Midmarket Security Teams Deserve Better Than Enterprise Hand-Me-Downs

March 18, 2026

New research shows 42% of midmarket security teams are stretched thin while enterprise tools don't fit. Here's why a zero trust reverse proxy, like Pomerium, changes the equation.


A new report from Intruder surveying over 500 senior security decision-makers paints a stark picture: midmarket companies are the "security middle child", too large to rely on small-business tools and too lean to absorb the complexity of enterprise platforms. And the gap between confidence and reality is wider than most leaders realize.

For midmarket security teams navigating this uncomfortable middle ground, the findings point to a fundamental structural problem, and to a different kind of solution than the one most vendors are selling.

The confidence gap is real

On the surface, midmarket security looks healthy. Budgets are increasing (89% of respondents say so), headcount is growing at most organizations, and 94% of leaders express confidence in their ability to catch critical risks before attackers exploit them.

But dig one layer deeper and the picture shifts. That confidence is unevenly distributed — 65% of C-level respondents say they're "very confident," but only 36% of middle managers share that view. The people closest to the daily operational reality are the most skeptical.

And they have reason to be. Twenty-eight percent of respondents cite lack of visibility into what's actually exposed as a top challenge. Eighteen percent are still tracking internet-facing assets manually. Half say it would take approximately a week to assess their exposure to a critical zero-day, in a threat landscape where exploitation can follow disclosure within 24 to 48 hours.

Confidence, it turns out, isn't rooted in visibility. It's grounded in not knowing what you're missing.

More tools, more problems

The instinct when teams feel stretched is to reach for more tools. And that's exactly what's happening — 33% of midmarket organizations plan to add new solutions this year, and 49% are prioritizing AI and automation adoption.

But the data suggests this is treating the symptom, not the cause. Forty-four percent of teams describe their security stack as either outgrown or fragmented. Twenty-six percent say they're navigating too many tools. Twenty-four percent struggle with poorly prioritized alerts. The stack isn't just complex, it's actively getting in the way.

This is the vicious cycle the report describes: a stretched team reaches for more tools, more tools create more noise, and more noise makes it harder to see what's actually exposed. Meanwhile, 46% of respondents say enterprise security platforms assume more staff, budget, or complexity than they can support, and 45% say they're forced to combine multiple tools to compensate for gaps.

The midmarket doesn't need more tools. It needs the right architecture.

Why access is the overlooked foundation

When midmarket teams think about security investments, they tend to focus on detection and response: CSPM, SIEM, EDR, vulnerability management. These are important categories, and the Intruder report confirms they dominate adoption across every sector.

But there's a layer underneath all of these that often goes unaddressed: who and what has access to your internal applications, services, and infrastructure in the first place?

This is where most midmarket organizations are still relying on legacy approaches, like VPNs that grant broad network access once a user authenticates, or a patchwork of application-specific login flows that create blind spots. The report's finding that 28% of teams lack visibility into what's exposed isn't just about internet-facing assets. It's about a fundamental inability to see and control who is connecting to what, from where, and under what conditions.

This is the problem Pomerium was built to solve.

A different approach for teams that can't afford complexity

Pomerium is a zero trust, identity-aware reverse proxy. Rather than tunneling users into the network like a VPN, or requiring a heavyweight SASE platform with a dedicated team to manage it, Pomerium sits in front of your internal applications and makes an access decision on every single request.

For midmarket security teams, this architecture matters for several specific reasons.

It's clientless. There's no agent to deploy and maintain on every endpoint. Users access internal applications through their browser. For a team of 6 to 10 people (the most common security team size in the report, at 65% of respondents), eliminating client management is not a small thing; it's hours back every week.

It's self-hosted. Your traffic doesn't route through a third-party cloud. For organizations in regulated sectors like healthcare and financial services, which the report shows are already leading in cloud security posture management adoption, keeping data flows within your own infrastructure simplifies compliance significantly.

It replaces rather than adds. Pomerium isn't another point solution to stitch into a fragmented stack. It replaces your VPN, your ad hoc access controls, and your manual access reviews with a single policy engine that continuously evaluates identity, device posture, group membership, and context on every request. For the 44% of teams whose stack is already outgrown or fragmented, this is consolidation that actually reduces complexity rather than shifting it.

It scales without scaling headcount. Policy-as-code means access rules are version-controlled, auditable, and repeatable. When the Intruder report notes that only 17% of midmarket organizations are prioritizing headcount growth while 49% are betting on AI and automation, it signals that teams need tools that multiply their existing capacity. Declarative access policy does exactly that — you define the rules once, and Pomerium enforces them continuously.
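As an added illustration of what "policy-as-code" means in practice (this is not configuration from the original post, only a constructed example), here is a fragment of a Pomerium configuration file that puts two internal applications behind per-route, per-request policy, written against Pomerium's documented `routes` and policy-language keys as I understand them; the hostnames, upstream addresses and group names are placeholders.

```yaml
# Constructed example: two internal apps behind Pomerium, each with its own
# declarative policy that is evaluated on every request (not once at login).
# Hostnames, upstream addresses and group names are placeholders.
routes:
  # Internal dashboard: any authenticated user in the company domain may
  # read it, but only members of the "sre" group may make changes.
  - from: https://dashboard.corp.example.com
    to: http://dashboard.internal:3000
    policy:
      allow:
        or:
          - and:
              - domain:
                  is: example.com
              - http_method:
                  is: GET
          - groups:
              has: sre

  # Admin console: limited to the security team; contractors are denied
  # even if they happen to be in the security group. A deny rule wins
  # over an allow rule, so the exception cannot be bypassed by group
  # membership alone.
  - from: https://admin.corp.example.com
    to: http://admin.internal:8080
    policy:
      allow:
        and:
          - domain:
              is: example.com
          - groups:
              has: security
      deny:
        or:
          - groups:
              has: contractors
```

Because the policy lives in a file, it can be reviewed in a pull request, diffed between releases, and audited alongside Pomerium's per-request access logs, which is the version-controlled, repeatable property the paragraph above describes.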

The agentic AI dimension

The Intruder report highlights that 49% of midmarket security leaders are prioritizing AI and automation adoption in 2026, and 41% report using AI-assisted pentesting. The appetite for AI is clear.

But as organizations begin deploying AI agents that interact with internal systems — querying databases, calling APIs, accessing internal tools — a new access control challenge emerges. These agents need identities, scoped permissions, and audit trails, just like human users do.

Pomerium has built support for the Model Context Protocol (MCP), providing the same identity-aware, policy-enforced access layer for AI agents that it provides for humans. Every agent gets a verified identity. Every action gets a policy check. Every interaction is logged.

For midmarket teams that are already stretched, the last thing they need is for their AI investments to create a new class of unmanaged access. Pomerium ensures that as you adopt agentic AI, your zero trust posture extends to cover it from day one.

What the right tool looks like for the midmarket

The Intruder report concludes with a pointed observation: "The midmarket security gap isn't a spending problem, in fact, budgets are growing. It isn't an awareness problem as leaders know the challenges they face. It's a structural one: the tools available to midmarket security teams were never built for the position they're now in."

The right tool for this position has a few characteristics. It reduces complexity rather than adding it. It works for a team of 6 just as well as for a team of 60, 600 or 6,000. It provides continuous verification rather than one-time authentication. It's transparent enough to audit and simple enough to operate without a dedicated platform team.

That's the design philosophy behind Pomerium. Not an enterprise platform squeezed into a smaller box, and not a small-business tool stretched beyond its limits, but a zero trust access layer built to serve teams and organizations of all sizes.

If your security team is feeling the strain of being the middle child, it might be time to stop looking for tools that were built for someone else and start with the architectural foundation that everything else depends on: knowing exactly who has access to what, and verifying it every single time.


Ready to see how Pomerium works for midmarket teams? Start with Pomerium Zero — deploy in minutes, no client software required.
