Main attack vectors found by penetration testers are not perceived as essential elements contributing to cybersecurity professionals’ perception of the security maturity of their organization.

La Jolla, CA – GoSecure, a leading provider of Managed Detection and Response (MDR) services and a predictive Endpoint Detection and Response (EDR) platform, today released a new research report, Cybersecurity Perceptions Versus Reality, which revealed a disconnect between defenders’ perceptions of how best to protect their organizations, what has been implemented, and what is needed based on what GoSecure penetration testers see in the real world.

“This report illustrates what cybersecurity professionals perceive as important to an organization’s overall security maturity,” said Neal Creighton, CEO of GoSecure. “It also highlights that the reality of what is implemented can be vastly different. The perceptions of what is important align well for defending some of the most common attack techniques used by penetration testers. Yet our pentesters continue to identify missing controls or highlight critical findings related to each survey topic.”

To distinguish perception from reality, GoSecure’s research team developed a survey in collaboration with Serene-risc, a knowledge mobilization network in cybersecurity. The survey focused on the importance of specific security measures or controls and whether they are implemented. Security measures called out in the survey include multi-factor authentication, password policies, specific security measures, patch management, products’ features enabled by default, asset inventories, and endpoint visibility. The results of the survey were then cross-referenced against findings from the GoSecure penetration testing team.

Key findings include:

  • Multi-Factor Authentication is valued by security professionals, as 93% of survey respondents rated MFA as “important” or “very important.” Unfortunately, only 47% have fully implemented MFA, with 13% having zero MFA. GoSecure penetration testing identified MFA as a missing control in 36% of engagements.
  • Password Policies are well established but vary in complexity. Passwords over six characters in length are supported by 56.3% of respondents, while 74.8% said that passwords need to be a mix of letters, numbers, and special characters. However, the requirement for regular password changes was mixed with 43.7% saying it is important and 43.7% disagreeing. Interestingly, 40% of respondents have not, or have only partially, implemented their perceived “ideal” password policy. And for all the talk of password policies and complexities, GoSecure penetration testers are still successful 25% of the time cracking passwords using password spraying, a fairly basic password cracking technique.
  • Patch Management is rated as “important” or “very important” by 90% of respondents. The reality, though, is that 52.6% of respondents say it takes weeks, months, or even years to apply patches. GoSecure penetration testing experience highlighted that while Microsoft Windows patching was generally well managed owing to the abundance of free tools, this is not the case for the rest of the line-of-business applications. Crucial applications, such as Java, Flash, or non-Microsoft browsers, are usually less well maintained and account for many vulnerabilities.

Overall, the report concludes that although there are concerted efforts in the industry to protect systems, significant security gaps continue to exist. In addition to highlighting the disconnects, the report includes actionable insights and pro tips from GoSecure pentesters to remedy the security gaps uncovered in the research.

“Cybersecurity teams are under constant pressure, and, as this report illustrates, sometimes the simplest changes are missed,” Creighton continued. “As a member of the cybersecurity community, we are proud to offer this insight along with actionable recommendations. Every small step incrementally increases an organization’s security maturity, which, ultimately, is required to stay ahead of today’s attackers.”

 




About GoSecure
GoSecure is a recognized cybersecurity leader, delivering innovative managed security solutions and expert advisory services. GoSecure Titan® managed security solutions deliver multi-vector protection to counter modern cyber threats through a complete suite of offerings that extend the capabilities of our customers’ in-house teams. GoSecure Titan Managed Detection & Response (MDR) offers a best in class mean-time-to-respond, with comprehensive coverage across customers’ networks, endpoints and inboxes. For over 10 years, GoSecure has been helping customers better understand their security gaps, improve organizational risk and enhance security posture through advisory services provided by one of the most trusted and skilled teams in the industry.

    Media Contact

      info@gosecure.net
