscape: velocity.

The speed of cyber threats created an urgent and pressing need for CISOs to respond, as cybercriminals continued to leverage generative AI to increase the volume and velocity of attacks, leaving enterprises on the defensive against increased threat activity.

In response, enterprises are prioritizing strategies to respond to threats, invest in security tools, mitigate the cybersecurity skills gap and integrate AI responsibly.

In fact, threat actors are now breaking out into networks faster than ever. According to CrowdStrike, adversaries move laterally across a compromised network in 48 minutes on average, and the fastest breakout time ever recorded is 51 seconds.

Security leaders expressed serious concerns that “if we fail [to adapt] … the losses will be immeasurable.”

High-profile breaches and zero-day exploits continue to dominate headlines, while enterprise security teams remain under-resourced from a team, technology and budget standpoint. This forces organizations to make strategic investments to combat the speed, scale and complexity of attacks. The good news? It seems to be working.

AI is both cybersecurity’s biggest threat and most promising savior. Three of the top six challenges this year relate to AI, led by AI-driven cyber attacks (#1), in addition to AI defenses (#5) and generative AI (#6). On the defense side, 77% of CISOs were confident in the future potential of AI to improve their security posture this year, with 75% of firms expressing interest in leveraging AI agents to automate SOC investigations by triaging large volumes of security alerts.

As AI dominates both sides of the threat landscape, Scale Venture Partners conducts ongoing research to understand CISO challenges and evolving security solutions. Now in its 12th year, this year’s report consolidates perspectives from CISOs, CIOs, VPs, directors, and IT managers.

Scale Venture Partners commissioned Everclear Marketing and Osterman Research to conduct a survey of 301 security leaders in the United States who are responsible for buying decisions, the success of security deployments, or the overall security of the company.

The State of Email Security in 2025 (Annual Report) – commissioned by TitanHQ
https://ostermanresearch.com/portfolio/titanhq-email-security-2025/
Sun, 30 Mar 2025 23:00:00 +0000

Commissioned by TitanHQ

Published March 2025

Executive summary

Organizations across the world face relentless growth in cyberthreats, as criminal groups leverage new technologies for malicious ends. The application of AI for offensive cyberthreats has threat actors rubbing their hands in glee, and organizations are racing to fight emerging offensive AI with defensive AI. In most years, we see continued evolution in the design of new types of attacks and threats – with recent explorations by threat actors focusing on MFA bypass in phishing attacks, new types of BEC attacks, QR code phishing, and early forays into deepfakes. Incidents and data breaches usually follow.

This research study investigates the on-the-ground cyberthreat realities for firms with up to 1,000 employees. We surveyed 252 organizations in the United States, Canada, United Kingdom, and the European Union.

Discover the latest email security attack trends, new and emerging tactics, and real-world experiences from IT professionals.

Key findings include:

  • Half of organizations experienced between two and four types of incidents during the previous 12 months.
  • 64.3% expect the threat level of phishing attacks against their organization to rise this year.
  • One in five organizations lost money through a business email compromise attack over the previous 12 months.
  • 56.3% of respondents anticipate that the threat level of BEC attacks against their organization will increase in 2025.
  • Offensive AI used by threat actors enables cyberattacks to become more sophisticated, voluminous, unique, and evasive.
  • AI is the emerging innovation that respondents say offers the greatest potential boost to email security at their organization over the next 12 months.
  • With continued degradation in the threat landscape anticipated over the next 12 months, organizations that don’t improve their readiness and defenses will be in a progressively worse position over time.

Pursuing Operational Excellence with Automation and Orchestration – commissioned by Jitterbit
https://ostermanresearch.com/portfolio/jitterbit-automation-orchestration/
Tue, 10 Dec 2024 23:00:00 +0000

Commissioned by Jitterbit

Published December 2024

Executive summary

Today’s organizations seek marketplace success in collaboration with an ecosystem of supply chain partners while using hundreds or even thousands of applications. Unifying systems and apps across the supply chain ecosystem enables organizations to orchestrate experiences that delight customers and employees alike — keeping customers coming back for more and employees engaged in productive work.

Orchestrating these experiences requires organizations to contend with an ever-changing mix of organizational, regulatory, business and technology forces. To account for and embrace this dynamic change environment, organizations must fully embrace automation and orchestration technologies to achieve speed, eliminate errors, and delight customers, trading partners, and employees for true competitive advantage.

Leveraging automation and orchestration technologies enables businesses to seamlessly combine data from across their ecosystem — and more importantly, to act on it in real-time. This 360-degree visibility allows organizations to rapidly identify shifts in demand, optimize supply chain performance, and respond to changing customer preferences. A unified, enterprise-wide approach allows companies to maximize operations, make data-driven decisions and increase speed to market.

Email Security Threats Against Critical Infrastructure Organizations – commissioned by OPSWAT
https://ostermanresearch.com/portfolio/opswat-email-security/
Thu, 19 Sep 2024 00:00:00 +0000

Commissioned by OPSWAT

Released September 2024

Executive summary

Organizations in critical infrastructure sectors operate under heightened warnings of cyberattack due to their control of physical infrastructure that wreaks havoc on economic, financial, and health systems when compromised. While warning levels are increasingly high, efficacy at protecting the most common attack vector, email, is low. Most organizations have been breached in the past 12 months (multiple times), half lack confidence in their current protections, and most know their approach is not best in class. With the level of threat posed by email attacks expected to increase over the next 12 months, critical infrastructure organizations intent on strengthening their email security posture must take a dramatic approach that emphasizes prevention and preclusion of email-borne threats. The data in this survey is drawn from a global audience of organizations in critical infrastructure sectors.

Backing Up Cloud Workloads to Achieve Security and Compliance Mandates – commissioned by OpenText
https://ostermanresearch.com/portfolio/orwp_0360-cloud-workloads-backup/
Fri, 21 Jun 2024 00:00:00 +0000

Commissioned by OpenText

Published June 2024

Executive summary

Many organizations continue to believe that cloud providers are responsible for protecting their data in SaaS apps from all types of data loss, even when cloud providers explicitly opt out of assuring data integrity under the shared responsibility model. When the inevitable happens and data is lost via a cyberattack or deletion action in the normal course of business operations, organizations are faced with the startling realization that their data is actually gone—and the cloud provider can do nothing about it. The data is lost. Irretrievably so.

But there is an alternative, albeit one that requires a decision upfront to assure recovery whatever happens to the cloud provider, whether during a ransomware attack, a malicious insider rampage, or deletion that happens in the normal course of business operations. The alternative is an approach that diligent IT organizations always used to practice—with relentless discipline—in the age of on-premises IT infrastructure. As an increasing proportion of organizations embrace an ever-growing set of SaaS applications, reinstituting solid data backup processes for data in SaaS applications enables organizations to achieve security standards and compliance mandates.

Cybersecurity Perspectives 2024: Enterprises Race to Defend Against Accelerated Pace of Emerging Threats – commissioned by Scale VP
https://ostermanresearch.com/portfolio/scalevp-cybersecurity-2024/
Fri, 24 May 2024 00:00:00 +0000

Commissioned by Scale Venture Partners

Published May 2024

Executive summary

The shift to the cloud, like most transformational technologies, has been a slow transition over the past decade. In the past five years, we’ve seen more enterprises making the shift to cloud-based infrastructure and applications and, as they do, they become reliant on third-party cloud providers, opening new vulnerabilities and areas of exposure that didn’t exist before.

As CISOs seek stable ground in the face of increasing cloud complexity, a new trend has emerged: AI acts as an accelerant, promising efficiency, automation, and a lower barrier to entry for both defenders and attackers.

In order to keep up with threat actors, CISOs are increasingly looking at AI to improve their own security posture, with 89% of security leaders indicating that AI is important to improving their security in 2025.

As these trends converge, Scale Venture Partners has conducted ongoing research to understand the challenges CISOs are facing and how solutions are evolving. Now in its 11th year, this year’s report consolidates perspectives from CISOs, CIOs, VPs, directors, and IT managers.

Our research shows more security incidents, with 76% of companies reporting three or more security incident types. Cloud infrastructure security reclaimed the top priority spot for CISOs, and data center/server security jumped in importance from 8th in 2023 to second.

While we’re still in the early days of AI adoption, CISOs are taking a proactive stance.

Although budget growth has slowed, enterprises allocated 29% more budget toward new, innovative, and experimental security solutions this year.

In the face of increased threats, contracting budgets, and continued talent shortages, CISOs are strategizing to ensure they don’t fall behind in the AI arms race while navigating security in the age of cloud apps and cloud infrastructure.

Scale Venture Partners commissioned Everclear Marketing and Osterman Research to conduct a survey of 300 security leaders in the United States who are responsible for buying decisions, the success of security deployments, or the overall security of the company.

2024 GRC Strategies, Teams, and Outcomes Report – commissioned by LogicGate
https://ostermanresearch.com/portfolio/logicgate-grc-outcomes-2024/
Wed, 22 May 2024 00:00:00 +0000

Commissioned by LogicGate

Published May 2024

Executive summary

Governance, risk, and compliance is a team sport — in a league where no two teams look alike. This diversity in team structures, responsibilities, and program resources makes GRC benchmarking across organizations and industries challenging — and objectively evaluating your program strategy even more difficult.

To give GRC leaders a clear understanding of what “good” GRC looks like, we surveyed 350 risk, cybersecurity, and compliance leaders worldwide about their program objectives, team structures, processes, and technology investments — and aligned responses to a maturity model to gauge their GRC program maturity and success.

One finding stood out above all others: there is no silver bullet for running an effective GRC program. Good GRC practices are simply good business practices.

Team sizes, responsibilities, processes, and spending varied considerably across organization sizes, industries, and geographies. This suggests GRC leaders should first align their strategy and program to business objectives — and interpret peer benchmarks with several grains of salt.

However, what successful GRC teams did have in common were collaborative processes, strong stakeholder engagement, and integrated data and systems.
