Persistent security gaps found in hybrid identity systems

Organizations are continuing to struggle to identify and address security vulnerabilities in hybrid identity systems such as Active Directory, Entra ID, and Okta.

This is among the findings of a new report from AI-powered identity security and cyber resilience company Semperis, based on results from Purple Knight, a free Active Directory security assessment tool by Semperis that has been downloaded by 45,000+ organizations.

It finds an average score of 61 out of 100, which is 11 points lower than the average score of 72 in the 2023 report. Interestingly, Purple Knight score averages are highest among the largest organizations (10,000+ employees), with an average score of 73, and the smallest companies (0-500 employees), with an average score of 68 out of 100.

“The largest organizations have more resources, and the smallest organizations often have less-complicated environments to secure,” says Sean Deuby, Semperis principal technologist, Americas. Organizations with between 2,001 and 5,000 employees averaged a score of 52, the worst overall, highlighting the dilemma faced by midsized organizations with complex systems and limited resources for addressing AD security problems. “The midsized companies are where the IT pros have to do everything. You don’t have full-time AD specialists,” adds Deuby.

Among the six categories of vulnerabilities included in Purple Knight, the scores are lowest in the AD Infrastructure category, followed by Account Security, Kerberos, Group Policy, Entra ID, and Okta.

“Hybrid identity environments are complex, and threat actors know it. Overall, organizations can’t protect what they can’t see. The lower average scores in the 2025 Purple Knight Report indicate how crucial it is for companies to proactively assess vulnerabilities across their hybrid identity systems so they can close security gaps before attackers exploit them,” says Deuby. “Purple Knight gives organizations of all sizes the ability to identify vulnerabilities and remediate them before risks become damaging losses because of a compromise.”

Breaking the results down by industry, the government sector has the lowest average score, 46, followed by retail at 51 out of 100 and transportation and education at 57 out of 100. Healthcare averaged a score of 66, still poor, but the highest among all verticals.

The full report is available from the Semperis site.
