Horizon3.ai Research Reveals Growing Divide Between Security Leaders and Practitioners

New report shows organizations are measuring activity, not resistance, as AI accelerates real-world attack risk

There is a growing disconnect between how security is reported at the executive level and how risk is experienced by those operating security programs day to day, according to new research from Horizon3.ai, the AI-native proactive security leader.

That gap is reflected in the data: 97% of CISOs say they are confident their endpoint protection would detect attacker behavior, yet only 12% report testing that capability within the last three months. Just 30% of organizations report patching and then testing to confirm that risk has actually been remediated.

Horizon3.ai announced the findings of its 2026 research report, “The State of Assumed Security: Why Measuring Activity Is Not the Same as Measuring Resistance.” The report surveyed 750 cybersecurity leaders and practitioners across the United States and Europe.

The report highlights how many CISOs believe their organizations would withstand a determined attack, while practitioners report significant exposure, unresolved attack paths, and gaps in validation.

This divide is not theoretical. It shapes how risk is prioritized, how resources are allocated, and how security effectiveness is measured.

“Security programs today are optimized for workflow completion. Scan, patch, rescan, close. That does not mean an attack will fail. As attackers move faster and chain weaknesses across identity, infrastructure, and cloud, the only thing that matters is whether those controls actually stop the attack,” said Snehal Antani, CEO and co-founder of Horizon3.ai.

The report identifies a consistent set of breakdowns across modern security programs:

  • Leadership confidence in “low risk” diverges from practitioner reality
  • Remediation workflows close tickets without closing attack paths
  • Detection is widely trusted but rarely proven under real-world conditions
  • Automation is increasing speed faster than validation
  • Security metrics track progress, not whether exposure has been eliminated

Together, these breakdowns reinforce what the report defines as “assumed security,” a state where organizations measure activity, but do not consistently confirm whether defenses can withstand real attacker behavior.

This gap becomes more consequential as attackers evolve.

Emerging AI capabilities are reducing the effort required to identify, exploit, and connect vulnerabilities into real-world attack paths. As the path from discovery to impact continues to shrink, the difference between assuming security and proving it becomes critical.

“Security teams don’t struggle to find problems. They struggle to prove those problems are actually gone. Most workflows end at patch and rescan, but attackers don’t operate in isolation. They chain weaknesses into real attack paths. If you’re not validating those paths in your environment, you’re not measuring risk,” said Dan Bird, Field CTO EMEA, Horizon3.ai.

The findings point to a clear shift in how security must be measured. Activity alone is no longer a reliable proxy for risk reduction. What matters is whether defenses actually hold under realistic attack conditions.
