Every year CrowdStrike drops their Global Threat Report, and every year it gives us a look at what happened the previous year: the attacks, the TTPs, the threat actor personas, the whole picture. This year's edition is titled The Year of the Evasive Adversary, and the after digging into it, the name fits.
I'm not going to walk through the whole thing. It's a big document, and if you work in security or you're just interested in this space, you should download it and read it yourself.
What I want to do here is pull out the themes that keep coming up in conversations we're having with customers at Cypress. Whether you're in technology, retail, logistics, telecom, financial services, manufacturing, or healthcare, these apply. Nobody's off the hook. And if you're fighting for budget to grow your blue team capabilities, I'm hoping some of this gives you ammunition.
AI Is On Both Sides Of The Table Now
AI shows up all over the report, which is no shock. What's worth paying attention to is that there are really two separate stories here.
First, adversaries are using AI, and they're getting a lot faster because of it. AI-enabled attacks are up 89% year over year across multiple vectors, and social engineering is one of the big ones. Attackers are using public models, some are building and training their own, and frankly a lot of it looks like experimentation (which, if you think about it, is probably not that different from how your own company is figuring out AI).
They're using it to script and code, evade security controls, and generate fake personas that make their interactions way more convincing. At the nation-state level, we're seeing things like entirely fake consulting firms being stood up to target people through job recruitment pipelines.
What this really means is that phishing, which was already a massive problem, has gotten incredibly hard to spot. Fake accounts, fake social media presences, deepfakes. The line between real and fake interactions is blurring in a way that should make everyone uncomfortable.
The other side of the coin is AI as a target. Your company is probably using AI to augment or replace business processes right now, and that means your AI services are quickly becoming tier-zero, business-critical infrastructure. Attackers know this.
They're using prompt injection to break your guardrails, poisoning your data, manipulating your models, and in some cases spinning up malicious services that masquerade as legitimate AI platforms.
If you're running AI in-house, securing those systems from abuse and misuse needs to be a real priority, not an afterthought you get to next quarter.
Speed Is The Name Of The Game
This section of the report genuinely stopped me. Here are the numbers:
- 29 minutes: the average time from initial breach to compromise of high-value assets
- 27 seconds (yes, seconds): the fastest observed breakout
- 4 minutes: from initial access to data exfiltration
- 42%: increase in zero-day exploits prior to public disclosure
Take a second with those and ask yourself honestly: can you respond at that speed?
We joke a lot about AI being jammed into every product and every conversation, but the reality is you need that capability. Human-speed detection and correlation isn't going to cut it anymore. Full stop.
And then there's the zero-day problem. If you're getting hit with something that doesn't have a public signature yet, it's entirely possible the intrusion happens and you don't catch the front door. So then what? Are you monitoring access throughout your environment? Are you using segmentation to limit lateral movement?
These are the questions you should be asking right now, before you need the answers.
Identity Is Challenging (And More Important Than Ever)
Identity is central to everything we do. And it's so easy to mess up or miss security controls around.
I know the phrase "attackers aren't breaking in, they're logging in" has been worn out, but it's true and the numbers back it up.
82% of detections in the report were malware-free. Attackers used valid credentials and moved through approved channels inside the organization. Valid account abuse accounted for over a third of cloud incidents.
If you're not treating your identity stack like your crown jewels, it's time to rethink that. Protecting it, monitoring it, and detecting anomalies inside legitimate identity paths can be the difference between shutting something down at the source and finding out about it months later.
Remember that 4-minute exfiltration I mentioned? Initial access in that case was convincing the victim to grant control through Quick Assist. That's it. No exploit, no malware. Just a user clicking yes.
Now let's pivot to an area that many organizations fall short in: identity recovery.
These days you've got on-prem, cloud, SaaS, and a mobile workforce. A single user exists in multiple places, using multiple services. If you're a hybrid identity shop (and almost everyone is), are you protecting, monitoring, and able to recover not just on-prem identity, but cloud identities, enterprise apps, trusts, and authorizations? If an attacker flattened your identity infrastructure tomorrow, could you recover?
My favorite analogy here is your phone contacts. If somebody deleted your contact list and you couldn't get it back, what would your day look like? I know my parents' numbers, a couple of random ones from childhood, and my wife's. That's it. Everyone else in my phone is a name I tap. I don't actually know your number. I don't know you from Adam.
Your identity platform is the same thing for your business. Treat its security and its recoverability seriously, because threat actors want nothing more than to get their teeth into it.
Tool Sprawl Is Now Its Own Risk
Security tool fragmentation has been a known pain point for analysts for years, and attackers are exploiting it. They stay off your well-protected endpoints and bet you can't assemble the kill chain fast enough while you're pivoting across 10, 15, or more different consoles.
Best-of-breed versus platform is an old debate. If I think back to the converged infrastructure days and the build-versus-buy conversations we've been having forever, this isn't new ground. What is new is that we're now seeing real, measurable risk tradeoffs from the scattered approach. Even if a wide toolset technically covers more control areas, the lack of interoperability, and the fact that attackers are actively exploiting the seams, has become a risk factor on its own.
Supply Chain Attacks Aren't Going Anywhere
The last area of the report I want to highlight, is that supply chain attacks into codebases are a real and persistent threat.
Picture this: you're the target, but instead of trying to breach your Fort Knox, the attacker goes after software you already use. Maybe they swap a dependency with a malicious version. Maybe they slip something into an update package that deploys remote access or C2. The Notepad++ compromise in 2025 is a good example, worth looking into if you haven't already.
You probably have controls for blocking novel, unsanctioned software, but do you have zero-trust controls around the software you already trust? Software guardrails and behavioral lockdowns are going to get more and more important. You should be able to define what your sanctioned applications are allowed to do, and catch them when they start acting like they're up to something.
Wrapping Up
That's what I've got for you, but recommend you download the full report, because it's worth your time to go more in-depth. My goal here was to pull out the themes I'm actually seeing in customer conversations and give you something useful to take back to your team.
If any of this hit close to home and you want to talk through it, that's what we do at Cypress so get in touch or reach out on LinkedIn.
