Threatstealth Security Research Reports
Original threat intelligence and security operations research published by the Threatstealth team — covering phishing resilience, AI model security, KEV-first patching, and SOC 2 automation outcomes.
- State of Phishing Resilience 2026 — click rates, training completion, and board-level resilience KPIs
- OWASP LLM Top 10 — field findings from Q1 2026 real-world model security assessments
- KEV-First Patching: Operational Outcomes — data on exposure window reduction using CISA KEV
- MSSP Multi-Tenant Architecture Reference — isolation patterns and per-tenant SLA reporting
- SOC 2 Evidence Automation: 12-Month Audit Outcomes — prep time reduction metrics
Phishing Resilience Research and Measurement Methodology
The Threatstealth phishing resilience research programme runs multi-vector simulations across email, SMS, QR code, and spear-phishing scenarios — collecting click rates, credential submission rates, reporting rates, and training completion data across thousands of simulated targets. The State of Phishing Resilience 2026 report aggregates anonymised campaign data from the Threatstealth platform to provide industry-wide benchmarks that security leaders can use to assess their organisation's resilience against the current threat landscape and justify security awareness investment to boards and risk committees.
- Composite resilience score — weighted metric combining click rate, report rate, repeat-offender rate, and training completion
- Industry benchmarks — anonymised click and report rates segmented by sector, company size, and geography
- Vector comparison — relative effectiveness of email phishing vs SMS spoofing vs QR code attacks by target profile
- Repeat offender analysis — identifying high-risk individuals requiring targeted intervention beyond group training
- Board reporting templates — converting simulation data into executive KPIs with trend lines and peer comparisons
AI and LLM Security Field Findings
The OWASP LLM Top 10 field findings report documents real-world assessment outcomes from security reviews of production LLM deployments conducted by the Threatstealth AI security team. Each finding category includes representative attack scenarios, bypass techniques observed in production models, and the engineering controls that successfully mitigated each risk. The report provides a practical supplement to the OWASP framework document — translating theoretical risk descriptions into concrete attack patterns and measurable defence outcomes that engineering teams can act on immediately.
- Prompt injection prevalence — frequency and severity of direct vs indirect injection findings across assessed deployments
- Data leakage surface — training data extraction techniques and PII discovery rates in tested models
- Jailbreak success rates — effectiveness of DAN variants, adversarial suffixes, and role-play bypasses by model family
- Plugin and tool abuse — privilege escalation paths found through poorly sandboxed LLM tool integrations
- Defence effectiveness — which controls (input filtering, output validation, system prompts) reduced attack success most
KEV-First Patching Operational Outcomes Data
The KEV-First Patching report provides operational data on how adopting a CISA KEV-first prioritisation model changes patching cadence and exposure windows in enterprise environments. Data is drawn from Threatstealth-managed vulnerability management programmes measuring time-to-patch for KEV-flagged CVEs versus non-KEV high-CVSS findings, EPSS score accuracy as a predictor of exploit activity, and the scanner backlog reduction achieved when teams deprioritise non-exploited theoretical risks. Findings are segmented by industry vertical, organisation size, and baseline patch cadence.
- Exposure window reduction — median time-to-patch for KEV-flagged vulnerabilities versus non-KEV high-CVSS findings
- EPSS accuracy validation — correlation between 30-day exploit probability scores and observed exploitation activity
- Scanner backlog reduction — percentage reduction in open findings when CVSS-only prioritisation is replaced by KEV+EPSS
- Industry comparison — patching speed and exposure windows segmented by sector and organisation size
- Remediation SLA compliance — impact of KEV-first policies on SLA adherence across quarterly audit periods
SOC 2 Evidence Automation Outcomes
The SOC 2 Evidence Automation report documents 12-month outcomes for organisations that implemented continuous control monitoring from the start of their audit period versus those using traditional manual evidence collection. Metrics include pre-audit preparation time, auditor query response time, evidence rejection rates, and total engineering hours consumed across the audit cycle. Data shows consistent 80–92 percent reductions in pre-audit preparation time and near-zero evidence rejection rates when continuous collection is implemented correctly with tamper-evident artifact storage.
- Preparation time reduction — median pre-audit engineering hours for continuous vs manual evidence collection approaches
- Evidence rejection rate — frequency of auditor evidence re-requests in continuous monitoring programmes
- Control gap detection — lead time for identifying and remediating control gaps before auditor engagement
- Access review completion rates — percentage completion of quarterly reviewer workflows across organisations
- Cost savings — total audit cycle cost reduction across engineering, legal, and external auditor time