Semperis, a provider of AI-powered identity security and cyber resilience, published results from the 2025 Purple Knight Report indicating that organisations continue to struggle to identify and address security vulnerabilities in hybrid identity systems such as Active Directory, Entra ID, and Okta.
Notably, the average score of 61 out of 100 is 11 points lower than the average score of 72 in the 2023 report. But users reported an average improvement of 21 points - and as high as 61 points - after applying Purple Knight’s remediation guidance, developed by Semperis identity security experts.
Purple Knight score averages
Purple Knight score averages were highest among the largest organisations
Purple Knight score averages were highest among the largest organisations (10,000+ employees), with an average score of 73, and the smallest companies (0-500 employees), with an average score of 68 out of 100.
“The largest organisations have more resources, and the smallest organisations often have less-complicated environments to secure,” said Sean Deuby, Semperis Principal Technologist, Americas.
Organisations with between 2,001 and 5,000 employees averaged a score of 52, the worst overall, highlighting the dilemma faced by midsized organisations with complex systems and limited resources for addressing AD security problems.
“The midsized companies are where the IT pros have to do everything. You don’t have full-time AD specialists,” said Deuby.
Lowest scores in AD infrastructure category
The scores were lowest in the AD Infrastructure category, followed by Account Security
Among the six categories of vulnerabilities included in Purple Knight, the scores were lowest in the AD Infrastructure category, followed by Account Security, Kerberos, Group Policy, Entra ID, and Okta.
“Hybrid identity environments are complex, and threat actors know it. Overall, organisations can’t protect what they can’t see. The lower average scores in the 2025 Purple Knight Report indicate how crucial it is for companies to proactively assess vulnerabilities across their hybrid identity systems so they can close security gaps before attackers exploit them,” said Deuby.
“Purple Knight gives organisations of all sizes the ability to identify vulnerabilities and remediate them before risks become damaging losses because of a compromise.” Among industries, the government sector scored the lowest average score of 46, followed by retail at 51 out of 100 and transportation and education at 57 out of 100. Healthcare averaged a score of 66, still poor, but the highest among all verticals.
Value of Purple Knight
Although many users were dismayed by their initial low scores, they applied Purple Knight’s remediation guidance, developed by Semperis AD security experts, to improve their security posture scores by an average of 21 points from their initial score to their top score.
- “My company has launched a multi-year project to reorganise the environment, which currently consists of about 30 AD forests. Using Purple Knight to scan those environments helps us understand what might break in our permissions structure or what open security vulnerabilities we need to fix.” —Bob G., infrastructure team lead at a global shipping company
- “We suffered an attack that compromised some of our systems, and we thought we were pretty secure in terms of Active Directory. We learned a lot from that event. Out of curiosity, I ran Purple Knight on the environment, and I found a new world of stuff to fix.” —Jose G., global administrator at an IT services company
- “I do a pretty good job. And we haven’t been breached. But then you see the D-minus on your report card and it’s like, wow. There are some things we could do better.” —Eric M., senior identity engineer, global printing company
Understand how converged physical and cybersecurity systems can scale protection.
