Over 5,100 IT and security professionals across 27 countries were asked about their organizations’ approaches to updating and integrating security architecture, detecting and responding to threats, and staying resilient when disaster strikes. (more available)

We identified 50 of the largest multi-party cyber incidents over the past several years in an effort to understand their causes and consequences from beginning to end. (more available)

A continued look at “ripple events” - multi-party security events - examining the size and frequency of these events, firmographics, as well as the velocity of spread of such events. (more available)

A meta-analysis of industry reports on the variety and forms of application exploits used in security incidents.

Get best practices on managing your open source libraries in our State of Software Security v11: Open Source Edition report. Based on 13 million scans of more than 86,000 repositories, SOSS v11: Open Source Edition gives you a unique perspective on the open source libraries in codebases today, how organizations are managing the security of these libraries, and best practices on using open source code securely. (more available)

Endpoint security is the last line of defense. Now more than ever, effective endpoint protection is essential to the success of any cybersecurity program. (more available)

Do exploit code releases help or harm defenders? We decided to put this hotly contested debate to the test. The seventh volume of the Prioritization to Prediction series produced in conjunction with the Cyentia Institute attacks this debate from all angles. (more available)

Every year, enterprises spend millions on security technology and training — only to be caught on the hamster wheel of responding to incidents caused by recurrent human errors. (more available)

Using RiskRecon’s assessment information, explanatory models are built to demonstrate the value of technical information in predicting measures of risk at varying levels of greater technical insight. (more available)

What makes for successful cybersecurity? Is there evidence that security investments result in measurable outcomes? How do we know what actually works and what doesn’t? (more available)

An analysis on the indicators to be derived from detecting Internet of Things (IoT) in organization’s public internet facing profiles.

A deep dive into the nature of the finance sector’s public risk surface. Reviewing subsectors of the finance ecosystem, including supply chains. (more available)

Based on a survey of over 4,800, this report reviews the practices that lead to positive outcomes for security programs. Linking together practices that are more (or less) successful to the characteristics of positive outcomes, this report aims to give guidance for where practitioners can focus their efforts to achieve similar outcomes. (more available)

This sixth volume of the Prioritization to Prediction series combines vulnerability data from Kenna’s customers with additional intelligence from Fortinet and others. (more available)

The IRIS 20/20 Xtreme is a follow-up to the IRIS 20/20 study earlier this year, this time focusing on the 100 largest cyber incidents of the last five years, totaling $18 billion in reported losses and 10 billion compromised records. (more available)

A survey-driven report of over 150 third-party risk practitioners to understand the challenges facing their programs, the actions those professionals are taking to address the challenges, and identify success factors. (more available)

The 2020 edition of this annual report uses results of software scan patterns and results across thousands of global customers. A focus for this edition is the effects of nature (the corporate environment of applications) vs. (more available)

A deep dive into the nature of the healthcare sector’s public risk surface. Reviewing subsectors of the healthcare ecosystem, including supply chains. (more available)

An extension of the Prioritization to Prediction series, this report uses a sample of over 40 manufacturing sector firms to better understand the means and metrics of vulnerability management with the sector. (more available)

An extension of the Prioritization to Prediction series, this report uses a sample of approximately 30 healthcare sector firms to better understand the means and metrics of vulnerability management with the sector. (more available)

An extension of the Prioritization to Prediction series, this report uses a sample of approximately 100 finance sector firms to better understand the means and metrics of vulnerability management with the sector. (more available)