Nearly half of enterprises tested had passwords cracked in Picus Security report




A new report out today from cybersecurity validation startup Picus Security Inc. reveals that nearly half of enterprise environments had at least one password cracked during testing, a dramatic increase from last year, and that attacks using valid credentials succeeded 98% of the time.

The data comes from the Picus Security Blue Report 2025 and is based on more than 160 million simulated attacks. The report, now in its third year, provides a data-driven assessment of how well security controls perform against today’s threats.

The report details a worrying decline in defensive performance, with overall prevention effectiveness dropping from 69% in 2024 to 62% this year. Data exfiltration prevention rates were also found to have fallen to just 3%, down from 9% last year, making it the least prevented attack vector for the third year in a row.

On the ransomware front, BlackByte was found to remain the hardest ransomware to stop, with only a 26% prevention rate, followed by BabLock at 34% and Maori at 41%. Discovery tactics such as System Network Configuration Discovery and Process Discovery were blocked less than 12% of the time, underscoring persistent blind spots in early detection.

Detection performance remained a weak link: while log coverage held steady at 54%, only 14% of simulated attacks generated alerts. Of the detection rule failures, 50% stemmed from logging issues, with other problems tied to configuration errors and performance bottlenecks.

The report wasn’t all doom and gloom, however. Domain administrator compromises fell from 24% to 19% and access to domain admin accounts dropped from 40% to 22%, reflecting stronger lateral movement defenses and better network segmentation. MacOS endpoint security also saw rapid improvement, jumping from 23% to 76% prevention effectiveness, outpacing Linux at 69% and closing in on Windows at 79%.

The report’s recommendations for organizations include enforcing stronger password policies, improving outbound data monitoring, fine-tuning detection pipelines and testing ransomware scenarios that include encryptionless extortion.

“We must operate under the assumption that adversaries already have access,” said Dr. Süleyman Ozarslan, co-founder of Picus Security and vice president of Picus Labs. “An ‘assume breach’ mindset pushes organizations to detect the misuse of valid credentials faster, contain threats quickly and limit lateral movement, which requires continuous validation of identity controls and stronger behavioral detection.”

Image: SiliconANGLE/Reve
