46% of enterprise passwords vulnerable to cracking - Picus Security

Picus Security's latest report reveals alarming trends in defensive effectiveness against cyber threats. Explore the key findings from over 160 million attack simulations.


Picus Security, a leader in security validation, has unveiled the Blue Report™ 2025, marking its third consecutive year of data-driven insights into cybersecurity performance. This year's findings, assessed through more than 160 million attack simulations, raise significant concerns about the effectiveness of contemporary security measures against evolving threats.

The report illustrates a worrying decline in defensive capacity as cyber-attacks increase in complexity and frequency. One striking revelation is that at least one password hash was successfully cracked in 46% of environments tested, a sharp rise from 25% in 2024. Equally troubling is the declining success rate in stopping data exfiltration attempts, which fell to just 3%, down from 9% the previous year.

These stats highlight that a single cracked password can lead to lateral movement and massive data theft. With the persistent emergence of infostealer malware and attackers adeptly bypassing security using legitimate credentials, companies are at soaring risk from seemingly invisible threats.

“We must operate under the assumption that adversaries already have access,” said Dr. Süleyman Ozarslan, co-founder of Picus Security and VP of Picus Labs. “An ‘assume breach’ mindset pushes organisations to detect the misuse of valid credentials faster, contain threats quickly, and limit lateral movement — which requires continuous validation of identity controls and stronger behavioural detection.”

Key discoveries from the report include:

  • In 46% of environments, password cracking proved successful—indicative of outdated password practices.
  • Stolen credentials were used effectively in 98% of cyber-attacks, emphasising the challenge of detecting such breaches.
  • Only 3% of data exfiltration efforts were halted, while double extortion attacks increased.
  • Prevention capabilities regressed to 62% in 2025 from 69% in 2024, highlighting waning efficacy in security strategies.
  • Alarmingly, just 14% of attacks resulted in alerts despite logging coverage remaining steady at 54%.

The report attributes these challenges to inadequacies in detection rule configuration, gaps in system integration, and missteps in logging management. Consequently, many enterprises remain blind to malicious activities within their networks.

Findings are based on millions of simulated attacks that Picus Security customers executed safely in live production environments. You can find the full report here.