Duo Security

Quarterly Report filed 2026-05-14

Material Event filed 2026-05-14

Cisco stands alone in the Customers’ Choice Quadrant for 2026 based on reviews of its Duo offering in the Access Management VOC Cisco Systems was named a Customers’ Choice in the 2026 Gartner Peer Insights™ Access Management Voice of the Customer . The recognition follows Cisco’s inclusion in the 2026 Gartner Peer Insights™ Voice of the Customer User Authentication category. Cisco is the only vendor to be mentioned as a Customers’ Choice in both the 2026 VOC for Access Management and User Authentication based on reviews of its Cisco Duo offering. Among the companies evaluated by customers within the 2026 Gartner Peer Insights™ Access Management Voice of the Customer, Cisco was the only vendor to appear in the Customers’ Choice quadrant. Placement in the quadrant reflects ratings and reviews that met or exceeded the market average for User Interest and Adoption (x-axis) and Overall Experience (y-axis). Cisco, based on reviews for Duo, received an overall rating of 4.8 out of 5, reflecti

In a previous post, we explored why depending on a single Identity Provider (IdP) creates concentration risk that can affect availability, security, vendor leverage, and business continuity. Now we want to walk through the practical strategies for addressing that risk. If your organization has assessed its IdP concentration risk and determined that a mitigation strategy is necessary, this post provides two proven approaches you can implement. For a comprehensive framework to evaluate identity providers and directory strategies, download the IAM Buyers Evaluation Guide . We believe organizations operating critical infrastructure must implement a practical mitigation strategy for identity concentration risk. Two approaches have proven effective: Backup IdP: Maintain a secondary IdP that you fail over to during disruptions to your primary provider. Split IdP: Run two IdPs concurrently with your user base distributed across both providers. Each approach has distinct advantages depending on

AI agents are in your environment right now. They’re reading databases, sending messages on behalf of employees, and executing multi-step workflows across production systems. If you’re a security leader, you already know this introduces risk. The hard part isn’t awareness. It’s the pressure to keep pace. Every week brings new agentic capabilities, new integrations, new competitive advantages your organization can’t afford to sit out. So you let adoption move forward and accept a certain level of risk, because falling behind feels worse. That’s a reasonable trade-off. But most organizations are accepting risk they haven’t actually scoped. The agentic AI security challenge covers more ground than traditional security models account for, and without a way to think about it, it’s hard to know which exposures matter, which ones are already present, and where your existing controls fall short. In our research at Cisco Duo into how AI agents interact with enterprise systems through protocols

Many MSPs are helping clients build a stronger security foundation. But getting there isn't always straightforward. It takes time, resources, and alignment across teams. Yours and theirs. Meanwhile, threats aren't waiting. Many of your clients still rely on passwords and legacy access controls that weren't designed for today's attacks that target logins, not systems. Some have MFA in place, but the challenge is coverage and effectiveness. Ensuring it's enforced at the right access points and resistant to modern phishing attacks. According to Cisco Talos' 2025 Year in Review, VPNs are one of the top identity control points attackers target because VPNs authenticate users with credentials, and credentials get stolen. Without phishing-resistant MFA on the VPN, a stolen password is all an attacker needs to create a fully trusted session and move freely as a valid user. No forced entry. No alerts. And they're not stopping at the VPN. Talos found that MFA i

Following the adoption of zero-trust architectures, identity systems have become the new first line of defense. The shift from trusting connections based on network origin to verifying identity and device posture before granting access has been one of cybersecurity's most significant advances. If your organization relies on a single Identity Provider for every authentication decision, now is the time to evaluate whether that dependency creates more risk than you realize. Cisco Duo offers a free 30-day trial that lets you explore how Duo Single Sign-On (SSO) and Duo Multi-Factor Authentication (MFA) work as a second identity layer alongside your existing infrastructure. Modern hybrid and multi-cloud adoption typically results in a sprawl of disparate identity systems. The common approach to bridge these silos is through identity federation. Software as a Service (SaaS), Infrastructure as a Service (IaaS), and private applications are redirected to a central Single Sign-On (SSO) sys

Endpoint management platforms sit at the intersection of identity and device control. A compromised administrator does not need to find a zero-day or write custom malware. They already have the keys to push configurations, wipe devices, and modify security policies across an entire fleet. This is not a theoretical risk. It is a documented pattern, and it has a name: identity-based attacks on management infrastructure. Every time an attacker compromises administrative credentials for platforms like Microsoft Intune or Entra ID, they turn the tool designed to protect endpoints into a weapon. No malware required. No vulnerability exploited. Just identity governance that was not working the way it should. For a deeper look at why administrative access is vulnerable when it is not governed properly, read Cisco Duo's guide to privileged access management risks . In early 2026, a cyberattack hit Stryker Corporation, a major U.S. medical technology firm, and disrupted operations globally.

Proxy Statement filed 2026-04-10

Going passwordless is one of the most impactful steps an organization can take to reduce phishing risk and simplify the authentication experience. We’ve seen broad customer adoption of Duo Push for passwordless thanks to its familiar user experience, and we’re committed to continuously improving that experience. Today, we’re introducing enhancements to Duo Passwordless Push for Duo SSO apps that address limitations of the browser cookie-based approach used to establish device trust. Previously, switching browsers, setting up a new laptop, or simply clearing cookies could force users back to a password. That friction makes achieving true passwordless more difficult. By integrating Duo Desktop into the passwordless workflow and adding Bluetooth proximity verification, we’ve made Duo Passwordless Push more resilient, more consistent, and ready for organizations that want to go all in without compromise. Duo Passwordless Push works by verifying that a user's browser is recognized befo

The pace of innovation with agentic AI is genuinely staggering, and if you're a security leader trying to keep up, you are not alone in feeling like the ground is shifting beneath your feet. Every week there is news about new model updates, tooling, and capabilities for agentic AI. Somewhere in your environment right now, an AI agent is almost certainly operating without a proper identity, a defined owner, or any meaningful access controls. Developers are already connecting agents to production systems without looping in IT. This is exactly why we built Duo Agentic Identity. AI agents aren't productivity tools. They're autonomous actors that query databases, trigger workflows, send communications, and make decisions—capable of operating at machine speed and without human oversight. That's enormously powerful. It's also a security challenge your existing tools were never designed to handle. Every agent is effectively some level of privileged identity with access