Absolute Security released its 2026 Resilience Risk Index at RSA Conference 2026, and the headline finding is stark: endpoint security software fails to protect devices nearly 21 percent of the time, leaving enterprise PCs exposed to attacks for up to 76 days per year.

The report is based on anonymized telemetry analyzed across millions of endpoint devices by Absolute Security’s Cyber Resilience team. The company estimates that gap in coverage contributes to $400 billion in annual downtime losses globally, a figure drawn from Oxford Economics research conducted in partnership with Splunk.

The data reveals compounding problems. Critical OS patching for Windows 10 and 11 PCs is lagging by an average of 127 days, more than double the 56-day lag found in last year’s report. Ten percent of enterprise PCs still run Windows 10, which Microsoft ended support for in October 2025, leaving those devices exposed to unpatched vulnerabilities. Protected-state integrity dropped from 64 percent in 2025 to 55 percent in 2026, meaning nearly half of all enterprise devices now fall outside a fully protected and enforceable state.

The report also flags growing risks at the intersection of AI and endpoint security. Browser sessions on PCs rose from 150 million to 350 million year-over-year, with employees increasingly visiting high-risk generative AI sites like DeepSeek. Because endpoint security tools fail roughly one in five times, those AI visits may be happening without any governance controls applied.

“Cyberattacks are inevitable, downtime is optional,” said Christy Wyatt, President and CEO of Absolute Security. “The cybersecurity industry has rushed to provide innovations that detect and prevent threats, unfortunately it’s lagging when it comes to ensuring that tools can remain operational when they are needed most.”

Absolute Security is embedded in the firmware of 600 million devices through partnerships with more than 28 endpoint device manufacturers. The full 2026 Resilience Risk Index is available at absolute.com.