rhetenor/awesome-awesomeness
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
master
awesome-awesomeness/terminal/annualsecurityreports2
rhetenor 652812eed0 update
2025-07-18 23:13:11 +02:00

611 lines
355 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
 Awesome Annual Security Reports !Awesome (https://awesome.re/badge-flat2.svg) (https://awesome.re)
▐ A curated list of annual cyber security reports - Centralized annual cybersecurity analysis and industry surveys
Definition: The cybersecurity landscape is constantly evolving, making it hard for CIOs, CISOs, and security leaders to keep up. They're flooded with annual reports from research consultancies, industry working groups, non-profits, and government
agencies, and sifting through marketing material to find actionable insights is a major challenge. This list aims to cut through the noise by providing a vendor-neutral resource for the latest security trends, tools, and partnerships. It curates 
information from trusted sources, making it easier for security leaders to make informed decisions.
Disclaimer: The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. There are a variety of different business models and drivers that would cause information to be put 
behind a paywall, I would like to respect those companies and individuals. Consult the original authors for licensing of any report content.
Limitations: This is not a repository for project-specific documents such as white papers, intelligence reports, technical specifications, or standards. While all user-submitted uploads or report requests are welcome, we should draw a box around 
this _awesome_ list. 
Accessibility
When possible, all reports will be sourced from their original authors and uploaded to Virus Total (https://virustotal.com/) via GitHub action to provide an added level of confidence. The resulting analysis link will be included in the PDF commit
notes. Additionally, all PDF reports will be converted to Markdown using AI, based on the AI Prompts (/.github/ai-prompts) defined in this repository.
Acknowledgement: I would like to give recognition for other works that inspired this collection. Richard Stiennon (https://it-harvest.com/about/) produces an annual, comprehensive industry analysis that surpasses the scope of this list and 
deserves attention. Additionally, Rick Howard (https://www.linkedin.com/in/rickhoward/)'s cyber cannon list of must-read books is an invaluable resource, catering to both leadership and practitioner levels within the field.
Annual Report Counts: 
!GitHub repo file or directory count (in path) (https://img.shields.io/github/directory-file-count/jacobdjwilson/awesome-annual-security-reports/Annual%20Security%20Reports%2F2020?type=file&style=flat-square&label=2020%20Reports)
!GitHub repo file or directory count (in path) (https://img.shields.io/github/directory-file-count/jacobdjwilson/awesome-annual-security-reports/Annual%20Security%20Reports%2F2021?type=file&style=flat-square&label=2021%20Reports)
!GitHub repo file or directory count (in path) (https://img.shields.io/github/directory-file-count/jacobdjwilson/awesome-annual-security-reports/Annual%20Security%20Reports%2F2022?type=file&style=flat-square&label=2022%20Reports)
!GitHub repo file or directory count (in path) (https://img.shields.io/github/directory-file-count/jacobdjwilson/awesome-annual-security-reports/Annual%20Security%20Reports%2F2023?type=file&style=flat-square&label=2023%20Reports)
!GitHub repo file or directory count (in path) (https://img.shields.io/github/directory-file-count/jacobdjwilson/awesome-annual-security-reports/Annual%20Security%20Reports%2F2024?type=file&style=flat-square&label=2024%20Reports)
!GitHub repo file or directory count (in path) (https://img.shields.io/github/directory-file-count/jacobdjwilson/awesome-annual-security-reports/Annual%20Security%20Reports%2F2025?type=file&style=flat-square&label=2025%20Reports)
Contents
- Overview (#overview)
- Analysis Reports (#analysis-reports)
- **Threat Intelligence** (#threat-intelligence) 
- **Application Security** (#application-security) 
- **Cloud Security** (#cloud-security) 
- **Vulnerabilities** (#vulnerabilities) 
- **Ransomware** (#ransomware) 
- **Data Breaches** (#data-breaches) 
- **Physical Security** (#physical-security) 
- **AI and Emerging Technologies** (#ai-and-emerging-technologies)
- Survey Reports (#survey-reports)
- **Industry Trends** (#industry-trends) 
- **Application Security** (#application-security-1) 
- **Cloud Security** (#cloud-security-1) 
- **Identity Security** (#identity-security) 
- **Penetration Testing** (#penetration-testing) 
- **Ransomware** (#ransomware-1) 
- **Privacy and Data Protection** (#privacy-and-data-protection) 
- **AI and Emerging Technologies** (#ai-and-emerging-technologies-1)
- Resources (#resources)
- **Research Consulting** (#research-consulting) 
- **Standards and Certifications** (#standards-and-certifications) 
- **Threat Intelligence and Incident Response** (#threat-intelligence-and-incident-response)
- **Policy and Advocacy** (#policy-and-advocacy) 
- **Working Groups** (#working-groups) 
- **Government and Non-profits** (#government-and-non-profits) 
- Contributing (#contributing)
Overview
Reports are organized into two main categories based on their data sources:
- Analysis: Generated through quantification and qualification of data from sensor networks or cybersecurity services.
- Survey: Derived from surveys, interviews, or consulting engagements that capture industry sentiment and practices.
The most recent versions of reports are listed below. Older editions are preserved in their corresponding yearly directories. Reports from sources that have not been updated in the last three years will no longer appear in this README.md but will
remain accessible in the respective year's directory.
Reports are organized by their primary focus. Although many reports span multiple topics, this classification provides a clearer structure. Within each topic, reports are listed alphabetically.
Analysis Reports
Threat Intelligence
- ArticWolfLabs (https://arcticwolf.com/arctic-wolf-labs-2025-cybersecurity-predictions/) - Cybersecurity Predictions (Annual%20Security%20Reports/2025/ArticWolfLabs-Cybersecurity-Predictions-2025.pdf) (2025) - Analyzes evolving threat landscapes
and predicts key cybersecurity challenges for 2025. The report highlights the increasing sophistication of social engineering attacks, emphasizing the critical need for robust multi-factor authentication (MFA) implementations and vigilance 
against evolving tactics, techniques, and procedures (TTPs).
- Australian Signals Directorate (https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2023-2024) - Cyber Threat Report (Annual%20Security%20Reports/2024/ASD-Cyber-Threat-Report-2024.pdf) (2024) - 
Analyzes the Australian cyber threat landscape for 2023-2024, focusing on state actors, critical infrastructure attacks, cybercrime, hacktivism, and national resilience efforts. Key findings highlight a significant increase in ransomware attacks 
targeting critical infrastructure and a concerning rise in hacktivism motivated by geopolitical events.
- BD (https://news.bd.com/2024-06-13-BD-Issues-Annual-Product-Security-Report,-Highlighting-Transparency-and-Collaboration) - Product Security Annual Report (Annual%20Security%20Reports/2023/BD-Product-Security-Annual-Report-2023.pdf) (2023) - 
Analyzes the cybersecurity posture of BD's medical device ecosystem and its products. Key findings highlight the importance of collaborative vulnerability disclosure and the implementation of strong cybersecurity controls throughout the product 
lifecycle to mitigate risks within the healthcare sector.
- Blackpoint (https://blackpointcyber.com/resources/cybersecurity-annual-threat-report-2024/) - Annual Threat Report (Annual%20Security%20Reports/2024/Blackpoint-Cyber-Annual-Threat-Report-2024.pdf) (2024) - Analyzes the 2023 cyberthreat 
landscape and emerging trends. Key findings highlight a concerning rise in exploitation of vulnerabilities like Citrix Bleed, alongside shifts in threat actor tactics and industry-specific vulnerabilities.
- CheckPoint (https://www.checkpoint.com/security-report/) - Cybersecurity Report (Annual%20Security%20Reports/2025/CheckPoint-Cybersecurity-Report-2025.pdf) (2025) - Analyzes global cybersecurity events and trends in 2024, offering predictions 
and recommendations for CISOs in 2025. Key findings highlight the impact of AI and cloud advancements on cybercrime, emphasizing the need for proactive security measures and adaptive strategies.
- Cisco (https://umbrella.cisco.com/info/cyber-threat-trends-report) - Cyber Threats Trends Report (Annual%20Security%20Reports/2025/Cisco-Cyber-Threats-Trends-Report-2025.pdf) (2025) - Analyzes current cyber threat trends, focusing on 
information stealers, Trojans, ransomware, RATs, and APTs. Key findings reveal a significant increase in the sophistication and volume of attacks, particularly concerning the use of information stealers and the continued evolution of ransomware 
techniques.
- CrowdStrike (https://www.crowdstrike.com/resources/reports/overwatch-threat-hunting-report/) - Threat Hunting Report (Annual%20Security%20Reports/2024/CrowdStrike-Threat-Hunting-Report-2024.pdf) (2024) - Analyzes 2024 intrusion trends, focusing
on adversary tactics and sectoral targeting. Key findings reveal a significant rise in cloud-based attacks leveraging cloud management agents, alongside a concerning increase in sophisticated insider threats targeting numerous U.S. companies.
- CrowdStrike (https://www.crowdstrike.com/en-us/global-threat-report/) - Global Threat Report (Annual%20Security%20Reports/2025/Crowdstrike-Global-Threat-Report-2025.pdf) (2025) - Analyzes global threat trends and key adversary tactics for 2025.
Significant findings include the increasing use of generative AI by adversaries, the persistent threat of social engineering, and the growing sophistication of cloud-based attacks targeting SaaS platforms.
- DarkTrace (https://darktrace.com/resources/annual-threat-report-2024) - Annual Threat Report (Annual%20Security%20Reports/2024/Darktrace-Annual-Threat-Report-2024.pdf) (2024) - Analyzes the 2024 threat landscape, focusing on ransomware, email 
threats, and state-sponsored espionage. Key findings reveal the persistence of ransomware attacks, the increasing sophistication of LOTL techniques, and a notable rise in threats targeting operational technology and critical infrastructure 
sectors.
- DeepInstinct (https://info.deepinstinct.com/2025_cyber_threat_landscape_report) - Threat Landscape Report (Annual%20Security%20Reports/2025/Deep-Instinct-Cyber-Threat-Landscape-Report-2025.pdf) (2025) - Analyzes global malware trends and 
ransomware attacks in 2024, offering predictions for 2025. Key findings highlight a continued rise in ransomware attacks targeting specific sectors, coupled with the evolving tactics of ransomware groups and the impact of sanctions and 
disclosures on their operations.
- DeepWatch (https://www.deepwatch.com/2024-ati-threat-report/) - Annual Threat Report (Annual%20Security%20Reports/2024/Deepwatch-Annual-Threat-Report-2024.pdf) (2024) - Analyzes 2023 adversary tactics and intelligence, focusing on observed 
trends and key threat actors. Key findings highlight the continued dominance of account compromise and ransomware incidents, alongside the persistent exploitation of critical vulnerabilities in internet-facing systems.
- Department of Homeland Security (https://www.dhs.gov/publication/homeland-threat-assessment) - Threat Assessment (Annual%20Security%20Reports/2025/DHS-Threat-Assessment-2025.pdf) (2025) - Analyzes homeland security threats in 2025, focusing on 
terrorism, transnational crime, and threats to critical infrastructure. Key concerns include the evolving tactics of nation-state actors, the persistent threat of cyberattacks targeting critical infrastructure, and the increasing challenges posed
by transnational criminal organizations.
- DNSFilter (https://explore.dnsfilter.com/2025-annual-security-report) - Annual Security Report (Annual%20Security%20Reports/2025/DNSFilter-Annual-Security-Report-2025.pdf) (2025) - Analyzes 2024 cybersecurity trends, focusing on data breaches 
and their impact across various regions. Key findings reveal a significant increase in threats related to natural disasters and election-related attacks, coupled with an uneven adoption of security measures among Managed Service Providers (MSPs).
- Dragos (https://www.dragos.com/ot-cybersecurity-year-in-review/) - OT Cybersecurity Report A Year in Review (Annual%20Security%20Reports/2025/Dragos-OT-Cybersecurity-Report-A-Year-in-Review-2025.pdf) (2025) - Analyzes the 2025 OT/ICS 
cybersecurity landscape, focusing on adversary tactics and defender progress. Key findings reveal a rise in OT-centric cyber operations fueled by geopolitical tensions, particularly the Ukraine-Russia conflict, and the increasing activity of 
threat groups like KAMACITE and ELECTRUM.
- ENISA (https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024) - Threat Landscape Report (Annual%20Security%20Reports/2024/ENISA-Threat-Landscape-2024.pdf) (2024) - Analyzes the 2024 threat landscape, focusing on evolving trends 
in cyberattacks and vulnerabilities. Key findings highlight the persistent threat of ransomware, the increasing sophistication of social engineering tactics, and a concerning rise in data breaches targeting critical infrastructure.
- Ensign (https://www.ensigninfosecurity.com/resources/threat-insights/cyber-threat-landscape-report-2024) - Cyber Threat Landscape Report (Annual%20Security%20Reports/2024/Ensign-Cyber-Threat-Landscape-Report-2024.pdf) (2024) - Analyzes 
cybersecurity threat trends across the Asia-Pacific region in 2023. Key findings highlight the evolution of ransomware extortion tactics and the increasing sophistication of hacktivist groups, alongside a notable rise in attacks targeting digital
infrastructure.
- Expel (https://expel.com/annual-threat-report/) - Annual Threat Report (Annual%20Security%20Reports/2025/Expel-Annual-Threat-Report-2025.pdf) (2025) - Analyzes cybersecurity trends from 2024, focusing on cloud security, phishing, and other 
threats. Key findings reveal diverse threat actor tactics across various industries, highlighting the need for proactive detection and preventative measures.
- FBI (https://www.ic3.gov/AnnualReport/Reports) - Internet Crime Report (Annual%20Security%20Reports/2024/FBI-Internet-Crime-Report-2024.pdf) (2024) - Analyzes 2024 cybercrime trends and complaint data reported to the Internet Crime Complaint 
Center (IC3). Key findings reveal a significant increase in cyber-enabled fraud complaints across various age groups, with notable regional disparities in reported incidents.
- Flashpoint (https://flashpoint.io/resources/report/flashpoint-2025-global-threat-intelligence-gtir/) - Global Threat Intelligence Report (Annual%20Security%20Reports/2025/Flashpoint-Threat-Intel-Report-2025.pdf) (2025) - Analyzes the 2025 
global cyber threat landscape, focusing on data breaches and information-stealing malware. Key findings reveal significant trends in unauthorized access methods and the evolving tactics used by threat actors, impacting various sectors and 
requiring updated security strategies.
- Fortinet (https://www.fortinet.com/blog/threat-research/key-takeaways-from-the-2025-global-threat-landscape-report) - Global Threat Report (Annual%20Security%20Reports/2025/Fortinet-Global-Threat-Report-2025.pdf) (2025) - Analyzes the evolving 
global threat landscape and attacker tactics. Key findings reveal a surge in cyber reconnaissance activity driven by automated scanning and a significant shift in attacker focus towards cloud environments and post-exploitation techniques.
- Huntress (https://www.huntress.com/resources/2025-cyber-threat-report) - Threat Report (Annual%20Security%20Reports/2025/Huntress-Threat-Report-2025.pdf) (2025) - Analyzes the 2024 cyber threat landscape, focusing on ransomware attacks and 
their impact across various sectors. Key findings reveal a concerning increase in ransomware attacks targeting healthcare and technology sectors, with a notable rise in the use of Remote Monitoring and Management (RMM) tools for lateral movement.
- IBM (https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index) - X Force Threat Intelligence Index (Annual%20Security%20Reports/2025/IBM-X-Force-Threat-Intelligence-Index-2025.pdf) (2025) - 
Analyzes emerging cybersecurity threats and trends for 2025. Key findings highlight the increasing use of AI in attacks, the persistence of info-stealers, and the significant role of phishing and cloud-based infrastructure in successful 
compromises.
- Kela (https://www.kelacyber.com/resources/research/2025-ai-threat-report/) - AI Threat Report (Annual%20Security%20Reports/2025/Kela-AI-Threat-Report-2025.pdf) (2025) - Analyzes the weaponization of AI by cybercriminals, focusing on emerging 
threats and attack vectors. Key findings reveal a 200% increase in mentions of malicious AI in 2024, highlighting the rapid growth of dark AI tools and their use in automated phishing, vulnerability research, and malware development.
- Mandiant (https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025) - M Trends (Annual%20Security%20Reports/2025/Mandiant-M-Trends-2025.pdf) (2025) - Analyzes global cybersecurity threats and trends in 2025. Key findings include 
insights into ransomware attacks, cloud compromises, and the evolving tactics of various nation-state actors.
- Microsoft (https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2024) - Digital Defense Report (Annual%20Security%20Reports/2024/Microsoft-Digital-Defense-Report-2024.pdf) (2024) - 
Analyzes the evolving cybersecurity threat landscape and key developments in threat actor motivations and tactics. Significant findings include the blurring lines between nation-state actors and cybercriminals, along with quantifiable data on 
nation-state threat activity.
- Mimecast (https://www.mimecast.com/resources/ebooks/threat-intelligence-july-december-2024/) - Global Threat Intelligence Report H2 (Annual%20Security%20Reports/2024/Mimecast-Global-Threat-Intelligence-Report-H2-2024.pdf) (2024) - Outlines a 
method for converting technical PDFs into Markdown. The key focus is on complete fidelity, preserving all content, structure, and formatting, including a functional Table of Contents and descriptions of images rather than embedding them.
- National Cyber Security Centre (https://www.ncsc.govt.nz/news/cyber-threat-report-2024) - Cyber Threat Report (Annual%20Security%20Reports/2024/NCSC-Cyber-Threat-Report-2024.pdf) (2024) - Analyzes New Zealand's cyber threat landscape for 
2023-2024, focusing on state actors, critical infrastructure attacks, cybercrime, hacktivism, and national resilience efforts. Key findings highlight a notable increase in ransomware attacks targeting critical infrastructure and a growing 
sophistication of state-sponsored cyber operations.
- NCC Group (https://www.nccgroup.com/us/threat-monitor-report-2024/) - Threat Monitor Report (Annual%20Security%20Reports/2024/NCCGroup-Threat-Monitor-Report-2024.pdf) (2024) - Provides an analysis of current cyber threats, offering insights 
into attack trends, vulnerabilities, and strategies for improving organizational cybersecurity.
- Office of the Director of National Intelligence (https://www.dni.gov/index.php/newsroom/reports-publications/reports-publications-2025/4058-2025-annual-threat-assessment) - Annual Threat Assessment 
(Annual%20Security%20Reports/2025/ODNI-Annual-Threat-Assessment-2025.pdf) (2025) - This assessment analyzes the evolving threat landscape to U.S. national security posed by state and non-state actors. Key concerns include the increasing 
cooperation between adversarial states and the persistent threat from transnational criminal organizations, particularly in the illicit drug trade and extremist activities.
- OrangeCyberDefense (https://www.orangecyberdefense.com/global/security-navigator) - Security Navigator (Annual%20Security%20Reports/2025/OrangeCyberDefense-Security-Navigator-2025.pdf) (2025) - Analyzes the evolving cybersecurity threat 
landscape and proactive mitigation strategies. Key findings reveal a rise in cyber extortion, AI-driven attacks, and threats to operational and mobile networks, necessitating innovative defensive adaptations.
- Picus (https://www.picussecurity.com/red-report) - RedReport (Annual%20Security%20Reports/2025/Picus-RedReport-2025.pdf) (2025) - Analyzes the ten most prevalent MITRE ATT&CK® techniques used by threat actors. Key findings reveal a high 
prevalence of techniques related to process injection, command execution, and credential harvesting, highlighting the persistent reliance on established attack vectors.
- Rapid7 (https://www.rapid7.com/research/report/2024-attack-intelligence-report/) - Attack Intelligence Report (Annual%20Security%20Reports/2024/Rapid7-Attack-Intelligence-Report-2024.pdf) (2024) - Analyzes vulnerability exploitation trends and 
ransomware attack vectors in 2023. Key findings reveal a rise in pre-patch exploitation and the continued prevalence of file transfer protocol vulnerabilities as initial access vectors for ransomware.
- RecordedFuture (https://www.recordedfuture.com/research/2024-annual-report) - Cyber Threat Analysis Report (Annual%20Security%20Reports/2024/RecordedFuture-Cyber-Threat-Analysis-Report-2024.pdf) (2024) - Analyzes the impact of SaaS application 
proliferation on cyberattacks in 2024. Key findings reveal the significant role of stolen credentials and MFA failures in data breaches, alongside the increased use of generative AI in influence operations and a rise in ransomware variants.
- RedCanary (https://redcanary.com/threat-detection-report/) - Threat Detection Report (Annual%20Security%20Reports/2025/RedCanary-Threat-Detection-Report-2025.pdf) (2025) - Analyzes emerging threat detection trends in 2025, focusing on 
ransomware, initial access vectors, and identity-based attacks. Key findings reveal a significant increase in API abuse within cloud environments and the growing sophistication of AI-powered adversary emulation techniques.
- ReliaQuest (https://www.reliaquest.com/resources/research-reports/annual-threat-report-2025/) - Annual Threat Report (Annual%20Security%20Reports/2025/ReliaQuest-Annual-Threat-Report-2025.pdf) (2025) - Analyzes 2024 cyber-threat trends, 
focusing on initial access tactics and their effectiveness. Key findings reveal inadequate logging as the root cause of most breaches, with session hijacking bypassing multi-factor authentication in all successful business email compromise 
incidents.
- Secureworks (https://www.secureworks.com/resources/rp-state-of-the-threat-2024) - State of the Threat (Annual%20Security%20Reports/2024/Secureworks-State-of-the-Threat-Report-2024.pdf) (2024) - Analyzes global cybercrime trends and threat actor
activities throughout the year. Key findings reveal persistent cybercrime growth despite law enforcement efforts, coupled with significant increases in hacktivism and state-sponsored attacks.
- SonicWall (https://www.sonicwall.com/threat-report/) - Cyber Threat Report (Annual%20Security%20Reports/2025/SonicWall-Cyber-Threat-Report-2025.pdf) (2025) - Analyzes the evolving landscape of cyber threats in 2024, focusing on the rise of 
ransomware, BEC attacks, and the impact of AI-powered tools. Key findings highlight a significant increase in ransomware and BEC attacks, coupled with the concerning ease with which threat actors can leverage AI and readily available tools to 
launch sophisticated campaigns.
- Sophos (https://www.sophos.com/en-us/labs/security-threat-report) - Threat Report (Annual%20Security%20Reports/2024/Sophos-Threat-Report-2024.pdf) (2024) - Analyzes the evolving landscape of cybercrime, focusing on its impact on small and 
medium-sized businesses. Key findings reveal ransomware as a persistent major threat, exacerbated by the rise of cybercrime-as-a-service and the increasing sophistication of social engineering tactics.
- Trellix (https://www.trellix.com/advanced-research-center/threat-reports/june-2024/) - Advanced Threat Research Report (Annual%20Security%20Reports/2024/Trelllix-Advanced-Threat-Research-Report-2024.pdf) (2024) - Analyzes global cyber threats 
and nation-state activity in June 2024. Key findings reveal a rise in APT group activity targeting specific regions, utilizing both malicious and non-malicious tools, with a notable focus on Volt Typhoon.
- TrendMicro (https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/trend-2025-cyber-risk-report) - Annual Cybersecurity Threat Report (Annual%20Security%20Reports/2025/TrendMicro-Cybersecurity-Risk-Report-2025.pdf) (2025) - Analyzes
enterprise cyber risk exposure across sectors and regions using telemetry from Trend Vision One's Cyber Risk Index framework. Key findings show the education sector maintained the highest risk throughout 2024, while larger organizations exhibited
greater exposure due to complex infrastructures and expanded attack surfaces.
- Trustwave (https://www.trustwave.com/en-us/resources/library/documents/2024-education-threat-briefing-and-mitigation-strategies/) - Education Sector Threat Landscape 
(Annual%20Security%20Reports/2024/Trustwave-Education-Sector-Threat-Landscape-2024.pdf) (2024) - Analyzes the evolving threat landscape in the education sector in 2024. Key findings highlight the increasing reliance on online learning, a surge in
ransomware attacks targeting educational institutions, and the significant risk posed by third-party vendors.
- Trustwave (https://www.trustwave.com/en-us/resources/library/documents/professional-services-threat-briefing-and-mitigation-strategies/) - Professional Services Sector Threat Landscape 
(Annual%20Security%20Reports/2024/Trustwave-Professional-Services-Sector-Threat-Landscape-2024.pdf) (2024) - Analyzes the 2024 threat landscape for professional services firms. Key findings reveal a significant increase in ransomware attacks 
leveraging supply chain vulnerabilities and phishing campaigns, emphasizing the need for enhanced security awareness training and robust incident response planning.
- Trustwave (https://www.trustwave.com/en-us/resources/library/documents/public-sector-threat-briefing-and-mitigation-strategies/) - Public Sector Threat Landscape 
(Annual%20Security%20Reports/2024/Trustwave-Public-Sector-Threat-Landscape-2024.pdf) (2024) - Analyzes the 2024 public sector threat landscape, focusing on emerging trends and attack vectors. Key findings highlight the increasing convergence of 
IT and OT systems in critical infrastructure, along with a persistent reliance on easily exploitable methods like phishing and vulnerable supply chains.
- Trustwave (https://www.trustwave.com/en-us/en-us/resources/library/documents/2024-technology-threat-briefing-and-mitigation-strategies/) - Technology Sector Threat Landscape 
(Annual%20Security%20Reports/2024/Trustwave-Technology-Sector-Threat-Landscape-2024.pdf) (2024) - Analyzes the 2024 technology threat landscape, focusing on emerging trends and attack vectors. Key findings highlight the persistent threat of 
ransomware, the increasing exploitation of third-party supplier vulnerabilities, and a concerning prioritization of speed over security in software development.
- United States Department of Defense (https://federalnewsnetwork.com/commentary/2024/10/open-source-intelligence-professionalism-distinguishing-osint-from-pro-sint/) - OSINT Strategy 20242028 
(Annual%20Security%20Reports/2024/USDoD-OSINT-Strategy-2024.pdf) (2024) - Outlines the Department of Defense's approach to open-source intelligence (OSINT) as a vital resource for decision-makers and warfighters, emphasizing OSINT's role in 
enhancing situational awareness and operational effectiveness.
- Upstream (https://upstream.auto/reports/global-automotive-cybersecurity-report/) - Global Automotive Cybersecurity Report (Annual%20Security%20Reports/2025/Upstream-Global-Automotive-Cybersecurity-Report-2025.pdf) (2025) - Analyzes the 
expanding cybersecurity gap in the automotive and smart mobility sectors. Key findings reveal a surge in ransomware attacks in 2024 and the increasing vulnerability of critical infrastructure due to the proliferation of smart mobility devices.
- WatchGuard (https://www.watchguard.com/wgrd-resource-center/security-report-q1-2025) - Threat Report (Annual%20Security%20Reports/2025/WatchGuard-Threat-Report-2025.pdf) (2025) - Analyzes network and endpoint threat activity observed across 
WatchGuard security appliances in Q1 2025. Notable findings include a 171% spike in network-detected malware per device and a 712% increase in new, unique endpoint malware samples, signaling a surge in evasive and novel threats.
- United States White House (https://www.whitehouse.gov/oncd/briefing-room/2024/05/07/fact-sheet-cybersecurity-posture-report/) - Cybersecurity Posture of the United States 
(Annual%20Security%20Reports/2024/Whitehouse-Cybersecurity-Posture-of-the-United-States-2024.pdf) (2024) - Analyzes the cybersecurity posture of the United States in 2024. Key findings highlight evolving risks to critical infrastructure, the 
persistent threat of ransomware, and the increasing exploitation of supply chains alongside the growing use of commercial spyware and the implications of artificial intelligence.
Application Security
- BlackDuck (https://www.blackduck.com/resources/analyst-reports/software-vulnerability-trends.html) - Software Vulnerability Snapshot Report (Annual%20Security%20Reports/2024/BlackDuck-Software-Vulnerability-Snapshot-Report-2024.pdf) (2024) - 
Analyzes the 2024 software vulnerability landscape, focusing on the top ten vulnerability classes identified. A significant increase in critical-risk vulnerabilities was observed across multiple sectors, highlighting the urgent need for enhanced 
security testing methodologies.
- Blackduck (https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html) - Open Source Risk Analysis Report (Annual%20Security%20Reports/2025/BlackDuck-Open-Source-Risk-Analysis-Report-2025.pdf) (2025) - Analyzes 
open source software risk, detailing findings related to security vulnerabilities, licensing issues, and component maintenance based on audit data. Significant findings reveal open source in nearly all codebases (97%), with a striking 90% 
containing components over four years out-of-date and 64% being untrackable transitive dependencies.
- Chainguard (https://get.chainguard.dev/state-of-hardened-container-images-report) - State of Hardened Container Images Report (Annual%20Security%20Reports/2024/Chainguard-State-of-Hardened-Container-Images-Report-2024.pdf) (2024) - Focuses on 
the security posture of hardened container images, specifically comparing Red Hat UBI variants with Chainguard Images. The analysis reveals key differences in image composition and security practices, highlighting the importance of digital 
signatures and SBOM inclusion for mitigating software vulnerabilities in containerized environments.
- DigitalAI (https://digital.ai/resource-center/whitepapers/2025-application-security-threat-report/) - Application Security Threat Report (Annual%20Security%20Reports/2025/DigitalAI-Application-Security-Threat-Report-2025.pdf) (2025) - 
Quantifies evolving risks in modern application security. Key findings highlight industry trends, attack data categorized by industry and OS (Android vs. iOS), and regional variations in attack rates.
- Escape (https://escape.tech/the-api-secret-sprawl-2024) - State of API Exposure (Annual%20Security%20Reports/2024/Escape-State-of-API-Exposure-2024.pdf) (2024) - Analyzes API security across Fortune 1000 and CAC 40 companies, uncovering 30,000 
exposed APIs and 100,000 API issues, emphasizing risks in large organizations. Key findings reveal the pervasive nature of API security issues and the need for improved security measures.
- GitGuardian (https://www.gitguardian.com/state-of-secrets-sprawl-report-2025) - State of Secrets Sprawl (Annual%20Security%20Reports/2025/GitGuardian-State-of-Secrets-Sprawl-2025.pdf) (2025) - Analyzes the prevalence of secrets sprawl in 2024, 
focusing on the types of secrets exposed and their locations within software development lifecycles. Key findings reveal that generic secrets comprise 58% of all detected leaks, private repositories are eight times more likely to contain secrets 
than public ones, and collaboration tools represent a significantly overlooked source of exposure.
- Grip (https://www.grip.security/saas-security-risks-report-2025) - SaaS Security Risks Report (Annual%20Security%20Reports/2025/Grip-SaaS-Security-Risks-Report-2025.pdf) (2025) - Outlines key security risks associated with the growing adoption 
of SaaS applications, including trends in usage across industries and specific SaaS app statistics. Key findings reveal a significant increase in shadow SaaS deployments and the rapid growth of AI-powered tools, posing substantial and largely 
unmanaged security risks.
- Kodem (https://www.kodemsecurity.com/lp/report/appsec/workflows) - State of AppSec Workflow (Annual%20Security%20Reports/2025/Kodem-State-of-AppSec-Workflow-2025.pdf) (2025) - Analyzes application security workflows, identifying key bottlenecks
and pain points in current practices. The primary bottleneck is remediation, exacerbated by alert fatigue and inefficient vulnerability triage, highlighting the need for increased automation and adaptation to modern development environments.
- LegitSecurity (https://www.legitsecurity.com/blog/announcing-2025-state-of-application-risk-report) - State of Application Risk Report (Annual%20Security%20Reports/2025/LegitSecurity-State-of-Application-Risk-Report-2025.pdf) (2025) - Examines 
the current state of application risk in 2025, focusing on common vulnerabilities and security testing inefficiencies. Key findings reveal significant issues with secrets exposure, AI-related risks, and software supply chain vulnerabilities, 
highlighting a need for improved security practices across the software development lifecycle.
- RunZero (https://www.runzero.com/research-report/) - Research Report (Annual%20Security%20Reports/2024/RunZero-Research-Report-Vol1-2024.pdf) (2024) - Examines a broad range of organizational and network security issues through an innovative 
asset-centric approach, with a focus on "dark matter" in networks, segmentation issues, and unusual asset detection. Key findings highlight the risks associated with unusual assets and the resurgence of older threats alongside emerging 
vulnerabilities, emphasizing the need for specific AI-driven security solutions.
- Salt (https://content.salt.security/state-api-report.html) - State Of API Security (Annual%20Security%20Reports/2025/Salt-State-of-API-Security-2025.pdf) (2025) - Highlights the persistent challenges and evolving landscape of API security, 
driven by rapid digital transformation and cloud migration. Despite widespread API adoption and a nearly universal encounter with security issues, many organizations struggle with accurate inventory, real-time monitoring, and robust posture 
governance, alongside emerging GenAI-driven risks.
- Sonatype (https://www.sonatype.com/resources/whitepapers/2024-open-source-malware-threat-report) - Open Source Malware Threat Report (Annual%20Security%20Reports/2024/Sonatype-2024-in-Open-Source-Malware-Report-2024.pdf) (2024) - Examines the 
proliferation of open source malware, or malicious open source packages posing unprecedented risks in the form of software supply chain attacks. Key highlights include a 156% year-over-year increase in malicious open source packages, highlighting
the growing threat of intentionally crafted malware in software supply chain attacks.
- United States Department of Defense (https://public.cyber.mil/devsecops/) - State of DevSecOps (Annual%20Security%20Reports/2025/USDoD-State-of-DevSecOps-2025.pdf) (2025) - Focuses on the adoption of DevSecOps practices within the United States
Department of Defense. A key finding is the Air Force's launch of a new software directorate, highlighting a move towards integrating security earlier in the software development lifecycle.
- Veracode (https://www.veracode.com/state-of-software-security-report) - State of Software Security (Annual%20Security%20Reports/2024/Veracode-State-of-Software-Security-Report-2024.pdf) (2024) - Examines trends in application security, offering
insights into common vulnerabilities, secure development practices, and strategies for improving software security throughout the development lifecycle. Key findings reveal a high incidence of security flaws, slow remediation times, and a 
correlation between the number of flaws and application size, highlighting the need for proactive security measures.
- Wallarm (https://www.wallarm.com/reports/q1-2025-wallarm-api-threatstats-report) - API Threat Stats Report (Annual%20Security%20Reports/2025/Wallarm-API-Threat-Stats-Report-2025.pdf) (2025) - Examines API security threats in Q1 2025, focusing 
on the impact of agentic AI systems and evolving cloud-native infrastructure. Key findings highlight a rapid increase in API breaches driven by increasingly sophisticated attack vectors and a surge in software supply chain vulnerabilities.
- Wiz (https://www.wiz.io/reports/state-of-code-security-2025) - State of Code Security (Annual%20Security%20Reports/2025/Wiz-State-of-Code-Security-2025.pdf) (2025) - Examines the security posture of code repositories and CI/CD pipelines, 
highlighting the deep connection between code and cloud environments. It reveals that 61% of organizations have secrets exposed in public repositories , with GitHub dominating the VCS landscape but also exhibiting a significantly higher ratio of 
public repositories with insecure workflow permissions and weak branch protection.
Cloud Security
- Censys (https://censys.com/reports/the-2024-state-of-the-internet-report) - State of the Internet (Annual%20Security%20Reports/2024/Censys-State-of-the-Internet-2024.pdf) (2024) - Analyzes the internet exposure of Industrial Control Systems 
(ICS), focusing on the vulnerabilities beyond simple protocol exposure. Key findings reveal a complex security landscape where human-machine interface vulnerabilities and outdated protocols pose significant risks, demanding a more nuanced 
approach to ICS security.
- Google Cloud (https://inthecloud.withgoogle.com/security-threat-intel/subscribe.html) - Threat Horizons Report (Annual%20Security%20Reports/2024/Google-Cloud-Threat-Horizons-Report-H12024.pdf) (2024) - Analyzes the evolving threat landscape for
cloud enterprise users. Key findings highlight the continued dominance of cryptomining attacks stemming from misconfigured cloud environments and the increasing sophistication of ransomware and data theft targeting cloud-based assets.
- Hornet (https://www.hornetsecurity.com/us/cyber-security-report/) - Cybersecurity Report (Annual%20Security%20Reports/2025/Hornet-Cybersecurity-Report-2025.pdf) (2025) - Analyzes the current Microsoft 365 threat landscape, focusing on email 
security trends and attack techniques. Key findings reveal a significant increase in sophisticated attacks utilizing brand impersonation and malicious attachments, with notable variations in threat levels across different business sectors.
- IBM (https://www.ibm.com/security/data-breach/threat-intelligence/) - X-Force Cloud Threat Landscape Report (Annual%20Security%20Reports/2024/IBM-X-Force-Cloud-Threat-Landscape-Report-2024.pdf) (2024) - Analyzes the evolving cloud threat 
landscape and its impact across various industries. Key findings reveal a significant increase in cloud-based attacks targeting SaaS platforms and a concerning rise in security rule failures within cloud environments.
- Sysdig (https://sysdig.com/2025-cloud-native-security-and-usage-report/) - Cloud Native Security and Usage Report (Annual%20Security%20Reports/2025/Sysdig-Cloud-Native-Security-Report-2025.pdf) (2025) - Analyzes cloud-native security trends and
usage patterns in 2025. Key findings reveal a significant increase in the adoption of runtime security tools and a growing focus on securing AI/ML workloads, alongside persistent challenges in managing identities across human and machine 
interactions.
- Wiz (https://www.wiz.io/reports/cloud-data-security-report-2025) - Cloud Data Security Snapshot (Annual%20Security%20Reports/2025/Wiz-Cloud-Data-Security-Snapshot-2025.pdf) (2025) - Analyzes current cloud data security exposure trends. A 
significant finding reveals that 54% of cloud environments have exposed assets containing sensitive data, highlighting the critical need for improved access controls and vulnerability management.
- Wiz (https://www.wiz.io/state-of-ai-in-the-cloud) - State of AI in the Cloud (Annual%20Security%20Reports/2025/Wiz-State-of-AI-in-the-Cloud-2025.pdf) (2025) - Analyzes the current state of AI in cloud environments, focusing on adoption rates, 
security challenges, and governance issues. Key findings reveal DeepSeek's rapid growth and the continued dominance of OpenAI, alongside a rising trend of self-hosted AI deployments and stabilized adoption of AI managed services.
Vulnerabilities
- BeyondTrust (https://www.beyondtrust.com/resources/whitepapers/microsoft-vulnerability-report) - Microsoft Vulnerability Report (Annual%20Security%20Reports/2024/BeyondTrust-Microsoft-Vulnerability-Report-2024.pdf) (2024) - Analyzes the 
vulnerability landscape within the Microsoft software ecosystem in 2024. Key findings reveal a concerning rise in identity-based attacks targeting Microsoft products, alongside persistent vulnerabilities in legacy applications like Internet 
Explorer.
- Chainguard (https://get.chainguard.dev/cost-of-cves-2025-report) - The Cost of CVEs (Annual%20Security%20Reports/2025/Chainguard-The-Cost-of-CVEs-2025.pdf) (2025) - Aanalyzes the financial impact of CVE management on organizations using 
containerized environments. Key findings indicate that mid-market organizations can unlock significant value through decreased risk ($2.8M), increased revenue ($2.2M), and faster innovation ($3.3M) by improving their CVE management practices and 
compliance.
- Edgescan (https://www.edgescan.com/stats-report/) - Vulnerability Statistics Report (Annual%20Security%20Reports/2025/Edgescan-Vulnerability-Statistics-Report-2025.pdf) (2025) - Provides a statistical analysis of full-stack security and 
vulnerability trends across diverse organizations based on 2024 data. Key insights reveal a record 40,009 CVEs published and a 20% increase in publicly exploited vulnerabilities in 2024, highlighting persistent challenges in patching and the 
critical exposure of internal systems.
- Flexera (https://info.flexera.com/SVM-REPORT-Annual-Vulnerability-Review) - Annual Vulnerability Review (Annual%20Security%20Reports/2024/Flexera-Annual-Vulnerability-Review-2024.pdf) (2024) - Provides software vulnerability trends and threat 
intelligence from 2024. Key findings highlight the criticality of advisories and their impact, along with an examination of advisory rejection rates and the prevalence of vulnerabilities across various assets.
- Synack (https://go.synack.com/state-of-vulnerabilities-2024) - State of Vulnerabilities Report (Annual%20Security%20Reports/2024/Synack-State-of-Vulnerabilities-Report-2024.pdf) (2024) - Analyzes trends in software vulnerabilities affecting 
large enterprises and government agencies. Key findings reveal a 180% surge in real-world vulnerability exploitation across five industries (healthcare, financial services, U.S. federal government, technology and manufacturing). 
- Trustwave (https://www.trustwave.com/en-us/resources/library/documents/2024-trustwave-risk-radar-report-financial-services-sector/) - Financial Services Risk Radar Report 
(Annual%20Security%20Reports/2024/Trustwave-Financial-Services-Risk-Radar-Report-2024.pdf) (2024) - Highlights the evolving threat landscape for the financial services sector in 2024. Key trends include the increasing prevalence of insider 
threats, the mainstream adoption of phishing-as-a-service, and the continued targeting of financial institutions by ransomware groups, alongside the emergence of new threats from cryptocurrency and deepfakes.
Ransomware
- Guidepoint (https://www.guidepointsecurity.com/resources/grit-2025-ransomware-and-cyber-threat-report/) - GRIT Ransomware Annual Report (Annual%20Security%20Reports/2025/Guidepoint-Ransomware-Annual_Report-2025.pdf) (2025) - Analyzes ransomware
and cyber threat trends in 2025, focusing on ransomware taxonomy, threat actors, and impacted industries. Key findings include an in-depth look at the RansomHub threat actor and a spotlight on critical infrastructure vulnerabilities, along with 
an analysis of post-compromise detection methods.
- PaloAlto (https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/) - Ransomware Review (Annual%20Security%20Reports/2024/PaloAlto-Ransomware-Review-2024.pdf) (2024) - Analyzes ransomware trends during the first half of 
2024. Key findings include the impact of law enforcement takedowns on various threat groups, the emergence of fraudulent activities by some groups post-takedown, and the observed retirement or transition of several significant players.
- Veeam (https://www.veeam.com/resources/wp-2024-ransomware-trends-executive-summary-global.html) - Ransomware Trends Report (Annual%20Security%20Reports/2024/Veeam-Ransomware-Trends-2024.pdf) (2024) - Analyzes global ransomware trends in 2024, 
focusing on recovery challenges and the impact of attacks beyond ransom payments. Key findings reveal that 67% of organizations lack a recovery plan, highlighting a significant vulnerability and the substantial, underestimated costs associated 
with ransomware incidents.
- Zscaler (https://www.zscaler.com/campaign/threatlabz-ransomware-report) - ThreatLabz State of Ransomware Report (Annual%20Security%20Reports/2024/Threatlabz-Ransomware-Report-2024.pdf) (2024) - A comprehensive analysis of global ransomware 
trends, examining attack techniques, ransom demands, and strategies for preventing and mitigating ransomware attacks.
Data Breaches
- Cyentia (https://www.cyentia.com/iris2025/) - Information Risk Insights Study (Annual%20Security%20Reports/2025/Cyentia-Information-Risk-Insights-Study-2025.pdf) (2025) - Analyzes incident probability and the increasing risks associated with 
third-party relationships. A key finding is that incident probability has almost quadrupled in the last 15 years, driven in part by threat actors exploiting trusted relationships with external service providers to compromise target organizations.
- IBM (https://www.ibm.com/security/data-breach) - Cost of a Data Breach Report (Annual%20Security%20Reports/2024/IBM-Cost-of-a-Data-Breach-Report-2024.pdf) (2024) - Analyzes the financial impact of data breaches in 2024, detailing costs 
associated with various attack vectors and recovery efforts. Key findings reveal a significant increase in the average cost of a breach, driven primarily by extortion attacks and prolonged recovery times.
- Verizon (https://www.verizon.com/business/resources/reports/dbir/) - Data Breach Investigations Report (Annual%20Security%20Reports/2025/Verizon-Data-Breach-Investigations-Report-2025.pdf) (2025) - Analyzes data breach trends and patterns from 
2025. Key findings reveal a significant increase in social engineering attacks and a persistent reliance on easily exploitable web application vulnerabilities, highlighting the need for improved employee security awareness training and robust 
application security measures.
- Identity Theft Resource Center (https://www.idtheftcenter.org/publication/2024-data-breach-report/) - Annual Data Breach Report (Annual%20Security%20Reports/2024/ITRC-Annual-Data-Breach-Report-2024.pdf) (2024) - Analyzes 2024 data breaches, 
focusing on trends in identity theft and compromise notifications. Key findings reveal a continued high volume of breaches across various sectors, with little impact observed from current data disclosure requirements.
Physical Security
- Genetec (https://www.genetec.com/a/physical-security-report) - State of Physical Security (Annual%20Security%20Reports/2025/Genetec-State-of-Physical-Security-2025.pdf) (2025) - Analyzes the current state of physical security, focusing on 
global trends and challenges in 2025. Key findings reveal persistent recruiting difficulties, fluctuating budgets impacting project timelines, and the growing influence of IT in physical security decisions alongside increasing cloud adoption.
- Security Industry Association (https://www.securityindustry.org/report/security-megatrends-the-2025-vision-for-the-security-industry/) - Security Megatrends (Annual%20Security%20Reports/2025/SIA-Security-Megatrends-2025.pdf) (2025) - This 
report outlines eight key security megatrends for 2025. Significant trends highlighted include the increasing importance of AI-driven security automation, the convergence of IT and OT security, and the democratization of identity and mobile 
credentials.
- Nozomi (https://www.nozominetworks.com/ot-iot-cybersecurity-trends-insights-february-2025) - Networks OT IoT Security Report (Annual%20Security%20Reports/2025/Nozomi-Networks-OT-IoT-Security-Report-2025.pdf) (2025) - Analyzes operational 
technology (OT) and internet of things (IoT) cybersecurity trends in the second half of 2024. Key findings reveal a significant increase in sophisticated attacks targeting industrial control systems, highlighting the growing need for robust 
security measures in critical infrastructure.
- Trustwave (https://www.trustwave.com/en-us/resources/library/documents/2025-trustwave-spiderlabs-research-navigating-cybersecurity-threats-in-manufacturing-complimentary-reports) - Manufacturing Risk Radar Report 
(Annual%20Security%20Reports/2025/Trustwave-Manufacturing-Risk-Radar-Report-2025.pdf) (2025) - Analyzes the evolving threat landscape for the manufacturing sector in 2025. Key findings highlight the increasing convergence of IT and OT systems, a 
persistent rise in ransomware attacks, and the need for enhanced security measures across all attack stages.
AI and Emerging Technologies
- Australian Institute of Company Directors (https://www.aicd.com.au/innovative-technology/digital-business/artificial-intelligence/governance-of-ai.html) - Directors Introduction to AI 
(Annual%20Security%20Reports/2024/AICD-Directors-Introduction-to-AI-2024.pdf) (2024) - Provides an overview of artificial intelligence tailored for directors, highlighting its strategic implications, governance considerations, and best practices 
for AI implementation in organizations.
- Okta (https://www.okta.com/resources/whitepaper-the-secure-sign-in-trends-report/) - Secure Sign in Trends Report (Annual%20Security%20Reports/2024/Okta-Secure-Sign-in-Trends-Report-2024.pdf) (2024) - Analyzes multi-factor authentication (MFA) 
adoption trends and authenticator usage. Key findings reveal variations in adoption rates across regions, industries, and organization sizes, with specific insights into the security and usability of different authenticator types.
- Zimperium (https://www.zimperium.com/global-mobile-threat-report/) - Global Mobile Threat Report (Annual%20Security%20Reports/2024/Zimperium-Global-Mobile-Threat-Report-2024.pdf) (2024) - Analyzes the global mobile threat landscape and the 
increasing prevalence of mobile-first attack strategies. Key findings reveal a surge in mobile phishing (mishing) attacks targeting specific industries, alongside the growing danger of malicious sideloaded applications and sophisticated mobile 
malware.
- Zscaler (https://info.zscaler.com/resources-industry-reports-public-sector-Insights-threatlabz-ai-security-2024) - ThreatLabz AI Security Report (Annual%20Security%20Reports/2024/Threatlabz-AI-Security-Report-2024.pdf) (2024) - Analyzes 
enterprise AI adoption trends and associated security risks. Key findings reveal a dramatic increase in AI transactions, alongside a corresponding rise in blocked transactions, highlighting the growing need for robust AI security measures across 
various industries.
Survey Reports
Industry Trends
- Accenture (https://www.accenture.com/us-en/insights/security/state-cybersecurity-2025) - State of Cybersecurity Resilience (Annual%20Security%20Reports/2025/Accenture-State-of-Cybersecurity-2025.pdf) (2025) - Analyzes the widening gap between 
AI adoption and cybersecurity maturity across global enterprises. Key findings reveal only 13% of organizations possess advanced capabilities to defend against AI-driven threats, while just 10% have reached a proactive security posture that 
significantly reduces attack risk and technical debt.
- Aon (https://www.aon.com/en/insights/reports/2024-intangible-versus-tangible-risks-comparison-report) - Intangible vs. Tangible Risk Report (Annual%20Security%20Reports/2024/Aon-Intangible-vs-Tangible-Risk-Report-2024.pdf) (2024) - Analyzes the
evolving risks associated with intangible assets like AI and intellectual property (IP) in the context of cybersecurity. Key findings reveal that generative AI and cybersecurity are top CEO concerns, and new AI regulations may inadvertently 
increase litigation related to intellectual property rights.
- CompTIA (https://www.comptia.org/content/research/cybersecurity-trends-research) - State of Cybersecurity (Annual%20Security%20Reports/2025/Comptia-State-of-Cybersecurity-2025.pdf) (2025) - Analyzes the current state of cybersecurity, focusing 
on organizational priorities, incident impact, and workforce development needs. Key findings reveal that cybersecurity is a high priority for 59% of organizations, yet 56% experienced significant incident impact, highlighting a critical skills 
gap and the growing influence of generative AI on cybersecurity strategies.
- Deloitte (https://www.deloitte.com/global/en/services/risk-advisory/content/future-of-cyber.html) - Future of Cyber Survey (Annual%20Security%20Reports/2024/Deloitte-Future-of-Cyber-Survey-2024.pdf) (2024) - Explores the evolving role of 
cybersecurity in driving strategic business value. Key findings reveal a growing influence of CISOs within the C-suite and a deepening integration of cybersecurity into technology-driven business programs.
- FERMA (https://www.ferma.eu/publication/global-risk-manager-survey-report-2024/) - Global Risk Manager Survey Report (Annual%20Security%20Reports/2024/FERMA-Global-Risk-Manager-Survey-Report-2024.pdf) (2024) - Analysis of global risk management
practices across 77 countries and six regional associations. Key findings reveal a significantly increased focus on corporate strategy integration and the growing maturity of enterprise risk management models, particularly concerning 
sustainability risks.
- ISC2 (https://www.isc2.org/landing/Cyberthreat-Defense-Report) - Cyberthreat Defense Report (Annual%20Security%20Reports/2024/ISC2-Cyberthreat-Defense-Report-2024.pdf) (2024) - Examines the current state of cyberthreat defense, including 
emerging threats and defense strategies across various industries. Key findings reveal a persistent skills shortage alongside growing concerns about AI's dual impact on cybersecurity, both enhancing defenses and creating new attack vectors.
- KnowBe4 (https://www.knowbe4.com/security-culture-research-report) - Cybersecurity Culture Report (Annual%20Security%20Reports/2024/KnowBe4-Cybersecurity-Culture-Report-2024.pdf) (2024) - Explores the state of cybersecurity culture in 
organizations, highlighting trends and best practices across different sectors. Key findings indicates Security culture greatly varies across the world, indicating a siloed approach is not sustainable.
problem in our fully connected world
- Kong (https://konghq.com/resources/reports/api-security-ai-threats-it-leader-insights-2025) - API Security Perspectives (Annual%20Security%20Reports/2025/Kong-API-Security-Perspectives-2025.pdf) (2025) - Outlines the growing threat of 
AI-enhanced attacks on APIs and emphasizes the need for robust API security measures and the rising risks associated with these new types of threats.
- Norton (https://us.norton.com/blog/emerging-threats/threat-report-q2-2024) - Cyber Safety Insights Report (Annual%20Security%20Reports/2024/Norton-Cyber-Safety-Insights-Report-2024.pdf) (2024) - Provides insights into consumer cyber safety 
trends and challenges across various industries. Key findings reveal that one in four users have been targeted by dating scams, and nearly one-third have experienced catfishing, highlighting the significant prevalence of online dating fraud.
- Proofpoint (https://go.proofpoint.com/Voice-of-the-CISO-Report.html) - Voice of the CISO Report (Annual%20Security%20Reports/2024/Proofpoint-Voice-of-the-CISO-Report-2024.pdf) (2024) - Insights into the perspectives and challenges faced by 
Chief Information Security Officers across different sectors. Key findings reveal persistent concerns around human error and insider threats, coupled with growing confidence in navigating evolving cybersecurity landscapes.
- PwC (https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-digital-trust-insights.html) - Global Digital Trust Insights (Annual%20Security%20Reports/2024/PWC-Global-Digital-Trust-Insights-Report-2024.pdf) 
(2024) - Examines global trends in digital trust and cybersecurity across various industries. Key findings reveal cloud security as a top concern despite significant investment, highlighting a persistent gap in effective management and the 
increasing importance of generative AI in cyber defense.
- Salt (https://content.salt.security/OstermanReport_LP.html) - CISO and CIO Investment Priorities (Annual%20Security%20Reports/2025/Salt-CISO-and-CIO-Investment-Priorities-2025.pdf) (2025) - Surveys key cybersecurity investment priorities for 
CISOs and CIOs in 2025, as detailed in a white paper by Osterman Research and sponsored by Salt Security. Key findings highlight shifts in priorities based on evolving threat landscapes and increased focus on incident response and proactive 
security measures.
- SANS (https://www.splunk.com/en_us/resources/sans-2024-threat-hunting-survey.html) - SANS Cyber Threat Hunting Survey (Annual%20Security%20Reports/2024/SANS-Cyber-Threat-Hunting-Survey-2024.pdf) (2024) - Provides insights into the current state
of cyber threat hunting across different sectors. Key findings reveal shifts in attacker tactics, techniques, and procedures (TTPs), along with variations in methodologies and organizational approaches to threat hunting.
- Splunk (https://www.splunk.com/en_us/campaigns/state-of-security.html) - State Of Security (Annual%20Security%20Reports/2025/Splunk-State-of-Security-2025.pdf) (2025) - Examines the evolving challenges and future strategies for Security 
Operations Centers (SOCs). Highlights that inefficiencies, primarily from excessive tool maintenance and alert overload, significantly hinder operations, while AI is becoming a key driver for efficiency despite prevalent trust concerns.
- Vanta (https://www.vanta.com/state-of-trust) - State of Trust Report (Annual%20Security%20Reports/2024/Vanta-State-of-Trust-Report-2024.pdf) (2024) - Explores the growing challenges in building and maintaining trust for organizations, focusing 
on security risks, compliance burdens, and the increasing third-party vendor risks. Key findings reveal the increasing difficulty of managing compliance burdens, third-party risks, and the impact of AI adoption on security posture.
- Verizon (https://www.verizon.com/business/resources/reports/mobile-security-index/) - Mobile Security Index (Annual%20Security%20Reports/2024/Verizon-Mobile-Security-Index-2024.pdf) (2024) - Provides insights into mobile and IoT security risks,
focusing on their amplified impact within critical infrastructure sectors. Key findings reveal a widespread perception of increased risk across all sectors, with significantly higher breach risks and impacts observed in critical infrastructure 
due to high IoT usage.
- World Economic Forum (https://www.weforum.org/publications/global-cybersecurity-outlook-2025/) - Global Cybersecurity Outlook (Annual%20Security%20Reports/2025/WEF-Global-Cybersecurity-Outlook-2025.pdf) (2025) - Provides a global perspective on
cybersecurity trends and challenges exploring the impact of emerging technologies, geopolitical tensions, and cybercrime. Key findings reveal a growing complexity in cyberspace, driven by increased digitalization and interconnectedness, 
necessitating proactive and adaptive security strategies.
Application Security
- BlackDuck (https://www.blackduck.com/resources/analyst-reports/state-of-devsecops.html) - Global State of DevSecOps (Annual%20Security%20Reports/2024/BlackDuck-Global-State-of-DevSecOps-2024.pdf) (2024) - Provides insights into the current 
state of DevSecOps, focusing on the impact of AI-assisted coding and evolving security testing practices. Key findings reveal a significant shift towards AI-driven security testing, alongside challenges in effectively interpreting and acting upon
resulting security test data.
- Checkmarx (https://info.checkmarx.com/future-of-application-security-2024) - Future of Application Security (Annual%20Security%20Reports/2024/Checkmarx-Future-of-Application-Security-2024.pdf) (2024) - Analyizes the current state of application
security and the challenges organizations face. Key findings reveal a growing disconnect between the increasing complexity of applications and the resources dedicated to securing them, highlighting the urgent need for a comprehensive 
"code-to-cloud" security approach.
- Checkmarx (https://info.checkmarx.com/supply-chain-survey) - State of Software Supply Chain Security (Annual%20Security%20Reports/2024/Checkmarx-State-of-Software-Supply-Chain-Security-2024.pdf) (2024) - Provides insights into current trends in
supply chain threats across industries such as banking and finance, insurance, software, technology, engineering, manufacturing, industrial, and public sector. Key findings reveal a significant reliance on Software Composition Analysis (SCA) as a
foundational element, while the adoption of Software Bill of Materials (SBOMs) and broader interdisciplinary SSCS programs lags behind.
- Cycode (https://cycode.com/state-of-aspm-2025/) - State of Application Security Posture Management (Annual%20Security%20Reports/2025/Cycode-State-of-Application-Security-Posture-Management-2025.pdf) (2025) - Examines application security 
challenges and strategies from the perspectives of CISOs, AppSec Directors, and DevSecOps managers across the UK, US, and Germany. Key findings reveal inefficiencies strain the relationship between security and development teams, eroding trust 
and hindering productivity.
- Snyk (https://snyk.io/lp/state-of-open-source-2024) - State of Open Source Security (Annual%20Security%20Reports/2024/Snyk-State-of-Open-Source-Security-2024.pdf) (2024) - Examines the current state of open source security, including trends and
challenges across various industries. Key findings indicate a plateau in OSS security improvements, with concerning declines in several key areas such as dependency tracking and a lack of significant year-over-year progress in supply chain 
security maturity.
- Traceable (https://www.traceable.ai/2025-state-of-api-security) - Global State of API Security (Annual%20Security%20Reports/2025/Traceable-Global-State-of-API-Security-2025.pdf) (2025) - Annual survey gathering insights from 1,548 respondents 
across 100+ countries on the state of API security. Key findings reveal a persistent increase in API-related breaches, the inadequacy of traditional security solutions, and the growing risk posed by bot attacks and the integration of generative 
AI.
Cloud Security
- Crowdstrike (https://www.crowdstrike.com/en-us/resources/reports/frost-sullivan-recognizes-adaptive-shield-saas-security-innovation/) - SaaS Security Posture Management 
(Annual%20Security%20Reports/2025/Crowdstrike-SaaS-Security-Posture-Management-2025.pdf) (2025) - Analyizes the 2024 SaaS Security Posture Management market, benchmarking companies' innovation and growth potential. Key findings highlight a 
competitive landscape with significant growth opportunities and best practices for companies seeking to improve their security posture.
- Fortinet (https://www.fortinet.com/resources/reports/cloud-security) - Cloud Security Report (Annual%20Security%20Reports/2025/Fortinet-Cloud-Security-Report-2025.pdf) (2025) - Examines the state of cloud security, focusing on deployment 
strategies, multi-cloud adoption, and prevalent security concerns. Key findings reveal low confidence in real-time threat detection and a persistent cybersecurity skills gap, highlighting the need for increased investment and improved security 
practices.
- Google (https://cloud.google.com/security/resources/cybersecurity-forecast) - Cybersecurity Forecast 2025 (Annual%20Security%20Reports/2025/Google-Cybersecurity-Forecast-2025.pdf) (2025) - Insights from Google Cloud leaders on emerging 
cybersecurity trends. Key predictions include the continued rise of ransomware and multifaceted extortion, the increasing use of AI by attackers, and the persistent threat from state-sponsored actors like China, Russia, Iran, and North Korea.
- ISC2 (https://cloud.connect.isc2.org/cloud-security-report) - Cloud Security Report (Annual%20Security%20Reports/2024/ISC2-Cloud-Security-Report-2024.pdf) (2024) - Provides insights into 2024 cloud security trends and challenges, focusing on 
multi-cloud environments and the adoption of DevSecOps. Key findings reveal significant barriers to advancing cloud maturity, particularly regarding skills gaps and the complexities of streamlining cloud compliance across multiple platforms.
- PaloAlto (https://www.paloaltonetworks.com/state-of-cloud-native-security) - State of Cloud Native Security Report (Annual%20Security%20Reports/2024/PaloAlto-State-of-Cloud-Native-Security-2024.pdf) (2024) - Examines the current state of 
cloud-native security, including trends, challenges, and best practices across different sectors. Key findings include significant law enforcement actions against several prominent ransomware groups, resulting in arrests, takedowns, and the 
apparent retirement of some actors, alongside the emergence of new groups and fraudulent activities.
- Sonatype (https://www.sonatype.com/state-of-the-software-supply-chain/introduction) - State of Cloud Security Report (Annual%20Security%20Reports/2024/Sonatype-State-of-Cloud-Security-2024.pdf) (2024) - Provides insights into the state of cloud
security and software supply chain management across different sectors. Key findings highlight the increasing sophistication of attacks leveraging shadow downloads to bypass repository managers and the significant number of compromised packages 
discovered.
Identity Security
- Astrix (https://astrix.security/learn/whitepapers/the-state-of-non-human-identity-security/) - State of Non Human Identity (Annual%20Security%20Reports/2024/Astrix-The-State-of-Non-Human-Identity-Security-2024.pdf) (2024) - Highlights growing 
concerns over non-human identities as attack vectors, limited automation and visibility into API and third-party connections. Key findings reveal low confidence in preventing NHI-based attacks, coupled with significant challenges in managing 
basic security controls like permissions and API keys, highlighting a critical need for improved NHI security practices.
- ConductorOne (https://www.conductorone.com/resources/2024-identity-security/) - Identity Security Outlook Report (Annual%20Security%20Reports/2024/ConductorOne-Identity-Security-Outlook-Report-2024.pdf) (2024) - Highlights how increasing 
technological and organizational complexity are driving new identity risks. Key findings reveal increasing budgets for identity and access management, coupled with a growing adoption of zero standing privileges to mitigate escalating 
identity-based threats.
- CyberArk (https://www.cyberark.com/threat-landscape/) - Identity Security Threat Landscape Report (Annual%20Security%20Reports/2024/CyberArk-Identity-Security-Threat-Landscape-2024.pdf) (2024) - Examines the impact of cyberattacks on identity, 
including cyber debt, GenAI, machine identities, and third- and fourth-party risks. Key findings reveal a growing "cyber debt" fueled by these factors, highlighting the need for proactive security strategies.
- CyberArk (https://www.cyberark.com/state-of-machine-identity-security-report/) - State of Machine Identity Security Report (Annual%20Security%20Reports/2025/CyberArk-State-of-Machine-Identity-Security-Report-2025.pdf) (2025) - Focuses on the 
critical and often-overlooked area of machine identity security. Key findings reveal that a significant percentage of organizations are concerned about risks stemming from compromised machine identities (37%) and expired certificates (36%), 
highlighting a lack of visibility and control over secrets management.
- Hypr (https://www.hypr.com/resources/report-state-of-passwordless) - State of Passwordless Identity Assurance (Annual%20Security%20Reports/2025/Hypr-State-of-Passwordless-Identity-Assurance-2025.pdf) (2025) - Focuses on the adoption and impact 
of passwordless identity assurance. Key findings indicate a growing momentum for passwordless authentication in the enterprise, with usage increasing by 10% compared to the previous year.
- IDS Alliance (https://www.idsalliance.org/white-paper/2024-trends-in-securing-digital-identities/) - 2024 Trends in Securing Digital Identities (Annual%20Security%20Reports/2024/IDSA-Trends-in-Identity-Security-2024.pdf) (2024) - Provides 
insights into current plans, historical trends, and approaches to cybersecurity and identity management. Key research found that 22% of businesses see managing and securing digital identities as the number one priority of their security program, 
up from 17% in 2023.
- ManageEngine (https://www.manageengine.com/privileged-access-management/identity-threat-and-security-report-2024.html) - Identity Security Survey (Annual%20Security%20Reports/2024/ManageEngine-Identity-Security-Insights-2024.pdf) (2024) - 
Explores global identity security readiness across industries and roles, examining the rising tide of AI-driven phishing, social engineering, and credential theft. Key findings reveal a significant gap between perceived and actual IT ecosystem 
visibility and control, highlighting the urgent need for improved identity security posture across organizations.
- Omada (https://omadaidentity.com/resources/analyst-reports/state-of-iga/) - State Of Identity Governance (Annual%20Security%20Reports/2025/Omada-State-of-Identity-Governance-2025.pdf) (2025) - Focuses on the state of identity governance in 
large organizations, leveraging insights from a survey of IT and business leaders. Despite increased cybersecurity funding, organizations struggle with high IGA total cost of ownership and persistent excessive access permissions, driving a demand
for modern cloud-based, AI-driven solutions to automate manual processes.
- Orca (https://orca.security/lp/2025-state-of-cloud-security-report/) - State of Cloud Security Report (Annual%20Security%20Reports/2025/Orca-State-of-Cloud-Security-2025.pdf) (2025) - Analyzes security challenges in multi-cloud environments, 
with a focus on AI risk, data exposure, and neglected assets. Key findings reveal that 62% of organizations have at least one vulnerable AI package, 38% expose sensitive databases to the public, and 13% possess a single asset with over 1,000 
potential attack paths.
- PushSecurity (https://pushsecurity.com/resources/2024-identity-attacks) - Identity Attacks (Annual%20Security%20Reports/2024/PushSecurity-Identity-Attacks-2024.pdf) (2024) - Highlights that 2024 is seeing a rise in identity-based attacks, as 
attackers increasingly target vulnerable identities now that identity has become the new security perimeter. Key findings reveal a significant increase in account takeovers via exploited identities, highlighting the evolving attack landscape and 
the substantial financial gains for perpetrators.
- SailPoint (https://www.sailpoint.com/identity-security-adoption) - Horizons of Identity Security (Annual%20Security%20Reports/2024/SailPoint-Horizons-of-Identity-Security-2024.pdf) (2024) - Explores the evolving landscape of identity security, 
emphasizing its role in mitigating cyber risks while enhancing business value and productivity. Key findings highlight the potential for strategic investments to improve security posture and deliver higher returns, particularly among 
organizations demonstrating advanced maturity levels.
- Semperis (https://www.semperis.com/ransomware-holiday-risk-report/) - Ransomware Holiday Risk Report (Annual%20Security%20Reports/2024/Semperis-Ransomware-Holiday-Risk-Report-2024.pdf) (2024) - Focuses on the increased risk of ransomware 
attacks during holidays and times of corporate upheaval. A key finding indicates that 63% of organizations experiencing corporate upheaval also experienced a ransomware attack, highlighting the opportunistic nature of threat actors.
- Semperis (https://www.semperis.com/ransomware-risk-report/) - Ransomware Risk Report (Annual%20Security%20Reports/2024/Semperis-Ransomware-Risk-Report-2024.pdf) (2024) - Analyzes the future challenges and next steps organizations are planning 
to take in response to the current cybersecurity landscape. A key finding is that despite the significant damage caused by ransomware, only 29% of surveyed organizations plan to increase their security budgets in the next year, with notable 
variations across countries (US: 28%, UK: 45%).
- Varonis (https://www.varonis.com/blog/the-identity-crisis-research-report) - The Identity Crisis (Annual%20Security%20Reports/2024/Varonis-The-Identity-Crisis-2024.pdf) (2024) - Analyzes the prevalence of cyberattacks in 2024, focusing on the 
crucial role of stolen identities. The report reveals that credential stuffing and similar methods are the most common attack vectors, enabling attackers to maintain undetected access for extended periods to exploit vulnerabilities and 
exfiltrate sensitive data.
Penetration Testing
- Bugcrowd (https://www.bugcrowd.com/resources/report/the-total-economic-impact-of-bugcrowd-managed-bug-bounty/) - The Total Economic Impact Of Bugcrowd Managed Bug Bounty 
(Annual%20Security%20Reports/2024/Forrester-The-Total-Economic-Impact-Of-Bugcrowd-Managed-BugBounty-2024.pdf) (2024) - Analyzes the economic benefits and impacts of Bugcrowd's managed bug bounty programs, supported by data-driven insights from 
Forrester. Key findings reveal significant cost savings through early vulnerability detection and remediation, exceeding the program's cost by a substantial margin.
- Cobalt (https://resource.cobalt.io/state-of-pentesting-2025) - State of Pentesting (Annual%20Security%20Reports/2025/Cobalt-State-of-Pentesting-2025.pdf) (2025) - Offers an overview of the current state of penetration testing, including trends,
challenges, and best practices across various industries. A key finding reveals a significant increase in manual penetration testing alongside the emergence of AI-driven attacks and vulnerabilities, necessitating a refined pentesting maturity 
model.
- Fortra (https://www.fortra.com/services/consulting/cybersecurity/penetration-testing) - Penetration Testing Report (Annual%20Security%20Reports/2024/Fortra-Pentesting-Report-2024.pdf) (2024) - Provides insights into the current landscape of 
penetration testing, including common vulnerabilities and industry-specific challenges. Key findings reveal a growing reliance on third-party services, coupled with increasing concerns about phishing attacks and the need for more frequent testing
across diverse environments.
- HackerOne (https://www.hackerone.com/resources/reporting/8th-hacker-powered-security-report) - Hacker Powered Security Report (Annual%20Security%20Reports/2024/HackerOne-Hacker-Powered-Security-Report-2024.pdf) (2024) - Explores the state of 
hacker-powered security, including trends in bug bounty programs and vulnerability disclosure across industries. Key findings highlight the expanding expertise of security researchers into AI, APIs, and an emphasis on layered security defenses.
- NCC Group (https://www.nccgroup.com/us/research-blog/ncc-group-s-2024-annual-research-report/) - Annual Research Report (Annual%20Security%20Reports/2024/NCCGroup-Annual-Research-Report-2024.pdf) (2024) - Highlights NCC Group's 25 years of 
research, covering topics from cryptography to hardware and embedded systems. Key highlights include pioneering research, innovative tools, and active community engagement, showcasing a year of significant advancements in the field.
Privacy and Data Protection
- Cisco (https://www.cisco.com/c/en/us/about/trust-center/data-privacy-benchmark-study.html) - Data Privacy Benchmark Study (Annual%20Security%20Reports/2024/Cisco-Privacy-Benchmark-Study-2024.pdf) (2024) - Provides insights into data privacy 
trends, challenges, and breaches across various industries. Key findings reveal strong global support for privacy laws, yet slow progress on transparency and AI readiness alongside growing concerns regarding data usage in Generative AI.
- Code42 (https://www.code42.com/content/2024-data-exposure) - Annual Data Exposure Report (Annual%20Security%20Reports/2024/Code42-Annual-Data-Exposure-Report-2024.pdf) (2024) - Highlights insider threat risks and trends based on insights from 
over 700 security professionals. Key findings reveal a significant increase in insider-driven data loss and the growing influence of emerging technologies on data exposure trends.
- Drata (https://drata.com/resources/reports/grc-trends) - State of GRC (Annual%20Security%20Reports/2025/Drata-State-of-GRC-2025.pdf) (2025) - Focuses on the evolving role of Governance, Risk Management, and Compliance (GRC), transitioning from 
a cost center to a strategic business driver. A key finding highlights the challenges GRC teams face in balancing compliance complexity and business growth, including concerns about AI hallucinations providing improper GRC guidance.
- Hyperproof (https://hyperproof.io/q1-2025-readers-digest-benchmark-report/) - IT Risk and Compliance Benchmark Report (Annual%20Security%20Reports/2025/Hyperproof-IT-Risk-and-Compliance-Benchmark-Report-2025.pdf) (2025) - Examines the state of 
IT risk and compliance, focusing on the maturation of GRC programs and trends in framework adoption. Key findings reveal the maturing of GRC programs, evolving framework adoption, and the increasing significance of third-party risk management as 
a major concern.
- Immuta (https://www.immuta.com/resources/2025-state-of-data-security-report/) - State of Data Security Report (Annual%20Security%20Reports/2025/Immuta-State-of-Data-Security-Report-2025.pdf) (2025) - A survey of 700+ data professionals examines
the current state of data security, including challenges, trends, and best practices across various industries. Key findings reveal that security and access remain top concerns amidst growing data demands, with people, processes, and technology 
all contributing to the complexities.
- ISACA (https://www.isaca.org/resources/reports/state-of-privacy-2025) - State of Privacy (Annual%20Security%20Reports/2025/ISACA-State-of-Privacy-2025.pdf) (2025) - Outlines key trends in global privacy practices, including staffing needs, 
budget constraints, and the increasing integration of AI in privacy operations. Key findings reveal significant skill gaps and difficulties in staff retention, coupled with increasing reliance on AI for privacy initiatives and a growing concern 
over privacy breaches.
- Kiteworks (https://www.kiteworks.com/report-2025-forecast-for-managing-private-content-exposure-risk/) - Forecast for Managing Private Content Exposure Risk 
(Annual%20Security%20Reports/2025/Kiteworks-Forecast-for-Managing-Private-Content-Exposure-Risk-2025.pdf) (2025) - Outlines 12 predictions for managing private content exposure risk, based on cybercrime, cybersecurity, and compliance trends 
focusing on sensitive content communications. Key predictions highlight the evolving global data privacy landscape, the increasing importance of secure content collaboration, and the need for robust API security to manage these risks effectively.
- Proofpoint (https://www.proofpoint.com/us/resources/threat-reports/data-loss-landscape) - Data Loss Landscape (Annual%20Security%20Reports/2024/Proofpoint-Data-Loss-Landscape-2024.pdf) (2024) - Provides an overview of the data loss landscape, 
including trends and challenges faced by organizations across various industries. Key findings reveal significant financial costs associated with data breaches stemming from malicious and negligent insiders, highlighting a critical need for 
improved data loss prevention strategies.
- Proofpoint (https://go.proofpoint.com/2024-Frost-Radar-for-Email-Security.html) - Global Email Security Market Report (Annual%20Security%20Reports/2024/Proofpoint-Global-Email-Security-Market-Report-2024.pdf) (2024) - Benchmarks 21 top email 
security vendors, highlighting growth opportunities and market trends. Key findings highlight the significant pressure on vendors to adapt to the rapidly evolving threat landscape and maintain solution efficacy.
Ransomware
- Cyberreason (https://www.cybereason.com/ransomware-the-true-cost-to-business-2024) - Ransomware The True Cost to Business (Annual%20Security%20Reports/2024/Cyberreason-Ransomware-The-True-Cost-to-Business-2024.pdf) (2024) - Examines the true 
cost of ransomware attacks on businesses across different sectors. Key findings reveal the evolution of ransomware beyond simple data encryption, highlighting its increasingly sophisticated methods and the significant financial and operational 
consequences for victims.
- Sophos (https://www.sophos.com/en-us/content/state-of-ransomware) - State Of Ransomware (Annual%20Security%20Reports/2025/Sophos-State-of-Ransomware-2025.pdf) (2025) - Outlines the state of ransomware in 2025, examining technical and 
operational attack vectors, data handling, and the financial and human costs of incidents. Notably, data encryption rates are at a six-year low of 50%, and median ransom payments dropped by 50%, though exploited vulnerabilities remain the leading
attack vector.
- Spycloud (https://spycloud.com/resource/2024-malware-ransomware-defense-report/) - Ransomware Defense Report (Annual%20Security%20Reports/2024/Spycloud-Ransomware-Defense-Report-2024.pdf) (2024) - Examines malware and ransomware defense 
strategies and trends across different sectors. Key findings reveal a resurgence in ransomware attacks and highlight the increasing sophistication of malware, including stealthy stealers and the significant risk posed by third-party exposures.
AI and Emerging Technologies
- Cisco (https://www.cisco.com/c/en/us/products/security/state-of-ai-security.html) - State of AI Security (Annual%20Security%20Reports/2025/Cisco-State-of-AI-Security-2025.pdf) (2025) - Analyzes the emerging AI security risks and attack vectors 
within the AI threat landscape. Key findings reveal a growing need for proactive AI security research and the development of robust policies to mitigate these risks.
- HiddenLayer (https://hiddenlayer.com/threatreport2024/) - AI Threat Report (Annual%20Security%20Reports/2024/HiddenLayer-AI-Threat-Landscape-Report-2024.pdf) (2024) - Provides insights into the AI threat landscape across various industries. Key
findings highlight the increasing threats of adversarial AI attacks, including deepfakes and data privacy breaches, and the vulnerabilities of AI-based systems to supply chain attacks.
- ICONIQ (https://www.iconiqcapital.com/growth/reports/2025-state-of-ai) - The AI Builders Playbook (Annual%20Security%20Reports/2025/Iconiq-The-AI-Builders-Playbook-2025.pdf) (2025) - Focuses on the "how-to" of conceiving, delivering, and 
scaling AI-powered offerings, including product roadmap, go-to-market strategies, talent, cost management, and internal productivity. Key findings indicate that AI-native companies are rapidly scaling products, with agentic workflows being the 
most common type of AI product built by 80% of AI-native companies, while model accuracy and the increasing importance of cost are top considerations for foundational models.
- Okta (https://spaces.okta.com/story/ai-at-work/page/1) - AI at Work (Annual%20Security%20Reports/2025/Okta-AI-at-Work-2025.pdf) (2025) - Focuses on the perspectives of C-suite executives regarding the transformative impact of artificial 
intelligence (AI) on security, innovation, and efficiency within organizations. Key findings reveal executive sentiment, concerns, and priorities regarding AI implementation, highlighting varying levels of understanding and integration across 
different organizations.
- Wiz (https://www.wiz.io/reports/ai-security-readiness) - AI Security Readiness (Annual%20Security%20Reports/2025/Wiz-AI-Security-Readiness-2025.pdf) (2025) - Analyzes the current state of AI security readiness among cloud architects, engineers,
and security leaders, highlighting critical gaps. Key findings reveal widespread AI adoption is significantly outpacing the development of in-house security expertise and the implementation of AI-specific posture management tools, leading to 
substantial visibility challenges like shadow AI.
Resources
Annual reports are the result of a collaborative effort, combining research from both paid and non-profit sources, drawn from within the organization and the broader cybersecurity community. These reports rely on the contributions of various 
organizations that help shape the field by setting standards, offering certifications, conducting research, and influencing policy.
The categories below highlight the diverse roles these organizations play in building cybersecurity programs and advancing best practices. By exploring these groups, readers can gain insight into the ecosystem that underpins the development of 
annual reports and drives progress in the industry.
Research Consulting (#research-consulting): These are organizations that offer paid research services, market analysis, and consulting in the field of information technology and cybersecurity.
Standards and Certifications (#standards-and-certifications): Organizations involved in setting cybersecurity standards, providing certifications, and creating frameworks for best practices.
Threat Intelligence and Incident Response (#threat-intelligence-and-incident-response): Organizations focused on sharing threat intelligence, coordinating cyber incident responses, and combating cyber threats.
Policy and Advocacy (#policy-and-advocacy): Institutions shaping cybersecurity policies, regulations, and public awareness on a national or international scale.
Working Groups (#working-groups): These are collaborative organizations or professional associations that conduct research, share information, and develop best practices in cybersecurity.
Government and Non-profits (#government-and-non-profits): This category includes government agencies and non-profit organizations dedicated to cybersecurity research, policy development, and public awareness.
Research Consulting
- 451 Research (https://www.451research.com/) - A technology research and advisory firm specializing in emerging technology segments including cybersecurity market analysis and trends.
- ABI Research (https://www.abiresearch.com/) - A technology market intelligence company providing strategic guidance on transformative technologies, including cybersecurity and digital security.
- Forrester Research (https://www.forrester.com/) - An advisory company that offers paid research, consulting, and event services specialized in market research for information technology.
- Frost & Sullivan (https://www.frost.com/) - A consulting firm offering market research and analysis in cybersecurity, with particular focus on emerging technologies and market opportunities.
- Gartner (https://www.gartner.com/) - A technology research and consulting firm which offers private paid consulting as well as executive programs and conferences.
- GigaOm (https://gigaom.com/) - A research firm offering practical, hands-on, practitioner-driven research for businesses.
- International Data Corporation (IDC) (https://www.idc.com/) - A global provider of market intelligence and advisory services.
- KuppingerCole (https://www.kuppingercole.com/) - A global analyst company specializing in information security, identity & access management, and risk management.
- Omdia (https://omdia.tech.informa.com/) - A global technology research powerhouse focusing on cybersecurity market analysis and digital transformation.
Standards and Certifications
- American Institute of CPAs (https://us.aicpa.org/) - The AICPA SOC2 is a framework for managing and safeguarding customer data based on five trust service criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- The Information Security Forum (ISF) (https://www.securityforum.org/) - A global, independent organization dedicated to benchmarking and sharing best practices in information security.
- The International Organization for Standardization (ISO) (https://www.iso.org/) - An international organizational body composed of representatives which conduct closed research for creation of standards.
- The Information Systems Audit and Control Association (ISACA) (https://www.isaca.org/) - An international professional association focused on IT governance, which conducts research for and on behalf of the members.
- The International Information System Security Certification Consortium (ISC)² (https://www.isc2.org/) - An American not-for-profit organization which conducts research for consumers of their cybersecurity training and certifications.
- SANS Institute (https://www.sans.org/) - A private U.S. for-profit company which conducts research for consumers of their cybersecurity training and certifications.
- Trusted Computing Group (TCG) (https://trustedcomputinggroup.org/) - Develops and promotes open standards for hardware-enabled security.
Threat Intelligence and Incident Response
- The Anti-Phishing Working Group (APWG) (https://apwg.org/) - A global coalition focused on unifying the global response to cybercrime.
- The Cyber Threat Alliance (CTA) (https://www.cyberthreatalliance.org/) - An industry-driven group of cybersecurity organizations that share threat intelligence and conduct collaborative research to combat cyber threats.
- The Forum of Incident Response and Security Teams (FIRST) (https://www.first.org/) - Provides platforms, means and tools for incident responders to always find the right partner and to collaborate efficiently.
- The Global Cyber Alliance (GCA) (https://globalcyberalliance.org/) - An international, cross-sector effort dedicated to reducing cyber risk.
- The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) (https://www.m3aawg.org/) - Focuses on operational issues of Internet abuse including botnets, malware, spam, viruses, and mobile messaging abuse.
- Ponemon Institute (https://www.ponemon.org/) - Considered the pre-eminent research center dedicated to privacy, data protection and information security policy.
Policy and Advocacy
- The Rand Corporation (https://www.rand.org/) - An American not-for-profit organization which conducts research and analysis on various aspects of cybersecurity and cyber policy focused on national security.
- Center for Strategic and International Studies (CSIS) - Technology Policy Program (https://www.csis.org/programs/technology-policy-program) - A think tank with a Technology Policy Program that conducts research and provides insights into 
technology and cybersecurity policies.
- Electronic Frontier Foundation (EFF) (https://www.eff.org/) - A non-profit organization defending civil liberties in the digital world, including privacy and cybersecurity issues.
- The Internet Security Alliance (ISA) (https://isalliance.org/) - A multi-sector trade association focused on thought leadership, policy advocacy, and standards development for cybersecurity.
- World Economic Forum (Centre for Cybersecurity) (https://www.weforum.org/centre-for-cybersecurity) - A global initiative that brings together stakeholders from industry, government, and academia to improve cybersecurity globally and secure the 
digital economy.
Working Groups
- The Cloud Security Alliance (CSA) (https://cloudsecurityalliance.org/) - Promotes best practices for providing security assurance within cloud computing.
- The Internet Engineering Task Force (IETF) (https://www.ietf.org/) - Develops and promotes internet standards, including those related to security.
- The Open Web Application Security Project (OWASP) (https://owasp.org/) - A professional community that produces research concerning web application security, made freely available to the online community.
- Industrial Control Systems Joint Working Group (ICSJWG) (https://www.cisa.gov/icsjwg) - Facilitates information sharing and collaboration for cybersecurity in industrial control systems.
- The Open Source Security Foundation (OpenSSF) (https://openssf.org/) - A cross-industry collaboration to improve the security of open source software.
- Web Application Security Consortium (WASC) (http://www.webappsec.org/) - An international group of experts, industry practitioners, and organizational representatives who produce security standards and research.
Government and Non-profits
- Australian Cyber Security Centre (ACSC) (https://www.cyber.gov.au/) - Provides cyber security advice and support to Australian businesses and individuals.
- Canadian Centre for Cyber Security (https://cyber.gc.ca/en/) - Canada's national authority on cybersecurity.
- Center for Internet Security (CIS) (https://www.cisecurity.org/) - An American non-profit organization that provides cybersecurity solutions and best practices.
- Cybersecurity and Infrastructure Security Agency (CISA) (https://www.cisa.gov/) - A U.S. government agency responsible for enhancing the security and resilience of the nation's critical infrastructure.
- Cybersecurity Forum Initiative (CSFI) (https://www.csfi.us/) - An American non-profit organization that promotes cybersecurity awareness and research.
- Cyber Peace Institute (https://cyberpeaceinstitute.org/) - A non-profit organization focused on reducing the impact of cyberattacks on civilians and promoting peace in cyberspace by supporting international cooperation and collective action.
- European Union Agency for Cybersecurity (ENISA) (https://www.enisa.europa.eu/) - A European Union agency that contributes to EU cybersecurity policy, enhances trust in digital services, and supports incident response capabilities across Europe.
- Europol - European Cybercrime Centre (EC3) (https://www.europol.europa.eu/activities-services-main/areas-interest/european-cybercrime-centre-ec3) - A strategic alliance focused on combating cybercrime within the European Union.
- German Federal Office for Information Security (BSI) (https://www.bsi.bund.de/) - Germany's national cyber security authority providing IT security services and guidance.
- Internet Security Research Group (ISRG) (https://www.abetterinternet.org/) - A non-profit organization focused on reducing financial, technological, and educational barriers to secure communication over the Internet.
- Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (https://www.nisc.go.jp/eng/) - Japan's central organization for national cybersecurity strategy and incident response.
- Korean Internet & Security Agency (KISA) (https://www.kisa.or.kr/eng/) - South Korea's government agency dedicated to promoting cybersecurity and a safer internet environment.
- MITRE Corporation (https://www.mitre.org/) - An American not-for-profit organization which conducts research and development supporting various U.S. government agencies.
- National Cyber Security Centre (NCSC) (https://www.ncsc.gov.uk/) - The UK's technical authority for cyber incidents.
- National Cyber Security Centre - Netherlands (NCSC-NL) (https://www.ncsc.nl/english) - The Dutch national cyber security center providing guidance and incident response.
- National Institute of Standards and Technology (NIST) (https://www.nist.gov/cybersecurity) - A U.S. agency that develops cybersecurity standards and guidelines.
- Norwegian National Security Authority (NSM) (https://nsm.no/en/) - Norway's expert body for information and object security, providing guidance and incident response capabilities.
- Singapore Cyber Security Agency (CSA) (https://www.csa.gov.sg/) - Singapore's national agency overseeing cybersecurity strategy and development.
Contributing
Please refer to the guidelines at CONTRIBUTING.md for details (CONTRIBUTING.md).
annualsecurityreports Github: https://github.com/jacobdjwilson/awesome-annual-security-reports
Reference in New Issue View Git Blame Copy Permalink