89% of monitored SMBs have at least one user with confirmed credential compromise at any given time.

69% of healthcare and manufacturing security leaders demand identity-based controls in any modern solution.

Session hijacking incidents increased by 23% over a 180-day period.

31% of users in monitored SMB environments are exposed to compromised passwords each month.

Machine identities outnumber human users by 25:1 in Microsoft 365 environments.

276 million of the credentials indexed in 2025 included active session cookies.

50% more credentials were identified in the second half of 2025 than in the first half of the year.

Over half of all credentials (53%) were indexed within one week of exfiltration, and 36.4% within 24 hours.

90% more credentials were identified in the last three months of 2025 than in the first three months

Of the 7 million credentials indexed with identifiable authorization URLs, 63.2% were tied to authentication systems.

Each compromised device yielded an average of 87 stolen credentials.

21% of cybersecurity intrusions investigated involved actors leveraging stolen human and non-human identities for initial access.

3.3 billion compromised credentials and cloud tokens make identity the primary exploit vector.

Identity weaknesses play a material role in nearly 90% of investigated incidents.

Only 12% of cybersecurity professionals in the United Kingdom reported that their organizations are fully prepared to handle AI-enhanced attacks in 2025.

45% of cybersecurity professionals in the United States cited phishing as their greatest risk in 2025.

28% of cybersecurity professionals in Germany reported that their organizations are fully prepared to handle AI-enhanced attacks in 2025.

16% of cybersecurity professionals in the United States reported that their organizations are fully prepared to handle AI-enhanced attacks in 2025.

43% of cybersecurity professionals in the United Kingdom reported that Multi-Factor Authentication (MFA) is not consistently enforced for privileged accounts in 2025.

40% of cybersecurity professionals in the United States reported that Multi-Factor Authentication (MFA) is not consistently enforced for privileged accounts in 2025.