
Cybersecurity report advocates an offence-driven approach

By Jean-Pierre Joosting



Horizon3.ai’s newly released 2025 Cybersecurity Insights Report reveals the common security gaps organisations struggle to close.

By analysing exploit trends from 50,000 NodeZero® autonomous security tests run in 2024, along with insights from a survey sample of nearly 800 security leaders and practitioners, the report presents clear evidence of how current cybersecurity strategies are failing and what organisations must change to stay ahead of evolving threats.

Key insights from the cybersecurity report include:

  • Vulnerability scanning falls short — although 98% of organisations use vulnerability scanning, only 34% find it highly effective, because false positives hinder teams from focusing on real risks.
  • Credential-based attacks remain a significant risk — NodeZero successfully performed credential dumping in over 28,000 cases, highlighting the widespread danger of weak credential practices and policies.
  • Patch management delays leave systems exposed — over half of practitioners (53%) and more than a third of security leaders (36%) admit to postponing patches due to operational constraints, leaving critical vulnerabilities open.
  • Known vulnerabilities remain unpatched — NodeZero exploited 229 known vulnerabilities nearly 100,000 times in customer environments, demonstrating that many organisations struggle to remediate even widely recognised threats.

“Security isn’t about reacting — it’s about outpacing your adversary,” said Snehal Antani, CEO and Co-Founder of Horizon3.ai. “Too many organisations still confuse compliance for security, falling back on outdated assumptions and annual testing cycles. This report shows what modern defenders already know: you have to think like an attacker, validate like an operator, and build a security program that stands up to real-world pressure.”

 

Offense-driven cybersecurity

These problems reflect a broader pattern that the report lays bare. Across nine key themes, it shows that organisations continue to rely on point-in-time testing, noisy tools, and risk models built on assumptions rather than proof.

Each section reveals a recurring failure, from vulnerability overload and delayed patching to ineffective pentests, cloud misconfigurations, and especially credential weaknesses. Fixing these issues requires more than remediation — it demands continuous visibility into identity, access, and privilege exposure.

Only an offense-driven approach that continuously tracks readiness and validates defenses while leveraging deception, detection, and real-world attacker perspectives can expose and eliminate the gaps attackers rely on.

“This report is a reality check for security teams,” said Stephen Gates, Principal Security SME at Horizon3.ai. “It doesn’t just highlight where defences are failing; it points to a better path forward. If you still rely on assumptions, static tools, or annual tests, this data makes it clear: it’s time to evolve. Offensive security isn’t a nice-to-have—it’s the strategy that separates the resilient from the exposed.”

The 2025 Cybersecurity Insights Report is available to download.

www.horizon3.ai
