Threat Landscape | Annual Report 2025 | January 2025 | 18 min read

2025 Cybersecurity Threat Landscape: What the Numbers Actually Say

Ransomware groups pivot to data extortion without encryption. AI-generated phishing reaches near-undetectable quality. Supply chain attacks against CI/CD pipelines triple year-on-year. Our annual breakdown of what changed and what it means for defenders.

// Source Reports

  • Verizon 2025 Data Breach Investigations Report
  • CrowdStrike 2025 Global Threat Report
  • IBM X-Force 2025 Threat Intelligence Index
  • Mandiant M-Trends 2025
  • Google Cloud Threat Horizons Report H1 2025

Every year the security industry publishes dozens of threat reports, and the signal-to-noise ratio is mixed. Some reflect genuinely novel data from millions of observed incidents; others recycle prior-year conclusions with new graphics. This report synthesises findings from the five major 2025 publications listed above (Verizon DBIR, CrowdStrike GTR, IBM X-Force, Mandiant M-Trends and Google Cloud Threat Horizons) into a practitioner-focused summary of what actually changed in the threat landscape and what the defensive implications are.

INFO

All statistics cited in this report are derived from the published 2025 editions of the referenced industry reports. Where figures differ between sources we note the variance and prefer the source with the larger, more geographically diverse dataset.

The Biggest Shift: Encryption-Free Ransomware

The most significant structural change in ransomware operations this year was the growth of extortion-only attacks that skip encryption entirely. CrowdStrike documented a 40% year-on-year increase in adversary groups conducting data theft followed directly by ransom demands, without deploying an encryptor. The economics make sense from the attacker's perspective: encryption requires victim-specific key management infrastructure, creates detectable endpoint activity, and leaves evidence in memory. Exfiltration alone achieves the same leverage with less operational overhead.

Verizon's DBIR found that extortion was present in 32% of all financially motivated breaches in 2025, up from 24% the prior year. Critically, the median time from initial access to the extortion demand dropped to 5.5 days, compared to 8 days for traditional encrypting ransomware. Defenders have less time than ever to detect and contain an intrusion before the attacker's leverage (a copy of the data) is already established.

Extortion-only attacks have grown consistently for three years, now accounting for nearly a third of financially motivated breaches.

Initial Access: Credential Theft Still Dominates

Verizon's 2025 DBIR found that stolen credentials were the number one initial access method for the fourth consecutive year, involved in 38% of breaches. The mechanism has shifted: the dominant delivery channel is no longer direct phishing of target employees but rather purchase of credentials harvested by information-stealer malware deployed via malvertising, trojanised software downloads, and cracked software repositories.

| Initial Access Method | Share of Breaches (2025) | Year-on-Year Change |
| --- | --- | --- |
| Stolen credentials (purchased/infostealer) | 38% | +4 pp |
| Phishing (direct to target) | 22% | -3 pp |
| Exploitation of public-facing applications | 19% | +2 pp |
| Trusted relationship / supply chain | 12% | +5 pp |
| Valid accounts (insider/misconfiguration) | 9% | Flat |

IBM X-Force reported that the average time from initial infostealer infection to credential deployment in a separate targeted attack was 22 days. This gap represents the window available for credential monitoring to detect and remediate before an attacker makes use of the stolen material.
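Using that window requires checking credentials against a breach corpus without disclosing them to the service doing the checking. The standard pattern is the k-anonymity range query used by Pwned Passwords: the client sends only the first five hex characters of the password's SHA-1 and receives every hash suffix in that range with a breach count, then matches locally. The block below is an added example written for this article, not code from the report or from any of the cited vendors. It runs offline against a constructed range response; the two hash suffixes are the real SHA-1 of "password" and of the empty string, but the counts, the decoy line and the usernames are made up.

```python
from __future__ import annotations

import hashlib
from typing import Callable

# Constructed stand-in for the body of a k-anonymity range response.
# The real endpoint is GET https://api.pwnedpasswords.com/range/<prefix>, where
# <prefix> is the first five hex chars of the uppercase SHA-1 of the password and
# each response line is "<remaining 35 hex chars>:<count>".
# The two real suffixes below are SHA-1("password") and SHA-1(""); the counts and
# the decoy line are made up for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:1\r\n"
    ),
    "DA39A": "3EE5E6B4B0D3255BFEF95601890AFD80709:27\r\n",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call; returns the constructed body, or '' for an unknown prefix."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def lookup_password(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> int:
    """Return how many times `password` appears in the corpus, 0 if absent.

    Only the 5-character hash prefix leaves the client. Neither the password nor
    its full hash is ever sent, which is what makes this safe against an
    external service.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def screen_credentials(creds: dict[str, str],
                       fetch_range: Callable[[str], str] = offline_fetch) -> dict[str, int]:
    """Screen a {username: password} mapping and return only the users whose
    password is in the corpus, with the count, so the result can drive a
    forced-reset workflow without echoing any password."""
    hits: dict[str, int] = {}
    for user, pw in creds.items():
        n = lookup_password(pw, fetch_range)
        if n:
            hits[user] = n
    return hits
```

For a live check, replace `offline_fetch` with a function that fetches the URL in the comment with `urllib.request` and returns the body text. For a directory-wide audit you would normally extract NTLM hashes and query the service's NTLM range endpoint rather than handle plaintext passwords at all; the matching logic is the same.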

Vulnerability Exploitation: The Speed of Weaponisation

CrowdStrike tracked the median time from CVE publication to active exploitation at 62 hours in 2025, down from 84 hours in 2024 and 5 days in 2022. The compression is being driven by automated exploitation frameworks that generate working exploits from patch diffs within hours of a fix being published. For organisations with 30-day or quarterly patch cycles, this data point should prompt a fundamental rethink of patching SLAs for internet-facing infrastructure.

```text
CVE Weaponisation Timeline (CrowdStrike GTR 2025)

CVE disclosed (Day 0)
  |
  +-- Patch released (same day ~60% of cases, within 7 days ~35%)
  |
  +-- Proof-of-concept published (median: 28 hours after CVE disclosure)
  |
  +-- Active exploitation observed (median: 62 hours after CVE disclosure)
  |
  +-- Broad threat actor adoption (median: 14 days after CVE disclosure)
  |
  +-- Average enterprise patch deployment (30-90 days after CVE disclosure)
                                            ^
                                            | This gap is the attack window
```

The most heavily exploited vulnerability classes in 2025 were: edge device firmware (VPN appliances, firewalls, load balancers) at 29% of exploited CVEs; web application frameworks at 24%; and cloud management interfaces at 18%. Mandiant noted that edge device exploitation was the single most common enterprise intrusion vector in their incident response caseload for the second consecutive year.

AI-Assisted Attacks: Moving Beyond Hype

Last year's reports were heavy on AI threat speculation. This year's data shows concrete operational adoption in two specific areas: phishing content generation and vulnerability research automation.

IBM X-Force analysed 8,000 phishing emails attributed to tracked threat groups and found that AI-generated content had reached a quality threshold where linguistic analysis tools could no longer reliably distinguish it from legitimate correspondence. The same groups were deploying AI-generated phishing in five languages simultaneously, targeting multinational organisations without the per-language staffing costs that previously constrained international campaigns.

CrowdStrike documented nation-state actors using LLM-assisted vulnerability research to generate candidate exploits for target software, reducing research time by an estimated 60%. The capability is currently limited to actors with the resources to run private model instances — public commercial APIs are not being abused at scale for this purpose due to content filtering. That constraint is expected to erode as capable open-weight models become more accessible.

Supply Chain: CI/CD as the New Attack Surface

Mandiant M-Trends 2025 documented a 210% increase in intrusions targeting software build and deployment infrastructure compared to 2023. The XZ Utils backdoor, discovered in March 2024 as the end point of a roughly two-year effort to gain maintainer trust (the backdoored 5.6.0 and 5.6.1 releases themselves were only weeks old when found), catalysed significant threat actor interest in the pattern: a single successful compromise of a widely-used open-source dependency or build tool can provide access to thousands of downstream environments simultaneously.

The most common supply chain intrusion vectors in 2025 were: compromised CI/CD credentials exposed in public repositories (41%); malicious packages published to open-source registries (28%); and social engineering of open-source maintainers to accept malicious pull requests (19%). The last category is the most difficult to defend against and requires community-level governance responses rather than organisational security controls alone.
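The first vector above is largely self-inflicted: credentials and weak pipeline configuration sitting in workflow files that anyone can read. The block below is an added example for this article, not tooling from Mandiant or any other cited vendor. It is a dependency-free, line-based auditor for GitHub Actions workflow files that flags four of the usual problems: actions not pinned to a full commit SHA, literal secrets in `env:` blocks, the `pull_request_target` trigger combined with a checkout of the PR head (which runs fork-supplied code with the base repository's secrets), and a missing top-level `permissions:` block. The sample workflow is constructed; the AWS key in it is Amazon's documented placeholder and the 40-hex SHA is made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed GitHub Actions workflow, not taken from any real repository.
# It contains one instance of each problem the auditor looks for.
SAMPLE_WORKFLOW = """\
name: build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/deploy-action@main
      - name: deploy
        run: ./deploy.sh
        env:
          AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
          API_TOKEN: ${{ secrets.API_TOKEN }}
"""


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the workflow file; 0 for file-level findings
    rule: str
    detail: str


USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PINNED_RE = re.compile(r"@[0-9a-f]{40}$")               # full commit SHA, the only immutable ref
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
PERMISSIONS_RE = re.compile(r"^\s*permissions\s*:")
SPECIFIC_SECRETS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# A secret-looking key whose value is a literal rather than a ${{ ... }} expression.
LITERAL_SECRET_RE = re.compile(
    r"^\s*-?\s*[A-Za-z_]*(?:PASSWORD|PASSWD|TOKEN|SECRET|API_KEY|ACCESS_KEY)[A-Za-z_]*"
    r"\s*:\s*(?!\$\{\{)\S+",
    re.IGNORECASE,
)


def audit_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []
    # pull_request_target runs with the base repo's secrets; checking out the PR head
    # under that trigger lets a fork's code execute with them.
    pr_target = any(PR_TARGET_RE.search(l) for l in lines)
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")) and not PINNED_RE.search(ref):
                findings.append(Finding(n, "unpinned-action", ref))
        key = line.split(":", 1)[0].strip().lstrip("- ")
        hit = False
        for rule, rx in SPECIFIC_SECRETS:
            if rx.search(line):
                findings.append(Finding(n, rule, key))   # report the key, never the value
                hit = True
        if not hit and LITERAL_SECRET_RE.match(line):
            findings.append(Finding(n, "literal-secret", key))
        if pr_target and PR_HEAD_RE.search(line):
            findings.append(Finding(n, "pr-target-checkout", line.strip()))
    if not any(PERMISSIONS_RE.match(l) for l in lines):
        findings.append(Finding(0, "no-permissions-block",
                                "GITHUB_TOKEN falls back to the repository default scope"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.rule:<22} {f.detail}")
```

Run it over every file under `.github/workflows/` in CI and fail the build on any finding. The secret patterns are deliberately narrow; a real deployment would pair this with a dedicated secret scanner, and the `literal-secret` rule will flag `secrets: inherit` in reusable-workflow calls, which is a known false positive to allow-list.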

Sector-Specific Findings

| Sector | Top Threat | Key Statistic |
| --- | --- | --- |
| Financial Services | BEC / account takeover | Median loss per BEC incident: $140k (FBI IC3 2025) |
| Healthcare | Ransomware / data extortion | 62% of all ransomware reports involved healthcare targets (HHS 2025) |
| Critical Infrastructure | Nation-state pre-positioning | ICS-CERT responded to 1,200+ OT incidents, up 38% (CISA 2025) |
| Technology | Supply chain / credential theft | SaaS platform credentials in 44% of tech sector breaches (IBM X-Force 2025) |
| Education | Phishing / credential compromise | Underfunded security functions with high-volume external exposure (Verizon DBIR 2025) |

Defensive Priorities for 2025

Synthesising the findings above into a prioritised defensive roadmap, the highest-return investments are consistent across all five major reports:

  1. Phishing-resistant MFA deployed to all users, not just privileged accounts. Credential theft is the leading initial access method. Phishing-resistant MFA (hardware keys, passkeys) directly blocks the most common attack chain.
  2. Patch SLA reform for internet-facing infrastructure. With a 62-hour median to active exploitation, a 30-day patch cycle means living with a roughly four-week attack window on every critical CVE. Edge devices and VPN appliances should be patched within 24-48 hours of a critical advisory.
  3. Credential monitoring and infostealer hygiene. Subscribe to a credential intelligence feed. The 22-day gap between infostealer infection and targeted use is a detection opportunity that most organisations are not using.
  4. CI/CD pipeline security. Audit all workflow files for credential exposure, enforce branch protection, pin third-party actions to a full commit SHA rather than a mutable tag or branch, and require code review for pipeline configuration changes.
  5. Detection capability for data exfiltration. With the median time from intrusion to extortion demand down to 5.5 days, detection engineering should prioritise large outbound data transfers, Rclone usage, and bulk file access events.
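The three signals in priority 5 map onto three straightforward detections: a process-image and command-line match for transfer tooling, a sliding-window sum of bytes out per host and destination, and a sliding-window count of distinct files touched per user. The block below is an added example for this article, not detection content from any of the cited vendors. The event schemas, hostnames, users, paths, destinations (drawn from the TEST-NET documentation ranges) and byte counts are constructed, and the thresholds (2 GiB per hour, 500 files per 10 minutes) are illustrative starting points to tune per environment.

```python
from __future__ import annotations

from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Minimal event shapes; a real pipeline would map EDR, proxy/NetFlow and file-audit records onto these.
ProcEvent = namedtuple("ProcEvent", "ts host user image cmdline")
NetEvent = namedtuple("NetEvent", "ts host dst bytes_out")
FileEvent = namedtuple("FileEvent", "ts host user path")

T0 = datetime(2025, 1, 14, 2, 0, 0)
MiB = 1024 ** 2

# Constructed telemetry: every host, user, path, destination and byte count is made up.
# host-a / jdoe is the noisy actor in all three feeds; host-b / asmith is benign.
PROC_EVENTS = [
    ProcEvent(T0, "host-b", "asmith", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(T0 + timedelta(minutes=3), "host-a", "jdoe",
              r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
              r"rclone.exe copy D:\Finance mega:share --transfers 32"),
]
NET_EVENTS = [
    NetEvent(T0, "host-a", "203.0.113.10", 900 * MiB),
    NetEvent(T0 + timedelta(minutes=20), "host-a", "203.0.113.10", 900 * MiB),
    NetEvent(T0 + timedelta(minutes=40), "host-a", "203.0.113.10", 900 * MiB),
    NetEvent(T0 + timedelta(minutes=5), "host-b", "198.51.100.5", 100 * MiB),
]
FILE_EVENTS = (
    [FileEvent(T0 + timedelta(seconds=i / 2), "host-a", "jdoe", rf"\\fs01\finance\q4\file{i}.xlsx") for i in range(600)]
    + [FileEvent(T0 + timedelta(minutes=i), "host-b", "asmith", rf"\\fs01\hr\doc{i}.docx") for i in range(20)]
)
EXFIL_TOOLS = {"rclone.exe", "rclone", "megasync.exe", "winscp.exe", "filezilla.exe"}


def detect_exfil_tools(events: list[ProcEvent]) -> list[tuple]:
    """Flag known sync/transfer tools by image name, and a renamed rclone by its
    command line (the subcommand and remote syntax survive a rename)."""
    alerts = []
    for e in events:
        name = e.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        cmd = e.cmdline.lower()
        if name in EXFIL_TOOLS or ("rclone" in cmd and (" copy " in cmd or " sync " in cmd)):
            alerts.append(("exfil-tool", e.host, e.user, name))
    return alerts


def detect_bulk_egress(events: list[NetEvent], window=timedelta(hours=1), threshold=2 * 1024 ** 3) -> list[tuple]:
    """Sliding-window sum of bytes out per (host, destination); one alert per pair."""
    by_pair: dict[tuple[str, str], list[NetEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pair[(e.host, e.dst)].append(e)
    alerts = []
    for (host, dst), evs in by_pair.items():
        total, start = 0, 0
        for e in evs:
            total += e.bytes_out
            while e.ts - evs[start].ts > window:      # drop events that have aged out of the window
                total -= evs[start].bytes_out
                start += 1
            if total > threshold:
                alerts.append(("bulk-egress", host, dst, total))
                break
    return alerts


def detect_bulk_file_access(events: list[FileEvent], window=timedelta(minutes=10), threshold=500) -> list[tuple]:
    """Distinct files touched per (host, user) inside a sliding window; one alert per actor."""
    by_actor: dict[tuple[str, str], list[FileEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_actor[(e.host, e.user)].append(e)
    alerts = []
    for (host, user), evs in by_actor.items():
        in_window: Counter[str] = Counter()
        start = 0
        for e in evs:
            in_window[e.path] += 1
            while e.ts - evs[start].ts > window:
                old = evs[start].path
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                alerts.append(("bulk-file-access", host, user, len(in_window)))
                break
    return alerts


def run_detections() -> list[tuple]:
    """Run all three detections over the constructed telemetry."""
    return (detect_exfil_tools(PROC_EVENTS) + detect_bulk_egress(NET_EVENTS)
            + detect_bulk_file_access(FILE_EVENTS))


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Each detection on its own is noisy (backup agents move gigabytes, indexers touch thousands of files); the useful alert is the correlation, the same host or user tripping two of the three within the same hour, which is what the 5.5-day window leaves time for.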
TIP

The single finding most consistent across all five 2025 reports: organisations with phishing-resistant MFA and a mature vulnerability management programme for external attack surface were significantly underrepresented in breach data relative to their peers. Neither control is complex to implement. The gap is consistent execution, not lack of knowledge.
