Overconfident and under-resourced: navigating the midmarket security gap

Olya Osiagina
Head of Demand Generation

Security teams are stretched, and a fractured security tech stack isn't making life easier. Midmarket companies are significant targets, with complex digital estates, real revenue, and valuable data, but the vendor market wasn't really built with them in mind. Many have outgrown entry-level solutions but don't have the headcount or resources to support a sprawling enterprise security tech stack.

It's an uncomfortable reality, and we call it the security middle child problem. And we wanted to put numbers behind it.

We surveyed more than 500 security decision-makers at companies with 400-6,000 employees across the US and UK. What came back was a picture of high confidence at the top, but the closer you get to the teams doing the work, the more the cracks show.

Here are three findings. Want the full picture? Download the Security Middle Child report for free.

The confidence gap is striking

65% of C-level leaders say they're "very confident" in their security posture. Among middle managers, the people closest to the actual work, that drops to just 36%. The closer you are to the day-to-day, the less certain you are that things are working.

That gap matters. When we asked how long it would take to assess exposure to a critical zero-day, 51% said approximately a week. In a threat environment where exploitation routinely follows disclosure within 24 to 48 hours, that's worth paying attention to.

The full report breaks down confidence by seniority, company size, and sector, so you can see exactly where your organization sits.

More tools, less clarity

44% of teams have either outgrown their security stack or stitched it together from point solutions that don't provide a unified view. And with 33% planning to add more solutions this year, the fragmentation is likely to deepen rather than resolve.

The vendor market isn't helping. 46% say enterprise platforms assume more staff, budget, or complexity than they can support, while 29% say SMB tools no longer meet their needs. Midmarket security teams aren't failing to choose the right tools - the right tools largely haven't existed for them. It's a gap we know well, and it's what Intruder was built to close - a single platform that brings together attack surface management, vulnerability scanning, and cloud security, so lean teams can see what's exposed without stitching together five different tools to get there.

The report includes a breakdown of the top five tools by sector, where investment is flowing, and whether it maps to the problems teams actually face.

Cyber risk isn't reaching the boardroom

Just 9% of midmarket organizations discuss cyber risk at board level. 51% keep it at security or IT leadership only, and 7% confine it entirely to the security team.

UK respondents are more than twice as likely as US counterparts to report board-level discussion (14% vs 6%), suggesting regulation is doing what internal advocacy struggles to achieve.

Without board visibility, there's limited pressure to change course, and the problems this report describes keep reinforcing each other.

There's a lot more in the full report

These three findings are just the starting point. The full report covers how headcount is holding up as estates scale, which sectors are under the most pressure, how investment priorities are shifting, and what the data reveals about AI adoption, all broken down so you can benchmark against 500+ peers.

Chris Hughes also wrote an independent analysis of the data, worth reading if you want an outside perspective on what these numbers mean.

Get the full Security Middle Child report.
