44% of security professionals say a human should always remain in the loop for security decisions.

16% of security professionals say supply chain and third-party risk is the boardroom cyber priority boards ask about most.

15% of security professionals say cloud and infrastructure exposure is the boardroom cyber priority boards ask about most.

60% of UK cybersecurity professionals say threats are already moving beyond email

66% of UK cybersecurity professionals believe employees are more likely to trust messages received through internal collaboration platforms

50% of UK organizations lack strong confidence in detecting threats across messaging and social platforms

Only 41% of organizations regularly train employees on threats beyond email

There were 6,420 excess CVEs recorded through April 2026, representing a 46.3% cumulative drift above the February forecast.

Annual vulnerability disclosures are on pace to approach 70,000 for the first time in history.

GitHub Security Advisory (GHSA) volume increased 449% year-over-year.

VulnCheck CNA-of-Last-Resort activity increased 3,119%.

Mozilla CNA Q1 CVE disclosures spiked 164% due to AI-assisted tooling against the Firefox engine.

The CISA KEV catalog contained 1,587 entries as of May 1, 2026.

EPSS had scores for 329,934 CVEs as of May 1, 2026.

Actual CVE disclosures are running 46.3% above projections published four months earlier.

21% of security professionals say the volume of threat intelligence information often creates more noise than clarity.

27% of security professionals would prioritise automating the conversion of threat intelligence into actionable priorities.

38% of security professionals would trust AI only for low-risk, routine security decisions.

11% of security professionals are still experimenting with AI-driven decision-making.

28% of security professionals say their organisation has a continuous, proactive exposure management programme in place.