Rising IT complexity and AI are creating a pathway for attackers to compromise critical resources, high-value assets, and data, warns Panaseer
NEW YORK – New research from Panaseer, a leader in security posture management powered by Continuous Controls Monitoring (CCM), shows 82% of security leaders fear AI will amplify challenges around toxic combinations of control failures. Moreover, 92% believe growing IT complexity is increasing the threat of toxic combinations, putting high-value assets at greater risk.
Toxic combinations of control failures are interconnected risks that span multiple inventories and asset relationships and compound to create a pathway for attackers to compromise a business. Now that attackers have AI at their disposal, security leaders are increasingly concerned that attackers will exploit these combinations, as Marc Möesse, Chief Product Officer at Panaseer, explains:
“The term ‘toxic combinations’ originates from pharmacology, where mixing certain drugs can have deadly effects. In cybersecurity, it describes the compounded risks when multiple security weaknesses overlap, creating layer upon layer of risk. Almost all breaches result from some form of toxic combination. For example, a user who has failed multiple phishing tests might have access to critical systems and an exploitable vulnerability on their device. Individually, each risk is relatively minor, but combined, the risk increases considerably. The whole is markedly greater than the sum of its parts. Now with AI, attackers can create more sophisticated attacks with minimal effort, so there is a greater chance that attackers will uncover and exploit toxic combinations.”
Panaseer warns that because toxic combinations span multiple security domains, they don’t always take the same form and are very hard to detect and prioritize. Security teams often lack the time and tools needed to see how different combinations of risk overlap within their environments, and are therefore ill-equipped to address areas of vulnerability or prioritize remediation effectively.
“Security incidents stem from a convergence of multiple control failures,” explains Simon Goldsmith, CISO at OVO Energy. “These failures have often been spotted before by security teams, either in security monitoring or controls testing, but it’s only when they interact in a toxic combination with the wrong threat actor as an accelerant, that we see truly damaging consequences. This is why an information security management system needs to be wired to do much more than detect missing and misconfigured controls.”
To tackle this challenge and help shine a light on toxic combinations, Panaseer has launched a new Compound Risk Metrics (CRMs) feature. Rather than a single number or line of data, CRMs deliver actionable insight into the specific assets and relationships driving a toxic combination, replacing manual cross-referencing with consistent, validated and verified data from across the business. Designed to address toxic combinations of risk across security domains, CRMs let organizations build threat-driven risk profiles by surfacing previously hidden or unknown exposures, prioritizing response and mitigating risk.
“It’s very difficult for security teams to identify toxic combinations, as it requires piecing together information from multiple security tools, attack chain analysis and vulnerability scans. Even then, you’re working blind because there’s no clear view of how different assets connect,” explains Möesse.
“Cybersecurity leaders are already feeling the pain of toxic combinations, as identifying them requires combining data from multiple security tools, security domains and across asset relationships, to uncover hidden risks, which is difficult with a typical security stack,” says Möesse. “Our new Compound Risk Metrics help teams save time and resources with reliable data, giving them a clear, continuous view of threats, and where they are overlapping.”
Panaseer describes CRMs as the only solution available today that integrates data from vulnerability, endpoint, Configuration Management Database (CMDB), user awareness and Privileged Access Management (PAM) tooling to spotlight hidden attack paths and devices at risk. The CRMs are automated and, according to Panaseer, ready to deploy within hours, so users can start building dashboards and drawing insights from their data quickly.
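As an added illustration of the join that the passages above describe (Möesse's example of a phishing-prone user who holds critical access and has an exploitable device, and the vulnerability, endpoint/CMDB, user-awareness and PAM feeds named in this paragraph), here is a small Python script. It is not Panaseer's code and makes no claim about how Compound Risk Metrics are implemented internally; every inventory record, device name, user name, finding ID and the two-failure phishing threshold is constructed for the example. It also shows the caveat a practitioner would want: a device that appears in the scanner but has no CMDB owner silently drops out of the join, so coverage gaps between inventories hide combinations and should be reported alongside the hits.

```python
"""Toy compound-risk join across four security inventories.

Added example, not Panaseer's code. All records below are constructed;
the names, IDs and the phishing threshold are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample feeds (hypothetical devices, users, findings and targets).
VULN_SCAN = [  # vulnerability tooling: one row per finding on a device
    {"device": "lt-0412", "finding": "vuln-a", "exploitable": True},
    {"device": "lt-0412", "finding": "vuln-b", "exploitable": False},
    {"device": "lt-0777", "finding": "vuln-c", "exploitable": True},
    {"device": "lt-0999", "finding": "vuln-d", "exploitable": False},
    {"device": "lt-0555", "finding": "vuln-e", "exploitable": True},  # no CMDB owner
]
CMDB = [  # endpoint / CMDB: device -> assigned owner
    {"device": "lt-0412", "owner": "alice"},
    {"device": "lt-0777", "owner": "bob"},
    {"device": "lt-0999", "owner": "carol"},
]
AWARENESS = [  # user-awareness platform: failed phishing simulations per user
    {"user": "alice", "phish_failures": 3},
    {"user": "bob", "phish_failures": 0},
    {"user": "carol", "phish_failures": 4},
]
PAM = [  # privileged access management: user -> privileged target
    {"user": "alice", "target": "erp-db-prod", "critical": True},
    {"user": "bob", "target": "erp-db-prod", "critical": True},
    {"user": "carol", "target": "wiki-test", "critical": False},
]

PHISH_FAIL_THRESHOLD = 2  # assumption: 2+ failed simulations = awareness control failure


def _exploitable_devices(vuln_scan):
    return {r["device"] for r in vuln_scan if r["exploitable"]}


def _phish_prone_users(awareness, threshold):
    return {r["user"] for r in awareness if r["phish_failures"] >= threshold}


def _critical_access(pam):
    access = defaultdict(set)
    for r in pam:
        if r["critical"]:
            access[r["user"]].add(r["target"])
    return access


def domain_failure_counts(vuln_scan, awareness, pam, threshold=PHISH_FAIL_THRESHOLD):
    """Control failures counted per domain, the way single-domain dashboards report them."""
    return {
        "exploitable_devices": len(_exploitable_devices(vuln_scan)),
        "phish_prone_users": len(_phish_prone_users(awareness, threshold)),
        "users_with_critical_access": len(_critical_access(pam)),
    }


def toxic_combinations(vuln_scan, cmdb, awareness, pam, threshold=PHISH_FAIL_THRESHOLD):
    """Return one (user, device, target) path per place all three failures coincide.

    The CMDB row is the pivot: it is the only record that ties a device to a
    person, and the person is what ties the device to the PAM entitlement.
    """
    exploitable = _exploitable_devices(vuln_scan)
    phish_prone = _phish_prone_users(awareness, threshold)
    critical = _critical_access(pam)
    paths = []
    for rec in cmdb:
        user, device = rec["owner"], rec["device"]
        if device in exploitable and user in phish_prone and critical.get(user):
            for target in sorted(critical[user]):
                paths.append({"user": user, "device": device, "target": target})
    return paths


def unmapped_exploitable_devices(vuln_scan, cmdb):
    """Exploitable devices the join cannot reason about because no owner is recorded."""
    owned = {r["device"] for r in cmdb}
    return sorted(_exploitable_devices(vuln_scan) - owned)


if __name__ == "__main__":
    print("per-domain failures:", domain_failure_counts(VULN_SCAN, AWARENESS, PAM))
    print("toxic combinations:", toxic_combinations(VULN_SCAN, CMDB, AWARENESS, PAM))
    print("unmapped exploitable devices:", unmapped_exploitable_devices(VULN_SCAN, CMDB))
```

On the constructed data each domain reports two or three failures on its own, yet only one attack path (alice, lt-0412, erp-db-prod) has all three failures lined up, which is the one to remediate first. The unmapped device lt-0555 is the second thing to act on: until it has an owner in the CMDB, no amount of scanning will tell you whether it sits on a path.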
You can read more in Panaseer’s new blog:
https://panaseer.com/resources/blog/why-toxic-combinations-are-a-cause-for-real-concern-in-2025
To download the ‘ControlWatch and the Continuous Controls Battle: Panaseer 2025 Security Leaders Peer Report’, please visit the Panaseer website: https://panaseer.com/resources/reports/2025-security-leaders-peer-report
About Panaseer
Panaseer is an enterprise cybersecurity company that helps organizations improve their security posture by continuously measuring whether controls are fully deployed and working effectively. It has been recognized by the World Economic Forum as a Technology Pioneer helping to solve the world’s most pressing issues.
Panaseer’s Continuous Controls Monitoring (CCM) platform gives CISOs a true picture of their security posture by measuring performance of their cybersecurity defenses against established frameworks and regulations. This enables them to take targeted action to reduce cyber risk and provide accurate data to stakeholders and regulators. CCM also drives more efficient use of resources through automated processes and improved prioritization.