Hack The Box Report: Build Cyber Skills, Not Just Compliance

Hack The Box (HTB), a leader in gamified cybersecurity skills development, has released three sector-specific cyber skills reports covering MSSPs, finance, and healthcare. Across these reports, HTB found that technical capability—not just compliance—has become the true benchmark for cybersecurity resilience and readiness.

Skill gaps found in highly regulated sectors

HTB’s Global Cyber Skills Benchmark 2025 analyzed performance data from more than 4,500 cybersecurity professionals across 795 security teams worldwide, all of whom completed 40 practical challenges. 

The research identified persistent skills gaps that leave critical systems vulnerable—even in sectors with high compliance and security requirements. It also found that a significant number of organizations lack the technical depth needed for effective prevention and recovery from modern cyberattacks, despite excelling at threat detection and visibility.

“Cyber threats evolve daily, yet many organizations still measure readiness through compliance alone,” said Haris Pylarinos, chief executive officer and founder of HTB. 

“What the data shows is that resilience comes from capability. We need to rethink how we prepare our teams, not just how we audit them.”

Findings by sector show commonalities and key differences

Summarized findings and links to the three reports, covering the MSSP, healthcare, and finance sectors, are outlined below.

MSSP Sector Report

• Strong breadth of monitoring, but offensive security and threat emulation lack depth.
• AI serves as a force multiplier, yet secure coding remains a blind spot.
• MSSPs are proficient generalists, but struggle with domain-specific expertise.

Healthcare Sector Report

• Strong OSINT and detection capabilities, but prevention remains weak.
• AI readiness shows promise, but lacks secure deployment practices.
• Persistence and lateral movement represent high-risk exposure points following a breach.

Finance Sector Report

• Financial institutions excel in threat visibility, but lack the depth to neutralize threats effectively.
• Emerging vulnerabilities around blockchain and smart contract environments.
• SOC teams require enhanced oversight of detection progress and response metrics.

MSSP report: Strong detection with lacking preventive capabilities

In the MSSP-specific report, HTB found that MSSPs performed well in detection and monitoring but showed critical gaps in offensive readiness. Client-specific specialization also emerged as a limiting factor.

Across 40 practical challenges, HTB identified the strengths and weaknesses among MSSPs (with IT services and business services teams examined as the closest proxies):

Strengths:

• OSINT: 64.5% (IT services)
• Forensics: 62.8% (business services)
• Coding: 53.3% (IT services)

Weaknesses:

• Secure Coding: 18.7% (global average)
• Web Security: 21.1% (global average)
• Pwn: 9.8% (IT services)
• ICS/OT: 28.2% (IT services)
• Hardware: 29.7% (IT services)

According to HTB, these findings reflect MSSPs’ strengths in scaling detection and monitoring across clients. However, they also show that many still need deeper preventive and adversary simulation capabilities to effectively handle sophisticated threats.

HTB’s Cyber Skills Benchmark 2025 report helps organizations understand how technical capabilities drive cyber resilience. It highlights real-world performance across sectors to provide clarity on strengths and weaknesses, aiming to identify where strategic investment is most needed to address emerging threats and evolving security demands.

In September, Hack The Box acquired the blue team upskilling platform LetsDefend. Read more to learn how the acquisition establishes a unified cyber workforce development solution for enterprises and MSSPs.