Dimitrios Bougioukas, VP – IT Security Training Services at Hack The Box, on how simulations can help security teams detect, respond, contain and mitigate in real time

Financial institutions are operating in one of the most heavily targeted and scrutinised cyber environments in the world. They handle vast numbers of transactions and flows of sensitive personal data, and they run high-value digital infrastructures. It is therefore no surprise that the sector has invested heavily in technology, including monitoring platforms, telemetry, alerting systems and threat intelligence, with the aim of ensuring visibility of threats. Yet, despite these investments, that visibility is not always translating into effective containment.

The Hack The Box Global Cyber Skills Benchmark 2025, which analysed performance from 795+ teams and over 4,500 players across 40 real-world Capture The Flag challenges, highlights this imbalance.

According to the report, in simulated attacks, finance teams had a strong 37.6% average solve rate, outperforming sectors like healthcare, education and government. They demonstrated great investigation skills, scoring 71% in OSINT, 54.6% in forensics and 51.4% in coding. These figures are all good indications that financial sector cybersecurity teams are able to effectively identify and analyse suspicious activity.

However, the report also shows there is significant underperformance in the skills required to stop attackers once they are inside. This means the gap is not in detection skills; it is in depth of capability.

Cyber Attackers Get Further Than They Should

The weakest scores are being recorded in the areas where adversaries could inflict the most damage.

According to the report, persistence scored just 21.1%, privilege escalation 20.3% and collection just 10.8% across financial cybersecurity teams. These are the tactics that determine how attackers entrench themselves, escalate access and gather sensitive data before exfiltrating it. They are central to adversarial movement inside financial networks.

Emerging threat vectors showed even more vulnerability. Challenges covering blockchain security, DeFi (Decentralized Finance) and smart contract–related vulnerabilities were solved by the teams only 10.1% of the time. In exploit development, the teams averaged just 3.9%. This exposes weaknesses in exploit awareness at a time when attackers are increasingly using zero-day and near-zero-day vulnerabilities.

The combination of strong investigative skills and weaker adversarial resilience suggests that current capabilities are more focused on post-incident analysis than on preventing or containing attacks in real time.

Visibility Doesn’t Equal Control

Financial institutions have some of the most mature cybersecurity monitoring ecosystems of any industry. They deal with enormous volumes of logs, run highly tuned detection pipelines and leverage advanced SIEM and SOAR tooling. But this visibility on its own clearly does not equal security.

The benchmark report found that reconnaissance and initial access had solve rates between 23.8% and 28.4%, which indicates that many attacks will not be effectively blocked. From there, attackers are often able to succeed with their persistence, privilege escalation and lateral movement tactics because defenders do not have the technical depth to disrupt the attack chain at critical points.

In practice, this means teams may be able to see an attack unfold, but they will struggle to break it apart before data is collected for exfiltration. Even though exfiltration itself scored relatively high at 53.4%, the low collection score suggests most teams are not catching malicious activity upstream, when intervention matters most.

A Depth Problem, Not A Monitoring Problem

This skills imbalance stems from how training and capability development have historically been structured. Much of the financial sector’s cybersecurity readiness has been shaped by compliance, audit frameworks and classroom-style instruction. While these approaches fulfil important governance functions, they do not by themselves produce the hands-on adversarial fluency that simulation-based training supports.

Financial teams must move beyond compliance checklists and legacy training models because they do not provide the attacker-aligned, hands-on experience required to strengthen deeper-layer defensive capabilities.

Attackers do not operate in silos and neither should defenders. A phishing foothold becomes privilege escalation, which becomes persistence, which becomes lateral movement – all in a matter of minutes. Without having continuous practice in this full attack flow, teams will continue to be strong in analysis and weak in action.

Continuous, scenario-based upskilling is the clearest path to addressing this imbalance. The benchmark data in the report demonstrates the need for a cyber readiness model that is based on realistic adversarial simulation. These simulations don’t just replicate individual techniques; they replicate entire attack chains. This forces security teams to detect, respond, contain and mitigate in real time.

Learn more at hackthebox.com
