ReliaQuest 2026

Annual Cyber
Threat Report

Executive Summary

2025 vs 2024 At A Glance

4 minutes: fastest breakout time, down from 27 minutes in 2024

6 minutes: fastest exfiltration time, down from 4 hours 29 minutes in 2024

1 in 4: attacks used social engineering for initial access

The Top Security Gaps Driving Incidents (And Why They Can't Be Ignored)

Analysis of 2025 customer incidents pointed to the same foundational control gaps at the center of most incidents. Five were the same issues we highlighted in last year's report, an indication that attackers are still targeting the same weaknesses. New in 2025 are password policy and control failures. No matter how sophisticated or varied an attacker's methods, ignoring these basics leaves organizations exposed.

Impact of Security Control Failures

Insufficient monitoring or logging leaves malicious activity undetected and, once an intrusion is found, leaves responders without the evidence needed to investigate it.
Devices without security controls like endpoint protection or monitoring agents provide attackers with open pathways throughout networks.
VPNs lacking essential protections like MFA or device-based certificates allow attackers to exploit stolen credentials.
Vulnerabilities in internet-facing devices serve as entry points for attackers to infiltrate the network. These weaknesses are rapidly weaponized, enabling automated scanning and exploitation at scale.
Weak help-desk protocols make organizations easy targets for social engineering attacks, with 26% of incidents in 2025 involving social engineering for initial access.
Weak, reused, or poorly rotated passwords—and gaps in MFA and local admin password management—enable brute-force attacks and credential reuse. This allows attackers to quickly gain privileged access and move laterally with minimal resistance.

Make every device and access path SOC-visible and controllable for consistent coverage everywhere

Treat unmanaged endpoints and edge access as first-order risk. Enforce consistent endpoint controls, monitoring, and response, so attackers can’t hide in gaps created by distributed teams, legacy systems, or fragmented tooling.

Continuously govern the external attack surface—especially through change.

Maintain an always-current inventory of internet-facing assets, prioritize remediation by exposure and criticality, and validate monitoring coverage so acquisitions, migrations, and tool changes don’t create untracked entry points.

Strengthen identity controls where trust is easiest to exploit.

Standardize high-assurance verification for help-desk resets and identity changes, reduce standing privilege, and make privileged access phishing-resistant so stolen credentials and social engineering don’t translate into immediate, high-level control.


Introduction: 4-Minute Warning—Speed Wins When Identity Fails

Our Annual Cyber-Threat Report distills 365 days of frontline data into one strategic guide. We strip away the noise to provide an evidence-based breakdown of the specific tactics, techniques, and procedures (TTPs) that shaped the 2025 landscape. Use these insights to benchmark your security posture against real-world outcomes, see where your defenses hold, and pinpoint what must change to stop the tactics that are working right now.

In 2025, AI contributed to the success of intrusions more than ever before. We saw adversaries weave AI and automation into their tradecraft not just to move faster, but to generate convincing lures at scale.

But AI wasn’t the only accelerant. Attackers also got more efficient at initial access by breaking trust instead of infrastructure. Through aggressive social engineering—from IT help-desk vishing to North Korean fake worker schemes and “ClickFix” tactics—adversaries bypassed technical perimeters and secured valid credentials with elevated privileges from the start.

With that foothold, many attackers no longer need to “smash and grab.” They live off the land, blend into normal traffic, and repurpose legitimate tools as weapons. For defenders, that means hunting for a single IOC quickly becomes a dead end. Security has become less about spotting a malicious file and more about correlating behavior across users, endpoints, and cloud activity to catch the moment a trusted identity starts acting untrustworthy.

These tactics are lowering breakout times and raising the stakes for defenders. This year, we saw average breakout time—the interval between initial compromise and lateral movement—drop by 29%, from 48 minutes to 34 minutes. But some attackers are moving much faster than the average. The fastest intrusions reached lateral movement in just 4 minutes and achieved data exfiltration in 6 minutes post-entry.
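To make the correlation point concrete, the following is an added example (not ReliaQuest code, and not drawn from the report's incident data) that stitches together constructed VPN, endpoint, and cloud events for one identity, measures breakout and exfiltration time as defined above, and flags the sequence even though no single event carries an IOC or a malicious file. The event schema, the 15- and 60-minute alert thresholds, and the sample timestamps are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data): one identity that logs in to the
# VPN without MFA, lands on a workstation, moves to a file server, then pulls a
# large download from a cloud tenant; a second identity with benign activity.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:00:00", "source": "vpn", "user": "j.doe",
     "host": "vpn-gw-01", "action": "login", "mfa": False},
    {"ts": "2025-03-04T09:01:00", "source": "endpoint", "user": "j.doe",
     "host": "ws-1042", "action": "logon"},
    {"ts": "2025-03-04T09:04:00", "source": "endpoint", "user": "j.doe",
     "host": "fs-01", "action": "logon"},
    {"ts": "2025-03-04T09:06:00", "source": "cloud", "user": "j.doe",
     "host": "tenant-sharepoint", "action": "bulk_download", "bytes": 5_200_000_000},
    {"ts": "2025-03-04T09:10:00", "source": "endpoint", "user": "a.lee",
     "host": "ws-0007", "action": "logon"},
]

# Assumed alert thresholds; tune them to the breakout times seen in your own environment.
BREAKOUT_ALERT_MINUTES = 15
EXFIL_ALERT_MINUTES = 60


def _minutes_since(start, ts):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(ts) - datetime.fromisoformat(start)).total_seconds() / 60


def correlate(events):
    """Group events by identity and measure breakout/exfiltration time per identity.

    Initial access is the identity's earliest event. Breakout is the first endpoint
    logon to a host other than the first one touched (lateral movement).
    Exfiltration is the first cloud bulk_download. Returns a dict keyed by user.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    results = {}
    for user, evs in by_user.items():
        t0 = evs[0]["ts"]
        first_host = breakout = exfil = None
        mfa_gap = False
        for ev in evs:
            elapsed = _minutes_since(t0, ev["ts"])
            if ev["source"] == "vpn" and ev["action"] == "login" and not ev.get("mfa", False):
                mfa_gap = True
            elif ev["source"] == "endpoint" and ev["action"] == "logon":
                if first_host is None:
                    first_host = ev["host"]
                elif ev["host"] != first_host and breakout is None:
                    breakout = elapsed
            elif ev["source"] == "cloud" and ev["action"] == "bulk_download" and exfil is None:
                exfil = elapsed

        findings = []
        if mfa_gap:
            findings.append("vpn_login_without_mfa")
        if breakout is not None and breakout <= BREAKOUT_ALERT_MINUTES:
            findings.append("fast_breakout")
        if exfil is not None and exfil <= EXFIL_ALERT_MINUTES:
            findings.append("fast_exfil")

        results[user] = {
            "initial_access": t0,
            "breakout_minutes": breakout,
            "exfil_minutes": exfil,
            "findings": findings,
            # Each event on its own looks routine; the chain is what warrants escalation.
            "escalate": len(findings) >= 2,
        }
    return results


if __name__ == "__main__":
    for user, summary in correlate(SAMPLE_EVENTS).items():
        print(user, summary)
```

The measurement is only as good as the coverage feeding it: if the file server or the cloud tenant is not sending logon and download events, the breakout and exfiltration timers never start, which is the monitoring gap the control-failure list above describes.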

29%

Drop in average breakout time compared to 2024

But speed is only half the story. We also saw slow-burn operations, especially from nation-state actors, where attackers stayed quiet, persisted, and expanded access over months by abusing legitimate tooling and trusted components.

Defenders now face two simultaneous problems: machine-speed breakout and long-dwell persistence, both hiding inside legitimate activity. That changes what “automation” needs to deliver. Playbook-based automation helps, but it requires constant upkeep and still depends on human follow-through.

With AI-assisted investigation and response, defenses can adapt to this divergent threat landscape, reducing routine workload and keeping execution consistent across varied security stacks. The threats in this report will challenge defenses, but the pages ahead show you how to close the gaps attackers exploited this year, and how to build the resilience needed to outlast them in 2026.

Go Beyond the Report
Annual Threat Report Webinar:
Proactive Defense from 2025's Key Cyber Threats


Get customer lessons learned and perspectives, expert walkthroughs, and live Q&A—plus a practical action plan to inform your strategy and safeguard your business as threats evolve.