The US Cities Most at Risk for Cyberattacks in 2025

Not all cities are equally prepared for the digital threats coming their way. In some metro areas, critical industries like tech, finance, and healthcare are booming, but the cybersecurity workforce isn’t keeping up. That imbalance creates real risk—more open attack surfaces, more pressure on lean security teams, and more opportunities for attackers to break through.

To determine which US metro areas are most exposed, we built a Digital Risk Index based on the four key indicators. Each metric highlights a specific vulnerability in a city’s digital defenses:

• Cybersecurity workforce per 100K residents: A low number of employed professionals limits a metro’s ability to defend against and respond to attacks.
• Cybersecurity job openings per 100K residents: High demand with unfilled roles signals a talent gap that leaves critical systems vulnerable.
• High-risk industry density: Cities with large clusters of tech, healthcare, and finance companies are prime targets due to the volume of sensitive data they manage.
• Data breach volume: A history of frequent breaches may point to unresolved security weaknesses or persistent infrastructure gaps.

Together, these factors offer a fuller view of digital risk and reveal which cities face the greatest cybersecurity threats in 2025.

Key Takeaways

• California leads the risk index, with seven of the top 10 most at-risk cities located there.
• The Washington-Arlington-Alexandria metro area faces elevated cyber risk due to having the highest number of unfilled cybersecurity job openings per 100,000 residents (947), signaling a critical talent gap. The Baltimore, MD, and San Jose, CA, metro areas follow with vacancy rates of 487 and 310, respectively.
• Washington, DC, reports the highest rate of state-level data breaches, with 34 incidents per 100,000 residents.

Digital threat risk rankings

Cyber threats are evolving, but so are the vulnerabilities. And they’re not evenly distributed across the country. Our index reveals which metro areas face the most pressure today, based on the intersection of weaker defenses and high-value targets.

To determine a city’s Final Risk Rank, we analyzed data for 55 major metro areas with populations over 1 million. Each city was ranked based on four factors per 100,000 residents: the number of cybersecurity workers, the number of cybersecurity job openings, the number of companies in high-risk industries, and the number of data breaches in the city’s state.

See where your city ranks overall by searching the interactive table below, with 1 being the most at-risk city and 55 being the least.

Seven of the top 10 highest-risk metros are in California, where sky-high demand for cybersecurity workers meets a dense concentration of tech, healthcare, and finance firms. Los Angeles, San Francisco, and San Jose top the risk index. These cities face high demand for cybersecurity workers, which potentially leaves them more exposed when job positions aren’t filled fast enough.

The Washington-Arlington-Alexandria metro area and Boston, Massachusetts, also rank among the top 10 most at-risk cities. Both have many high-risk industries and elevated data breach activity. These overlapping risk factors increase exposure for businesses and consumers alike.

Cybersecurity weak spots

While every city in our index faces some level of exposure, the root causes vary. In many metros, the security talent pool is too small to keep pace with digital growth. Elsewhere, persistent breach activity or a heavy footprint of high-risk industries creates chronic pressure on existing defenses. Here’s a breakdown of the most and least at-risk metro areas in each of our Digital Risk Index’s four categories.

Some metro areas are more exposed because of what’s at stake. Nowhere is that more evident than in Washington, DC, the seat of the federal government and the area with the highest rate of state-level data breaches at 34 incidents per 100,000 residents. Whether due to a high concentration of valuable targets or lagging cybersecurity defenses, this volume of data breaches highlights a critical vulnerability.

Massachusetts follows with 17 data breaches per 100,000 residents, and Oregon with 14. For cities in these states, a consistent pattern of breaches may point to deeper infrastructure gaps, outdated systems, or insufficient cybersecurity investment, any of which can leave sensitive assets exposed.

Other metro areas face a different kind of risk. With just 49 cybersecurity professionals per 100,000 residents, Fresno, California, has the thinnest cyber defense layer in the index. As attacks become more frequent and complex, the shortage of skilled defenders leaves local infrastructure increasingly exposed.

According to the Global Cybersecurity Outlook 2025, 72% of security leaders reported a rise in cyber risks, with attacks growing not just in number but in sophistication. Tactics like ransomware, deepfakes, and AI-powered phishing are becoming more common, and supply chain attacks are on the rise. For cities already struggling to staff their cyber defenses, this wave of advanced threats could quickly overwhelm existing infrastructure.

The cybersecurity talent gap is a risk multiplier. The Washington, DC, metro area leads the nation in unfilled cybersecurity jobs, with 947 openings per 100,000 residents. Baltimore (487) and San Jose (310) also show high vacancy rates per capita compared to the rest of the cities in our study.

Digital risks are rising, and your defenses need to keep up

Some cities are becoming hotspots for cyber threats because their defenses aren’t scaling with their digital growth. When critical industries expand faster than the cybersecurity teams meant to protect them, vulnerabilities multiply. The result is a wider attack surface, more pressure on internal teams, and more opportunities for breaches.

For business leaders, this is a strategic moment. It’s time to invest in security infrastructure that adapts to growth. That means adopting tools that make authentication seamless, empowering nontechnical teams to manage access safely, and designing login experiences that protect users without slowing them down. As the threat landscape evolves, resilience starts with building smarter, more scalable defenses.

Methodology

To identify the US metro areas facing the greatest digital threats, we created a composite Digital Risk Index based on four core risk indicators. Each metric captures a different dimension of a metro’s cybersecurity landscape. Each of the 55 metro areas was assigned a risk score based on a weighted combination of the following variables:

• Cybersecurity workers per 100K residents(35%)
  • The estimated number of professionals employed in cybersecurity-related jobs from September 2023 through August 2024 in each metro area. Fewer workers indicate higher risk due to limited defense capacity. Data did not specify whether workers were on-site or remote.

• Cybersecurity job openings per 100K residents(30%)
  • The number of online job listings for cybersecurity-related positions from September 2023 through August 2024. More openings suggest higher demand and greater workforce gaps, increasing risk exposure.

• High-risk industry density (per 100K residents) (25%)
  • The number of private companies per capita in each metro area from the following sectors:
    • Tech (includes computer systems design & related services and computing infrastructure providers, data processing, web hosting, & related services)
    • Healthcare (also includes social assistance services)
    • Finance (also includes insurance organizations)
  • A higher concentration of these industries elevates risk due to the volume of sensitive data and critical infrastructure involved.

• State-level data breaches per capita(10%)
  • Data breaches were measured at the state level, including Washington, DC. For metros spanning multiple states, data was assigned based on the first state in the metro’s official name. For example, New York-Newark-Jersey City, NY-NJ, was mapped to New York.

Those with a higher risk score received a higher rank in the index. While this index provides a comprehensive look at digital vulnerability, a few limitations should be noted:

• State-level breach data: Data breaches were only available at the state level and were uniformly applied to all metros within each state. This may obscure localized differences in breach activity.
• Metro inclusion: Only 55 metros were included in the final ranking based on the availability of complete data across all four scoring metrics. Some smaller or less digitally mature metros may be excluded due to incomplete reporting or gaps in public data. Only metros with populations of 1 million or more were included.
  
• Job market volatility: Job postings are dynamic and may fluctuate due to economic shifts, remote work policies, or hiring freezes, which can affect the interpretation of demand.
  
• Population normalization assumptions: All per-capita calculations rely on population estimates, which may introduce slight inaccuracies in rank comparisons, especially in fast-growing metros.
  
• Sector categorization: The classification of “high-risk establishments” is based on NAICS codes and may include businesses of varying sizes and exposure levels.

About Frontegg

Frontegg makes customer identity and access management effortless by extending controls beyond engineering. Developers are freed from routine authentication tasks, while teams like Customer Success, Product, and Infosec can manage user access, security policies, and compliance settings without relying on engineering.

By distributing ownership of identity, Frontegg reduces developer toil, strengthens security and compliance, and enhances the customer experience. Developers focus on innovation, teams move faster without bottlenecks, and businesses scale securely. The result is a win-win.

Fair Use Statement

If you’d like to share this research, please do! We just ask that it be for noncommercial purposes and that you link back to this page and credit Frontegg appropriately.