Cymulate Releases Findings from Over One Million Security Assessments

Cymulate’s 2022 Cybersecurity Effectiveness Report reveals that organizations are leaving common attack paths exposed in their quest to combat emergent threats.


NEW YORK – March 28, 2023 – Cymulate, the leader in cybersecurity risk validation and exposure management, today released the company’s “2022 Cybersecurity Effectiveness Report” which analyzed the results of over a million security posture validation assessments, including 1.7 million hours of offensive cybersecurity testing within Cymulate’s production environments.

The report provides critical insights in global cybersecurity effectiveness, critical findings and top attack tactics, techniques, and procedures (TTPs). The report delves into the efficacy of different security controls, the most concerning threats as tested by organizations worldwide, and top cybersecurity best practices for 2023.

Report key takeaways include:

•Many organizations are testing for trending threats at the expense of ones they are more likely to experience – organizations are actively testing against threats seen in the news, likely from pressure to report on their exposure risk to emergent threats. This is a good, up to the point where it takes away from assessing threats and exposures that are more likely actively targeting the business. Businesses that used scheduled and full kill-chain testing demonstrated the broadest testing coverage and the most in- depth validation when they added advanced scenario testing to their programs.

• Known and cataloged industry-wide security issues remain unaddressed – 40% of the top 10 CVEs identified most by Vulnerability Management platforms were over two years old yet remain unpatched. A significant number of organizations are not testing against more widely recognized threats such as ProxyNotShell and Emotet that continue to persist and are apt to cause the most harm if not remediated.

• The effectiveness of data protection measures has declined – jumping from 30 to 44 in 2022, the average data exfiltration risk score has worsened considerably. Network and Group Policies have had a positive impact on prevention of data exfiltration, which has driven attackers to resort to alternative exfiltration methods.

• 92% of the top 10 exposures are related to domain and email security – in 2022, the top 10 exposures detected by Cymulate’s External
Attack Surface Management (EASM) module showed most detected exposures were spread across domain security (59.3%) and email security (32.8%).

Breach and Attack Simulation has had a significant positive impact on cyber resiliency. 

When comparing the anonymized data between the first Endpoint Security assessment completed and the most recent assessments completed, significant improvements in risk reduction were seen when BAS testing was regularly performed. The improvements were seen consistently across customers of various industries and sizes.

“It’s understandable that organizations want to protect themselves against the major threats making headlines today,” said Carolyn Crandall, Chief Security Advocate for Cymulate. “But the findings of the Cybersecurity Effectiveness Report underscore the fact that many attackers aren’t using advanced new strategies— they’re continuing to find success using known tactics. Organizations need to shift their vulnerability management strategies to address these gaps by implementing Attack Surface Management tools for exposure assessment, Breach and Attack Simulation for security control efficacy validation, and Continuous Automated Red Teaming for more frequent penetration testing.”

“Organizations must understand their security posture to identify vulnerabilities and protect against cyber threats,” said David Neuman, senior analyst at TAG Cyber. “Cymulate’s release of findings from over one million security assessments and 1.7 million hours of testing provides valuable insights into common weaknesses and areas for improvement in cybersecurity. This data highlights the need for continuous security testing and risk assessments to stay ahead of emerging threats.”

The full Cymulate 2023 Cybersecurity Effectiveness Report can be found here.

Register for a webinar of the findings

About Cymulate
The Cymulate cybersecurity risk validation and exposure management solution provides security professionals with the ability to continuously challenge, validate and optimize their on-premises and cloud cyber-security posture with end-to-end visualization across the MITRE ATT&CK® framework. The platform provides automated, expert, and threat intelligence-led risk assessments that are simple to
deploy, and easy for organizations of all cybersecurity maturity levels to use. It also provides an open framework for creating and automating red and purple teaming exercises by generating tailored penetration scenarios and advanced attack campaigns for their unique environments and security policies. For more information, visit

Media Contact
Katrina Porter, Sr. Manager,
Marketing Communications at Cymulate
[email protected]