94% of organizations believe they’re prepared for a major cyber incident, yet real-world data shows only 22% accuracy and 29 hours to containment
BOSTON & BRISTOL, England–(BUSINESS WIRE)–Immersive, the leader in cyber resilience, is revealing a widening gap between confidence and capability in cybersecurity. Despite record investment, heightened board oversight, and nonstop training, measurable readiness has flatlined. While nearly every organization believes it can handle a major incident, the data tells a different story.
According to Immersive’s analysis, average decision accuracy is just 22%, and the average containment time is 29 hours. Meanwhile, Resilience Scores remain statistically flat to lower year-over-year (with an average decline of -3%) since 2023, showing that belief in preparedness continues to outpace proven performance.
James Hadley, Founder and Chief Innovation Officer of Immersive, remarked, “Readiness isn’t something you check off; it’s a skill you learn under pressure. Companies aren’t failing to practice; they’re failing to practice the right things.” True resilience comes from constantly proving and enhancing readiness at all levels of the business. This way, when a true crisis happens, your confidence is based on facts, not guesses.
The results show that preparation falls apart in ways that are easy to foresee. Immersive’s data shows systemic patterns that keep businesses from being truly resilient. These patterns affect how teams assess success, what they choose to practice, and who they include in the process. These are the places where confidence and ability don’t match up, and where the work to really be ready must start.
Some of the most important things the report found are:
- 94% of organizations believe they could effectively detect, respond to, and recover from a major incident.
- In practice, teams achieved only 22% decision accuracy and took 29 hours to contain simulated attacks.
- Resilience Scores have remained statistically flat since 2023, and the median response time of 17 days to complete the latest cyber threat intelligence labs hasn’t improved despite increased spending and executive oversight. Confidence is climbing. Capability isn’t.
Practicing the Past
- 60% of all training still focuses on vulnerabilities more than two years old, leaving teams overprepared for yesterday’s threats.
- The most common exercises remain fundamental-level labs (36%), limiting progression into intermediate and advanced readiness.
- The result: stalled maturity and shrinking adaptability as organizations master outdated playbooks while new attack techniques evolve.
Excluding the Business
- Only 41% of organizations include non-technical roles (such as Legal, HR, Communications, or Executives) in simulations, even though 90% believe cross-functional coordination is strong.
- The data proves otherwise: when crises hit, unpracticed collaboration slows response and amplifies impact.
- True readiness demands rehearsed coordination across every function, not just the security team.
New Risks, Old Habits
- Veteran practitioners outperform newcomers on known threats, achieving roughly 80% accuracy in classic incident-response labs.
- But when faced with AI-enabled or novel attacks, those same experts lag behind. Senior participation in AI-scenario labs dropped 14% year over year, exposing a growing adaptability gap as adversaries weaponize AI.
Hadley said, “Experience tells you what to do next, until the next thing happens that has never happened before. Even the most experienced teams need to change as quickly as the threats they face.”
Methodology
Immersive’s report draws from:
- An Immersive-commissioned poll with Osterman Research of 500 cybersecurity leaders and practitioners in the U.S. and U.K. (August–September 2025), capturing how organizations view and assess readiness.
- Anonymized performance data from the Immersive One platform (July 2024–June 2025), which includes millions of hands-on labs from different fields.
- Results from Immersive’s “Orchid Corp” crisis simulation, which involved 187 professionals in 11 drills in 9 cities and measured how well they made decisions and handled pressure in real life.
- The Immersive Resilience Score, a benchmark that measures how ready people, processes, and technology are by looking at decision accuracy, response speed, alignment with the framework, and the ability to handle new threats. The score covers all eligible Immersive users, since users must have the right product to be evaluated on each factor.
About Immersive
Immersive, the best company for cyber resilience, enables your business to keep proving and improving its ability to stop and deal with cyber threats. Our method is tailored to each person’s job, so your company is constantly ready for a threat landscape that is continually changing, including the benefits and problems that AI brings. Immersive gives you the best view of your cyber resilience since it always looks at the facts. We give your business the tools it needs to Be Ready for what’s coming by giving everyone, from individuals to teams to the whole workforce, access to a single enterprise platform.
The UK Ministry of Defence, the UK National Health Service, Citi, Pfizer, Humana, and HSBC are just a few of the world’s biggest companies and governments that trust Immersive. Goldman Sachs Asset Management, Summit Partners, Insight Partners, Citi Ventures, Ten Eleven Ventures, and Menlo Ventures are all behind us.

