HTB's 2025 benchmark tested 796 security teams. Only 21% passed web security challenges.
Security certifications line your walls. Compliance audits come back clean. Your team assures leadership that web applications are secure. Everything looks good on paper.
Then comes the test. Hack The Box's 2025 Global Cyber Skills Benchmark put 796 corporate security teams through real-world scenarios mirroring actual attacker methodologies. These weren't fresh graduates or understaffed IT departments. These were elite corporate teams with dedicated security professionals, competing for significant prize money, motivated to demonstrate their capabilities. The result reveals an uncomfortable truth about the gap between security theater and security capability: only 21.1% could successfully identify and mitigate common web vulnerabilities under test conditions.
This performance gap matters because it exposes a systemic failure in how organizations build and measure security capability. We've created an industry where passing compliance audits and earning certifications has become divorced from the ability to defend against real attacks. The implication? Most organizations are operating under a dangerous illusion of security, validated by credentials that don't correlate with defensive capability when it counts.
The benchmark brought together 4,549 security professionals from companies across the globe. These were corporate teams competing for $50,000 in prizes, facing 66 challenges across 16 technical categories.
21.1% Web security challenge solve rate
18.7% Secure coding challenge solve rate
21.3% Cloud security challenge solve rate
Web applications have become the primary attack surface for modern businesses. Industry data consistently shows that application-layer vulnerabilities account for the majority of successful breaches, yet the benchmark reveals that even motivated security professionals struggle to identify these flaws under test conditions. The secure coding score of 18.7% is particularly revealing. Education's 0% performance in this category exposes a fundamental problem: we're training tomorrow's developers without embedding security as a core competency. The result is a continuous cycle where vulnerabilities are architected into systems from inception, only to be discovered in production when attackers find them first.
The performance patterns across industries reveal an uncomfortable disconnect between investment, regulation, and actual security capability:
Healthcare (15.6%): Despite HIPAA compliance requirements and significant security spending, healthcare organizations demonstrate below-average defensive capability. The complexity of legacy systems integrated with modern applications creates attack surfaces that compliance frameworks don't adequately address. When patient data breaches occur, it's rarely because organizations lacked compliance documentation.
Finance (19.2% web, 10.1% blockchain): Financial institutions operate under the heaviest regulatory scrutiny in business, yet barely outperform the overall average. The blockchain score is particularly telling. Organizations have invested heavily in emerging technology without building corresponding security expertise. Regulation creates minimum baselines; it doesn't build capability.
Retail (20.3%): Slightly above average, but consider the implications. One in five retail security professionals can identify common web vulnerabilities. The other four can't reliably protect the payment systems and customer data that represent the business's trust foundation.
Education (7.8% web, 0% secure coding): The institutions training tomorrow's technology workforce demonstrate the weakest performance. This isn't just ironic; it's structurally problematic. We're perpetuating skill gaps at the source.
Energy & Utilities (6.7%): Critical infrastructure operators demonstrate the lowest web security capability. These organizations protect systems where security failures have physical-world consequences beyond data breaches, yet show the weakest performance in defending web-accessible interfaces to operational technology.
The pattern is clear: traditional security approaches based on compliance, tool acquisition, and certification don't translate to defensive capability when tested against realistic attack scenarios. Organizations across every sector are investing in security without building the practical skills needed to apply it effectively.
Security certifications have become currency in hiring and advancement, yet they predict nothing about an individual's ability to identify and mitigate actual vulnerabilities. The disconnect is structural: certifications test knowledge retention and theoretical understanding through multiple-choice formats. The HTB benchmark tested applied skill under conditions mirroring how real attacks unfold. Attackers don't present multiple-choice questions. They probe, experiment, iterate, and exploit. Organizations have built hiring, training, and advancement structures around credentials that validate the wrong things.
This creates a perverse incentive structure. Security professionals optimize for certification acquisition because that's what employers reward. Employers rely on certifications because they need some basis for evaluating candidates. Everyone operates rationally within a system that produces teams capable of passing exams but struggling with the practical application of security principles under realistic conditions.
The 18.7% secure coding solve rate exposes a gap between security rhetoric and reality. Every organization claims to practice DevSecOps and shift security left in the development lifecycle. The benchmark results suggest most of this is aspirational rather than operational. Secure coding isn't a tool you integrate into your pipeline. It's a competency that must be developed in your development team. Most organizations have implemented security automation without building security capability.
The result is predictable: automated tools identify vulnerabilities, but developers lack the expertise to properly evaluate false positives, understand attack vectors, or architect resilient solutions. Security becomes a checkbox in the CI/CD pipeline rather than a practice embedded in how teams think and work. Vulnerabilities introduced during development are exponentially more expensive to remediate in production, and they represent systemic risk because they reflect fundamental gaps in how teams approach building software.
The OWASP Top 10 has been publicly available and widely referenced for nearly two decades. These aren't zero-day vulnerabilities requiring sophisticated exploitation techniques. They're well-documented, frequently discussed, common vulnerability patterns. The benchmark essentially asked: can your security team identify and mitigate the most predictable, well-known vulnerabilities that attackers routinely exploit? For most organizations, the answer is no.
This failure has direct business implications. Retail teams scoring 20.3% means one in five can identify vulnerabilities in payment processing flows or customer data handling. The other four can't, which means security reviews likely miss exploitable flaws. Financial institutions at 19.2% means online banking platforms, mobile apps, and transaction systems undergo security assessments by teams that miss common vulnerabilities four times out of five. Healthcare at 15.6% means patient portals, electronic health records integrations, and medical device interfaces likely contain exploitable vulnerabilities that internal security reviews don't catch.
Organizations invest in security tools, hire security professionals, conduct security reviews, and maintain compliance. Yet when tested on the ability to identify common, well-documented vulnerabilities under realistic conditions, most teams fail. The problem isn't lack of investment. It's misallocation of investment into credentials, tools, and processes that don't build the practical skills required to defend against actual attacks.
The benchmark data reveals that top-performing organizations approach security fundamentally differently from their peers. The gap isn't about budget, tools, or headcount. It's about how they build and validate capability. Organizations in the top quartile share common characteristics that distinguish them from the average performers struggling with basic vulnerability identification.
Top performers moved beyond using certifications and compliance as proxy measures for security capability. They implemented performance-based validation that tests whether their teams can actually identify and mitigate vulnerabilities under realistic conditions. This shift from credential-based to capability-based assessment changes how organizations invest in security talent development. When you measure practical skill application instead of certification completion, you optimize for different outcomes.
The concept of Continuous Threat Exposure Management (CTEM) reflects this philosophy. Rather than treating security validation as a periodic event (annual penetration tests, quarterly scans), high performers maintain continuous assessment cycles that validate defensive capability against evolving attack techniques. This creates feedback loops where teams learn from realistic scenarios and develop practical pattern recognition that translates to improved defensive performance.
The secure coding performance gap reveals where most organizations fail: at the source. Top performers recognized that security team training doesn't fix vulnerabilities introduced during development. They invested in building security competency within development teams themselves. This isn't about tools or automation. It's about developing developers who understand security as a core aspect of their craft, not an external constraint imposed by the security team.
This requires fundamentally different approaches to developer education. Instead of one-time security awareness training, high performers provide regular, hands-on practice with security scenarios relevant to the applications teams actually build. Security becomes part of the development feedback loop rather than a gate at the end of the process. Code reviews explicitly evaluate security implications. Architecture discussions include threat modeling. Security expertise diffuses throughout the development organization rather than remaining concentrated in a separate security team.
The HTB 2025 Global Cyber Skills Benchmark accomplished something rare: it measured actual defensive capability under realistic conditions rather than accepting credentials and compliance as proxies. The results reveal an uncomfortable gap between how organizations think about security and the practical reality of their defensive capabilities. This gap matters because attackers don't care about your compliance posture or your team's certifications. They care about whether your defenses can detect and respond to exploitation attempts.
Start measuring practical ability instead of credentials. The correlation between certifications and defensive capability is weak at best. Organizations need assessment methods that test whether teams can identify and mitigate real vulnerabilities under realistic conditions. This doesn't mean abandoning certifications entirely, but it does mean recognizing them as baseline knowledge indicators rather than capability predictors. Build evaluation and advancement criteria around demonstrated skill application.
Invest in capability development, not just tool acquisition. Security tools are valuable, but they're only as effective as the teams operating them. High performers in the benchmark didn't succeed because they had better tools. They succeeded because their teams had developed pattern recognition and practical skills through continuous practice against realistic scenarios. Shift training budgets from certification bootcamps to hands-on practice environments where teams can safely fail, learn, and develop intuition about security.
Build security competency where vulnerabilities are introduced. The 18.7% secure coding score shows that most organizations haven't successfully diffused security expertise into their development teams. Security can't remain the exclusive domain of a separate security team. Development teams need embedded security competency. This requires changing how developers are educated, how code is reviewed, how architecture is evaluated, and how success is measured. Make security capability part of what it means to be a developer, not an external constraint developers work around.
Web applications have become the primary interface between businesses and their customers, partners, and operations. Application security isn't an IT concern; it's a business continuity issue with direct implications for revenue, reputation, and regulatory exposure. Organizations that continue operating under the illusion that compliance equals security will continue experiencing the gap between their security theater and their actual defensive capability.
The benchmark data suggests most organizations are operating in this gap. The difference between high performers and average organizations isn't resources or budget. It's a fundamental difference in how they approach building and validating security capability. Moving from average to high performance requires acknowledging that traditional approaches (certifications, compliance, tool acquisition) don't build the practical skills required to defend against real attacks.
The opportunity is significant. Organizations that invest in building genuine defensive capability rather than just accumulating security credentials will develop competitive advantages. They'll ship more secure products, respond more effectively to incidents, make better architecture decisions, and reduce the business risk that comes from having security teams that can't reliably identify common vulnerabilities.
The choice is whether to continue optimizing for compliance and certifications while accepting the capability gap, or to embrace the harder work of building practical security skills throughout your organization. Attackers are betting most organizations will choose the former. The benchmark data suggests they're probably right.
Suzu Labs specializes in web application security assessments and penetration testing that go beyond compliance. We measure real defensive capability through performance-based validation.
1. https://www.hackthebox.com/business/reports/cyber-skills-benchmark-2025