Digital Content Editor, Eve Goode speaks exclusively with Chris Wallis, CEO and Founder of Intruder about the findings from the company’s newly released Security Middle Child Report.
The survey was taken by over 500 senior security decision-makers across the US and UK.
Throughout the interview, Wallis discusses what the survey revealed about the challenges facing midmarket organisations caught between enterprise tooling they cannot fully leverage and SME solutions they have outgrown.
These are organisations with complex digital estates, significant revenue and a wealth of data that make them worth targeting.
However, they often don’t have the resources, headcount or security depth that larger enterprises can draw on. That gap is what makes them attractive.
These organisations have grown rapidly, often through acquisitions or digital transformation programmes, and their attack surface has expanded accordingly.
In fact, our research found that 91% of midmarket organisations saw their digital estate grow over the past 24 months, with 38% describing that growth as significant.
The security function, in many cases, has not kept pace.
The confidence figures in our research are striking on the surface.
Almost all respondents (94%) express confidence in their ability to catch and remediate critical risks before attackers can exploit them.
The operational picture is harder to square with that.
Nearly one in three cite lack of visibility into what is exposed as a top operational challenge.
Around one in five are still tracking internet-facing assets manually and 51% say it would take about a week to assess their exposure to a critical zero-day.
In a threat environment where exploitation can follow public disclosure within hours, that is a significant window.
There is also a telling pattern in how confidence varies by seniority.
Two thirds of C-suite respondents describe themselves as very confident.
That figure drops to 55% among directors, 46% among senior managers and 36% among middle managers.
The people closest to the work are consistently the least confident.
That suggests a further disconnect within organisations as confidence is highest precisely where visibility is lowest.
The strain is real and it has direct consequences.
More than 40% of teams in our survey describe themselves as stretched, overwhelmed or consistently behind.
Over one in 10 say they are overwhelmed and reactive and a similar proportion say they are consistently behind and exposed.
When a team is in reactive mode, it cannot do the planned, strategic work that effective security requires.
The data also points to the reasons behind this strain and it’s down to a combination of factors, from resources to tooling complexity that adds to the noise instead of cutting through it and being stretched across too many demands.
Approximately one in four lack visibility into what is exposed (28%), navigate too many tools (26%) and deal with poorly prioritised alerts (24%).
A third cite limited resources and competing priorities as a top challenge.
The sector variation is worth noting as well. Professional services and manufacturing report the highest levels of strain, at 51% and 46% respectively.
In the healthcare sector, where the consequences of a security failure are particularly serious, a quarter of teams (26%) report that they are growing their teams more slowly than their digital estate.
Not always.
A significant share of respondents to our survey cited lack of visibility into what is exposed as a top challenge.
Yet attack surface management and continuous threat exposure management – the two categories most directly designed to address that problem – rank 10th and 13th for adoption.
Teams are investing in solutions that do not map to their most pressing needs, while the tools that would close the visibility gap remain under-deployed.
The dominant investment priorities for 2026 are AI and automation (49%) and adding new solutions (33%). Only 17% are prioritising headcount.
The instinct to reach for technology is understandable but 44% of teams already describe their stack as either outgrown or fragmented.
Adding more tools to a fragmented stack rarely simplifies anything.
AI pen testing is worth examining.
Just over four in 10 respondents report using it, but the category has only existed for around 12 to 18 months.
It is not clear whether all of those teams are using genuine AI pen testing or applying the label more loosely.
Adoption is also heavily skewed towards larger organisations and bigger teams.
Among teams of two to five people, adoption sits at 25%.
For the smallest and most stretched teams, there is a real risk that new AI tooling adds complexity rather than relieving pressure.
It is the root cause of much of what the data describes.
Nearly half of respondents say enterprise platforms assume more staff, budget or complexity than they can support.
Three in 10 say SME tools no longer meet their needs.
That leaves a substantial portion of the midmarket in a gap where neither end of the market serves them well and 45% say they are forced to combine multiple tools to compensate for gaps in their stack.
This is not a spending problem.
The vast majority of respondents (89%) are increasing budgets, so midmarket teams are not underinvesting.
The issue is that solutions available to midmarket teams were not designed for organisations of their size and resource profile.
When you stitch together tools built for different contexts, you get fragmentation, noise and blind spots.
A team spending its time managing that complexity has less capacity to focus on genuine risk.
Only 9% of midmarket organisations in our research discuss cyber-risk at board level, with just over half keeping it within security or IT leadership.
That means the majority of boards are making strategic decisions about the business without cyber-risk as part of that conversation.
The consequences are predictable.
Without board-level visibility, there is limited organisational pressure to address the disconnect between digital estate growth and security capacity.
Strategic resource decisions get made without a full picture of risk and when something does go wrong, the board is poorly positioned to respond effectively.
The path forward is as much about framing as it is about process.
Cyber-risk needs to be presented as a business risk with financial and operational consequences, not a technical problem for the security team to manage in isolation.
When boards understand the exposure in those terms, the conversation tends to follow.
