BLUE REPORT 2025

The Blue Report 2025 uncovers how security controls perform in practice, based on over 160 million attack simulations across real enterprise environments.


Real-World Effectiveness Is Declining

The 2025 Blue Report reveals a drop in prevention effectiveness to 62%, no improvement in log visibility, and only a slight uptick in alert generation.

Despite continued investment, many defenses fail to detect or stop today’s most common attacks.

Cracking still works

Password Cracking Threat Intensifies

46% of environments had at least one password hash cracked and converted to cleartext. Weak hashing, poor password hygiene, and stored credentials continue to enable lateral movement and privilege escalation across internal domains.

Data theft goes unchecked

Data Exfiltration Defense Is Getting Worse Despite Rising Risk

Data exfiltration prevention dropped from 9% to just 3%, marking it the weakest vector for the third year in a row. This sharp decline comes as infostealers triple and ransomware groups lean heavily on double extortion, exposing a major gap in defensive readiness.

No progress without validation

Prevention Effectiveness Declines

After a strong improvement in 2024, the average prevention score fell from 69% to 62% in 2025. This drop suggests that many organizations are struggling to keep up with increasingly sophisticated attack techniques and that previously effective controls may be losing their edge without continuous validation and tuning.

Top ransomware still breaking through

Ransomware Remains a Top Concern

BlackByte continues to be the hardest strain to prevent, with a prevention effectiveness of just 26%, even after its prominence in last year’s findings. BabLock and Maori followed at 34% and 41%, respectively.

EFFECTIVE THREAT EXPOSURE MANAGEMENT

Previous Blue Reports

Blue Report 2024

The State of Threat Exposure Management

Blue Report 2023

Uncover the Trade-offs Organizations Make When Managing Their Threat Exposure


Frequently Asked Questions

The Picus Blue Report 2025 is an annual research study that analyzes the real-world effectiveness of cybersecurity controls across organizations. Based on over 160 million attack simulations conducted via the Picus Security Validation Platform, the report offers data-driven insights into how well enterprises are able to prevent and detect adversary behaviors across vectors, industries, and regions.

Averaging 14 per sample, with 11,984,156 mapped to the MITRE ATT&CK framework. Out of those techniques, we observed the following top 10 techniques being used, in that order: Process Injection, Command and Scripting Interpreter, Credentials from Password Stores, Application Layer Protocol, Impair Defenses, Data Encrypted for Impact, System Information Discovery, Input Capture, Boot or Logon Autostart Execution, and Data from Local System.

The Blue Report 2025 serves as a practical guide for operationalizing Continuous Threat Exposure Management (CTEM). It helps security teams identify exposure blind spots, assess control effectiveness, and prioritize mitigation based on real-world adversary behaviors. By leveraging Adversarial Exposure Validation (AEV), teams can move beyond theoretical risks to validate which exposures are truly exploitable. This evidence-based approach supports more accurate risk quantification, informed investment decisions, and measurable progress across CTEM stages.

The Picus Platform uses curated adversary behavior chains drawn from real APT and malware campaigns, simulating tactics like credential theft, lateral movement, command and control, and data exfiltration. These simulations are non-disruptive and allow organizations to test whether their current defenses can stop threats as they unfold in production environments.

The key is to validate detection rules through simulated attacks and prioritize quality over quantity. By testing whether specific attacker behaviors are triggering alerts and tuning rules to reduce noise, security teams can ensure alerts are meaningful, reducing fatigue and increasing response speed.

The Blue Report provides objective, simulation-based evidence of which threats are succeeding, which controls are failing, and where security teams should focus next. It’s a valuable benchmark for risk-based decision-making and for tracking progress in exposure reduction year over year.

Password cracking succeeded in 46 percent of environments, nearly doubling from 2024. This rise is largely due to weak internal password policies, outdated hashing algorithms, and the increasing use of credential-harvesting malware. Attackers can now quickly automate password hash cracking and use the resulting credentials for lateral movement and privilege escalation, often without triggering alerts.