Cyber threats are evolving faster than ever, and security leaders can’t afford to fall behind. That’s why we created the 2025 Fortra State of Cybersecurity Survey—to provide valuable insights that help SOCs, CISOs, and other cybersecurity decision-makers shape their strategies for the year ahead.
The report compiles insights from 12 key cybersecurity roles (analysts, developers, architects, directors, and executives) spanning 24 industries worldwide, drawing from Fortra’s 25,000+ global customers.
For security leaders, staying ahead of these trends is critical. The survey provides a data-driven look at the biggest risks organizations face, helping you make informed decisions, allocate resources effectively, and strengthen your cyber resilience.
Instead of diving into every statistic, let’s focus on some of the most compelling findings from this year’s survey.
Risks & Challenges: The Evolving Cyber Threat Landscape
Social engineering, phishing, and smishing attacks remain the top concern for cybersecurity practitioners this year. Advancements in Generative AI (Gen AI) are amplifying these threats, making them more sophisticated and harder to detect. Fortra’s email security and data risk teams are also seeing an increased volume of Gen AI actively leveraged in next-generation phishing, smishing, and social engineering attacks. Given the explosion of sites, tools, and services leveraging emerging technologies like Gen AI, it’s not surprising that the number of security professionals identifying evolving technologies as a primary security threat has increased from 35% to 50% YoY. Security leaders are increasingly worried about AI-powered attacks targeting their organizations and the ability of their defenses to counter AI-driven threats. Businesses rushing to adopt AI must ensure data scientists and consultants are not inadvertently exposing sensitive data, leading to compliance violations or reputational risks.
The perceived risk of zero-day attacks has decreased 12% from last year. Does this mean zero-days are disappearing? Absolutely not. Just last month, both Apple and Microsoft released patches for critical zero-day vulnerabilities. The difference is how the industry has evolved. Years ago, zero-days caused chaos. Today, security teams have well-defined playbooks to mitigate the impact, making responses faster and more effective.
Top Cybersecurity Initiatives for 2025
When asked about their top security initiatives for the coming year, 77% of security experts said that identifying and closing security gaps was first on their list. This initiative is a foundational defense strategy to strengthen cybersecurity posture. Security teams can’t predict when or how they will be attacked, but they can proactively reduce their attack surface.
Improving security awareness and culture took the number two spot, increasing to 75% from 66% last year. Employees remain the weakest link in cybersecurity, with industry reports (e.g., Verizon Data Breach Investigation Report) highlighting phishing and credential theft as top attack vectors. Looking ahead, AI-powered phishing campaigns demand that cybersecurity awareness training be stronger than ever.
Cloud security prioritization may no longer be a top initiative, down to 54% from 63% last year. This should not be taken to mean that organizations are ignoring cloud security. Cloud is now a standard operating environment, with 91% of respondents already using cloud in some form. It is also embedded into vulnerability management, attack surface monitoring, prevention, detection, and response—rather than being treated as a standalone priority.
Challenges in Implementing These Initiatives
Budgetary constraints increased to 59% this year from 54% last year, remaining one of the top challenges organizations face. To make the most of their cybersecurity budget, organizations need to spend wisely. This means focusing on tools that strengthen security, cutting out the unnecessary, and aligning efforts with business goals to reduce risks and stay ahead of threats without overspending. Organizations can optimize security spending by:
- Assessing: Where does the organization stand in the cybersecurity maturity model? Regular evaluations help identify gaps and areas for improvement.
- Preventing & Detecting: Identifying strengths and weaknesses in the security stack. A proactive approach ensures threats are mitigated before they cause harm.
- Optimizing & Consolidating: Eliminating redundant tools and evaluating ROI on security investments. Streamlining security solutions enhances efficiency and reduces costs.
- Responding: Building scalable security programs aligned with business goals. A well-structured response strategy minimizes disruption and strengthens resilience.
Tools & Vendors: The Case for Security Consolidation
Security vendor consolidation is accelerating, with over 70% of respondents reducing their number of vendors to fewer than 10, a significant shift from the 30+ vendors many organizations relied on a few years ago.
Organizations consolidating vendors should ask:
- Are we covering the full kill chain?
- Are redundant tools eliminated?
- Are compliance requirements met (especially for regulated industries)?
Security tool sprawl is a real problem for many organizations. As companies grow, they often end up with too many tools that overlap, making it harder to manage effectively. This not only leads to higher costs but can also create gaps in protection. Streamlining security tools is key to improving efficiency and ensuring better coverage. Consolidation can:
- Reduce costs
- Improve efficiency
- Strengthen security outcomes
Staffing: The Need for Specialized Security Talent
Don’t spread your security budget too thin. Cybersecurity is not a “peanut butter” budget problem and resources must be allocated strategically. Certain functions, like penetration testing, require deep expertise and specialized skills.
60% of respondents report outsourcing penetration testing. This is a smart approach because it provides:
- A fresh, outside-in perspective on vulnerabilities
- Advanced expertise not available in-house
- Cost savings compared to hiring full-time specialists
Security services will continue to grow, with email security and vulnerability management (VM) being the next major areas outsourced, in addition to penetration testing. The security services market is projected to generate as much revenue as security products in the coming years.
Outsourcing security services gives organizations the chance to tap into expert help and resources that make security stronger and more efficient. By working with outside providers, businesses can stay on top of new threats without stretching their teams too thin. It helps fill in any gaps, speeds up response times, and scales as needed, all while letting companies focus on what they do best.
Outsourcing security services provides:
- 24/7 security coverage
- Faster incident response times
- Hybrid models where some functions remain in-house while others are outsourced
Final Thoughts: A Call to Action for Cybersecurity Leaders
The cyber threat landscape is evolving faster than ever, driven by AI-initiated attacks, social engineering, and cloud-based vulnerabilities. To protect against these threats, organizations must strengthen security awareness programs, optimize security tool investments, and address staffing shortages. Security leaders must not only defend against today’s threats but also prepare for the threats of tomorrow—because in cybersecurity, complacency is the biggest risk of all.
About the Author
Rohit Dhamankar is the Vice President of Product Strategy at Fortra’s Alert Logic. Rohit has more than 20 years of security industry experience across product strategy, threat research, product management and development, and customer solutions. Dhamankar holds a Master of Science in Electrical Engineering from the University of Texas Austin and a Master of Science in Physics from IIT in Kanpur, India.
He has worked in leading and advisory roles for many successful start-ups and Texas-based VCs. Rohit has spoken at RSA, Black Hat and other cybersecurity industry conferences. In addition, he worked with the SANS Institute for many years authoring industry-driving reports and newsletters.