Picus Security, a leader in security validation, has unveiled the Blue Report™ 2025, marking its third consecutive year of data-driven insights into cybersecurity performance. This year's findings, assessed through more than 160 million attack simulations, raise significant concerns about the effectiveness of contemporary security measures against evolving threats.
The report illustrates a worrying decline in defensive capacity as cyber-attacks increase in complexity and frequency. One striking revelation is that at least one password hash was successfully cracked in 46% of environments tested, a sharp rise from 25% in 2024. Equally troubling is the reduced success in stopping data exfiltration attempts: the prevention rate has dropped to a mere 3%, down from 9% the previous year.
These statistics highlight that a single cracked password can lead to lateral movement and massive data theft. With the persistent emergence of infostealer malware and attackers adeptly bypassing security controls using legitimate credentials, companies face soaring risk from seemingly invisible threats.
“We must operate under the assumption that adversaries already have access,” said Dr. Süleyman Ozarslan, co-founder of Picus Security and VP of Picus Labs. “An ‘assume breach’ mindset pushes organisations to detect the misuse of valid credentials faster, contain threats quickly, and limit lateral movement — which requires continuous validation of identity controls and stronger behavioural detection.”
Key discoveries from the report include:
The report attributes these challenges to inadequacies in detection rule configuration, gaps in system integration, and missteps in logging management. Consequently, many enterprises remain blind to malicious activities within their networks.
The findings are based on millions of simulated attacks executed safely by Picus Security customers in a live production environment.