Recent analysis by Immersive highlights a significant gap between perceived confidence and actual capability in cybersecurity resilience.
Despite increased investments, enhanced board scrutiny, and comprehensive training programs, organisations' preparedness has shown minimal improvement.
Although most organisations express confidence in managing major security incidents, data from Immersive suggests otherwise.
Cybersecurity confidence vs. capability
According to Immersive's research, decision accuracy averages a low 22%, and containment times are typically around 29 hours. Despite expectations of improved Resilience Scores, these have remained flat or decreased by an average of 3% since 2023.
James Hadley, Immersive's Founder and Chief Innovation Officer, said, "Readiness isn’t a box to tick, it’s a skill that’s earned under pressure... True resilience comes from continuously proving and improving readiness across every level of the business."
Key findings on readiness
Immersive's report identifies several systemic issues affecting cybersecurity preparedness. These issues highlight gaps where confidence does not match capability, marking areas for improvement.
For example, while 94% of organisations believe they can detect and respond to major incidents, the data shows that teams achieve only 22% decision accuracy in simulations, with containment taking an average of 29 hours.
Despite heightened investment and oversight, response times and Resilience Scores have not progressed.
Outdated training practices
Training methods appear misaligned with current threats. A significant 60% of training focuses on vulnerabilities over two years old, leading to outdated preparedness. As a result, teams are over-prepared for past threats while under-prepared for emerging ones.
Most training exercises are at the fundamental level, which limits teams' progression to more complex readiness stages. This stagnation in training maturity results in organisations mastering obsolete tactics while newer threat methodologies emerge.
Integration of non-technical roles
The research shows that only 41% of organisations involve non-technical roles such as Legal and HR in their simulations, despite 90% believing their cross-functional coordination is strong.
The absence of rehearsed multi-functional collaboration tends to slow response times and magnify the impact during actual crises.
Effective readiness requires coordinated efforts across an organisation, not just within technical security teams.
Navigating new threats
Veteran security practitioners tend to perform well in familiar incident-response scenarios, with around 80% accuracy. However, they struggle against novel attacks, such as those enabled by AI.
Participation in AI scenario labs by senior staff has dropped by 14% year over year, revealing an adaptability gap. James Hadley commented, "Experience teaches what to do next, until the next thing has never happened before... seasoned teams must evolve as fast as the threats they face."
Methodology behind the findings
Immersive's findings are based on a survey commissioned with Osterman Research, involving 500 cybersecurity practitioners from the U.S. and U.K., conducted between August and September 2025.
Additionally, the analysis utilises anonymised performance data from the Immersive One platform and results from the "Orchid Corp" crisis simulation. The latter involved 187 professionals participating in 11 drills across nine cities, measuring performance in real-world scenarios.
Immersive, the pioneer in cyber resilience, is revealing a widening gap between confidence and capability in cybersecurity. Despite record investment, heightened board oversight, and nonstop training, measurable readiness has flatlined. While nearly every organisation believes it can handle a major incident, the data tells a different story.
According to Immersive’s analysis, average decision accuracy is just 22%, and the average containment time is 29 hours. Meanwhile, Resilience Scores remain statistically flat to lower year-over-year (with an average decline of -3%) since 2023, showing that belief in preparedness continues to outpace proven performance.
“Readiness isn’t a box to tick, it’s a skill that’s earned under pressure,” said James Hadley, Founder and Chief Innovation Officer at Immersive. “Organisations aren’t failing to practice; they’re failing to practice the right things. True resilience comes from continuously proving and improving readiness across every level of the business, so when a real crisis hits, your confidence is backed by evidence, not assumption.”
Most significant findings
The findings reveal that readiness breaks down in predictable ways. From how teams measure success, to what they choose to practice, and who they involve in the process, Immersive’s data exposes systemic patterns that prevent organisations from achieving demonstrable resilience. These are the fault lines where confidence diverges from capability, and where the work to truly be ready must begin.
Among the report’s most significant findings:
Confidence without capability
- 94% of organisations believe they could effectively detect, respond to, and recover from a major incident.
- In practice, teams achieved only 22% decision accuracy and took 29 hours to contain simulated attacks.
- Resilience Scores have remained statistically flat since 2023, and the median response time of 17 days to complete the latest cyber threat intelligence labs hasn’t improved despite increased spending and executive oversight. Confidence is climbing. Capability isn’t.
Practicing the past
- 60% of all training still focuses on vulnerabilities more than two years old, leaving teams overprepared for yesterday’s threats.
- The most common exercises remain fundamental-level labs (36%), limiting progression into intermediate and advanced readiness.
- The result: stalled maturity and shrinking adaptability as organisations master outdated playbooks while new attack techniques evolve.
Excluding the business
- Only 41% of organisations include non-technical roles (such as Legal, HR, Communications, or Executives) in simulations, even though 90% believe cross-functional coordination is strong.
- The data proves otherwise: when crises hit, unpracticed collaboration slows response and amplifies impact.
- True readiness demands rehearsed coordination across every function, not just the security team.
New risks, old habits
- Veteran practitioners outperform newcomers on known threats, achieving roughly 80% accuracy in classic incident-response labs.
- But when faced with AI-enabled or novel attacks, those same experts lag behind. Senior participation in AI-scenario labs dropped 14% year over year, exposing a growing adaptability gap as adversaries weaponise AI.
“Experience teaches what to do next, until the next thing has never happened before,” added Hadley. “Even the most seasoned teams must evolve as fast as the threats they face.”
Methodology
Immersive’s report draws from:
- An Immersive-commissioned survey with Osterman Research of 500 cybersecurity pioneers and practitioners in the U.S. and U.K. (August–September 2025), capturing how organisations perceive and measure readiness.
- Anonymised performance data within the Immersive One platform (July 2024–June 2025), representing millions of hands-on labs across industries.
- Results from Immersive’s “Orchid Corp” crisis simulation, involving 187 professionals across 11 drills in 9 cities, measuring real-world decision-making and containment under pressure.
- Analysis of the Immersive Resilience Score, a benchmark that quantifies readiness across people, process, and technology by measuring decision accuracy, response time, framework alignment, and adaptability to new threats. The score applies to all Immersive users, subject to eligibility, as customers must have the relevant product to be evaluated on each corresponding factor.