Cyber Resilience
December 4, 2025

The Confidence Illusion: What Our 2025 Benchmark Report Reveals About True Readiness

Cyber Resilience Strategy
Contributors
Sr Director, Cyber Resilience
Immersive

A cyber attack is not a scheduled meeting. It doesn’t respect business hours, wait for your key stakeholders to be available, or follow a familiar script. A real attack is a chaotic, high-stress, and fundamentally human event.

So why do we prepare for it with a scheduled, low-stress, theoretical discussion?

For decades, the tabletop exercise has been the gold standard for testing an incident response plan. We gather in a conference room, walk through a PowerPoint, and discuss a hypothetical scenario. At the end, we get an after-action report that looks remarkably similar to the one from last year, highlighting the same gaps in process, and we high-five and walk away feeling confident.

But this confidence is built on a foundation of sand. It’s a dangerous illusion. Theoretical exercises test your plan, but they completely fail to test your people. And in a real crisis, it’s the performance of your people—under pressure, with real tools, in the face of chaos—that determines the outcome.

How do we know? We’ve been measuring the massive gap between what teams think they can do and what they actually do.

The Confidence-Capability Gap

Immersive recently released the 2025 Cyber Workforce Benchmark Report. This research combines findings from a new industry-wide survey of 500 cybersecurity leaders with performance data from millions of real-world exercises on our platform.

The primary finding is unsettling: we are facing a massive confidence-capability gap.

Our survey shows that confidence is soaring. Nearly all organizations believe they can effectively handle a major incident. Yet, our platform data shows that actual performance has completely stalled. Resilience scores and incident response times have flatlined.

This blog is the first in a series dedicated to unpacking why this gap exists. And it all starts with the most fundamental pillar of readiness: Prove.

The Prove pillar is our model for measuring cyber resilience. It’s built on a simple idea: you cannot claim a capability you have not demonstrated. A theoretical exercise, like a tabletop, doesn't prove anything. It’s an audit of your plan. A realistic, hands-on drill is an audit of your performance.

The Harsh Reality of a Live-Fire Drill

When we move teams from the comfortable conference room to a high-pressure "live-fire" simulation, the illusion of readiness shatters. The 2025 Benchmark Report is filled with this data, but a few points stand out.

We conducted a global defensive range benchmark, putting 29 different organizations into a realistic, high-pressure ransomware scenario. These are mature teams that, by all traditional metrics, should have excelled.

The results were a wake-up call:

Average team accuracy against the attack was just 22%.

Let that sink in. This isn't a knowledge gap; it’s a performance gap. It’s the chasm between "knowing" the playbook and being able to execute it under stress, with real tools, against a live adversary.

The failure isn't just in the SOC. In fact, the most critical breakdowns we see are in human decision-making.

A technical drill can test if your team can find and stop malware. But what happens when the exercise simulates a $5 million ransom demand, a leaked legal document, or a call from The Wall Street Journal?

This is where true resilience is proven, and it’s where most organizations are weakest. Our crisis simulation data reveals a consistent and dangerous pattern: teams consistently underperform in critical human-centric decisions, especially in areas like legal mediation and resource management.

But here is perhaps the most alarming finding of all: participants were paradoxically most confident in the exact areas where they performed the worst.

This is the confidence-capability gap in its most dangerous form. Your team isn't just failing; they are confidently failing. They are acing the tabletop and walking away with a false sense of security that will get them crushed in a real incident.

Stop Discussing and Start Proving

As cyber leaders, we have a responsibility to close this gap. We must stop measuring activity and start measuring ability. Stop reporting training completion and start reporting team accuracy under pressure. It’s a common refrain: cybersecurity is everyone's responsibility and is no longer the exclusive domain of technologists. It’s time to start acting like it by preparing our organization to be ready.

The goal is not to pass a tabletop. The goal is to prove, through evidence, that your entire organization, from the SOC to the C-suite to the Legal department, can perform their duties during a high-stakes cyber crisis.

Your board and your executive team think you're ready. It's time to find out if you really are. The only way to do that is to turn the lights on, step out of the conference room, and face a live-fire drill.

Download the full 2025 Cyber Workforce Benchmark Report to get the complete data and insights. In our next post, we’ll explore the Improve pillar and why simply "practicing more" isn't the answer.
