94% of organizations believe they’re prepared for a major cyber incident, yet real-world data shows only 22% accuracy and 29 hours to containment

BOSTON & BRISTOL, England: Immersive, the leader in cyber resilience, is revealing a widening gap between confidence and capability in cybersecurity. Despite record investment, heightened board oversight, and nonstop training, measurable readiness has flatlined. While nearly every organization believes it can handle a major incident, the data tells a different story.

According to Immersive’s analysis, average decision accuracy is just 22%, and the average containment time is 29 hours. Meanwhile, Resilience Scores remain statistically flat to lower year-over-year (with an average decline of -3%) since 2023, showing that belief in preparedness continues to outpace proven performance.

“Readiness isn’t a box to tick, it’s a skill that’s earned under pressure,” said James Hadley, Founder and Chief Innovation Officer at Immersive. “Organizations aren’t failing to practice; they’re failing to practice the right things. True resilience comes from continuously proving and improving readiness across every level of the business, so when a real crisis hits, your confidence is backed by evidence, not assumption.”

The findings reveal that readiness breaks down in predictable ways. From how teams measure success, to what they choose to practice, and who they involve in the process, Immersive’s data exposes systemic patterns that prevent organizations from achieving demonstrable resilience. These are the fault lines where confidence diverges from capability, and where the work to truly be ready must begin.

Among the report’s most significant findings:

Confidence Without Capability

• 94% of organizations believe they could effectively detect, respond to, and recover from a major incident.
• In practice, teams achieved only 22% decision accuracy and took 29 hours to contain simulated attacks.
• Resilience Scores have remained statistically flat since 2023, and the median response time of 17 days to complete the latest cyber threat intelligence labs hasn’t improved despite increased spending and executive oversight. Confidence is climbing. Capability isn’t.

Practicing the Past

• 60% of all training still focuses on vulnerabilities more than two years old, leaving teams overprepared for yesterday’s threats.
• The most common exercises remain fundamental-level labs (36%), limiting progression into intermediate and advanced readiness.
• The result: stalled maturity and shrinking adaptability as organizations master outdated playbooks while new attack techniques evolve.

Excluding the Business

• Only 41% of organizations include non-technical roles (such as Legal, HR, Communications, or Executives) in simulations, even though 90% believe cross-functional coordination is strong.
• The data proves otherwise: when crises hit, unpracticed collaboration slows response and amplifies impact.
• True readiness demands rehearsed coordination across every function, not just the security team.

New Risks, Old Habits

• Veteran practitioners outperform newcomers on known threats, achieving roughly 80% accuracy in classic incident-response labs.
• But when faced with AI-enabled or novel attacks, those same experts lag behind. Senior participation in AI-scenario labs dropped 14% year over year, exposing a growing adaptability gap as adversaries weaponize AI.

“Experience teaches what to do next, until the next thing has never happened before,” added Hadley. “Even the most seasoned teams must evolve as fast as the threats they face.”

Download the full 2025 Cyber Workforce Benchmark Report here.

Methodology

Immersive’s report draws from:

• An Immersive commissioned survey with Osterman Research of 500 cybersecurity leaders and practitioners in the U.S. and U.K. (August–September 2025), capturing how organizations perceive and measure readiness.
• Anonymized performance data within the Immersive One platform (July 2024–June 2025), representing millions of hands-on labs across industries.
• Results from Immersive’s “Orchid Corp” crisis simulation, involving 187 professionals across 11 drills in 9 cities, measuring real-world decision-making and containment under pressure.
• Analysis of the Immersive Resilience Score, a benchmark that quantifies readiness across people, process, and technology by measuring decision accuracy, response time, framework alignment, and adaptability to new threats. The score applies to all Immersive users, subject to eligibility, as customers must have the relevant product to be evaluated on each corresponding factor.

About Immersive

Immersive, the leader in cyber resilience, helps your organization continuously prove and improve its ability to prevent and respond to cyber threats. Tailored to individual roles, our approach ensures your organization is always ready for an ever-evolving threat landscape, including the opportunities and challenges posed by AI. With a relentless focus on evidence, Immersive provides unmatched visibility into your cyber resilience. Through a single enterprise platform for individuals, teams, and the entire workforce, we empower your organization to Be Ready for what’s next.

Immersive is trusted by the world’s largest organizations and governments, including Citi, Pfizer, Humana, HSBC, the UK Ministry of Defence, and the UK National Health Service. We are backed by Goldman Sachs Asset Management, Summit Partners, Insight Partners, Citi Ventures, Ten Eleven Ventures, and Menlo Ventures.

Fonte: Business Wire