Horizon3.ai, a global leader in offensive security, has released its 2025 Cybersecurity Insights Report.
Keith Poyser, Vice President for EMEA at Horizon3.ai, stated, “This report offers a groundbreaking analysis based on real-world cyberattack techniques conducted at organisations across the globe, delivering invaluable insights.”
The report presents clear evidence of how current security strategies are failing and what organizations must change to stay ahead of evolving threats. By analyzing exploit trends from 50,000 NodeZero® autonomous security tests run in 2024 and insights from a survey sample of nearly 800 security leaders and practitioners, the report reveals the common security gaps organizations struggle to close.
Horizon3.ai defines offensive security as using real-world attacker techniques to identify and exploit weaknesses across IT environments. This approach provides clear, actionable proof that enables teams to find, fix, and verify vulnerabilities before adversaries strike.
The report highlights key findings, including the fact that vulnerability scanning falls short. Although 98% of organizations use vulnerability scanning, only 34% find it highly effective, because false positives hinder teams from focusing on real risks. Credential-based attacks also remain a major risk: NodeZero successfully performed credential dumping in over 28,000 cases, demonstrating how widespread weak credential practices and policies are.
The report also reveals that patch management delays leave systems exposed. Over half of practitioners (53%) and more than a third of security leaders (36%) admit to delaying patches due to operational constraints, leaving critical vulnerabilities open. In addition, known vulnerabilities remain unpatched, with NodeZero exploiting 229 known vulnerabilities nearly 100,000 times in customer environments.
Snehal Antani, CEO & Co-Founder of Horizon3.ai, stated, “Security isn’t about reacting—it’s about outpacing your adversary. Too many organizations still confuse compliance for security, falling back on outdated assumptions and annual testing cycles. This report shows what modern defenders already know: you have to think like an attacker, validate like an operator, and build a security program that stands up to real-world pressure.”
The report also highlights the need for an offense-driven security approach, which continuously tracks readiness and validates defenses while leveraging deception, detection, and real-world attacker perspectives to expose and eliminate the gaps attackers rely on.
Stephen Gates, Principal Security SME at Horizon3.ai, said, “This report is a reality check for security teams. It doesn’t just highlight where defences are failing, it points to a better path forward. If you’re still relying on assumptions, static tools, or annual tests, this data makes it clear: it’s time to evolve. Offensive security isn’t a nice-to-have—it’s the strategy that separates the resilient from the exposed.”
The State of Cybersecurity in 2025: Data-Driven Insights from Over 50,000 NodeZero® Pentests is available now. The report explores the root causes behind today’s most persistent security failures and how an offense-driven approach is helping organizations finally close the gaps attackers rely on. Interested parties can download the full report today.
About Horizon3.ai and NodeZero: Horizon3.ai provides a cloud-based platform, NodeZero, enabling organizations and public authorities to run production-safe self-attacks on their IT infrastructure to assess their cyber resilience through penetration testing (pentesting). The platform offers affordable, regular autonomous pentesting, making it accessible to organizations ranging from small and mid-sized businesses to large enterprises. Horizon3.ai continuously monitors the cybercrime landscape to ensure that newly discovered vulnerabilities are swiftly integrated into the cloud system. NodeZero not only identifies security flaws but also offers tailored recommendations for remediation. Through this platform, Horizon3.ai helps organizations meet rising regulatory demands for cyber resilience in Governance, Risk & Compliance (GRC), with guidelines recommending an internal self-attack at least once a week.
Trademark notice: NodeZero is a registered trademark of Horizon3.ai.
For further information, please contact Horizon3.AI Europe GmbH at Prielmayerstrasse 3, 80335 Munich, or visit their website at www.horizon3.ai. For media inquiries, please contact euromarcom public relations GmbH at www.euromarcom.de, or email team@euromarcom.de.

Derick is an experienced reporter having held multiple senior roles for large publishers across Europe. Specialist subjects include small business and financial emerging markets.