New report from cybersecurity validation startup Picus Security reveals that nearly half of enterprise environments had at least one password cracked during testing, a dramatic increase from last year and that attacks using valid credentials succeeded 98% of the time. The report details a worrying decline in defensive performance, with overall prevention effectiveness dropping from 69% in 2024 to 62% this year. Data exfiltration prevention rates were also found to have fallen to just 3%, down from 9% last year, making it the least prevented attack vector for the third year in a row. On the ransomware front, BlackByte was found to remain the hardest ransomware to stop, with only a 26% prevention rate, followed by BabLock at 34% and Maori at 41%. Discovery tactics such as System Network Configuration Discovery and Process Discovery were blocked less than 12% of the time, underscoring persistent blind spots in early detection. Detection performance was found to remain a weak link as while log coverage held steady at 54%, only 14% of simulated attacks generated alerts. 50% of detection rule failures stemmed from logging issues, with other problems tied to configuration errors and performance bottlenecks. Domain administrator compromises fell from 24% to 19% and access to domain admin accounts dropping from 40% to 22%, reflecting stronger lateral movement defenses and better network segmentation. MacOS endpoint security was also saw rapid improvement, jumping from 23% to 76% prevention effectiveness, outpacing Linux at 69% and closing in on Windows at 79%.