2025: The year human risk became manageable

2025 was the year human risk became the cybersecurity conversation. Not just at Mimecast — everywhere. Our State of Human Risk report quantified what security teams already knew: you can't firewall your way out of human-targeted attacks. So we built a platform and a company designed to actually manage it.

Here's some highlights on what that looked like in practice; the products we shipped, the recognition we earned, and the customer conversations that shaped where we're headed next.

The data that changed the conversation

The data from our State of Human Risk report landed hard: human risk is now the #1 cybersecurity challenge, outranking every technical vulnerability. Organizations are spending millions on tools while their employees are clicking the one link that undoes all of it. That's not a training problem. It's a visibility and control problem.

Real-time visibility into your human attack surface

With the launch of the Human Risk Command Center security teams got something they've never had: real-time visibility into who's clicking what, why they're high-risk, and how to fix it before something breaks. It's not awareness training with dashboards. It's the difference between knowing your organization has a phishing problem and knowing exactly which twelve people in finance are about to click on something catastrophic.

Recognition for challenging industry assumptions

SC Media named Marc van Zadelhoff Security Executive of the Year, recognizing what we've been saying all along: the industry needed someone willing to call out that traditional security approaches aren't cutting it. His bet that Human Risk Management would become central to enterprise security. Validated.

Elevate: What happens when practitioners drive the roadmap

We threw our first user conference – Elevate – and learned something important: when security practitioners get in a room together, they stop talking about products and start solving actual problems. The product roadmap discussions weren't marketing pitches. They were customers telling us exactly what they need to secure human risk at scale. More of this in 2026.

What 24 trillion data points taught us

Our threat intel team analyzed 24 trillion data points in 2025 and found something alarming: ClickFix attacks surged 500%, accounting for nearly 8% of all threats we tracked. These aren't sophisticated nation-state operations. These fake browser update prompts work because they look legitimate. The threat landscape isn't getting more complex. It's getting more convincing.

7X faster response when seconds cost millions

MIHRA AI cuts incident response time by 7X. That's not a marginal improvement; it's the difference between containing a breach and reading about yourself in the news. When an attack targets your people, seconds matter. MIHRA AI gives security teams those seconds back.

What's next

Everything we shipped in 2025 was about one thing: human risk. With actual tools that give security teams control over their human attack surface. 2026's roadmap is already full of things customers told us they need. We're building them.