Today marks nine years since the Cyentia Institute first launched with a simple goal: make cybersecurity data make sense. Nearly a decade later, we’re still doing exactly that—with more data, more collaborators, and more curiosity than ever.

Over the past nine years, we’ve published dozens of original research studies across the cybersecurity, risk, and insurance spaces—each one grounded in data and built to answer real questions. From our exploration of vulnerability exploitation timelines in the Exploit Prediction Scoring System (EPSS), to the detailed breakdowns of security metrics in the Information Risk Insights Study (IRIS) series, our work has helped practitioners, vendors, and insurers understand where risk truly lies and how it behaves. Whether it’s digging into ransomware trends, third-party risk, or incident frequency by sector, we’ve aimed to provide clarity through credible analysis.

“The best research doesn’t try to predict headlines. It helps people prepare for them.”

– Jay Jacobs

One of our proudest accomplishments has been the ongoing development and expansion of the IRIS research series. When we launched the first IRIS report, our goal was to cut through the noise and bring empirical visibility to cyber loss events. Since then, we’ve released multiple IRIS editions—including IRIS 20/20, IRIS Ransomware, IRIS T.E.A, and the two upcoming IRIS reports for 2025—each one building on the last to paint a more complete picture of the economic impact of cyber incidents. These reports have been used by insurers to inform underwriting, by security leaders to prioritize resources, and by researchers to push the field forward. It’s fair to say that the IRIS series brought clarity to cyber loss at a scale that hadn’t been possible before.

We’ve also been fortunate to collaborate with some of the most respected organizations in the industry. Whether partnering with RiskRecon to assess third-party cyber risk, or working with Advisen to leverage incident data for broader risk modeling, our goal has always been to produce research that informs decisions and drives practical action. Sometimes that action is strategic—like informing board-level cyber risk assessments. Other times, it’s sparked conversation and even a little healthy debate. We welcome that. Good research should get people talking.

“Cyentia is one of the few teams that consistently blends academic rigor with operational relevance. That’s rare—and valuable.”

– Review from Partner Organization

Of course, none of this would be possible without the team behind it. Over these nine years, we’ve built a group of analysts, data scientists, and security researchers who somehow make all of this look easy. They ask hard questions, dig through complex datasets, and explain their findings in a way that actually makes sense. Whether it’s modeling the frequency of data breaches, testing predictive scoring systems, or visualizing data in ways that grab attention, their work keeps Cyentia focused, curious, and continually moving forward.

To date, we’ve published 30+ major reports, analyzed hundreds of thousands of incidents, and reached an audience of millions across the security community.

And we’re only getting started.

We’ve spent nearly a decade buried in datasets, translating spreadsheets into stories, and asking questions that actually get people to think. Along the way, we’ve learned a few things:

  • The plural of anecdote is still not data—but anecdotes with context can be a useful signal

  • Data-driven doesn’t mean data-drenched—clarity beats quantity every time

  • Cyber risk isn’t static—and neither are we

To our clients, partners, readers, and fellow data nerds: thank you for being part of this with us. Whether you’ve followed us since our first publication or only recently discovered our work, you’ve helped shape what Cyentia is today. We’re here because you’ve continued to ask good questions, challenge assumptions, and push for better data, better models, and better decisions. Whether you’ve read every report cover to cover, skimmed for the charts, or bookmarked them for that one meeting where you needed the right stat—we’re glad you’re here.

Every conversation, collaboration, and piece of feedback (even the brutally honest kind) has helped us grow. You’ve told us what matters, what resonates, and what connects. That dialogue has made our research better and our purpose sharper.

As we head into year ten, we’ve got a lot coming down the pipeline: new IRIS reports focused on emerging risks, expanding work, deeper partnerships across sectors, and continued innovation in how we share and visualize data. We’re also exploring fresh ways to connect, more accessible insights, and a few experiments we think you’ll enjoy. If you’ve got questions you want answered, datasets you want to explore, or stories you think deserve to be told through data, we’d love to hear from you.

Here’s to nine years of research with purpose—curious, collaborative, and always questioning. Here’s to what comes next.