Cyber chiefs trust controls, but few have tested them

Horizon3.ai has published research highlighting a gap between confidence in cyber defences and recent validation of those controls. The survey suggests senior security leaders often rely on assumed security.

For its report, The State of Assumed Security, the company surveyed 750 security leaders and practitioners across Europe and the US. It found that 97% of chief information security officers believe their security controls would detect lateral movement or privilege escalation, yet only 12% said those controls had been validated within the past three months.

The figures also showed weak follow-through after patching. Just 30% of respondents said they test whether vulnerabilities have actually been eliminated after patches are applied.

The findings suggest many organisations still judge cybersecurity work by operational activity such as scanning, patching and ticket closure, rather than by whether an attacker could still move through systems and compromise assets. That distinction has become more urgent as artificial intelligence is used to speed up reconnaissance, exploitation and attack automation.

Validation gap

The research adds to a wider debate in the cybersecurity market over whether traditional testing cycles are keeping pace with faster, more automated attack methods. Security teams have long relied on periodic assessments, vulnerability scans and patch management programmes, but those processes do not always show whether a real attacker could still exploit a path into critical systems.

The issue is not necessarily a lack of controls, but a lack of recent proof that those controls work in practice. The survey results indicate a mismatch between executive confidence and the evidence available to support it.

Horizon3.ai is using those findings to support its position on proactive security testing. Its main product, NodeZero, is designed to simulate attacker behaviour to identify exploitable pathways across an organisation's environment and verify whether remediation has closed them.

Horizon3.ai describes NodeZero as an AI hacker and says it is used by large companies, banks, pharmaceutical groups, semiconductor manufacturers and critical infrastructure operators. More than 5,500 customers have carried out over 250,000 production-safe penetration tests using the platform, according to the company.

AI pressure

The report comes against a security backdrop in which AI tools are reducing the time and effort needed to prepare and launch attacks. In practice, that means defenders are under pressure not only to detect incidents more quickly, but also to check continuously whether known weaknesses remain exploitable.

That shift is changing the language used by suppliers and practitioners alike. Rather than treating security as a static control framework, firms increasingly argue that organisations need repeated validation of the attack paths available to an adversary.

Dan Bird, Field CTO, EMEA at Horizon3.ai, is one of the company's senior executives advancing that argument. He is set to discuss how AI is changing both offensive and defensive cyber tools, focusing on the idea that security is becoming a contest between automated attack methods and automated defensive validation.

His presentation will examine how attackers are already using AI to automate reconnaissance and accelerate exploitation. It will also address why many organisations still depend on human-led testing models that may struggle to keep pace.

Market context

Horizon3.ai operates in a crowded cybersecurity sector, where vendors are competing to define the next phase of testing and exposure management. The company was founded by former US Special Operations members and industry specialists and is headquartered in San Francisco.

Its customer references include four of the Fortune 10, according to Horizon3.ai. Those claims reflect a strategy focused on large enterprises and highly regulated sectors, where the cost of undetected weaknesses can be severe.

The report comes at a time when boards and security leaders face growing scrutiny over whether cyber spending is delivering measurable reductions in risk. Confidence in controls may still be high, but the survey suggests many organisations have not checked recently enough whether those controls would withstand an actual intrusion attempt.

For security teams, the practical challenge is less about adding another dashboard and more about establishing whether an attacker can still chain together weaknesses despite patching and monitoring tools. The survey's central finding is that many believe they are protected, while far fewer have tested that assumption in recent months.