SIEM Detection Failures Highlighted in Picus Blue Report 2025
Summary
The Picus Blue Report 2025, based on over 160 million attack simulations, finds that organizations detect only 1 out of 7 simulated attacks. The gaps are driven mainly by log collection failures, misconfigured detection rules, and performance problems, and they leave networks open to compromise, privilege escalation, and data exfiltration. The report identifies log source coalescing, unavailable log sources, and inefficient filtering as major contributors to SIEM rule failures, and concludes that SIEM rules need continuous validation to stay effective against evolving threats. It also shows that prevention effectiveness dropped from 69% to 62% in one year, that 54% of attacker behaviors generated no logs at all (so entire attack chains unfolded with zero visibility), that only 14% of attacker behaviors triggered alerts, and that data exfiltration was stopped just 3% of the time, leaving that critical stage effectively unprotected. The report argues for Breach and Attack Simulation (BAS) as the way to validate security defenses continuously.
Timeline
- 26.09.2025 14:22 · 1 article
BAS Validation Highlighted as Critical for Security Defenses
The article emphasizes the importance of Breach and Attack Simulation (BAS) in validating security defenses: BAS turns security from assumptions into measurable outcomes, providing proof of defense rather than just posture. It describes how BAS reduces false positives, shortens remediation times, and gives executives a validated picture of risk.
Sources:
- Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions — thehackernews.com — 26.09.2025 14:22
- 25.08.2025 14:50 · 2 articles
Picus Blue Report 2025 Reveals SIEM Detection Gaps
The Picus Blue Report 2025, based on over 160 million attack simulations, shows that organizations detect only 1 out of 7 simulated attacks. This indicates significant gaps in threat detection and response capabilities, primarily due to log collection failures, misconfigured detection rules, and performance issues. The report highlights the need for continuous validation and simulation of real-world attacks to maintain effective SIEM defenses. Additionally, the report shows that prevention dropped from 69% to 62% in one year, and that 54% of attacker behaviors generated no logs, making entire attack chains unfold with zero visibility. Only 14% of attacker behaviors triggered alerts, and data exfiltration was stopped just 3% of the time, leaving a critical stage effectively unprotected.
Sources:
- Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations — thehackernews.com — 25.08.2025 14:50
- Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions — thehackernews.com — 26.09.2025 14:22
Information Snippets
- SIEM systems are crucial for detecting suspicious activity in enterprise networks.
  First reported: 25.08.2025 14:50 (1 source, 2 articles):
  - Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations — thehackernews.com — 25.08.2025 14:50
  - Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions — thehackernews.com — 26.09.2025 14:22
- Organizations detected only 1 out of 7 simulated attacks in the Picus Blue Report 2025.
  First reported: 25.08.2025 14:50 (1 source, 2 articles):
  - Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations — thehackernews.com — 25.08.2025 14:50
  - Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions — thehackernews.com — 26.09.2025 14:22
- 50% of detection rule failures were due to log collection issues.
  First reported: 25.08.2025 14:50 (1 source, 1 article):
  - Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations — thehackernews.com — 25.08.2025 14:50
- 13% of rule failures were attributed to misconfigurations in detection rules.
  First reported: 25.08.2025 14:50 (1 source, 1 article):
  - Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations — thehackernews.com — 25.08.2025 14:50
- 24% of detection failures were related to performance problems.
  First reported: 25.08.2025 14:50 (1 source, 1 article):
  - Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations — thehackernews.com — 25.08.2025 14:50
- Log source coalescing, unavailable log sources, and inefficient filtering are significant issues impacting SIEM rule effectiveness.
  First reported: 25.08.2025 14:50 (1 source, 1 article):
  - Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations — thehackernews.com — 25.08.2025 14:50
- Continuous validation of SIEM rules is necessary to counteract evolving adversary tactics.
  First reported: 25.08.2025 14:50 (1 source, 1 article):
  - Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations — thehackernews.com — 25.08.2025 14:50
- The Picus Blue Report 2025 shows that prevention effectiveness dropped from 69% to 62% in one year.
  First reported: 26.09.2025 14:22 (1 source, 1 article):
  - Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions — thehackernews.com — 26.09.2025 14:22
- 54% of attacker behaviors generated no logs, so entire attack chains unfolded with zero visibility.
  First reported: 26.09.2025 14:22 (1 source, 1 article):
  - Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions — thehackernews.com — 26.09.2025 14:22
- Only 14% of attacker behaviors triggered alerts, indicating that most detection pipelines failed silently.
  First reported: 26.09.2025 14:22 (1 source, 1 article):
  - Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions — thehackernews.com — 26.09.2025 14:22
- Data exfiltration was stopped just 3% of the time, leaving a critical stage effectively unprotected.
  First reported: 26.09.2025 14:22 (1 source, 1 article):
  - Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions — thehackernews.com — 26.09.2025 14:22
- The Picus Blue Report 2025 demonstrates the need for continuous validation of security defenses through Breach and Attack Simulation (BAS).
  First reported: 26.09.2025 14:22 (1 source, 1 article):
  - Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions — thehackernews.com — 26.09.2025 14:22
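The log-collection failure modes listed above (unavailable log sources, log source coalescing, inefficient filtering) and the call for continuous rule validation are easier to reason about with a concrete replay. The following Python is an added example, not code from the Picus report or the cited articles: it pushes one constructed attacker behaviour (Domain Admins enumeration via net.exe) through a toy SIEM pipeline and reports which stage lost the detection. The event format, the rule, the two filters, the coalescing threshold and the `coalesce`/`validate` functions are all assumptions made for illustration, and the events are constructed, not captured.

```python
"""Added example (not the Picus report's or The Hacker News articles' code): a toy
SIEM pipeline that replays one simulated attacker behaviour and reports *why* a
detection rule did or did not fire. Events, rule and pipeline settings are
constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

NOW = datetime(2025, 8, 25, 14, 50)   # assumed SIEM clock
T0 = NOW - timedelta(minutes=5)
SYS32 = r"C:\Windows\System32"


def ev(eid: int, host: str, image: str, cmdline: str, minutes: float) -> dict:
    """Constructed Windows 4688-style process-creation event."""
    return {"id": eid, "ts": T0 + timedelta(minutes=minutes), "host": host,
            "source": "windows-security", "event_id": 4688,
            "image": image, "cmdline": cmdline}


# Constructed attacker behaviour: Domain Admins enumeration on WS01 (net.exe spawns net1.exe).
ATTACK = [
    ev(1, "WS01", SYS32 + r"\whoami.exe", "whoami /all", 1.0),
    ev(2, "WS01", SYS32 + r"\net.exe", 'net group "Domain Admins" /domain', 1.5),
    ev(3, "WS01", SYS32 + r"\net1.exe", 'net1 group "Domain Admins" /domain', 1.5),
]
# Constructed benign noise: a logon script mapping eight drives also runs net.exe/net1.exe.
NOISE = [ev(200, "WS02", SYS32 + r"\svchost.exe", "svchost.exe -k netsvcs", 2.0)]
for i in range(8):
    NOISE.append(ev(100 + 2 * i, "WS01", SYS32 + r"\net.exe", f"net use {chr(80 + i)}: \\\\fs01\\share{i}", 0.1 * i))
    NOISE.append(ev(101 + 2 * i, "WS01", SYS32 + r"\net1.exe", f"net1 use {chr(80 + i)}: \\\\fs01\\share{i}", 0.1 * i))


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def rule_domain_admins_enum(e: dict) -> bool:
    """Detection rule under test: net.exe/net1.exe enumerating the Domain Admins group."""
    cmd = e.get("cmdline")            # None once an event has been coalesced
    return cmd is not None and basename(e["image"]) in {"net.exe", "net1.exe"} \
        and "domain admins" in cmd.lower()


# Two noise-reduction filters (True = drop). The first is the common mistake of filtering
# on the binary; the second filters on the benign behaviour and keeps the rule's telemetry.
def drop_net_binaries(e: dict) -> bool:
    return basename(e["image"]).startswith("net")


def drop_logon_script_mapping(e: dict) -> bool:
    return e["cmdline"].lower().startswith(("net use ", "net1 use "))


@dataclass
class Pipeline:
    dead_forwarders: set[str] = field(default_factory=set)   # hosts whose agent stopped sending
    drop_filter: Optional[Callable[[dict], bool]] = None      # EPS-reduction filter stage
    coalesce_threshold: Optional[int] = None                  # merge >= N similar events into one
    heartbeat_window: timedelta = timedelta(minutes=15)


def coalesce(events: list[dict], threshold: int) -> list[dict]:
    """Model SIEM coalescing: similar events collapse into one summary that keeps a count but no payload."""
    groups: dict[tuple, list[dict]] = defaultdict(list)
    for e in events:
        groups[(e["host"], e["source"], e["event_id"], e["image"])].append(e)
    out: list[dict] = []
    for members in groups.values():
        if len(members) >= threshold:
            out.append(dict(members[0], cmdline=None, coalesced_count=len(members),
                            coalesced_ids={m["id"] for m in members}))
        else:
            out.extend(members)
    return out


def validate(pipeline: Pipeline, rule: Callable[[dict], bool], attack: list[dict],
             noise: list[dict], now: datetime = NOW) -> str:
    """Replay the attack through the pipeline and classify the outcome."""
    expected = {e["id"] for e in attack if rule(e)}     # hits the rule gives with perfect telemetry
    if not expected:
        return "rule_miss"                              # rule logic does not cover the behaviour
    host = attack[0]["host"]
    received = [e for e in attack + noise if e["host"] not in pipeline.dead_forwarders]
    if not any(e["host"] == host and now - e["ts"] <= pipeline.heartbeat_window for e in received):
        return "log_source_unavailable"                 # silent: nothing arrived, so nothing alerted
    kept = [e for e in received if not (pipeline.drop_filter and pipeline.drop_filter(e))]
    if not expected & {e["id"] for e in kept}:
        return "filtered_out"                           # filter tuned away the rule's own telemetry
    final = coalesce(kept, pipeline.coalesce_threshold) if pipeline.coalesce_threshold else kept
    if any(rule(e) and e["id"] in expected for e in final):
        return "detected"
    if any(expected & e.get("coalesced_ids", set()) for e in final):
        return "coalesced"                              # command line lost before the rule ran
    return "unexplained"


SCENARIOS = {
    "healthy": Pipeline(),
    "forwarder down on WS01": Pipeline(dead_forwarders={"WS01"}),
    "filter drops net*.exe": Pipeline(drop_filter=drop_net_binaries),
    "coalescing at 5 similar events": Pipeline(coalesce_threshold=5),
    "coalescing + behaviour-based filter": Pipeline(drop_filter=drop_logon_script_mapping,
                                                    coalesce_threshold=5),
}


def run_all() -> dict[str, str]:
    return {name: validate(p, rule_domain_admins_enum, ATTACK, NOISE) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:40s} {verdict}")
```

Running the block prints one verdict per scenario. The point a rule-validation harness should make explicit is that "no alert" has several distinct causes and only one of them is a rule bug: a forwarder that has stopped sending is invisible to the rule, the net*.exe filter removes the rule's own telemetry, and coalescing keeps a count but drops the command line the rule matches on. Filtering on the benign behaviour (the "net use" drive mapping) instead of on the binary keeps event volume down and the detection intact, which is why the last scenario detects even with coalescing enabled.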
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software; they enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS). The campaign is widespread: attackers gain unauthenticated remote code execution on ASAs and modify the ROMMON boot firmware to persist through reboots and system upgrades. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. CISA and Cisco linked the attacks to the ArcaneDoor campaign, which exploited two earlier ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. The directive requires agencies to account for all Cisco ASA and Firepower appliances on their networks, collect forensic data, disconnect compromised devices, and patch devices that show no signs of malicious activity by 12 PM EDT on September 26, 2025; ASA devices reaching end of support must be permanently disconnected by September 30. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed flaws in Cisco firewalls to deliver previously undocumented malware families, RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign; the attacks targeted Cisco ASA 5500-X Series devices running specific software releases with VPN web services enabled, implanting malware, executing commands, and potentially exfiltrating data. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Continuous Threat Exposure Management (CTEM) Emphasizes Prioritization and Validation
Continuous Threat Exposure Management (CTEM) is a framework that prioritizes and validates security exposures based on real business impact. It addresses the limitations of traditional vulnerability management, which often leads to chasing irrelevant alerts and ignoring critical threats. CTEM focuses on the handful of exposures that truly matter and validates them against specific environments to prove defense effectiveness. CTEM is designed to handle the increasing volume of vulnerabilities and non-technical exposures, such as misconfigured SaaS apps and human errors. It uses Adversarial Exposure Validation (AEV) technologies, including Breach and Attack Simulation (BAS) and Automated Penetration Testing, to provide continuous validation and an attacker's perspective at scale.
Authentication Bypass Vulnerabilities in Wondershare RepairIt
Two critical authentication bypass vulnerabilities in Wondershare RepairIt expose user data and AI models. The flaws, identified as CVE-2025-10643 and CVE-2025-10644, allow attackers to bypass authentication and execute arbitrary code on customer endpoints. The vulnerabilities stem from insecure handling of cloud access tokens and lack of encryption, potentially leading to supply chain attacks and data breaches. The issues were disclosed by Trend Micro researchers in September 2025. Wondershare has not yet responded to the disclosure, and users are advised to restrict interaction with the product until a fix is available.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance through a critical remote code execution (RCE) vulnerability (CVE-2024-36401), which GeoServer had patched in June 2024. The attackers found the vulnerable instances by scanning with Burp Suite, exploited a public-facing GeoServer instance, and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, they exploited the same vulnerability on a second GeoServer instance and moved laterally to a web server and a SQL server, dropping web shells including China Chopper for persistence. They brute-forced service accounts for lateral movement and privilege escalation, used Stowaway for command-and-control (C2) traffic, and attempted to exploit CVE-2016-5195 (Dirty COW) for local privilege escalation. The breach went undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC); the agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection. The case highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans.
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. The vulnerability was actively exploited in the wild as early as September 10, 2025, a week before public disclosure. Fortra has released patches in versions 7.8.4 and 7.6.3. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability was discovered during a security check on September 11, 2025. Fortra advised customers to review configurations immediately and remove public access from the Admin Console. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown. The flaw is highly dependent on systems being externally exposed to the internet. The exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.