Quantum cryptographic protocols are typically analyzed by assuming that potential opponents can carry out all physical operations, an assumption which grants capabilities far in excess of present technology. Adjusting this assumption to reflect more realistic capabilities is an attractive prospect, but one that can only be justified with a rigorous, quantitative framework that relates adversarial restrictions to the protocol’s security and performance. We investigate how limitations on the eavesdropper’s (Eve’s) ability to make a coherent attack affect the security of continuous-variable quantum key distribution (CV-QKD). We consider a realistic attack in which the total decoherence induced during the attack is modeled by a Gaussian channel. Based on our decoherence model, we propose an optimal hybrid attack, which allows Eve to perform a combination of both coherent and individual attacks simultaneously. We evaluate the asymptotic and composable finite-size security of a heterodyne CV-QKD protocol against such hybrid attacks in terms of Eve’s decoherence. We show that when the decoherence is greater than a threshold value, Eve’s most effective strategy reduces to the individual attack. Thus, if we are willing to assume that the decoherence caused by the memory and the collective measurement is large enough, it is sufficient to analyze the security of the protocol only against individual attacks, which significantly improves the CV-QKD performance in terms of both the key rate and maximum secure transmission distance.