In a revealing analysis of global cybersecurity incidents, Panaseer’s study finds that in 14 out of 20 major data breaches examined over the past five years — roughly 70 percent — the root cause wasn’t a single vulnerability but a toxic combination of overlapping risks that compounded to create catastrophic exposure.
The Pattern: Risk Layers, Not Single Failures
Rather than being triggered by one glaring mistake, many high-profile breaches show up as a chain of smaller, individually manageable failures that align in sequence. Panaseer analysed breaches at organisations like AT&T (2024), MGM Resorts International (2023), Okta (2022), Uber Technologies (2022) and Colonial Pipeline (2021), finding that the breaches followed similar blueprint-like sequences. For example, the AT&T breach combined credential harvesting via malware, a cloud database lacking multi-factor authentication (MFA), unmonitored reconnaissance tools, and undetected large-scale data exfiltration.
This layering—“credentials + weak access controls + undetected movement + data exfiltration”—creates what Panaseer calls a “toxic combination”. Many organisations focus on addressing each risk in isolation (patching, MFA, monitoring), but without seeing how they align in sequence, the risk remains significant.
Why This Matters
The implications of this finding are substantial for executives, boards and cybersecurity leaders:
- Single fixes won’t suffice: Stopping one vulnerability (e.g., enabling MFA) is unlikely to prevent a breach if other blind spots remain. The interaction of multiple weak controls is still the problem.
- Risk visibility must be holistic: Organisations need the ability to identify when seemingly low-risk issues overlap across domains (identity, cloud, network, operations). This demands data-driven, cross-domain analytics, not just human intuition.
- Prioritisation becomes more strategic: Rather than simply remediating all vulnerabilities equally, organisations should focus on the highest compound risks—those combinations of weaknesses that adversaries are most likely to exploit in sequence.
- Investment in detective and response capabilities matters: Preventive controls are necessary but not sufficient. Organisations need mechanisms to detect when multi-layered attack chains are forming and respond early.
Key Findings From the Panaseer Analysis
Some of the notable observations:
- Out of 20 major breaches, 14 (≈70%) clearly showed evidence of compounding risks that formed the final breach pathway.
- Five case studies drilled deeper into how only eight distinct risk factors, when combined in various ways, accounted for multiple catastrophic breaches.
- In each of those five cases, the breach did not happen due to one failure, but because multiple failures aligned and cascaded.
- The notion of “one critical vulnerability” being the root cause is largely challenged. Instead, minor flaws repeated across domains may be the more realistic threat scenario.
What Organisations Should Do Now
Given this insight, the study suggests several strategic actions:
- Map risk overlap scenarios: Create a matrix of how vulnerabilities in identity, cloud access, lateral movement, third-party access, monitoring gaps and data exfiltration may combine.
- Prioritise compound risk metrics: Use tools that calculate compound exploitability — e.g., how many weaknesses exist along a likely adversary chain, and which create the greatest exposure when combined.
- Invest in cross-domain signal aggregation: It’s not enough to silo identity risk, cloud risk and endpoint risk. Systems must correlate signals across these domains and alert when patterns align.
- Simulate attack-chain scenarios: Instead of only patching vulnerabilities, test scenarios where an adversary might walk through multiple layers: stolen credential → misconfigured cloud service → undetected egress.
- Strengthen detective and response mechanisms: Focus on early detection of reconnaissance or lateral movement, and ensure effective escalation to stop the chain before full breach or exfiltration occurs.
- Governance and board awareness: Communicate to senior leadership the concept of overlapping risk rather than isolated vulnerability — so that resource allocations and security strategies reflect this reality.
Challenges and Considerations
While the insights are compelling, applying them is not without challenges:
- Data and tooling gaps: Many organisations lack unified visibility across identity, cloud, network, endpoint and third-party domains, making compound risk analysis difficult.
- Complexity and noise: Aggregating signals across domains can generate many alerts; distinguishing true compound risk chains from false positives remains a trade-off.
- Organisational silos: Risk domains are often managed separately (identity team, cloud team, network team). Bridging these silos across people, processes and technology is essential but hard.
- Resource allocation: While compound-risk remediation is strategic, it can be harder to budget and justify compared to simple patch management or single control upgrades.
- Changing adversary behaviour: Attackers adapt. Compound risk scenarios will evolve. Organisations need to update their modelling continuously to reflect new tactics, techniques and procedures (TTPs).
The Bigger Picture: Cyber Risk is Multiplicative, Not Additive
This research shifts the way we conceptualise cyber risk: rather than thinking in terms of “100 vulnerabilities → X risk”, it’s more accurate to imagine multiple weak nodes forming pathways that adversaries exploit. Each additional weakness in the chain multiplies overall exploitability.
The traditional focus on individual controls remains important—but insufficient. What matters increasingly is how controls interface, how weaknesses cascade, and whether detection and response mechanisms can stop multi-step attacks.
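To make the "multiplicative, not additive" point and the compound-risk prioritisation step above concrete, here is an added illustration (not Panaseer's tooling or scoring method): it models the chain from the AT&T description as four stages, each broken by one control, and scores each asset by the probability the whole chain succeeds end to end. The control names, per-stage weights and asset inventory are constructed assumptions.

```python
"""Compound-risk scoring over an adversary chain, modelled on the sequence the
Panaseer summary describes (credential theft -> MFA-less cloud access ->
unmonitored reconnaissance -> undetected exfiltration). Added example; the
control names, stage weights and asset inventory below are constructed."""
from dataclasses import dataclass, field

# Stages of the chain, in the order an adversary must traverse them.
CHAIN = ("credential_theft", "cloud_access", "reconnaissance", "exfiltration")

# Control that breaks each stage, and the assumed probability the stage still
# succeeds when that control is present vs absent (constructed weights).
STAGE_CONTROL = {
    "credential_theft": ("endpoint_malware_protection", 0.2, 0.8),
    "cloud_access": ("mfa_enforced", 0.05, 0.9),
    "reconnaissance": ("recon_tool_monitoring", 0.3, 0.95),
    "exfiltration": ("egress_anomaly_detection", 0.1, 0.9),
}

@dataclass
class Asset:
    name: str
    controls: set = field(default_factory=set)  # controls in place on the asset

def missing_controls(asset):
    """Additive view: which chain-breaking controls the asset lacks."""
    return [c for c, _, _ in STAGE_CONTROL.values() if c not in asset.controls]

def compound_exploitability(asset):
    """Multiplicative view: probability the chain succeeds end to end.
    Each stage's success probability depends on whether its control exists."""
    p = 1.0
    for stage in CHAIN:
        control, p_with, p_without = STAGE_CONTROL[stage]
        p *= p_with if control in asset.controls else p_without
    return round(p, 4)

def rank_assets(assets):
    """Order assets by compound exploitability (highest first), carrying the
    additive gap count alongside so the two views can be compared."""
    rows = ((a.name, compound_exploitability(a), len(missing_controls(a)))
            for a in assets)
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed inventory: two assets miss the same number of controls but sit
# an order of magnitude apart once the chain is scored multiplicatively.
ASSETS = [
    Asset("customer-db", {"endpoint_malware_protection", "recon_tool_monitoring"}),
    Asset("hr-portal", {"mfa_enforced", "egress_anomaly_detection"}),
    Asset("legacy-share", set()),
    Asset("billing-api", {STAGE_CONTROL[s][0] for s in CHAIN}),
]

if __name__ == "__main__":
    for name, p, gaps in rank_assets(ASSETS):
        print(f"{name:14s} compound={p:.4f} missing_controls={gaps}")
```

Counting gaps ranks customer-db and hr-portal as equals; scoring the chain shows customer-db is roughly ten times more exposed, because the controls it lacks sit on the stages an adversary most needs to pass.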
Final Thoughts
The Panaseer analysis serves as a wake-up call: major breaches are rarely caused by a single catastrophic failure. They are almost always the result of multiple small failures, aligned in sequence and exploited by adversaries who understand sequences better than organisations anticipate them.
For executives and security leaders alike, the message is clear: shift from “What single control am I missing?” to “What risk paths can an adversary walk through in my environment?” Focus on detecting and breaking those paths, and you’ll be far better positioned to prevent the next major breach.
