Every April we get a deluge of great reports from the industry leaders. Verizon was the first, then Mandiant, and now CrowdStrike, Red Canary, and Picus are in the game. They all have great insights in their own right, but we might not have time to read them all. Then we wonder whose conclusions should get the most priority. Well, fear not: we have done a comparison of the reports to highlight the common lessons from 2024 that should lead your efforts in 2025.
The Cybersecurity Industry’s Process Problem
Cyber Threat Trends 2025: Key Insights for Executives
Cybersecurity reports from Verizon, CrowdStrike, Red Canary, and Cyentia’s EPSS project all paint a consistent picture: cyber threats in 2025 are more relentless, more creative, and more identity-focused than ever. Below, we break down the major trends and what they mean for organizations, with data-driven insights from these reports.
Ransomware’s Resurgence and Ripple Effect
Ransomware continues to be one of the most disruptive cyber threats. Verizon’s 2025 Data Breach Investigations Report (DBIR) shows a 37% year-over-year increase in ransomware attacks, which are now present in 44% of breaches analyzed. This means nearly half of all breach incidents involve attackers encrypting data and demanding payment. Even more alarming, small and mid-sized businesses are bearing the brunt. In Verizon’s data, a staggering 88% of breaches at SMBs involved ransomware.
However, there is a silver lining: more victims are refusing to pay ransoms. In fact, 64% of organizations hit by ransomware did not pay up, compared to only 50% two years ago. Law enforcement pressure and better recovery planning are likely contributors to this shift. Yet ransomware remains lucrative. Red Canary’s 2025 Threat Detection Report notes that criminal operations have become even more agile and sophisticated, with some groups raising their payout demands. Several ransomware families (Akira, Play, RansomHub, etc.) were observed, though interestingly Red Canary found that few attacks reached the final encryption stage thanks to early detection of precursor activities. The takeaway: practice detecting ransomware early in the kill chain (before attackers deploy the ransomware payload), because catching the precursors, such as credential dumping, defense evasion and mass data staging, greatly reduces the damage.
Ransomware is also tightly intertwined with other threat trends. One notable link is with stolen credentials. Verizon found that 54% of ransomware victims had their account credentials exposed in data breaches or criminal forums before the ransomware incident. In 40% of those cases, the organization’s corporate emails were found in those leaks. This suggests that ransomware crews are increasingly purchasing ready-made access via the thriving access broker marketplace rather than hacking in from scratch. In other words, if your employees’ passwords or API keys are floating around on the dark web, there’s a good chance they could be used to orchestrate a ransomware attack.
Identity Attacks: The New Frontline
Multiple reports this year point to one conclusion: identity is the new battleground in cybersecurity. Attackers have shifted their focus to what has long been the weakest link, user and administrator accounts, albeit in evolving ways. Credential abuse (using stolen or hacked passwords, tokens, or keys) has now become the top initial access vector in breaches at 22%, edging out even vulnerability exploitation and phishing. Credentials are essentially the keys to your digital kingdom, and attackers are finding plenty of lost or stolen keys lying around.
According to Red Canary, identity-based threats surged dramatically in 2024. Their team detected 4× more identity-related attacks (like account takeovers and abuse of identity systems) than in the previous year. In fact, three of the top five adversary techniques observed by Red Canary were “cloud-native and enabled by identity,” with compromised Cloud Accounts now the #1 technique in their detections. This aligns with CrowdStrike’s intelligence: the CrowdStrike 2025 Global Threat Report confirms that identity-based attacks, such as credential theft and social engineering, remain the most effective methods for adversaries. One particularly concerning statistic: voice-phishing (or “vishing”) attacks increased by 442% in late 2024, often targeting employees with convincing calls from imposters (like fake IT support) to steal their login credentials.
Why this explosion in identity attacks? One reason is the wider adoption of single sign-on and cloud identity providers for convenience and security; attackers see a single identity as a one-stop shop to access a multitude of services once compromised. As Red Canary’s CSO notes, centralized identity systems have made identity a lucrative target. If an adversary can compromise one privileged account, they instantly gain access to a range of systems and data. Another factor is the rise of info-stealing malware that harvests credentials. In 2024, infostealer infections spiked on both Windows and macOS, with malware like LummaC2 (sold cheaply as Malware-as-a-Service) enabling criminals to collect passwords, session tokens, and cookies at scale. These stolen credentials often fuel further attacks, from business email compromise to – as mentioned – ransomware.
The data makes it clear that protecting identities is now paramount. This means not only adopting stronger authentication (e.g. enforcing multi-factor authentication everywhere, preferably phishing-resistant methods), but also actively hunting for signs of credential compromise. Monitoring for unusual login patterns, password resets, or the presence of corporate credentials in data leak sites can give early warning before attackers use stolen identities to wreak havoc. And given that none of the 93,000 threats analyzed by Red Canary were stopped by their clients’ preventative controls (including leading endpoint and identity protection tools; note that the dataset consists of confirmed threats that reached detection, so it describes what gets through rather than an overall block rate), organizations should assume that some attacks will penetrate initial defenses, making detection and response (and regular testing of those capabilities) absolutely critical.
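As an added example (not code from any of the reports), the following Python script shows what "monitoring for unusual login patterns" looks like in practice: it runs two detections over a handful of constructed identity-provider sign-in events. The first flags a password spray (one source IP failing against many distinct accounts in a short window), the second flags a successful sign-in from that same IP shortly afterwards, which is the moment a sprayed credential actually worked. The pipe-separated log format, the thresholds and the sample records are assumptions; map the fields to your own IdP export.

```python
"""Detect password spraying and follow-on successful sign-ins.

Added example, not from the reports cited on this page. The log format
(timestamp|user|source_ip|result|mfa) and the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events. 203.0.113.7 sprays six accounts and
# then succeeds against 'frank' without MFA; 198.51.100.20 is a normal user.
SAMPLE_LOG = """\
2025-03-04T09:00:01Z|alice|203.0.113.7|FAILURE|none
2025-03-04T09:00:03Z|bob|203.0.113.7|FAILURE|none
2025-03-04T09:00:05Z|carol|203.0.113.7|FAILURE|none
2025-03-04T09:00:07Z|dave|203.0.113.7|FAILURE|none
2025-03-04T09:00:09Z|erin|203.0.113.7|FAILURE|none
2025-03-04T09:00:11Z|frank|203.0.113.7|FAILURE|none
2025-03-04T09:00:20Z|frank|203.0.113.7|SUCCESS|none
2025-03-04T09:05:00Z|alice|198.51.100.20|SUCCESS|push
2025-03-04T09:06:00Z|alice|198.51.100.20|FAILURE|none
2025-03-04T09:06:30Z|alice|198.51.100.20|SUCCESS|push
"""


def parse(log_text):
    """Parse the hypothetical pipe-separated format into sorted event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, mfa = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "result": result, "mfa": mfa,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """One source IP failing against >= min_accounts distinct users inside the window."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            failures_by_ip[e["ip"]].append(e)

    alerts = []
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):  # sliding window over this IP's failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts.append({"ip": ip, "accounts": sorted(users),
                               "first": fails[start]["ts"], "last": fails[end]["ts"]})
                break  # one alert per IP is enough
    return alerts


def detect_success_after_spray(events, spray_alerts, window=timedelta(minutes=30)):
    """A SUCCESS from a spraying IP within `window` of the spray: likely a working credential."""
    spray_last_seen = {a["ip"]: a["last"] for a in spray_alerts}
    hits = []
    for e in events:
        if e["result"] == "SUCCESS" and e["ip"] in spray_last_seen:
            if timedelta(0) <= e["ts"] - spray_last_seen[e["ip"]] <= window:
                hits.append({"user": e["user"], "ip": e["ip"],
                             "ts": e["ts"], "mfa": e["mfa"]})
    return hits


def run(log_text=SAMPLE_LOG):
    """Return (spray alerts, suspicious successes) for a log export."""
    events = parse(log_text)
    sprays = detect_spray(events)
    return sprays, detect_success_after_spray(events, sprays)


if __name__ == "__main__":
    sprays, compromised = run()
    for a in sprays:
        print(f"SPRAY  {a['ip']} hit {len(a['accounts'])} accounts {a['first']}..{a['last']}")
    for h in compromised:
        print(f"LOGIN  {h['user']} from spraying IP {h['ip']} at {h['ts']} (mfa={h['mfa']})")
```

The second detection is the one worth paging on: a spray alone is background noise on any internet-facing login portal, but a success from the spraying IP, especially with `mfa=none`, means a credential from a leak or broker is live and the account should be disabled and its sessions revoked.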
Attackers Are Adopting Generative AI
One of the emerging trends highlighted in the CrowdStrike report is the use of generative AI by threat actors. What does this mean in practice? Essentially, attackers are now using large language models to enhance their operations. Generative AI has become a key tool for adversaries, aiding in social engineering campaigns and the development of sophisticated malware. For example, AI can help craft highly convincing phishing emails, text messages, or even voice deepfakes by analyzing troves of legitimate communication. Instead of broken-English spam, executives might receive spear-phishing emails that read exactly like a genuine message from a colleague, making them much harder to spot. On the malware side, AI might assist criminals in generating polymorphic code (malware that constantly changes to evade detection) or even help less-skilled hackers write exploit code they would not have been able to create on their own.
We are also seeing the unintended consequences of employees themselves using AI tools. Verizon’s DBIR noted that 15% of employees were accessing generative AI services from corporate devices (often using personal accounts). This opens a new vector for data leakage: sensitive code or internal documents can inadvertently be fed into external AI platforms, outside of company control. While this is more of an accidental insider risk than an attacker technique, it underscores how quickly the AI landscape is changing the security equation. Companies will need to establish policies and controls around AI usage (for instance, limiting what data can be input into public AI services, or using self-hosted AI solutions) to avoid leaking crown jewels.
For executives, the rise of AI in cyber means two things: attackers can now scale and polish their social engineering like never before, and your organization needs to be prepared for extremely convincing scams. Security awareness training should evolve accordingly; employees should be shown examples of AI-generated phishing content so they know what to look out for. On the flip side, defenders can leverage AI as well (for threat detection, user behavior analytics, etc.), but that is a topic for another day. The immediate takeaway is that the cat-and-mouse game has entered a new era, with AI as a force multiplier on both sides of the equation.
Vulnerability Exploitation: Fewer, Faster, and Focused
[Figure: Known initial access vectors in data breaches (Verizon DBIR 2025). Credential-based attacks (stolen passwords/tokens) led at 22%, followed by exploitation of software vulnerabilities (20%) and phishing (16%), highlighting the prominence of identity-related breaches and the continued importance of prompt patching and phishing defenses.]
Another major theme of the 2025 reports is how attackers are exploiting software vulnerabilities. Interestingly, the data tells a story of “fewer but faster”: only a small percentage of all bugs get exploited, but those that do are weaponized very quickly. The Cyentia Institute’s analysis with EPSS (Exploit Prediction Scoring System) reveals that historically only about 6% of published CVEs have ever been seen exploited in the wild. In other words, out of hundreds of thousands of known vulnerabilities, the vast majority are never used by attackers. However, and it is a big however, the small subset that are exploited can cause widespread damage if left unpatched. And attackers are getting faster at leveraging these. According to vulnerability intelligence from VulnCheck, nearly 28.3% of newly reported “known exploited” vulnerabilities had evidence of exploitation within 24 hours of their public disclosure. In some cases, exploits were unleashed the same day a CVE was announced. This is a dramatic reminder that when a critical zero-day or publicly known flaw hits the news, the race is on. Organizations can no longer assume a comfortable patch window measured in weeks when it may be a matter of hours.
The Verizon DBIR data also showed a 34% rise in attackers exploiting vulnerabilities as an initial attack vector, often targeting perimeter devices like VPN gateways and firewalls. In fact, one analysis noted a nearly 8× increase in attacks targeting VPNs and other edge devices over the past year. These are exactly the types of systems that, if unpatched, give attackers a foothold into the network. Compounding the issue, Verizon found that almost half of known perimeter-device vulnerabilities remained unremediated by organizations. It’s a troubling gap: while defenders might be focusing on application or server patches, many are behind on patching the very devices that guard the front door.
Another trend is exploit chaining, where threat actors combine multiple vulnerabilities to breach a target. CrowdStrike observed that attackers are increasingly chaining exploits to bypass defenses and achieve remote code execution. For example, an adversary might exploit a less critical bug to gain a foothold, then immediately exploit another vulnerability to escalate privileges or move laterally. This makes purely “reactive” patch strategies dangerous: even lower-severity vulnerabilities can be a link in a chain and should not be ignored if they are exposed.
The key insight for executives is the need for a smarter vulnerability management strategy. With thousands of new CVEs every year (over 30,000 were published in 2024 alone), no organization can patch everything immediately. But because only a sliver will ever be exploited, using threat intelligence (like CISA’s Known Exploited Vulnerabilities list or EPSS scores) to prioritize the truly dangerous flaws is essential. Focus on patching what matters most, and patch fast when it does matter. Additionally, consider that some older exploited vulnerabilities may go dormant. Cyentia’s report notes that many vulnerabilities stop being actively targeted after a while. Just because an exploit is not widespread today does not guarantee it will not resurface, but it suggests defenders can tailor their remediation urgency based on whether a vulnerability is seeing active abuse or not. As always, a defense-in-depth approach including virtual patching, robust intrusion detection, and network segmentation can buy breathing room when immediate patching is not possible.
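To make the “fewer but faster” argument concrete, here is an added Python example (ours, not from Cyentia, FIRST or CISA) that ranks a constructed set of findings by evidence of exploitation (KEV membership and EPSS probability) and by internet exposure before it looks at CVSS, and contrasts that with the CVSS-only order most scanners produce. The finding IDs, scores, KEV flags, tier names and SLA hours are all illustrative assumptions; in practice the EPSS column comes from FIRST’s daily feed and the KEV flag from CISA’s catalog.

```python
"""Rank findings by exploitation evidence and exposure, not CVSS alone.

Added example. Every value below is constructed: the finding IDs stand in
for real CVE IDs, the EPSS/KEV columns would come from FIRST and CISA feeds,
and the tiers/SLAs are illustrative policy, not from any report.
"""

FINDINGS = [
    {"id": "F1", "cvss": 9.8, "epss": 0.020, "kev": False, "exposed": False, "asset": "internal-db"},
    {"id": "F2", "cvss": 7.2, "epss": 0.910, "kev": True,  "exposed": True,  "asset": "vpn-gateway"},
    {"id": "F3", "cvss": 5.3, "epss": 0.450, "kev": False, "exposed": True,  "asset": "web-frontend"},
    {"id": "F4", "cvss": 8.1, "epss": 0.005, "kev": False, "exposed": False, "asset": "build-agent"},
    {"id": "F5", "cvss": 6.5, "epss": 0.300, "kev": True,  "exposed": False, "asset": "file-server"},
]

# Illustrative remediation SLAs in hours (assumption, tune to your risk appetite).
SLA_HOURS = {"P1": 24, "P2": 72, "P3": 24 * 14, "P4": 24 * 90}


def tier(finding, epss_high=0.10):
    """Exploitation evidence first, exposure second, CVSS last.

    epss_high is the EPSS probability above which we treat a flaw as
    'likely to be exploited' (assumed threshold).
    """
    likely_exploited = finding["kev"] or finding["epss"] >= epss_high
    if likely_exploited and finding["exposed"]:
        return "P1"          # known/likely exploited AND reachable from the internet
    if likely_exploited:
        return "P2"          # exploited in the wild but only reachable post-foothold
    if finding["exposed"] and finding["cvss"] >= 7.0:
        return "P3"          # exposed, severe on paper, no exploitation evidence yet
    return "P4"


def prioritize(findings):
    """Return findings annotated with tier and SLA, most urgent first."""
    ranked = [{**f, "tier": tier(f), "sla_hours": SLA_HOURS[tier(f)]} for f in findings]
    # Within a tier: KEV entries first, then higher EPSS, then higher CVSS.
    ranked.sort(key=lambda r: (r["tier"], not r["kev"], -r["epss"], -r["cvss"]))
    return ranked


def cvss_only_order(findings):
    """The order a severity-only scanner report would give, for contrast."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss"])]


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(FINDINGS))
    for r in prioritize(FINDINGS):
        print(f"{r['tier']} {r['id']:3} {r['asset']:13} cvss={r['cvss']} "
              f"epss={r['epss']:.3f} kev={r['kev']} exposed={r['exposed']} "
              f"sla={r['sla_hours']}h")
```

Note what moves: the CVSS 9.8 on an internal database drops to the bottom because nothing indicates anyone is exploiting it, while the CVSS 5.3 on the internet-facing web tier is a P1 because its EPSS says it is being exploited. That is the reordering the 6% figure argues for, and the dormancy point in the paragraph above is the reason to re-run it regularly rather than once.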
Third-Party and Cloud Ecosystem Risks
The 2025 Verizon DBIR delivered a stark statistic: breaches involving a third party (partners, vendors, or supply chain) doubled compared to the previous year. Approximately 30% of breaches analyzed involved a third-party organization’s contribution, for instance attackers compromising a vendor to get to your data, or a breach in a software supplier that trickles down. This trend highlights the growing “attack surface” beyond your company’s walls. Even if your own security is strong, you could still be compromised via a weakness in an outside partner. A classic example is the software supply chain attack, something the industry saw in high-profile incidents in recent years, where updating a trusted third-party app or service introduces malware into your environment. But even more common are scenarios like managed service providers or contractors getting breached and inadvertently handing attackers a gateway into their clients’ networks.
Contributing to this rise is the intersection of identity and third-party risk. Verizon’s report noted that leaked credentials and secrets are a major driver of third-party breaches – credentials stolen from one environment (like a vendor’s developer who leaked an API key on GitHub) can be reused to penetrate another organization. Indeed, the DBIR data showed third-party breaches jumping from 15% to 30%, with many traced back to stolen secrets and credentials being abused across ecosystem connections. When an attacker can log in through a vendor’s account or use a supplier’s VPN access, it bypasses a lot of your perimeter defenses.
Simultaneously, cloud infrastructure has become a prime target. As companies migrate more critical operations to cloud platforms, attackers are following suit. CrowdStrike identified new threat actors that specialize in cloud-focused attacks, exploiting misconfigurations or flaws specific to cloud services. Similarly, Red Canary observed adversaries compromising cloud accounts and then escalating privileges by abusing identity roles in the cloud environment. In some cases, attackers who gain access to a cloud console will try to disable security logging or firewall rules to cover their tracks – the kind of “living off the cloud” techniques that can be hard to spot if you’re not actively monitoring your cloud admin activity.
A particularly novel cloud-era threat is what Red Canary calls “LLMJacking.” With the rapid adoption of cloud AI services (such as AWS Bedrock, Azure OpenAI, Google Vertex AI), attackers have started hijacking cloud AI resources for profit. Essentially, if an adversary can compromise your cloud account or API keys, they can run up large bills invoking the hosted models you pay for, and then sell that access on to others. The victim ends up footing the bill while the attacker builds their own illicit AI capabilities or resells your paid cloud AI time as a black-market service. It is a reminder that cloud breaches can have consequences beyond data loss: they can directly hit the bottom line via abused resources.
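The two cloud behaviours described above, an intruder switching off logging to cover their tracks and an unfamiliar principal suddenly burning through a hosted AI service, are both visible in the control-plane audit log if someone is looking. The following added Python example (ours, not from Red Canary or CrowdStrike) runs two detections over constructed CloudTrail-style records: one matches audit-logging tampering by event name, the other flags AI-service usage by a principal outside a known baseline, in bursts, or with access-denied errors that suggest permission probing. The field names follow AWS CloudTrail; the ARNs, IP addresses, event volumes, baseline and thresholds are invented assumptions.

```python
"""Flag audit-log tampering and anomalous cloud AI usage in CloudTrail-style events.

Added example. Records are constructed to resemble AWS CloudTrail (field names
are CloudTrail's; account IDs, ARNs, IPs and counts are invented). Thresholds
and the baseline set are assumptions to tune per environment.
"""
from collections import Counter

# Event names that disable or blind telemetry; from anything other than a
# documented break-glass identity these should page someone.
LOG_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
}

AI_SERVICES = {"bedrock.amazonaws.com"}

# Assumed baseline: the only principal that normally calls the AI service.
BASELINE_AI_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/ops-deploy/ci"}

CONTRACTOR = "arn:aws:iam::111122223333:user/contractor-svc"

# Constructed events: normal CI usage, then a contractor key stops logging
# and fires 40 model invocations plus one denied call from an external IP.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-01T10:00:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ops-deploy/ci"}},
    {"eventTime": "2025-05-01T11:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"arn": CONTRACTOR}},
    *[{"eventTime": f"2025-05-01T11:05:{i:02d}Z", "eventSource": "bedrock.amazonaws.com",
       "eventName": "InvokeModel", "sourceIPAddress": "203.0.113.44",
       "userIdentity": {"arn": CONTRACTOR}} for i in range(40)],
    {"eventTime": "2025-05-01T11:06:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "errorCode": "AccessDeniedException",
     "sourceIPAddress": "203.0.113.44", "userIdentity": {"arn": CONTRACTOR}},
]


def principal(event):
    return event.get("userIdentity", {}).get("arn", "unknown")


def detect_log_tampering(events):
    """Any telemetry-disabling API call, keyed by service and event name."""
    return [
        {"rule": "log-tampering", "principal": principal(e), "action": e["eventName"],
         "ip": e["sourceIPAddress"], "time": e["eventTime"]}
        for e in events
        if e["eventName"] in LOG_TAMPERING.get(e["eventSource"], set())
    ]


def detect_ai_abuse(events, baseline=BASELINE_AI_PRINCIPALS, burst_threshold=25):
    """Unbaselined principal, invocation burst, or denied calls against AI services."""
    calls, denied, first_seen = Counter(), Counter(), {}
    for e in events:
        if e["eventSource"] not in AI_SERVICES:
            continue
        p = principal(e)
        first_seen.setdefault(p, e["eventTime"])
        if e.get("errorCode"):
            denied[p] += 1          # probing for models/permissions it lacks
        else:
            calls[p] += 1

    alerts = []
    for p in set(calls) | set(denied):
        reasons = []
        if p not in baseline:
            reasons.append("principal not in AI-usage baseline")
        if calls[p] >= burst_threshold:
            reasons.append(f"{calls[p]} model invocations (threshold {burst_threshold})")
        if denied[p]:
            reasons.append(f"{denied[p]} denied AI calls (possible permission probing)")
        if reasons:
            alerts.append({"rule": "ai-service-abuse", "principal": p,
                           "first_seen": first_seen[p], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_log_tampering(SAMPLE_EVENTS) + detect_ai_abuse(SAMPLE_EVENTS):
        print(a)
```

The tampering rule is cheap and high-signal on its own; the AI rule is where the baseline matters, because a legitimate data team will also produce bursts. Correlating the two on the same principal and source IP, as the sample does, is what turns “unusual Bedrock usage” into “LLMJacking in progress”.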
The overarching message is that the modern organization’s security boundary is porous. You have to assume risk in your supply chain and cloud providers, and manage it accordingly. This means vetting the security of vendors (do they follow good practices? how do they vet their employees and protect credentials?), enforcing least-privilege access for third parties (if a partner is breached, their account into your system should have minimal permissions), and monitoring for unusual third-party activity. On the cloud side, investing in cloud security posture management and cloud-native monitoring is a must – misconfigurations continue to be an easy win for attackers, and they often arise from simple human errors in complex cloud settings. The 2025 reports all echo this: whether it’s a supplier or a cloud instance, attackers are finding footholds in the gaps between companies and across hybrid environments. Security strategy must extend to these areas, not just on-premise networks.
Proactive Defense: Testing and Validation of Security Readiness
Facing this onslaught of ransomware, identity-based threats, speedy exploits, and supply chain risks, what can leaders do? The clear consensus is that waiting to respond to incidents is not enough. Organizations must get proactive. “Proactive” means two things here: actively fortifying defenses (based on the latest threat trends) and regularly validating that those defenses actually work against real-world attack techniques.
The reports provide some candid reality checks. Despite companies deploying layers of security products, breaches still happen at an alarming rate. Red Canary’s analysis revealed that none of the threats they catalogued were blocked by the victims’ prevention tools, including top-tier endpoint protection platforms and identity and access management systems. In other words, attackers found ways around the walls we put up. This underscores the importance of assumed breach as a mindset. Assume determined attackers will get in, via a phishing email or a missed patch or a compromised partner. Then ask: how quickly can we detect and stop them? To answer that confidently, you need to test yourself. This is where continuous security validation comes in. By regularly simulating the kinds of attacks described in these reports, be it a mock phishing campaign to test user awareness, a red team exercise to see if a ransomware attack can be caught in time, or a configuration audit to spot open cloud storage buckets, you can find weaknesses before an actual adversary does.
Executives should champion a culture of continuous improvement in security. Encourage your security team to read these annual reports and adapt your defenses accordingly. For example, given the surge in identity attacks, invest in stronger identity governance: ensure strict MFA is in place, implement user behavior analytics to catch suspicious logins, and reduce reliance on long-lived credentials (use ephemeral tokens and keys where possible). In light of faster exploits, make sure your vulnerability management SLAs are aggressive for critical issues, use threat intelligence feeds that integrate with your patch prioritization for early warning on emerging threats, and have compensating controls such as “virtual patching” (IPS or WAF rules that block the exploit) ready for the gap before a fix can be deployed. With ransomware so prevalent, revisit your backup and disaster recovery plans and test them to minimize business interruption if the worst happens. Also consider network segmentation and “blast radius” reduction, so that if one account or machine is compromised, it does not lead to a domain-wide meltdown.
Finally, do not overlook the human element in defense. The Verizon DBIR reminded us that 60% of breaches involve a human element of some kind (errors, misuse, or social engineering). Ongoing security training, executive phishing drills, and clear incident response playbooks are as crucial as any technology. When attacks are coming faster and attackers are getting stealthier (recall CrowdStrike observed that 79% of intrusions are now malware-free, relying on legitimate credentials and living-off-the-land tactics), having a well-prepared team that can quickly recognize and react to abnormal activity is your ace. Speed matters: CrowdStrike clocked the average “breakout time”, how fast an attacker expands from patient zero to the wider network, at just 48 minutes in 2024, with the fastest observed at 51 seconds. This emphasizes the need for 24/7 monitoring and practiced responders.
In summary, the latest cyber reports sound a wake-up call: threats are not only growing in volume, but in agility. Ransomware, identity-based breaches, AI-enhanced attacks, lightning-fast exploits, and supply chain blind spots all pose serious challenges. The organizations that thrive in this environment will be those that take a proactive stance – hardening their systems, drilling their incident responses, and continuously validating that their security controls can withstand real-world attacks. While there’s no finish line in cybersecurity, staying ahead of attackers means never staying still. Use the insights from these reports as actionable intelligence to inform your strategy, invest in areas of weakness, and most importantly, test and adapt. The cost of complacency is simply too high in the face of 2025’s threat landscape. By fostering a culture of vigilance and continuous improvement, executives can lead their organizations to not just survive, but confidently navigate the stormy cyber seas ahead.