Organisations are investing heavily in cyber security, yet many are still judging success by the wrong measures. That is the central finding of a new global survey from cyber security company Horizon3.ai. The report is based on a survey of 750 IT security professionals across Europe and the United States, including both senior security leaders and frontline practitioners. It was commissioned to examine the gap between executive confidence and operational reality.
The findings suggest many organisations continue to treat busy security programmes as evidence of security. Assets are scanned, alerts are generated, patches are deployed and dashboards are updated. Yet these activities do not always confirm whether exploitable weaknesses have been removed or whether defences would withstand real-world attacker behaviour.
High confidence but limited validation
The report, titled The State of Assumed Security 2026, suggests that confidence in existing controls is high among senior decision-makers. According to the survey, 93% of CISOs say they could demonstrate that their organisation had taken reasonable, validated steps to prevent a breach. Meanwhile, 97% are confident their endpoint protection would detect lateral movement or privilege escalation, while 96% believe their Security Operations Centre (SOC) could identify an attacker operating inside the environment.
However, day-to-day operational practice tells a different story. Only 30% of CISOs say their organisations patch vulnerabilities and then test to confirm that risk has been properly remediated. Nearly half patch systems and simply rerun a vulnerability scanner instead. Just 12% report validating the effectiveness of their Endpoint Detection and Response (EDR) tools within the past three months, while only 26% use red team exercises or penetration testing to assess the detection capability of their SOC. Among frontline practitioners, one third assume scanner findings are accurate without further testing, while 17% do not validate findings at all.
Deliberate shift in behaviour - Proof over assumption
Horizon3.ai says the study points to a wider shift in cyber security priorities. In the future, success will be defined less by how many controls or actions are implemented, and more by whether those measures can be shown to work in practice. Organisations now face the challenge of aligning security strategies more closely with realistic attack scenarios and regularly testing whether their systems can withstand them.
As the report concludes: The findings do not point to a lack of effort. Security programmes are active, instrumented, and increasingly automated. The gap lies in confirmation. Security maturity depends on how clearly organisations can demonstrate that their actions reduce real exposure. Moving from assumed security to demonstrated resilience requires deliberate shifts in behaviour.






















