Midmarket firms overconfident as cyber tools fall short
Midmarket cybersecurity leaders in the UK and US report high confidence in their ability to manage critical risks. Many also say they lack suitable tools and have teams struggling to keep up, according to new research from Intruder.
The survey of 502 security decision-makers at companies with 400 to 6,000 employees and at least USD $50 million in revenue found a disconnect between stated assurance and operational strain. While 94% said they were confident they could identify and remediate critical risks before attackers exploit them, 42% described their teams as stretched, overwhelmed, or consistently behind.
Tooling mismatch
The research highlights what Intruder called a "security middle child problem" for organisations that sit between small businesses and large enterprises. Nearly half of respondents said they do not have the right technology for their needs.
Enterprise platforms were a poor fit for 46%, who said these products assume more staff, budget, or complexity than they can support. Meanwhile, 29% said tools aimed at small and medium-sized businesses no longer meet their needs.
Midmarket operational challenges included limited visibility into exposed assets (28%). Another 26% said they had too many tools to navigate, while 24% said they struggled to prioritise work.
Intruder framed the issue as structural rather than a failure of in-house execution.
"Midmarket companies are being treated as the middle child when it comes to cybersecurity solutions. They are overlooked by vendors focused on Fortune 500s or SMBs, while they are just as important and just as vulnerable to attackers," said Chris Wallis, CEO and founder of Intruder.
"This is a structural problem: the majority of solutions available to midmarket security teams were never built for the position they're now in," Wallis added.
Zero-day timing
Speed of response emerged as a specific weakness. About 51% of respondents said it would take roughly a week to assess their exposure to a critical zero-day vulnerability.
That timeline contrasts with the report's observation that exploitation can follow disclosure within 24 to 48 hours. The gap raises questions about how quickly teams can translate confidence in controls into action when new vulnerabilities emerge.
Confidence gap
Confidence also varied by seniority. C-suite respondents were the most assured, with 65% saying they were very confident in their ability to catch critical threats. Confidence fell among those closer to day-to-day operations: 55% of directors, 46% of senior managers, and 35% of middle managers said they were very confident.
Budget and staffing signals looked more positive on the surface. About 89% said budgets were increasing. Around 70% said headcount had kept pace with growth in their digital estate, and 64% felt their security posture had scaled appropriately as their organisations grew.
However, staffing growth did not always match expanding estates. Some 91% said their digital estate had grown over the past 24 months, with 38% reporting significant growth. Only 30% said headcount grew faster than their digital estate. Another 17% said headcount grew more slowly, and nearly 10% said staffing stayed flat.
Stack strain
Technology choices also appeared to add pressure for many teams. Some 44% said their stack had been outgrown or had become fragmented, with organisations relying on multiple point solutions without a unified view.
Respondents linked that fragmentation to day-to-day friction. Navigating too many security tools was a top challenge for 26%. Too many alerts with poor prioritisation was cited by 24%, and 20% pointed to an inability to measure and report on cyber hygiene.
Despite these findings, planned investment leaned towards more technology. AI and automation topped 2026 priorities for 49% of respondents. Adding new solutions followed at 33%, while headcount was a priority for 17%.
AI pentesting also featured in the data, with 41% reporting adoption. The survey noted the category emerged in the past 12 to 18 months and suggested respondents may not be using a consistent definition. Adoption was higher among better-resourced organisations: AI pentesting ranked among the five most-adopted tools only for companies with more than USD $500 million in revenue. Use also increased with team size, with 49% of organisations with 11 or more security staff reporting use, versus 25% of teams with two to five people.
Sector differences
Pressure varied across industries, with healthcare showing the most strain. Only 51% of healthcare respondents said headcount kept pace with digital-estate growth, and 26% said headcount grew more slowly.
In SaaS, 86% said headcount kept pace and 10% said it grew more slowly. The survey highlighted the contrast given the risks associated with healthcare systems and data.
Boardroom visibility
Cyber-risk governance also appeared limited. Only 9% said cyber risk was discussed at board level. Another 34% said it reached executive leadership. Most respondents (51%) said discussions stayed within security and IT leadership, while 7% said it was confined to the security team alone.
Intruder Head of Security Dan Andrew said these trends could widen the gap between perception and reality inside organisations.
"The data in this report doesn't point to a single problem. It points to four compounding ones: estates growing faster than teams, confidence highest where visibility is lowest, stacks that are increasingly fragmented. And the relevant conversations aren't reaching the people who need to hear it," Andrew said.
"Until that changes, the gap between how these teams present themselves and how they actually operate will keep widening," he added.