Nearly Half Of Corporate Passwords Cracked In 2025 Cybersecurity Tests

Almost half of enterprise environments tested this year had at least one password cracked. Picus Security’s Blue Report 2025, based on over 160 million live attack simulations, found a 46% cracking rate, almost double the 25% recorded in 2024.

Weak complexity rules, outdated hashing methods and re-used credentials continue to give attackers a way in. The company’s Red Report also recorded credential theft tools in 25% of malware samples. These tools often target stored logins in browsers and password managers.

Once stolen, logins were extremely effective. Attacks using valid accounts succeeded 98% of the time, and the prevention rate for this method was only 2%. So most attackers using legitimate credentials were able to operate unnoticed for long periods.

Picus said the continued reliance on weak password practices makes it easy for cybercriminals to gain a foothold and carry out lateral movement across networks. This can lead to far greater breaches if not addressed through stronger password rules and regular security validation.

 

Why Is Data Theft Harder To Stop Now?

 

Defences against data theft have weakened. The prevention rate for stopping exfiltration attempts fell from 9% last year to only 3% in 2025. Picus linked this drop to poor data loss prevention tools, weak outbound traffic filtering and limited behavioural monitoring.

The fall comes during a surge in more aggressive attack methods. Infostealer malware activity has tripled, while ransomware groups are increasingly using double extortion methods such as stealing sensitive files and threatening to leak them if payment is not made.

Blocking ransomware itself is also proving difficult. BlackByte was the most successful strain against defences, with a prevention rate of just 26%. BabLock came in at 34% and Maori at 41%. Picus warned that without stronger detection of data leaving the network, these attacks will continue to cause damage even when encryption is avoided.

 

 

Are General Defences Getting Weaker?

 

Average prevention scores fell from 69% in 2024 to 62% this year. Picus said security controls often lose effectiveness over time unless they are tested and adjusted regularly. This shows that initial success in deploying tools is not enough if they are left untouched.

Logging performance stayed at 54%, but only 14% of attacks generated alerts. That means the majority of recorded malicious activity was not acted upon. Detection rules failed in half of cases because logging data was incomplete.

Other failures were caused by performance problems, configuration errors and broken or unavailable log sources. This leaves attackers with more opportunities to work without triggering alerts.

There was improvement in containing lateral movement. Domain administrator compromise dropped from 24% to 19% and admin account access went from 40% to 22%. Better network segmentation and use of security validation insights were credited for these gains.

 

Are Any Platforms Doing Better?

 

Apple’s macOS showed the largest improvement with prevention rates going from 23% last year to 76% in 2025. This puts it ahead of Linux at 69% and close to Windows at 79%. More investment is going into protecting Apple devices, which have often been less of a focus in the past.

That aside, many common attack techniques are still effective. Methods used to identify network settings or run process discovery commands had prevention rates under 12%. Tactics for avoiding detection, such as execution guardrails and data encoding, scored just 8% and 3% respectively.

These methods often look like normal user actions, making them difficult to catch without more advanced monitoring and identity-based detection. Picus said early identification of such activity is essential for stopping attackers before they escalate access.

 

What Actions Does Picus Recommend?

 

Picus called for more regular testing of security tools using real-world attack simulations. This would help find gaps caused by poor configuration, outdated rules and missing logs. It also advised stronger password policies, better detection pipelines and tighter control of outbound data flows.

The company also brought up encryptionless extortion, where attackers steal data and threaten to release it without using encryption. This makes traditional ransomware defences less effective. Testing scenarios that combine theft and extortion can help measure readiness.

The 2025 findings show some improvements, such as better macOS protection and reduced domain administrator compromise. Even so, falling prevention rates and declining data theft defences leave organisations open to breaches that are hard to detect and even harder to stop once in progress.