Article Details

Overconfidence is the new zero-day as teams stumble through cyber simulations. Readiness metrics have flatlined since 2023, with most sectors slipping backward as teams fumble crisis drills. Teams that think they're ready for a major cyber incident are scoring barely 22 percent accuracy and taking more than a day to contain simulated attacks, according to new data out Monday. Immersive's latest Cyber Workforce Benchmark, which draws on 1.8 million exercises from the Immersive One platform and a survey of 500 cybersecurity leaders, paints a picture of an industry that has become more confident but no more capable. Immersive says 94 percent of organizations believe they can "effectively detect, respond to, and recover from a major incident," yet real-world performance in controlled drills has remained stubbornly flat.  According to the report, resilience scores haven't improved since 2023, with the median response time to complete critical cyber threat intelligence labs still coming in at 17 days – despite what Immersive describes as "record investment" and growing pressure from boards and cyber insurance carriers.  James Hadley, Immersive founder and chief innovation officer, argues that organizations are failing not for lack of effort, but because they are training for the wrong fights. "Readiness isn't a box to tick, it's a skill that's earned under pressure," he says in the report. "Organizations aren't failing to practice; they're failing to practice the right things."  Across the company's crisis-simulation drills, which involved 187 professionals in 11 global exercises, performance was consistently poor. Participants achieved just 22 percent accuracy, averaged 60 percent confidence, and took 29 hours to contain an infection, a combination the report describes as evidence that "when tested under pressure, most teams didn't fail for lack of knowledge, they failed for lack of practiced coordination."  The data also shows no improvement in the industry's basic readiness metrics. Immersive says more than 60 percent of sectors actually experienced slower response times year-over-year, and that confidence scores for "OK," "Good," and "Great" answers averaged the same (around 42.5 percent), suggesting teams cannot accurately judge their own performance despite expressing strong self-belief. Much of the stagnation, the report argues, comes from practicing outdated threat scenarios. Immersive found that 60 percent of all training activity still focuses on vulnerabilities more than two years old, leaving teams "over-prepared for yesterday's threats" while new attacker techniques continue to evolve. Fundamental-level labs remain the most common exercises at 36 percent of usage, which the company says limits progression to intermediate and advanced readiness. Another systemic issue is participation. Only 41 percent of organizations include non-technical roles such as legal, HR, communications, or senior executives in their cyber-response simulations. This is despite 90 percent of respondents believing their cross-functional communication during an incident is effective. Immersive's data shows the opposite: when business functions aren't rehearsed under pressure, collaboration falters and response times worsen.  Industry habits also contribute to the readiness illusion. Immersive reports that organizations overwhelmingly rely on training completion rates to measure preparedness even though completion "is not competence." Only 46 percent use resilience scores, and only 42 percent measure the number of simulations conducted, creating what the report calls "false metrics" that mask real-world capability gaps.  The report highlights a widening adaptability problem as well. Experienced practitioners perform strongly on familiar threats (roughly 80 percent accuracy in classic incident-response labs) but fall behind when faced with AI-enabled or novel attacks. Senior participation in AI-scenario labs dropped 14 percent year-over-year, while non-technical managers increased participation by 41 percent. As Immersive puts it: "Experience teaches what to do next – until the next thing has never happened before." Training completion itself remains inconsistent. The report notes an average completion rate of 81 percent, meaning nearly one in five participants do not finish the exercises they start. Hadley argues the industry must shift from confidence built on assumptions to readiness grounded in evidence. "True resilience comes from continuously proving and improving readiness across every level of the business, so when a real crisis hits, your confidence is backed by evidence, not assumption." "Experience teaches what to do next, until the next thing has never happened before," added Hadley. "Even the most seasoned teams must evolve as fast as the threats they face."