Purple Knight Report 2025: Midsize Companies Are the New Identity Security Battleground
By Cyber Jill, Jul 10
In the cybersecurity world, identity is everything—and most companies still aren’t getting it right. That’s the central takeaway from Semperis’ 2025 Purple Knight Report, which analyzed thousands of scans across hybrid identity systems like Active Directory (AD), Entra ID, and Okta. The average organizational score? A sobering 61 out of 100, down 11 points from just two years ago.
Despite growing awareness and high-profile breaches targeting identity infrastructure, the report paints a picture of widespread fragility. Even more telling: midsized enterprises, those with between 2,001 and 5,000 employees, fared the worst with an average score of just 52—putting them firmly in the crosshairs of identity-based attacks.
“The midsized companies are where the IT pros have to do everything. You don’t have full-time AD specialists,” said Sean Deuby, Principal Technologist for the Americas at Semperis.
That reality has left a dangerous blind spot in the cyber resilience of the global enterprise landscape. Larger organizations, bolstered by deep benches of security talent and budget, scored highest (73), while small businesses with simpler environments weren’t far behind (68). But between those extremes lie thousands of overstretched IT teams juggling the complexity of modern hybrid identity environments with legacy tools and underfunded resources.
Hybrid Identity: A Visibility Crisis
Semperis’ free Purple Knight assessment tool scans for common misconfigurations and weaknesses in AD, Entra ID, and Okta—three pillars of enterprise identity. Of the six vulnerability categories analyzed, the AD Infrastructure category consistently scored the lowest, revealing fundamental weaknesses in the scaffolding of enterprise identity systems. Account security and Kerberos configuration followed close behind.
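The report does not list the individual indicators behind its account-security and Kerberos categories, so the script below is an added example, not Purple Knight's own logic or output. It shows the kind of first-pass audit an overstretched IT team can run with only the RSAT ActiveDirectory module and domain read access: it pulls a handful of widely known AD account and Kerberos weaknesses (pre-authentication disabled, password not required, Kerberoastable service accounts with stale passwords, unconstrained delegation on non-DC computers, an old krbtgt password). Which checks to include, the 180-day and 365-day thresholds, and the `Invoke-AdQuickAudit` function name are assumptions chosen for illustration.

```powershell
# Added example (not from the Purple Knight report or Semperis).
# Requires: RSAT ActiveDirectory module, read access to the domain.
Import-Module ActiveDirectory

function Invoke-AdQuickAudit {
    [CmdletBinding()]
    param(
        [int]$KrbtgtMaxAgeDays = 180,   # assumed threshold
        [int]$SpnPasswordMaxAgeDays = 365  # assumed threshold
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Check, $Object, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
    }

    # 1. Enabled users with Kerberos pre-authentication disabled (UAC bit 0x400000).
    #    Such accounts can be AS-REP roasted without any credentials.
    Get-ADUser -Filter 'Enabled -eq $true -and userAccountControl -band 4194304' |
        ForEach-Object { & $add 'PreauthNotRequired' $_.SamAccountName 'userAccountControl has DONT_REQ_PREAUTH' }

    # 2. Enabled users flagged "password not required" (UAC bit 0x0020).
    Get-ADUser -Filter 'Enabled -eq $true -and userAccountControl -band 32' |
        ForEach-Object { & $add 'PasswordNotRequired' $_.SamAccountName 'userAccountControl has PASSWD_NOTREQD' }

    # 3. User accounts carrying an SPN (Kerberoastable) whose password is old.
    $spnCutoff = (Get-Date).AddDays(-$SpnPasswordMaxAgeDays)
    Get-ADUser -Filter 'Enabled -eq $true -and ServicePrincipalName -like "*"' -Properties PasswordLastSet, ServicePrincipalName |
        Where-Object { $_.SamAccountName -ne 'krbtgt' -and $_.PasswordLastSet -lt $spnCutoff } |
        ForEach-Object { & $add 'StaleSpnPassword' $_.SamAccountName ("PasswordLastSet {0:d}" -f $_.PasswordLastSet) }

    # 4. Non-domain-controller computers trusted for unconstrained delegation.
    #    PrimaryGroupID 516 = Domain Controllers; DCs legitimately have this flag.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516' |
        ForEach-Object { & $add 'UnconstrainedDelegation' $_.Name 'TrustedForDelegation set on non-DC' }

    # 5. krbtgt password age: a stale krbtgt key lets a stolen hash mint golden tickets indefinitely.
    $krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
    $krbtgtAge = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    if ($krbtgtAge -gt $KrbtgtMaxAgeDays) {
        & $add 'KrbtgtPasswordAge' 'krbtgt' "Last set $krbtgtAge days ago (threshold $KrbtgtMaxAgeDays)"
    }

    return $findings
}

# Usage: run from a domain-joined admin workstation, then review the findings.
$results = Invoke-AdQuickAudit
$results | Sort-Object Check | Format-Table -AutoSize
"{0} finding(s) across {1} check type(s)" -f $results.Count, ($results.Check | Select-Object -Unique).Count
```

This is deliberately read-only: it queries and reports but changes nothing, which is the point of the "scan first" step. Each hit maps to a concrete remediation (re-enable pre-authentication, set a password, rotate the service account or move it to a gMSA, switch to constrained delegation, rotate krbtgt twice), and the script can be rerun after each fix to confirm the finding disappears. It is a starting point, not a substitute for a full indicator set such as the one the article describes.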
“Hybrid identity environments are complex, and threat actors know it. Overall, organizations can't protect what they can't see,” said Deuby.
And attackers are watching. With ransomware gangs, state-sponsored APTs, and insider threats increasingly targeting identity systems as an initial access vector, these weak scores are more than academic—they’re an open invitation.
Industries on the Edge
No sector was spared from the struggle. Government organizations—often hamstrung by legacy systems and procurement red tape—came in dead last with an average score of 46. Retail, transportation, and education weren’t far behind.
Surprisingly, healthcare scored the highest among verticals at 66, perhaps reflecting years of high-stakes breach headlines and regulatory scrutiny finally yielding better practices. Still, as Deuby noted, that’s “still poor” on a 100-point scale.
Reality Check: The D-Minus That Hurts So Good
But there is a silver lining. Organizations that used Purple Knight’s built-in remediation guidance reported an average improvement of 21 points. Some, like global shipping and IT firms, saw gains as high as 61 points after making recommended changes.
“My company has launched a multi-year project to reorganize the environment... Using Purple Knight to scan those environments helps us understand what might break or what open security vulnerabilities we need to fix,” said Bob G., infrastructure team lead at a global shipping company.
“I do a pretty good job. And we haven’t been breached. But then you see the D-minus on your report card and it’s like, wow. There are some things we could do better,” said Eric M., senior identity engineer at a global printing company.
“We thought we were pretty secure... Out of curiosity, I ran Purple Knight, and I found a new world of stuff to fix,” said Jose G., global administrator at an IT services company.
The Identity Security Cliff
The 2025 report underscores a broader truth: as organizations double down on cloud transformation, SaaS sprawl, and hybrid work, identity systems are more exposed—and more mission-critical—than ever. Without visibility and regular auditing, organizations risk walking off an invisible cliff.
With identity now the backbone of access control, it’s no longer enough to trust that your AD settings are fine because they haven’t broken anything—yet.
The message from Semperis is clear: scan, fix, repeat. Before someone else does it for you.