As a course of annual reporting work for my employer, i synthesize publicly available threat intelligence reporting into memos designed to raise attention, and grant readers a quick understanding of the current World of cyber threats.

Here is the 2025 edition for you.

For 2026 planning, security leadership must keep prioritizing a defense-in-depth strategy that addresses the following critical takeaways 

1. Identity Is the New Perimeter: Adversaries are overwhelmingly "logging in, not breaking in." The primary threat vector is the compromise of identities, both human and machine (workload, through a thriving cybercrime economy fueled by infostealer malware, access brokers, and massive credential leaks. This is compounded by an evolution in social engineering, including AI-powered phishing and novel techniques like "ClickFix," which bypass traditional defenses by tricking users into executing malicious code themselves. Phishing-resistant Multi-Factor Authentication (MFA) is no longer a recommendation, instead it is a foundational requirement.
2. Supply Chain & Third-Party Risk Has Exploded: Third-party involvement in breaches has doubled to 30%, becoming a dominant problem. High-profile incidents involving software vendors, SaaS platforms (like Snowflake), and critical service providers (like Change Healthcare) demonstrate that a compromise in a single partner can trigger devastating, widespread business interruption and data loss across entire industries. Vendor security due diligence must evolve from a compliance checkbox into a critical component of risk management and procurement.
3. Ransomware Is Endemic, with a Focus on Extortion: Ransomware remains a pervasive threat, present in 44% of all breaches. While median ransom payments are decreasing as fewer victims pay, the tactic has evolved. The primary goal is now multifaceted extortion, combining data encryption with the theft and public leakage of sensitive data. This threat disproportionately devastates Small and Medium-sized Businesses (SMBs), where ransomware is a component in a staggering 88% of breaches.
4. Attacks are Increasingly Malware-Free and Cloud-Focused: A significant majority of intrusions—up to 79% in some datasets—are now "malware-free." Attackers use legitimate credentials and built-in system tools ("living off the land") in hands-on-keyboard campaigns that mimic legitimate user activity, making them exceptionally difficult to detect. As infrastructure moves to the cloud, adversaries have followed, targeting cloud configurations, APIs, and especially workload identities, with a marked increase in destructive attacks aimed at cloud environments.
5. Vulnerabilities are Being Weaponized at Unprecedented Speed: The exploitation of known vulnerabilities, particularly in internet-facing edge devices like VPNs and firewalls, has surged to become a top initial access vector, overtaking phishing. Threat actors are weaponizing newly disclosed vulnerabilities at an alarming rate, with nearly 30% being exploited within 24 hours of public disclosure. This compressed timeline renders traditional, scheduled patching cycles obsolete and necessitates an adversary-centric, risk-based approach to vulnerability management.

---

Detailed Analysis of the Threat Landscape

This analysis synthesizes findings from the Verizon 2025 Data Breach Investigations Report (DBIR), Microsoft 2025 Digital Defense Report, CrowdStrike 2025 Global Threat Report, Red Canary’s Threat report, and Mandiant M-Trends 2025 report, among other sources, to provide a comprehensive view of the threats shaping the cybersecurity environment.

I. The Central Role of Identity and Human Factors

The consensus across all major intelligence reports is that the battleground has decisively shifted to identity. Adversaries are investing heavily in methods to bypass the "wall" and simply walk through the "front door" using legitimate, albeit stolen, credentials.

Key Recommendations on what you should do for Identity

Implement Phishing-Resistant MFA: Prioritize the rollout of FIDO2 security keys or equivalent technologies ( like WINDOWS HELLO) for all users, especially those with privileged access. Standard push-notification MFA is increasingly susceptible to bypass techniques.

Secure Workload Identities: As user accounts are hardened, attackers are pivoting to non-human workload identities (apps, services, scripts). Enforce least-privilege access, rotate credentials automatically, and monitor for anomalous activity.

Adopt Human Risk Management (HRM): Move beyond generic annual training. Use behavioral analytics to identify high-risk users and provide targeted, adaptive controls, and requisite secure processes for account recovery, account access.

Strengthen Vetting for Remote Hires: Enhance identity verification during the hiring process for remote IT and development roles to counter the threat of state-sponsored fraudulent employees.

The Stolen Credentials Ecosystem

Initial access is increasingly sourced from a specialized cybercrime economy.

• Prevalence: The use of stolen credentials remains a dominant initial access vector. Mandiant identifies it as a top-two vector, involved in 32% of its investigations. Microsoft notes that 80% of access broker activity relies on credential-based attacks.
• Infostealers: Malware like Lumma Stealer is a primary tool for harvesting credentials and session tokens from infected devices. Microsoft stresses that defenders must treat infostealer infections as "precursors to wider compromise, not isolated malware events." The Verizon DBIR found that 54% of ransomware victims had their domains appear in infostealer logs.
• Password Spraying: This remains a high-volume attack, with Microsoft finding that over 97% of all identity attacks are password spray or brute force. These attacks are highly effective, as an analysis revealed 85% of targeted usernames appeared in known credential leaks.

The Evolution of Social Engineering

While simple phishing persists, threat actors are deploying more sophisticated and evasive social engineering techniques to compromise the human element.

• ClickFix: Identified by Microsoft as the most common initial access method in its Defender Expert notifications (47%), this technique tricks users into copying and pasting malicious code into a terminal or Run dialog, executing a fileless payload that bypasses many traditional security tools.
• Device Code Phishing: This emerging technique tricks users into entering an MFA device authorization code on an attacker-controlled session, granting the attacker access without needing the user's password and often bypassing traditional phishing detection.
• Vishing: Voice phishing is seeing significant growth, with CrowdStrike observing a 40% compounded monthly growth rate in vishing operations in 2024. These attacks often impersonate IT support and are combined with other tactics, such as email bombing, to create a sense of urgency.
• AI-Enhanced Attacks: Generative AI is being used to craft hyper-personalized and grammatically perfect phishing lures at scale, create deepfake audio and video for BEC and vishing schemes, and generate fake professional profiles on platforms like LinkedIn to socially engineer recruiters.

The Insider Threat Reimagined: State-Sponsored IT Workers

Nation-states, particularly North Korea (DPRK), have industrialized the placement of their IT workers into remote jobs at global companies.

• Actors & Motives: Tracked as UNC5267 (Mandiant) and FAMOUS CHOLLIMA (CrowdStrike), these operatives use stolen or fabricated identities to get high-paying tech jobs. The primary motive is to generate revenue for the DPRK regime, but their privileged access presents a significant secondary risk of espionage, data theft, and extortion.
• Methods: These actors use sophisticated methods, including GenAI-assisted interviews, third-party facilitators, and "laptop farms" in target countries to mask their true location and activities. Mandiant noted a case where four suspected DPRK workers were employed by the same company within 12 months.

---

II. The Exploding Third-Party & Supply Chain Attack Surface

An organization's security is no longer defined by its own defenses but by the security of its most vulnerable partner. Third-party risk has transitioned from a theoretical concern to a primary driver of major breaches.

Key Recommendations on what you should do for Supply Chain Risk

Integrate Security into Procurement: Make positive security outcomes and robust security controls a critical, non-negotiable component of the vendor selection and procurement process.

Develop Partner Breach Response Plans: Assume partners will be breached. Develop and test incident response plans specifically for scenarios where a critical vendor or software provider is compromised.

Monitor for Exposed Secrets: Implement automated scanning of public code repositories and other online sources for inadvertently exposed corporate credentials and secrets.

Enforce Strict SaaS Governance: Regularly audit OAuth permissions and user access across all SaaS applications. Implement least-privilege principles and monitor for unusual cross-application activity.

Key Third-Party Attack Vectors

• Service Provider Compromise: The Snowflake incident, where a financially motivated actor accessed approximately 165 customer accounts via stolen credentials, underscores the risk of software platforms OTHER than M365 where MFA is not mandatory.
• Business Interruption Events (BIRs): Ransomware attacks on critical service providers like Change Healthcare (healthcare payments), CDK Global (auto dealerships), and OnSolve (emergency alerts) caused massive, industry-wide operational downtime, demonstrating a convergence of cybersecurity and operational risk.
• Software Vulnerabilities: The exploitation of zero-days in widely used software, such as MOVEit, continues to cause widespread data breaches across thousands of downstream organizations simultaneously. Read more here: 
• Secrets Sprawl: A significant risk identified in the Verizon DBIR is the accidental leakage of secrets, such as API keys, authentication tokens (JWTs), and database credentials in public code repositories like GitHub. A subtle form of insider risk involves employees bypassing security policies. Verizon found that 46% of systems compromised by infostealers were non-managed devices (BYOD) that hosted corporate logins, indicating employees are accessing work assets on unsecured personal devices. Analysis shows the median time to remediate these discovered leaks is a dangerously long 94 days.
• SaaS-to-SaaS Attacks: Attackers are exploiting interconnected SaaS environments. By compromising a single identity with SSO access, they can pivot to connected applications like document storage or credential management platforms to exfiltrate data or escalate privileges.

Key Data Points on Third-Party Risk 
• Breaches with Third-Party Involvement (supply chain) | 30% (up from 15% last year) | 
• Primary Pattern in Third-Party Breaches | System Intrusion (81%) |
• Median Time to Remediate Leaked Secrets | 94 days | 
• Top Exposed Secret Category | Web application infrastructure (39%) |
Source: 2025 Verizon DBIR

---

III. Ransomware and Extortion: A Persistent Scourge

Ransomware remains one of the most impactful and prevalent threats, evolving its business model to maximize pressure on victims.

Key Recommendation: Ransomware & Extortion

Assume Breach and Practice Recovery: Regularly test data recovery processes from isolated, immutable backups. Develop clean rebuild procedures for critical systems, including identity infrastructure.Focus on Initial Access Prevention: Since ransomware is the monetization step, focus defenses on preventing the initial access vectors it exploits: vulnerability exploitation, credential compromise, and phishing.Develop an Extortion Response Playbook: Go beyond technical IR. Create a playbook that involves legal, communications, and executive leadership to navigate the complexities of a data extortion threat, including decisions around payment and disclosure.

Prevalence and shift to extortion tactics, not just denial of service

Ransomware was present in 44% of all breaches analyzed by Verizon, a significant increase from 32% the prior year.Shift to Extortion: The primary goal is often data theft for extortion. Microsoft DART observed data collection in 80% of its reactive engagements, with multifaceted extortion (theft + encryption) being a common tactic.Disproportionate Impact on SMBsSMBs are uniquely vulnerable, with ransomware factoring into 88% of their breaches, compared to 39% for large organizations. This is attributed to fewer resources for defense and recovery, such as readily available backups.Declining PaymentsThe financial dynamics are shifting. The median ransom amount paid decreased from 150,000 to 115,000, and a growing majority of victims (64%) are not paying the ransom.Rapid Dwell Time: Ransomware attacks are swift. Mandiant reports a median dwell time of just 6 days for ransomware-related intrusions, and only 5 days when the adversary discloses the breach.

---

IV. The Weaponization of Vulnerabilities and Malware-Free Intrusions

The nature of intrusion is becoming stealthier and faster, challenging traditional detection and response models.

Key Recommendation: Vulnerabilities & Modern Intrusions

Adopt Adversary-Centric Vulnerability Management: Prioritize patching based on active exploitation and exposure, not just CVSS scores. Focus intensely on internet-facing systems, web applications, and remote access services, especially securing your RMM tools.Enhance Behavioral Detection (XDR/SIEM): Deploy and tune security platforms that can correlate weak signals across endpoints, identity systems, and cloud environments to detect the abuse of legitimate tools and anomalous user behavior.Proactively Threat Hunt: Do not wait for alerts. Actively hunt for signs of compromise based on threat intelligence regarding common TTPs, especially those related to credential access, lateral movement, and persistence using legitimate system utilities.

Vulnerability Exploitation at "Zero-Day" Speed

• Surge in Exploitation: Exploitation of vulnerabilities has risen dramatically as an initial access vector, increasing by 34% to account for 20% of all breaches (Verizon), and ranking as the #1 vector in Mandiant's investigations (33%).
• Rapid Weaponization: The window to patch is shrinking to near-zero. VulnCheck data shows 28.3% of new vulnerabilities were exploited within 24 hours of disclosure.
• Targeting the Edge: Adversaries are focusing on internet-facing systems like VPNs, firewalls, and other edge devices. Exploits against vendors like Palo Alto Networks, Ivanti, and Fortinet were among the most frequently observed.

The Rise of Malware-Free, Interactive Intrusions

• Prevalence: CrowdStrike reports a 35% year-over-year increase in "interactive intrusions" and found that 79% of ALL observed detections were malware-free.
• Methodology: Instead of deploying custom malware, attackers use stolen credentials and legitimate, built-in tools (PowerShell, PsExec, WMI) in "hands-on-keyboard" activity. This "living off the land" approach allows them to blend in with normal administrative traffic and evade signature-based detection tools.
• Impact: These attacks are stealthier and require behavior-based detection capabilities. The average breakout time—from initial compromise to lateral movement, is incredibly short, necessitating rapid detection and response.

---

V. The Geopolitical and AI-Driven Threat Landscape

The motivations and capabilities of threat actors are being shaped by geopolitical competition and rapid technological advancement.

Key Recommendation: Geopolitical & AI Threats

Maintain Geopolitical Threat Awareness: Understand which nation-state actors are targeting the organization's industry and geography to tailor threat hunting and defense priorities.Develop a Secure AI Framework: As the organization adopts AI, establish a framework to govern its use, protect sensitive data from being fed into models, and secure AI applications and infrastructure from attack.Prepare for Future Threats: Begin planning for emerging long-term threats. Inventory cryptographic assets to prepare for a transition to post-quantum cryptography (PQC) to mitigate the "Harvest Now, Decrypt Later" risk.

Nation-State Actor Trends

• China: Actors have increased their operational security and specialization, focusing on pre-positioning within telecommunications and other critical infrastructure. Mandiant and CrowdStrike identified new, highly specialized groups like LIMINAL PANDA and OPERATOR PANDA.
• Russia (APT44/Sandworm): In response to public exposure, Russian actors are shifting tactics to leverage the broader cybercrime ecosystem and commodity tools, making attribution more difficult. They have also expanded targeting to include smaller organizations in countries supporting Ukraine.
• Iran: Actors are expanding their arsenal of custom malware (a 35% increase in tracked malware families per Mandiant), particularly wipers for disruptive attacks, while also abusing legitimate cloud infrastructure to evade detection.
• North Korea: Remains focused on revenue generation through large-scale cryptocurrency theft and the deployment of its fraudulent IT workforce.

The Dual Role of Artificial IntelligenceAI is a transformative force multiplier for both attackers and defenders.

• Offensive AI: Adversaries are using AI for a range of activities:
  • Social Engineering: Generating highly convincing phishing emails, social media profiles, and deepfake audio/video.
  • Malware & Exploit Development: Assisting in coding and identifying vulnerabilities.
  • Influence Operations: Creating and spreading disinformation at scale.
• AI Systems as Targets: AI models and their data pipelines are becoming high-value targets for prompt injection, data poisoning, and model theft attacks.
• Defensive AI: Security vendors and teams are leveraging AI to process trillions of security signals, automate threat detection, accelerate investigations, and power autonomous response actions.