The Permiso Security State of Identity Security Report (2024) offers a comprehensive analysis of cloud identity and access management practices across global organizations. This study, encompassing over 500 entities, unveils critical trends and challenges shaping the future of identity security. 93% of organizations can inventory identities across all environments, as well as track keys, tokens, certificates and any modifications that are made to any environment.

1Password’s 2022 State of Access Report, an annual survey of North American workers’ sentiments and behaviors around cybersecurity and other critical aspects of modern work, reveals that the acute burnout detected in last year’s survey has paved the way for a widespread sense of distraction in a time of “permacrisis.” When security protocols and practices aren’t automated, even the most well-intentioned employees can unwittingly cause a breach.

1Password Business is an encrypted password solution that provides users with secure access via autofill logins, autogenerated strong passwords, and vault features. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization. Forrester took a multistep approach to evaluate the impact that 1Password can have on an organization.

The OffSec Shift Report reveals how organizations are adapting to bring both defensive and offensive strategies to the cybersecurity battle. The past year was hard on cybersecurity teams. The persistent economic downturn led to 39% of organizations deprioritizing their cybersecurity strategy.

The State of Attacks on GenAI delivers cutting-edge insights into real-world attacks on generative AI systems, based on telemetry data from over 2,000 LLM applications. Prompt leaking has emerged as the primary method for exposing sensitive information in successful attacks. This unintended disclosure can reveal proprietary business data, application logic, and PII, leading to significant privacy breaches and security vulnerabilities.

This report seized the opportunity to do something different; it now focuses on highlighting what’s next for the hacking community. From neurodiversity in the hacking community to the rise of hacking influencer platforms, we’ve examined a broad spectrum of important topics. Now, most security professionals not only understand the difference between threat actors and hackers, but they actually have personal experience with ethical hacking.

Reporting over the course of 2023 and 2024, ETL highlights findings on the cybersecurity threat landscape during a yearlong geopolitical escalation. Throughout the latter part of 2023 and the initial half of 2024, there was a notable escalation in cybersecurity attacks, setting new benchmarks in both the variety and number of incidents, as well as their consequences.

This 10-year anniversary edition of the report dissects the 2022 Microsoft vulnerabilities data and highlights some of the key shifts since the inaugural report. This report will spotlight some of the most significant CVEs of 2022, break down how they are leveraged by attackers, and explain how they can be prevented or mitigated. The way Microsoft classifies the severity rating for a vulnerability is distinct from the likelihood of exploitation.

The report has delivered a holistic annual view of the vulnerabilities within Microsoft’s platforms and products, and has established an undeniable business case for the importance of removing admin rights to reduce risk. In this report, we will examine how these vulnerability trends, along with cloud security adoption, collectively influence how we should think about cybersecurity and risk management in 2022 and beyond.

In its 8th year, the Microsoft Vulnerabilities Report has proven to be a valuable asset for many organizations who wish to gain a holistic understanding of the evolving threat landscape. The report provides a 12-month, consolidated view and analysis of Microsoft Patch Tuesdays, as well as exclusive insights from some of the world’s top cybersecurity experts. This analysis not only reveals evolving vulnerability trends, but also identifies the Critical vulnerabilities that could be mitigated if admin rights were removed.

The Microsoft Vulnerabilities Report has garnered over 16,000 downloads and helped thousands of users leverage its detailed data analysis and expert findings to improve their cyber defenses. This year’s edition of the report not only dissects the 2023 Microsoft vulnerabilities data, but also assesses how these vulnerabilities are being leveraged in identity-based attacks. The report also spotlights some of the most significant CVEs of 2023, breaks down how they are leveraged by attackers, and explains how they can be mitigated.

In this report we begin by examining the prevalence of those vulnerabilities across assets to determine which ones are most common. Then we measure how quickly those vulnerabilities are remediated and what factors speed up or slow down that process. We’ll begin our foray into the wilds of the vulnerability landscape by examining the product vendors that shape it. This is important because these technologies are commonly used, thus vulnerabilities affecting them can have a widespread impact on cyber risk posture.

In this report, we’ll delve into insights drawn from an analysis of over 16 billion authentications in the last year (and over 44B in the last 4 years), spanning nearly 52 million different browsers, on 58 million endpoints and 21 million unique phones across regions. Authenticator apps like Duo mobile appeal to both demand for higher security and ease-of-use. Last year, access to remote access applications fell to nearly 25% of authentications after peaking in 2020.

This is the sixth year in a row Tidelift has conducted a survey about open source and the third time it focused exclusively on the maintainers who create and maintain the open source projects we all depend on. The most cited stat from that previous survey was that 60% of maintainers described themselves as unpaid hobbyists. We asked the same question again this year to see if things had changed.

Common Vulnerabilities and Exposures (aka CVEs) in containers, at least according to the interviews conducted for this study, are a pain (in the vuln). Chainguard conducted ten interviews with software professionals at a range of companies that build or operate containers. The interview questions dealt with the processes and workflows that these professionals use to identify, triage, and remediate CVEs in containers. Many of the questions either involved a request for a time estimate of each step of the process or probed the “why” behind the process or workflow.

This report focuses on the security of deployed AI models in cloud services and environments. Our research indicates that more than half of organizations have adopted AI models for custom applications. More than half of organizations are deploying their own AI models. Default AI settings are often accepted without regard for security.

Non-human identities (NHIs) such as bots, API keys, service accounts, OAuth tokens, and secrets are indispensable for automating tasks, enhancing efficiency, and driving innovation within organizations. The survey provides insights into their opinions about their current NHI security, the obstacles they’re facing, and the strategies and tools they’re using. The aim is to shed light on the current state of NHI security and identify areas for improvement.

In the ever-evolving landscape of cybersecurity, the significance of security testing cannot be overstated. As we delve into the 2023 trends, it’s clear that penetration testing remains the cornerstone of a robust security strategy. we’ve observed a substantial 31% increase in manual pentest engagements, highlighting a growing reliance on this building block of security.

To understand the current state of software supply chain security (SSCS) we surveyed 900 AppSec professionals in US, Europe and APAC based organizations across a wide range of industries. The findings show an increased sense of awareness with more than half of respondents acknowledging that SSCS is a top or significant area of focus. However, only 7% have already purchased and implemented an SSCS-specific product.

This report looks back at the major cyber security events of 2023, offering insights and analysis to help understand and prepare for the challenges ahead. Our goal is to provide valuable information to organizations, policy makers, and cyber security professionals, helping them to build stronger defenses in an increasingly digital world. Check Point Research reports that threat actors in hacking forums have started making use of AI tools like ChatGPT, in order to create malware and attack tools such as info-stealers and encryptors.

This year’s report introduces results from the Attack Path Validation (APV) and Detection Rule Validation (DRV) products on the Picus platform, offering deeper observations into organizational preparedness against automated penetration tests and the effectiveness of detection rules in SIEM systems. It provides perspective into the current state of cybersecurity and recommends Continuous Threat Exposure Management (CTEM) for those working to adopt a holistic approach.