Education
Hassassin, Mar 17, 2025
Findings from our research on Cyber readiness in Professional Services suggest that a significant contributor to the lack of skilled talent is, in fact, a lack of skills development for existing talent.
This research draws on insights from the Hack The Box (HTB) Business CTF 2024 and its post-event survey of security leaders in the Professional Services sector, which includes service-based IT & security consulting firms like MSSPs.
Our post-event survey aimed to measure confidence in threat-aligned training programs by asking:
“How well do your organization’s training programs align with the latest cybersecurity threats and technologies?”
Responses were then grouped into two categories:
Low confidence (50%): respondents who rated their program’s alignment with modern threats as moderately well (32.8%), slightly well (10.9%), or not at all (6.1%).
High confidence (50%): respondents who rated their program’s alignment with modern threats as extremely well (15.3%) or very well (34.9%).
This reveals a stark divide in how MSSPs perceive their performance. While half of MSSPs feel their training is up to the challenge, the other half have doubts—raising critical concerns about whether security teams are fully prepared to defend against today’s threats.
Solve rates reveal the skills service providers may lack
The next section dives deeper into event performance data for specific challenges within Business CTF.
Comparing solve rates for challenges helps benchmark security skills by testing a team’s ability to detect, respond, and manage real-world attacks.
Most Professional Services teams were relatively stronger in categories like fullpwn, cloud and web application security, but they still lagged behind global averages in those domains when compared to other industries.
We’ll assess how teams in Professional Services, such as MSSPs, underperformed against global averages and what this means for the clients they protect.
Teams scored 31% below the industry average in forensic analysis, highlighting a critical weakness in their ability to investigate and respond to security incidents effectively.
The lack of robust detection and response capabilities impacts a team’s ability to perform breach triage, root cause analysis, and evidence preservation—all essential components of strong incident response capabilities.
Without strengthening forensic capabilities, service providers risk slower incident response times and ineffective post-breach support for their clients.
Several regulatory bodies—including the US’s Federal Trade Commission (FTC) and the European Union—have recently taken the decision of whether to disclose breaches out of organizations’ hands, instituting strict breach reporting requirements.
These new requirements give organizations little time to investigate and triage breaches before the reporting deadline.
This means that today’s security teams need to have strong core incident investigation and response capabilities to meet compliance and crucial legal reporting requirements mandated by regulations like SEC and NIS2.
Cybersecurity threats to banks and corporate networks are serious—but imagine the stakes when the targets are critical infrastructure like power plants, trains, or water systems.
Industrial control system (ICS) pentesting probes the very protocols that keep essential machinery running: power generators, railway controllers, and even oil pipelines, to name a few. A single vulnerability here could lead to devastating, real-world consequences.
Yet, the 16.1% solve rate in hardware security, compared to the 23% category average, reveals a critical area where improvement is needed for client-serving teams managing an increasing number of critical IoT and edge device ecosystems, often embedded within operational environments.
Failure to secure such hardware could lead to breaches targeting payment systems, industrial control systems, or even medical devices for healthcare clients.
Professional Services teams lag 35% below industry benchmarks in cloud security, underscoring critical gaps in protecting multi-cloud environments.
With threat actors taking advantage of outdated cloud security tactics, the growing complexity of cloud architectures and reliance on hybrid and multi-cloud strategies reflect a need for more advanced cloud security skills, particularly in cloud misconfigurations, identity and access management (IAM), and API security.
Cyber readiness in Professional Services
For teams who provide IT & security services, every hour spent training is an hour not spent on billable client work.
And let’s be real, between managing client security operations, responding to incidents, and keeping up with an expanding attack surface, the idea of structured training often gets pushed to the back burner.
But what happens when an untrained team encounters a new, sophisticated attack?
The real cost of inadequate training is downtime, missed detections, and eroded client trust.
The takeaway from our research is clear: If budgets are tight, start with time.
Allocating even small, frequent windows for regular assessments on essential skills gaps can transform how your team responds and stays ahead of threats in client environments.
Register for the Benchmarking masterclass webinars
Sign your team up for the Global Cyber Skills Benchmark 2025