Are You Training for a Fight That’s Already Over?

In our previous post, we explored the Confidence Illusion, the dangerous gap between how ready organizations feel and how ready they actually are. But as a threat researcher, I want to dig into why this is happening. Yes, teams are overestimating their skills, but they’re also often practicing the wrong ones entirely.
Preparing for yesterday’s threats won’t stop tomorrow’s attacks. Yet, the data from our 2025 Cyber Workforce Benchmark Report reveals a stark reality: many organizations are effectively training for a fight that is already over. While attackers are weaponizing AI and laying the groundwork for quantum decryption, defenders are still running the same playbooks for vulnerabilities that made headlines years ago.
So while a workforce might be technically proficient against certain known threat actors and their tactics, it remains dangerously unpracticed for the future.
The Comfort of the Familiar
We’re only human, and we practice what we know. It feels good to run a drill and see green checkmarks across the board. This desire for validation is driving a worrying trend in cyber readiness: a fixation on legacy threats.
Our data shows that 60% of training exercises still focus on vulnerabilities that are more than two years old, such as Log4Shell (2021) and SaltStack (2020). Don't get me wrong, these are still relevant and unpatched systems do exist. But if your team’s primary measure of readiness is how fast they can patch a known vulnerability from 2021, you aren't preparing them for 2026. You’re preparing them for a history exam.
This backward-looking approach contributes directly to the stagnation we’re seeing in resilience scores. The median response time to new Common Vulnerabilities and Exposures (CVEs) has stalled at 17 days. In a world where threat actors can reverse-engineer a patch and weaponize an exploit within hours, 17 days is an eternity.
The Post-Exploitation Blind Spot
We found that teams are heavily over-indexing on early-stage tactics like Initial Access and Defense Evasion. These are the "loud" parts of an attack: the phishing email, the firewall alert. But the data shows a critical lack of practice in the phases where the real damage happens: Collection and Command & Control (C2).
This creates a dangerous blind spot. We are raising a generation of defenders who are excellent at spotting a burglar trying to pick the lock, but have no idea what to do once the burglar is already inside the house. If an attacker bypasses the perimeter (and they will), teams that haven't practiced post-exploitation scenarios are left scrambling to understand how data is being staged for exfiltration or how C2 beacons are blending with legitimate traffic.
The Emerging Threat: AI and the Speed of Exploitation
While we practice against yesterday’s threats, the adversary is evolving. The most significant shift we are seeing isn't just new malware; it's the speed and scale of it, enabled by AI.
Attackers are already using LLMs to generate polymorphic code, automate vulnerability scanning, and craft socially engineered phishing campaigns that are indistinguishable from legitimate communication.
Our data uncovered a paradox here: Veteran practitioners often struggle more with these novel threats than newcomers. Experienced pros rely on pattern recognition built over years. When AI generates an attack that breaks those established patterns, that tendency can become a liability. If your training program doesn’t force your senior analysts to confront AI-generated anomalies or adversarial machine learning tactics, their "expert" status offers a false sense of security.
The Quantum Horizon: Harvest Now, Decrypt Later
Looking slightly further ahead, we face the quantum threat. It’s easy to dismiss quantum computing as a 2030 problem, but for threat researchers, the risk is already here.
Nation-state actors are currently operating on a "Harvest Now, Decrypt Later" strategy: stealing encrypted data today to unlock it once quantum computing breaks current encryption standards (like RSA).
Training for this doesn't require teaching every analyst quantum physics, but rather making sure teams remain agile. Can your team identify where your most sensitive encrypted data lives? How quickly could you rotate encryption keys or migrate to post-quantum algorithms if a standard was broken tomorrow? If you are still struggling to patch a 2020 vulnerability, the answer is likely "not fast enough."
Move Beyond the Check-the-Box Mindset
The 2025 Benchmark Report makes one thing clear: Compliance is not capability. Ticking a box that says "Drill Completed" means nothing if the drill didn't challenge your team with modern realities.
To close the gap, organizations need to shift their philosophy:
- Balance the Diet: Keep the fundamentals, but ensure at least 50% of your training focuses on threats from the last 12 months.
- Practice the "Boom": Spend more time on post-compromise scenarios. Assume the breach has happened—now stop the bleeding.
- Simulate the Future: Regularly test your teams against AI-driven scenarios and novel attack vectors that break standard playbooks.
You cannot rely on muscle memory for a fight you’ve never experienced. It’s time to stop re-fighting the wars of the past and start preparing for the reality of the present.
Download the full 2025 Cyber Workforce Benchmark Report to see the complete data on emerging threats and readiness gaps.