Security software sells fear. Some of that fear is justified. Here’s what actually protected users in 2025 versus what just extracted subscription fees.

Password Managers: Still Essential

1Password and Bitwarden remained the best password managers. 1Password offered superior user experience and family features. Bitwarden cost less and offered open source transparency.

LastPass continued its slow decline. Multiple security incidents and degraded user experience pushed users toward alternatives. If you’re still using LastPass, this is your annual reminder to switch.

Dashlane worked fine but couldn’t justify its premium pricing compared to 1Password.

The security impact: Password managers prevent credential reuse, the single biggest personal security vulnerability. This category is worth paying for.

VPNs: Necessary But Oversold

NordVPN, ExpressVPN, and Mullvad all provided reliable VPN services. The difference came down to jurisdiction (Mullvad in Sweden for privacy maximalists), price, and marketing budget.

VPNs are essential for:

• Using public WiFi safely
• Accessing region-locked content
• Privacy from ISP tracking

VPNs don’t:

• Make you anonymous (you’re still trackable through browser fingerprinting and cookies)
• Protect you from malware
• Make illegal activity legal

Most VPN marketing is oversold privacy theater. But the core use case—encrypting traffic on untrusted networks—remains valid.

Antivirus: Built-In Solutions Won

Windows Defender (now Microsoft Defender) reached parity with paid antivirus in detection rates while being free and not slowing down systems.

macOS built-in security (XProtect, Gatekeeper, etc.) protected most Mac users without third-party tools.

Paid antivirus like Norton, McAfee, and Bitdefender still existed but served diminishing value for typical users in 2025. They caught maybe 2-3% more threats than built-in solutions while using significant system resources and creating user friction.

Enterprise antivirus remained different. Centralized management, detailed logging, and compliance requirements justified CrowdStrike, SentinelOne, and similar endpoint protection platforms.

Browser Security: uBlock Origin and Common Sense

uBlock Origin remained the essential browser extension for blocking ads, trackers, and malicious scripts. Free, open source, effective.

Privacy Badger, Ghostery, and similar tools added marginal value on top of uBlock Origin. Most users only needed one ad/tracker blocker.

HTTPS Everywhere became less necessary as browsers and websites defaulted to HTTPS. Still useful as defense-in-depth.

The uncomfortable truth: most security breaches come from social engineering (phishing, pretexting) not technical exploits. Browser extensions can’t fix human judgment.

Two-Factor Authentication: Authy and Google Authenticator

Authy allowed multi-device sync and cloud backup. This added convenience but created a potential security tradeoff.

Google Authenticator remained simple and secure but lacked backup features. Losing your phone meant recovery pain.

1Password and Bitwarden both added TOTP support, consolidating 2FA into password managers.

SMS-based 2FA remained common despite being less secure than authenticator apps. Something is better than nothing, but TOTP apps are better than SMS.

Hardware tokens like YubiKey provided maximum security for high-value accounts. Overkill for most users, essential for high-risk individuals.

Email Security: Proton and Built-In Filters

ProtonMail served privacy-focused users wanting end-to-end encrypted email. The 2025 improvements to usability made it more viable for non-technical users.

For most users, Gmail and Outlook’s built-in spam and phishing detection worked excellently. The false positive rate was low, and the catch rate was high.

SpamSieve and similar third-party email filters added minimal value for individual users. Corporate email filtering (Mimecast, Proofpoint) remained valuable for enterprises.

Backup Solutions: Backblaze and Cloud Storage

Backblaze provided unlimited backup for $70/year. It worked reliably, ran in the background, and restored files when needed. This is textbook good software.

Crashplan served business backup needs with better admin controls.

Cloud storage (Google Drive, Dropbox, OneDrive) provided accidental deletion protection but not true backup. Ransomware can encrypt cloud-synced files. Dedicated backup solutions protect against more failure modes.

External hard drives with manual backups remained viable for users who actually maintained the discipline. Most people didn’t.

Firewall Software: Built-In Wins Again

Windows Firewall and macOS Firewall both worked well enough that third-party firewalls added minimal value for typical users.

Little Snitch (macOS) appealed to users wanting granular outbound connection control. Useful for detecting misbehaving applications. Overkill for most.

Mobile Security: Less Than You Think

iOS security largely worked through Apple’s walled garden approach. Installing security apps on iOS did approximately nothing useful.

Android security depended on keeping devices updated and avoiding sideloaded apps. Google Play Protect caught most malicious apps. Third-party antivirus on Android had marginal utility.

Privacy Tools: Firefox and Brave

Firefox with privacy extensions (uBlock Origin, container tabs) provided strong privacy without cryptocurrency baggage.

Brave integrated privacy features by default and worked well despite the cryptocurrency integration that some users found annoying.

DuckDuckGo browser worked for mobile privacy-focused browsing.

Tor Browser remained essential for maximum privacy needs but too slow for general browsing.

What You Actually Need

For typical users:

1. Password manager (1Password or Bitwarden)
2. VPN for public WiFi (NordVPN or Mullvad)
3. uBlock Origin browser extension
4. Two-factor authentication (Authy or Google Authenticator)
5. Cloud backup (Backblaze or iCloud/Google)
6. Common sense about phishing and social engineering

That’s it. Everything else is optional based on specific threat models.

What Enterprises Need

Corporate security requirements differ:

• Endpoint detection and response (EDR)
• Email filtering and DLP
• VPN and zero-trust network access
• Security information and event management (SIEM)
• Employee security training

Organizations work with AI consultants in Sydney and security specialists to implement comprehensive security programs rather than relying on individual tools.

The Security Theater Problem

Much security software sells reassurance rather than protection. Antivirus that runs constant scans, browser extensions that display “protected” badges, VPNs that claim to make you “anonymous”—these create feelings of security without proportional actual security.

The best security comes from:

• Unique passwords for every service
• Two-factor authentication on important accounts
• Regular software updates
• Skepticism about unexpected requests (phishing defense)
• Backups for important data

Software can enable these practices, but the practices matter more than the specific tools.

Looking to 2026

Expect built-in OS security to continue improving, reducing the need for third-party security software. Password managers and VPNs will remain valuable. Antivirus will continue its slow decline in consumer relevance.

The security software that survives will solve specific problems clearly rather than promising comprehensive protection from all threats.