Endpoint Security Statistics: US Breach Data and Industry Benchmarks

Endpoint security statistics drawn from federal agencies, industry standards bodies, and publicly available breach databases establish the quantitative baseline that organizations use to calibrate risk posture, justify security investment, and benchmark program maturity. This page covers the scope of endpoint-related breach data in the US, the mechanisms by which those figures are collected and reported, the scenarios in which specific metrics apply, and the decision thresholds that distinguish adequate from deficient endpoint security programs. The figures cited reference named public sources only.

Definition and scope

Endpoint security statistics encompass measurable data points describing breach frequency, attack vector distribution, remediation timelines, financial impact, and compliance posture across devices classified as endpoints — including workstations, laptops, servers, mobile devices, and connected operational technology assets. The scope of what counts as an endpoint has expanded substantially as IoT devices and cloud-connected workloads joined the attack surface.

The primary US reporting frameworks that generate these statistics include the FBI's Internet Crime Complaint Center (IC3), the Cybersecurity and Infrastructure Security Agency (CISA), the Health and Human Services Office for Civil Rights (HHS OCR) breach portal, and NIST's National Vulnerability Database (NVD). Each uses distinct collection methodologies, producing figures that are comparable only when source definitions are held constant.

IBM's annual Cost of a Data Breach Report, while produced by a commercial entity, draws on Ponemon Institute research methods and is widely cited by government bodies as a benchmark. The 2023 edition reported the global average breach cost at $4.45 million — the highest figure recorded in the report's 18-year history. US-based organizations recorded the highest country-specific average at $9.48 million per incident (IBM Cost of a Data Breach Report 2023).

How it works

Endpoint breach statistics are collected through three primary mechanisms: mandatory regulatory reporting, voluntary incident disclosure, and law enforcement complaint aggregation.

Mandatory reporting applies to regulated sectors. Under 45 CFR §164.408, HIPAA-covered entities must notify HHS OCR of breaches affecting 500 or more individuals within 60 days. HHS OCR publishes these disclosures on its public breach portal, commonly called the "Wall of Shame." As of federal fiscal year 2023, HHS OCR's breach portal listed over 5,000 cumulative entries, with hacking and IT incidents — the category that captures most endpoint attacks — accounting for the largest share of records exposed.

Voluntary frameworks include CISA's Voluntary Cyber Incident Reporting portal and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in 2022, which mandates 72-hour reporting for critical infrastructure operators once CISA finalizes implementing rules (CISA CIRCIA).

Law enforcement aggregation operates through the FBI IC3, which publishes the annual Internet Crime Report. The 2023 IC3 report recorded 880,418 complaints with adjusted losses exceeding $12.5 billion (FBI IC3 Internet Crime Report 2023). Ransomware, which predominantly enters networks through endpoint vulnerabilities, accounted for 2,825 formal IC3 complaints in 2023 — though the FBI acknowledges actual incident counts are significantly higher due to underreporting.

The endpoint threat landscape determines which statistical categories dominate in any given reporting period, and understanding which collection mechanism generated a figure is prerequisite to interpreting it accurately.

Common scenarios

Endpoint statistics appear in four primary operational contexts:

1. Risk quantification for budget justification — Security leaders use breach cost averages and attack frequency rates to support capital requests. The $9.48 million US average breach cost from IBM's 2023 report is the most frequently cited figure in this context.
2. Regulatory compliance benchmarking — Organizations subject to HIPAA, PCI DSS, CMMC, or FISMA use sector-specific breach statistics to assess whether their endpoint security compliance requirements align with peer organizations. The HHS OCR breach portal provides sector-specific denominators.
3. Vendor and technology evaluation — Procurement teams reference detection rate benchmarks, mean time to detect (MTTD), and mean time to respond (MTTR) published by MITRE ATT&CK evaluations when selecting endpoint detection and response platforms. MITRE Engenuity ATT&CK Evaluations do not produce ranked scores, but provide raw detection visibility data across vendor products (MITRE ATT&CK Evaluations).
4. Post-incident forensic benchmarking — After a breach, organizations compare their own containment timelines against the IBM-reported average breach lifecycle of 204 days to identify and 73 days to contain (2023 figures). Extended lifecycle correlates with higher total breach cost.

The contrast between ransomware-specific metrics and general breach statistics is operationally significant: ransomware incidents carry distinct cost structures including extortion payments, public disclosure obligations, and regulatory penalties that inflate average figures compared to non-ransomware endpoint breaches.

Decision boundaries

Endpoint security statistics become actionable at specific organizational decision thresholds:

sec.gov/rules/final/2023/33-11216.pdf)). Statistical benchmarks inform materiality determinations.
- Control adequacy under CIS Benchmarks: CIS Benchmarks for endpoints provide 100+ specific configuration controls. Organizations using CIS Controls v8 Implementation Group 2 as a baseline have a defined 56-control subset applicable to most mid-sized enterprises.
- Patch latency risk window: CISA's Known Exploited Vulnerabilities (KEV) catalog, which listed over 1,100 CVEs as of mid-2024, establishes mandatory remediation windows for federal agencies under BOD 22-01. Non-federal organizations use KEV data as a priority signal for patch management cycles.
- Comparing EDR vs. legacy AV coverage: Organizations transitioning from signature-based antivirus to behavioral detection platforms should reference MITRE ATT&CK evaluation data rather than vendor-supplied detection rate claims. The distinction between antivirus, EDR, and XDR capabilities maps directly to which statistical categories each tool affects.

Statistical benchmarks drawn from a single source without cross-referencing reporting methodology produce misleading baselines. Federal reporting (IC3, HHS OCR, NVD) and independent research methodologies (Ponemon/IBM, MITRE) measure different populations and should not be aggregated without normalization.

References

• FBI Internet Crime Complaint Center (IC3) — 2023 Internet Crime Report
• IBM Cost of a Data Breach Report 2023
• HHS Office for Civil Rights — Breach Portal
• CISA — Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
• MITRE Engenuity ATT&CK Evaluations
• NIST National Vulnerability Database (NVD)
• SEC Final Rule on Cybersecurity Risk Management — 17 CFR Parts 229 and 249
• CISA Known Exploited Vulnerabilities Catalog — BOD 22-01
• eCFR — 45 CFR §164.408 (HIPAA Breach Notification)