A curated list of annual cyber security reports - Centralized annual cybersecurity analysis and industry surveys
Definition: The cybersecurity landscape is constantly evolving, making it hard for CIOs, CISOs, and security leaders to keep up. They're flooded with annual reports from research consultancies, industry working groups, non-profits, and government agencies, and sifting through marketing material to find actionable insights is a major challenge. This list aims to cut through the noise by providing a vendor-neutral resource for the latest security trends, tools, and partnerships. It curates information from trusted sources, making it easier for security leaders to make informed decisions.
Disclaimer: The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. There are a variety of business models and drivers that would cause information to be put behind a paywall, and I would like to respect those companies and individuals. Consult the original authors for licensing of any report content.
Limitations: This is not a collection of project-based information such as white papers, intelligence reports, technical specifications, or standards. I welcome all user-submitted uploads or report requests, but we should draw a box around this awesome list. All reports will be sourced from the original author when possible and uploaded to Hybrid Analysis for an additional level of confidence; the result link will be included in the readme.md commit notes.
Acknowledgement: I would like to give recognition to other works that inspired this collection. Richard Stiennon's annual analysis of the cybersecurity industry is significantly more comprehensive than this repository and deserves recognition. Additionally, Rick Howard's Cyber Canon list of must-read books is an invaluable resource, catering to both leadership and practitioner levels within the field.
Reports have been classified into two categories by the source of data.
- Analysis: Reports generated from quantifying and qualifying intelligence from sensor networks or services.
- Survey: Reports generated from observations and feedback from surveys or consulting engagements.
The reports listed below are the most recent iteration, while past versions are stored in their corresponding yearly folders. If a source has not updated a report in three years, it will no longer be featured in the ReadMe.md file but will still be accessible within the repository directory corresponding to its respective year.
The "Data Type" field categorizes the nature or focus of each report. This field helps to classify and organize the reports based on their primary content or emphasis.
Annual reports are produced by a combination of paid and non-profit research, both internal and external to the organization. Examples of paid and government-sponsored research are listed as research consulting. Examples of sponsored and non-profit research include professional societies and standards organizations, which are listed as working groups. Both of these research resource types rely on sponsorship that is often commercial.
- Forrester Research - an advisory company that offers paid research, consulting, and event services specialized in market research for information technology.
- Gartner - a technology research and consulting firm which offers private paid consulting as well as executive programs and conferences.
- MITRE Corporation - an American not-for-profit organization which conducts research and development supporting various U.S. government agencies.
- The Rand Corporation - an American not-for-profit organization which conducts research and analysis on various aspects of cybersecurity and cyber policy focused on national security.
- Ponemon Institute - considered the pre-eminent research center dedicated to privacy, data protection and information security policy.
- SANS Institute - a private U.S. for-profit company which conducts research for consumers of their cybersecurity training and certifications.
- The International Information System Security Certification Consortium (ISC)² - an American not-for-profit organization which conducts research for consumers of their cybersecurity training and certifications.
- The Information Security Forum (ISF) - a global, independent organization dedicated to benchmarking and sharing best practices in information security.
- International Data Corporation (IDC) - a global provider of market intelligence and advisory services.
- The Cyber Threat Alliance (CTA) - an industry-driven group of cybersecurity organizations that share threat intelligence and conduct collaborative research to combat cyber threats.
- The Information Systems Audit and Control Association (ISACA) - an international professional association focused on IT governance, which conducts research for and on behalf of the members.
- The Forum of Incident Response and Security Teams (FIRST) - provides platforms, means and tools for incident responders to always find the right partner and to collaborate efficiently.
- The Open Web Application Security Project (OWASP) - a professional community that produces research concerning web application security, made freely available to the online community.
- The International Organization for Standardization (ISO) - an international standards body composed of national representatives, which conducts closed research for the creation of standards.
- Cybersecurity and Infrastructure Security Agency (CISA) - a U.S. government agency responsible for enhancing the security and resilience of the nation's critical infrastructure.
- Europol - European Cybercrime Centre (EC3) - a strategic alliance focused on combating cybercrime within the European Union.
- The Cybersecurity Forum Initiative (CSFI) - an American non-profit organization that promotes cybersecurity awareness and research.
- The Center for Internet Security (CIS) - an American non-profit organization that provides cybersecurity solutions and best practices.
- The Center for Strategic and International Studies (CSIS) - Technology Policy Program - a think tank whose Technology Policy Program conducts research and provides insights into technology and cybersecurity policy.
Please refer to the guidelines at CONTRIBUTING.md for details.