10-07-2025
Mid-size firms, government trail in hybrid identity security
The latest Purple Knight Report from Semperis indicates ongoing and worsening security vulnerabilities across hybrid identity systems, including Active Directory, Entra ID, and Okta.
According to the 2025 report, the average identity security score for organisations globally now stands at 61 out of 100, down 11 points from the 2023 average of 72 (a roughly 15% relative decline). The assessment is based on data from more than 45,000 organisations that have downloaded and run the Purple Knight Active Directory security assessment tool.
Mid-size organisations, defined as those with between 2,001 and 5,000 employees, reported the lowest average security score by size band, at just 52. The government sector performed worst among industry verticals, with an average of 46, followed by retail, transportation and education, whose averages fell between 51 and 57. The healthcare sector achieved the highest industry average, though still a modest 66 out of 100.
Larger organisations with more than 10,000 employees scored highest, averaging 73, while the smallest companies, with up to 500 employees, followed closely with an average of 68. The findings attribute these higher scores to the greater resources of large organisations and the simpler environments of smaller ones. "The largest organisations have more resources, and the smallest organisations often have less-complicated environments to secure," said Sean Deuby, Semperis Principal Technologist, Americas.
Deuby highlighted the particular challenges faced by companies in the mid-size range. "The midsized companies are where the IT pros have to do everything. You don't have full-time AD specialists," he said.
Vulnerabilities by category
The Purple Knight Report groups its indicators into six categories. Of these, the AD Infrastructure category recorded the lowest scores, pointing to persistent risk in how directory services are configured and maintained. In descending order of score, the remaining categories were Account Security, Kerberos, Group Policy, Entra ID, and Okta.
Deuby explained the wider picture driving the results: "Hybrid identity environments are complex, and threat actors know it. Overall, organisations can't protect what they can't see. The lower average scores in the 2025 Purple Knight Report indicate how crucial it is for companies to proactively assess vulnerabilities across their hybrid identity systems so they can close security gaps before attackers exploit them. Purple Knight gives organisations of all sizes the ability to identify vulnerabilities and remediate them before risks become damaging losses because of a compromise."
Remediation impact
Despite the generally low baseline scores, the report indicates that organisations which applied the tool's mitigation guidance saw significant improvements. Users reported an average score increase of 21 points after applying the recommended remediations, with some reporting gains as high as 61 points.
Feedback from users further illustrates the practical value of the toolkit. Bob G., an infrastructure team lead at a global shipping company, commented: "My company has launched a multi-year project to reorganise the environment, which currently consists of about 30 AD forests. Using Purple Knight to scan those environments helps us understand what might break in our permissions structure or what open security vulnerabilities we need to fix."
Jose G., a global administrator at an IT services company, described how a security incident prompted a reassessment: "We suffered an attack that compromised some of our systems, and we thought we were pretty secure in terms of Active Directory. We learned a lot from that event. Out of curiosity, I ran Purple Knight on the environment, and I found a new world of stuff to fix."
Eric M., senior identity engineer at a global printing company, shared his experience: "I do a pretty good job. And we haven't been breached. But then you see the D-minus on your report card and it's like, wow. There are some things we could do better."
Ongoing challenges
The report highlights the persistent challenges presented by hybrid identity systems, particularly for mid-sized organisations and for sectors such as government and retail, where available resources may not match the complexity of the environments at risk. The findings reinforce the role of continuous assessment and remediation in improving identity security and reducing the likelihood and impact of compromise.