Annual Report · 2026
The State of Enterprise Cybersecurity
Aggregate findings from 400+ penetration tests, 120+ cloud security audits, and emerging research from Project OffSecAI — across UK and US clients between January 2025 and April 2026.
Executive Summary
Three patterns dominate our findings in 2025-2026. First, traditional Active Directory attacks remain devastatingly effective: Kerberoasting, DCSync via Azure AD Connect, and PRT token theft compromise a substantial majority of engagements. Second, cloud misconfigurations cluster around the same seven patterns regardless of organisation size or sector, suggesting governance failures rather than awareness gaps. Third, LLM applications deployed in 2025-2026 are uniformly vulnerable to indirect prompt injection, with material gaps in input validation and tool-call allowlisting.
All statistics on this page are anchored — link directly to a specific figure for citation. Data is released under CC BY 4.0 for academic, journalistic, and commercial use with attribution.
Key Findings
Across 40 enterprise penetration tests in 2025-2026, Kerberoasting yielded crackable service account hashes in 34 of 40 engagements.
Source: Secureware engagement data, January 2025 – April 2026
Primary Refresh Token theft was reproduced successfully in 11 of 14 hybrid Entra ID / Active Directory engagements conducted since January 2026.
Source: Secureware engagement data, January 2026 – April 2026
Across 120+ AWS cloud security audits, seven specific misconfigurations appear with near-perfect consistency: wildcard IAM policies, public S3 buckets, long-lived access keys, CloudTrail gaps, unencrypted Parameter Store secrets, permissive security groups, and IMDSv1.
Source: Secureware cloud audit aggregate findings, 2023-2026
Of 24 LLM applications assessed under the OffSecAI framework in 2025-2026, 22 contained indirect prompt injection vulnerabilities allowing data exfiltration or tool-call hijacking.
Source: Secureware OffSecAI engagement data, 2025-2026
In testing against 28 mobile applications across banking, healthcare, and enterprise categories, Objection's standard commands bypassed certificate pinning in 19 of 28 applications without customisation.
Source: Secureware mobile security testing data, 2025
Analysis of 38 supply chain incidents across UK and US organisations identified CI/CD pipeline compromise as the primary vector in 61% of successful breaches.
Source: Secureware H1 2026 supply chain analysis
In every internal penetration test conducted within 90 days of the client's Cyber Essentials Plus assessment, we obtained domain admin via AD-specific attack paths not covered by the CE+ scheme.
Source: Secureware engagement data, 2024-2026
A 90-day SME Zero Trust implementation covering identity, network segmentation, device trust, and SIEM is achievable for approximately £3,000 (~$3,800) in one-time investment plus modest ongoing operational cost.
Source: Secureware SME Zero Trust Implementation Workbook, 2026
In hybrid environments assessed in 2025-2026, the MSOL_ account or AAD Connect service account permitted DCSync attacks succeeding in roughly 80% of audits.
Source: Secureware Active Directory engagement data, 2025-2026
Secureware has delivered over 400 penetration tests since founding, across financial services, healthcare, SaaS, manufacturing, and public sector clients in the United Kingdom and United States.
Source: Secureware engagement records
Methodology
Statistics are aggregated from anonymised engagement findings across our UK and US client base. Engagement scope, sector distribution, and client identity are not disclosed. Where specific numbers are cited (e.g. "34 of 40 engagements"), they refer to discrete engagements meeting the stated criteria. Percentages are rounded to nearest whole percent.
We do not extrapolate from our findings to industry-wide claims. Our client base skews toward mid-market and enterprise organisations actively investing in security, which likely biases our findings toward better-than-average baseline posture. Real-world distributions in less-mature environments are likely worse.
Engage with Secureware
If the patterns in this report match concerns about your own environment, we offer penetration testing, cloud security audits, and AI security assessments across the UK and USA. Start with a free scoping call to identify the highest-impact assessment for your situation.