Annual Report · 2026

The State of Enterprise Cybersecurity

Aggregate findings from 400+ penetration tests, 120+ cloud security audits, and emerging research from Project OffSecAI — across UK and US clients between January 2025 and April 2026.

Executive Summary

Three patterns dominate our findings in 2025-2026. First, traditional Active Directory attacks remain devastatingly effective: Kerberoasting, DCSync via Azure AD Connect, and PRT token theft compromise a substantial majority of engagements. Second, cloud misconfigurations cluster around the same seven patterns regardless of organisation size or sector, suggesting governance failures rather than awareness gaps. Third, LLM applications deployed in 2025-2026 are uniformly vulnerable to indirect prompt injection, with material gaps in input validation and tool-call allowlisting.

All statistics on this page are anchored — link directly to a specific figure for citation. Data is released under CC BY 4.0 for academic, journalistic, and commercial use with attribution.

Key Findings

85%
of enterprise AD engagements yielded crackable service account hashes

Across 40 enterprise penetration tests in 2025-2026, Kerberoasting yielded crackable service account hashes in 34 of 40 engagements.

Source: Secureware engagement data, January 2025 – April 2026

79%
of hybrid identity engagements allowed PRT token theft

Primary Refresh Token theft was reproduced successfully in 11 of 14 hybrid Entra ID / Active Directory engagements conducted since January 2026.

Source: Secureware engagement data, January 2026 – April 2026

7
critical AWS misconfigurations found in nearly every enterprise audit

Across 120+ AWS cloud security audits, seven specific misconfigurations appear with near-perfect consistency: wildcard IAM policies, public S3 buckets, long-lived access keys, CloudTrail gaps, unencrypted Parameter Store secrets, permissive security groups, and IMDSv1.

Source: Secureware cloud audit aggregate findings, 2023-2026

92%
of tested LLM applications were vulnerable to indirect prompt injection

Of 24 LLM applications assessed under the OffSecAI framework in 2025-2026, 22 contained indirect prompt injection vulnerabilities allowing data exfiltration or tool-call hijacking.

Source: Secureware OffSecAI engagement data, 2025-2026

68%
of mobile applications had certificate pinning bypassed with standard tooling

In testing against 28 mobile applications across banking, healthcare, and enterprise categories, Objection's standard commands bypassed certificate pinning in 19 of 28 applications without customisation.

Source: Secureware mobile security testing data, 2025

61%
of supply chain breaches traced to CI/CD pipeline compromise

Analysis of 38 supply chain incidents across UK and US organisations identified CI/CD pipeline compromise as the primary vector in 61% of successful breaches.

Source: Secureware H1 2026 supply chain analysis

100%
of Cyber Essentials Plus-certified organisations we audited had domain admin attainable

In every internal penetration test conducted within 90 days of the client's Cyber Essentials Plus assessment, we obtained domain admin via AD-specific attack paths not covered by the CE+ scheme.

Source: Secureware engagement data, 2024-2026

£3,000
achievable budget for SME Zero Trust foundational implementation

A 90-day SME Zero Trust implementation covering identity, network segmentation, device trust, and SIEM is achievable for approximately £3,000 (~$3,800) in one-time investment plus modest ongoing operational cost.

Source: Secureware SME Zero Trust Implementation Workbook, 2026

80%
of hybrid environments allowed DCSync via Azure AD Connect

In hybrid environments assessed in 2025-2026, the MSOL_ account or AAD Connect service account permitted DCSync attacks succeeding in roughly 80% of audits.

Source: Secureware Active Directory engagement data, 2025-2026

400+
total penetration tests delivered across UK and US clients

Secureware has delivered over 400 penetration tests since founding, across financial services, healthcare, SaaS, manufacturing, and public sector clients in the United Kingdom and United States.

Source: Secureware engagement records

Methodology

Statistics are aggregated from anonymised engagement findings across our UK and US client base. Engagement scope, sector distribution, and client identity are not disclosed. Where specific numbers are cited (e.g. "34 of 40 engagements"), they refer to discrete engagements meeting the stated criteria. Percentages are rounded to nearest whole percent.

We do not extrapolate from our findings to industry-wide claims. Our client base skews toward mid-market and enterprise organisations actively investing in security, which likely biases our findings toward better-than-average baseline posture. Real-world distributions in less-mature environments are likely worse.

Engage with Secureware

If the patterns in this report match concerns about your own environment, we offer penetration testing, cloud security audits, and AI security assessments across the UK and USA. Start with a free scoping call to identify the highest-impact assessment for your situation.