Immersive has uncovered a significant gap between confidence and capability in the cybersecurity sector.
The report indicates that despite substantial investments and intensified board oversight, measurable preparedness remains stagnant. While a majority of organizations express confidence in managing major incidents, the data reveals a different scenario.
The company's analysis highlights an average decision accuracy of just 22%, with containment taking an average of 29 hours. Furthermore, since 2023, Resilience Scores have either flatlined or declined by an average of 3%, suggesting that the belief in preparedness outstrips actual performance.
Key Findings
The report shows predictable shortcomings in readiness. Immersive’s data points to systemic patterns that hinder true resilience, affecting how teams measure success, select practices, and involve participants. These patterns create gaps where confidence overshadows capability, highlighting areas needing immediate attention.
Confidence Without Capability
Despite 94% of organizations expressing confidence in their ability to effectively handle incidents, operational results showed only 22% decision accuracy with attack containment averaging 29 hours.
Resilience Scores have remained unchanged, and the median response time in cyber threat intelligence labs stands at 17 days, suggesting that increased spending has not translated to improved outcomes. While confidence rises, capability does not.
Practicing the Past
Data reveals that 60% of training concentrates on vulnerabilities over two years old, preparing teams for outdated threats. Basic labs account for 36% of all training exercises, restricting advancement into more sophisticated readiness stages.
This focus on past threats has led to halted maturity and reduced adaptability amid evolving attack methods.
Excluding the Business
Only 41% of organizations engage non-technical roles in simulations, despite 90% believing that cross-functional collaboration is strong. When crisis situations arise, the lack of practiced coordination slows responses and amplifies impacts.
Comprehensive readiness requires rehearsed collaboration beyond the security team.
New Risks, Old Habits
Veterans performed better than novices in managing known threats, achieving approximately 80% accuracy in traditional incident-response labs. However, these experienced individuals struggled with AI-enabled or novel attacks.
Participation in AI-scenario labs by senior staff declined by 14% in the past year, highlighting an increasing gap in adaptability as adversaries employ AI technology.
James Hadley, Founder and Chief Innovation Officer at Immersive, emphasized, "Experience teaches what to do next until the next thing has never happened before. Even the most seasoned teams must evolve as fast as the threats they face."
Methodology
The report stems from a survey by Osterman Research conducted on behalf of Immersive, involving 500 cybersecurity professionals in the U.S. and U.K. between August and September 2025.
The study captures perceptions and measures of readiness within organizations. Additionally, anonymized performance data from Immersive One, comprising millions of labs conducted across industries between July 2024 and June 2025, complements these insights.
The findings also include real-world assessments from the "Orchid Corp" crisis simulation, which involved 187 professionals across 11 drills in 9 cities. Evaluation through the Immersive Resilience Score provides a benchmark for readiness across people, processes, and technology.
Immersive, the pioneer in cyber resilience, is revealing a widening gap between confidence and capability in cybersecurity. Despite record investment, heightened board oversight, and nonstop training, measurable readiness has flatlined. While nearly every organization believes it can handle a major incident, the data tells a different story.
According to Immersive’s analysis, average decision accuracy is just 22%, and the average containment time is 29 hours. Meanwhile, Resilience Scores remain statistically flat to lower year-over-year (with an average decline of -3%) since 2023, showing that belief in preparedness continues to outpace proven performance.
“Readiness isn’t a box to tick, it’s a skill that’s earned under pressure,” said James Hadley, Founder and Chief Innovation Officer at Immersive. “Organizations aren’t failing to practice; they’re failing to practice the right things. True resilience comes from continuously proving and improving readiness across every level of the business, so when a real crisis hits, your confidence is backed by evidence, not assumption.”
Most significant findings
The findings reveal that readiness breaks down in predictable ways. From how teams measure success, to what they choose to practice, and who they involve in the process, Immersive’s data exposes systemic patterns that prevent organizations from achieving demonstrable resilience. These are the fault lines where confidence diverges from capability, and where the work to truly be ready must begin.
Among the report’s most significant findings:
Confidence without capability
- 94% of organizations believe they could effectively detect, respond to, and recover from a major incident.
- In practice, teams achieved only 22% decision accuracy and took 29 hours to contain simulated attacks.
- Resilience Scores have remained statistically flat since 2023, and the median response time of 17 days to complete the latest cyber threat intelligence labs hasn’t improved despite increased spending and executive oversight. Confidence is climbing. Capability isn’t.
Practicing the past
- 60% of all training still focuses on vulnerabilities more than two years old, leaving teams overprepared for yesterday’s threats.
- The most common exercises remain fundamental-level labs (36%), limiting progression into intermediate and advanced readiness.
- The result: stalled maturity and shrinking adaptability as organizations master outdated playbooks while new attack techniques evolve.
Excluding the business
- Only 41% of organizations include non-technical roles (such as Legal, HR, Communications, or Executives) in simulations, even though 90% believe cross-functional coordination is strong.
- The data proves otherwise: when crises hit, unpracticed collaboration slows response and amplifies impact.
- True readiness demands rehearsed coordination across every function, not just the security team.
New risks, old habits
- Veteran practitioners outperform newcomers on known threats, achieving roughly 80% accuracy in classic incident-response labs.
- But when faced with AI-enabled or novel attacks, those same experts lag behind. Senior participation in AI-scenario labs dropped 14% year over year, exposing a growing adaptability gap as adversaries weaponize AI.
“Experience teaches what to do next, until the next thing has never happened before,” added Hadley. “Even the most seasoned teams must evolve as fast as the threats they face.”
Methodology
Immersive’s report draws from:
- An Immersive-commissioned survey with Osterman Research of 500 cybersecurity pioneers and practitioners in the U.S. and U.K. (August–September 2025), capturing how organizations perceive and measure readiness.
- Anonymized performance data within the Immersive One platform (July 2024–June 2025), representing millions of hands-on labs across industries.
- Results from Immersive’s “Orchid Corp” crisis simulation, involving 187 professionals across 11 drills in 9 cities, measuring real-world decision-making and containment under pressure.
- Analysis of the Immersive Resilience Score, a benchmark that quantifies readiness across people, process, and technology by measuring decision accuracy, response time, framework alignment, and adaptability to new threats. The score applies to all Immersive users, subject to eligibility, as customers must have the relevant product to be evaluated on each corresponding factor.