Skip to main content
The Panaseer logo shows a white square and a yellow square around the initial P. To the right of the P there is the copy written ‘anaseer’.
Get a demo
Show main menu Hide main menu

Why toxic combinations are a cause for real concern in 2025

“A staggering 92% of security leaders agree that toxic combinations are a cause for real concern.” – Panaseer Security Leaders Peer Report 2025.

One of the key themes of our latest Security Leaders Peer Report is hidden risk. A key risk that we’ve seen become more prevalent in the market is toxic combinations. It’s a phrase we’ve seen in a few places, but now we’re seeing it applied to cybersecurity controls.

Contents

    Barnaby Clarke
    read

    What are toxic combinations in cybersecurity controls?

    The term “toxic combinations” originates in pharmacology, where two drugs can combine to inadvertently harm the patient.

    In the context of cybersecurity controls, it means risks that are compounded by the presence of other significant risks affecting the same asset. Typically, it is a combination of (potentially) acceptable risks that together create a bigger risk that’s unacceptable. For example, a laptop with a critical vulnerability that doesn’t have endpoint protection.

    The term has previously been used in the context of privilege, but we’re branching out. For more on that, though, here’s an interview with Andy Jaquith, one of the world’s leading cybersecurity measurement experts.

    Now, we’re applying the term to control failure. Here’s an example of a toxic combination of control failures:

    Imagine a device that:

    • has an unpatched critical vulnerability;
    • doesn’t have endpoint protection;
    • is owned by an admin;
    • and that admin has been seen to fail phishing tests.

    Each of these poses a security risk individually, but when they’re all present on the same asset, that’s a toxic combination you would want to be made aware of and fix immediately. In this instance, we have two different control failures that combine to make a more significant risk which is then compounded by the risks associated with admin status and failed phishing tests.

    This is exactly the kind of thing threat actors will look to exploit because they are much harder to identify than individual vulnerabilities.

    a comic book strip explaining toxic combinations


    Research into control failures

    There’s a fundamental link between toxic combinations and control failure. To clarify, we can define a control failure as: “a control that is expected but absent or ineffective.” For example, an organization may have deployed an endpoint tool but there are devices that aren’t covered. We might also call this a control coverage gap.

    In the five years we’ve been doing these research reports, we’ve consistently found that organizations are breached due to control failure.

    The 2023 report found that 88% of security leaders consider control failures and gaps to be the primary reason for cyber breaches. Similarly, the 2022, 2023, and 2024 reports all found that around 9 out of 10 security leaders have been surprised by a security incident because they already had a tool or control in place to stop it. Additionally, the 2022 report found that a typical event, incident or breach is the result of five control failures.

    This theme has continued into the 2025 report: 61% of security leaders have suffered a breach specifically because of failed or misconfigured controls in the last 12 months and 70% say there are too many unknowns to get a clear picture of their risk.

    In short, security teams have the tools and controls in place to stop most commodity attacks, but there are gaps and control failures they don’t know about. These unknowns represent hidden risks.

    And those hidden risks can become even more significant with the presence of toxic combinations of control failure.

    But it isn’t just control failures. Breaches typically happen because threat actors move across multiple security domains. Verizon’s 2024 Data Breach Investigations Report found that nearly 80% of data breaches involve phishing and the misuse of credentials. That’s why understanding control failures is only half the battle. You also need to know who is responsible for the assets with those control failures. If those people are failing phishing tests and have admin credentials that can be misused by threat actors, then that’s a recipe for disaster.


    How AI amplifies cybersecurity risks

    These seemingly smaller risks compound together to create risks that are potentially very damaging. But, as mentioned above, AI also compounds the threat. There are benefits to using AI in cybersecurity, but there are also challenges. Threat actors use AI to develop more sophisticated attacks. This ranges from very good phishing emails to deepfake videos to creating malicious code.

    Splunk’s recent research on The Race to Harness AI in cybersecurity found that 91% of security teams have adopted AI, but 34% don’t have a generative AI policy in place. Expect that to change, though, as more regulations on AI are introduced worldwide, such as the EU AI Act and the AI Bill of Rights

    Interestingly, the Splunk report also asked the question: “Who has the AI advantage?”, and saw a split response. 43% think defenders will benefit most, 45% adversaries, and 12% think they will cancel each other out. Nevertheless, AI-powered attacks came in as the number one most concerning type of cyber attack.

    This all means that identifying toxic combinations is even more concerning. Hence 82% of security leaders fear AI will amplify challenges around toxic combinations.


    Current approaches to toxic combinations

    The established approach to identifying toxic combinations is challenging.

    It is often a heavily involved manual process. Security teams need to analyze attack patterns, often using frameworks like the Cyber Kill Chain®. They look beyond individual vulnerabilities and assess how they can be linked together in a multi-step attack. This approach requires continuous monitoring, vulnerability scanning, and understanding how different parts of a network interact. That means getting hold of data from a range of siloed sources that need to be analyzed, understood, presented in a meaningful way, and used to fix the problem.

    Pain points: 

    • Tool owners often operate using separate priority lists, that are dedicated to the tool(s) they manage. This means they prioritize their remediation activity based on a narrow field of view, without the ability to consider compound weaknesses that might exist across multiple security domains.
    • It’s a manual effort and slow process to identify the highest priority risks to work on first that might exist when weaknesses across more than one security domain could be combined in a kill chain.

    What's needed to prevent toxic combinations?

    We asked Simon Goldsmith, Enterprise Security and Platforms Lead at OVO, to comment. Simon is a well-regarded thought leader in cybersecurity, particularly focusing on a people-centric approach. That means an approach that focuses on the quality of communication, assessment, and mitigation of cyber risks by aligning to business objectives, as well as passionate advocacy for progress on diversity and inclusion.

    Here’s what he had to say:

    Security incidents stem from a convergence of multiple control failures. These failures have often been spotted before by security teams, either in security monitoring or controls testing, but it’s only when they interact in a toxic combination with the wrong threat actor as an accelerant, that we see truly damaging consequences. This is why an information security management system needs to be wired to do much more than detect missing and misconfigured controls.

    Simon Goldsmith
    Enterprise Security and Platforms Lead at OVO Energy

    “Effective amplification is vital to ensure that signals of problems, even seemingly small ones, are transmitted within the context of toxic combinations. The system must also make sure these signals are received and acted upon to prevent them from escalating into larger issues. The wiring is a feedback loop where individuals raise concerns, leaders respond swiftly and effectively, and everyone works together to verify that the implemented solutions have fully addressed the underlying risk exposure.”

    Any potential solution needs to utilize advanced automation and data analytics.

    It would need to create inventories of not just devices, but also people, accounts, privileges, vulnerabilities, and perhaps more. And layer on top of those inventories the status of security controls across multiple cyber domains, such as endpoint protection, vulnerability management, patch management, IAM, PAM, user awareness, and, again, perhaps more.

    It requires a lot of data to understand where the control failures and gaps are across these inventories and domains, so automation is essential.

    Let’s return to the example we used at the beginning.

    Any device that:

    • has an unpatched critical vulnerability;
    • doesn’t have endpoint protection;
    • is owned by an admin;
    • and that admin has been seen to fail phishing tests...

    ...would pose a risk to the business. A good solution to the toxic combination problem would be to identify a list of those devices so you can go away and fix them. Or perhaps fix them automatically (but that may come with its own problems).

    You’d also need to be able to configure for different toxic combinations. The first example is quite advanced, so you would expect the output number to be low.

    However, there may be more common toxic combinations that an organization would want to constantly monitor. For example, our customers can identify these more common toxic combinations:

    • Devices that have critical/high vulnerability(s) and no endpoint protection
    • Privileged accounts owned by repeat phishing offenders

    Referring back to Simon’s comment, it’s clear that simply discovering toxic combinations isn’t enough. They need to be communicated effectively, fixed, and verified.

    The final word

    The toxic combination challenge isn’t a new one. After all, attackers have always sought to exploit multiple vulnerabilities within the same target company. However, there is a growing urgency for security teams to prioritize the risks that are most attractive to become threats, especially as AI speeds up their efforts.

    Rapidly identifying these toxic combinations across multiple security domains is a challenge our customers have been trying to solve for a long time, so we’ve done something about it. If you’re interested to see how we’re solving this problem, get in touch.

    About the author

    Barnaby Clarke

    Related blogs

    View all blogs