Analysis of millions of real-world attack simulations uncovers novel findings about where enterprise security controls effectively stop attacks, where threat actors silently succeed, and how performance differs across industries and architectures
SUNNYVALE, Calif.--(BUSINESS WIRE)--#OffensiveSecurity--SafeBreach, the leader in enterprise exposure validation, today announced the release of its inaugural State of the Breach Report, which analyzes millions of real-world attack simulations executed by global enterprises over the last 12 months using the SafeBreach Exposure Validation Platform. The report addresses the central question CISOs face every day—and one that traditional security metrics like alerts generated, patches applied, or tools deployed do little to answer: Are we actually protected against the attacks that matter most?
Throughout 2025, SafeBreach customers executed more than 1.8 million high-fidelity simulations drawn from CISA alerts, nation-state tradecraft, emerging ransomware and infostealers, and industry-specific tactics, techniques, and procedures (TTPs)—creating one of the richest bodies of empirical security-control-effectiveness data available today. The 2026 State of the Breach Report analyzes this data to reveal clear trends about how enterprise security controls perform against the actual attacker behaviors associated with today’s most pressing threats.
The findings show that behaviors like identity abuse, lateral movement, and AI-driven infostealing continue to evade defenses, directly impacting how teams should prioritize detection engineering, identity controls, and exposure management. The report also highlights how industry sector and security architecture influence resilience, helping leaders benchmark their own posture against relevant peers. Most importantly, the report surfaces insights CISOs can use to:
- Understand real exposure beyond tool coverage
- Defend security investments with evidence, not anecdotes
- Focus remediation efforts where they measurably reduce risk
- Strengthen operational resilience heading into 2026
“Our customers use the data from attack simulations within the SafeBreach platform to easily understand and improve the efficacy of their controls—not by adding more tools or alerts, but by validating whether their existing controls stop real attack paths in practice,” said Guy Bejerano, CEO of SafeBreach. “The findings within the SafeBreach 2026 State of the Breach Report are designed to do the same, replacing assumptions with empirical evidence about where enterprise controls perform well, where they fail, and how trends differ across industries and architectures. It’s a must-read for CISOs and security leaders looking for data-driven insights that can help them improve resilience in the year ahead.”
Key findings from the report include:
- Enterprises consistently prevent loud, payload-centric ransomware attacks, while stealthy, identity-driven campaigns continue to evade enterprise defenses (e.g., Russian GRU tradecraft showed a 28% miss rate).
- Network Inspection and Data Loss Prevention (DLP) controls blocked the most threats, with blockage rates of approximately 65% and 70% respectively, while endpoint controls underperformed with a blockage rate of approximately 53%.
- More than 60% of organizations exposed harvestable credentials, including credentials stored in the Windows Registry and plain-text passwords, enabling rapid privilege escalation once attackers gain a foothold.
- Industries with integrated, centralized security stacks demonstrated stronger resilience, while fragmented IT/OT and endpoint-heavy environments struggled regardless of budget or tool count.
- Organizations that validated, remediated, and re-validated their controls showed rapid, measurable improvement across threat categories, reinforcing that resilience is an operational practice, not a maturity milestone.
For additional insights about enterprise security control performance and expert recommendations about how to improve resilience in 2026, download a full copy of the 2026 State of the Breach Report today.
About SafeBreach
SafeBreach is the leader in enterprise-grade exposure validation, providing the world’s largest brands with safe and scalable capabilities to understand, measure and remediate threat exposure and associated cyber risk. The award-winning SafeBreach exposure validation platform combines pioneering breach and attack simulation and innovative attack path validation capabilities to help enterprise security teams measure and address security gaps at the perimeter and beyond. Backed by a world-renowned original threat research team and world-class support, SafeBreach helps enterprises transform their security strategy from reactive to proactive safely and at scale. To learn more about how SafeBreach helps enterprises with end-to-end exposure visibility, visit www.safebreach.com.
Contacts
Media Contact
KessComm PR
safebreach@kesscomm.com
