
What are cyber adversaries doing and why? Understanding cyber trends in 2025

Category: News
Published: 4th November 2025


The cyber threat landscape of 2025 has so far been defined by professional velocity and identity-based precision. This velocity, highlighted by CrowdStrike research, is the result of adversaries adopting a professional, business-like structure, refining their successful strategies and optimising operations for extreme speed. Adversaries have largely abandoned noisy, brute-force exploits in favour of high-speed, stealthy intrusions that exploit human trust and systemic vulnerabilities. Analysis of threat intelligence from leading vendors reveals a professionalised attack ecosystem that is not only optimising for speed but also exploiting deep structural weaknesses within organisational defences.

This fundamental shift in Tactics, Techniques, and Procedures (TTPs) is best summarised by the acceleration of the attack lifecycle. Research from CrowdStrike confirms that the average eCrime breakout time, the critical window between initial compromise and lateral movement, has plummeted to just 48 minutes, with the fastest intrusions recorded at a staggering 51 seconds. To achieve this velocity, adversaries are prioritising malware-free operations. CrowdStrike reports that between 79% and 81% of observed hands-on-keyboard intrusions now rely on the abuse of legitimate tools and, critically, valid user credentials. The focus has therefore migrated entirely, making the identity layer the primary perimeter of failure. This is further evidenced by the explosion of social engineering techniques, with voice phishing attacks skyrocketing by 442% between the first and second halves of 2024.

Two major forces are driving this accelerated adaptation: technological leverage and structural weakness. On the technology side, Generative AI acts as a powerful threat force multiplier. AI-enabled tools allow criminals to scale sophisticated, tailored social engineering campaigns, including crafting highly convincing phishing content and generating deepfake voice calls. This widespread accessibility of AI-driven tools has levelled the playing field, enabling even low-skilled attackers to deploy once-elite tactics at scale, dramatically increasing both the volume and the sophistication of initial access attempts. Structurally, the vulnerability lies in the supply chain, where third-party breaches rose 100% year-on-year, now accounting for 30% of all breaches in 2025, according to Security Scorecard. This systemic risk was acutely demonstrated in high-profile UK incidents involving Marks and Spencer (M&S), Co-op Group, and Jaguar Land Rover (JLR). These organisations shared a common structural weakness: the outsourcing of critical IT and helpdesk functions, which became high-leverage targets for identity-based attacks. The M&S and Co-op incidents specifically highlight how the TTP of helpdesk impersonation intersected with the supply chain vulnerability at the outsourced service desk, leading to catastrophic financial fallout, with JLR alone facing estimated losses of approximately £10 million per day of manufacturing shutdown.

Defending against accelerated, identity-based intrusions requires a unified framework that prioritises speed, context, and ultimate resilience. The first imperative is to eliminate the initial access opportunity and prevent the 48-minute breakout by mandating the aggressive adoption of phishing-resistant MFA across all privileged and SaaS accounts. This must be paired with continuous auditing and real-time threat intelligence to restrict permissions and detect hands-on-keyboard activity immediately, reducing the available time for lateral movement.

The second imperative, addressed by a study from Sumo Logic, is modernising the Security Operations Centre (SOC) to match the adversary’s speed of analysis. Legacy Security Information and Event Management (SIEM) systems struggle with the volume and speed of cloud telemetry. Therefore, organisations must transition to cloud-native SIEM platforms and strategically leverage Artificial Intelligence and User and Entity Behaviour Analytics (UEBA). Sumo Logic research highlights that 90% of security leaders consider AI critical for enhancing operational efficiency. AI must be used not to replace analysts, but to enhance capability by correlating high alert volumes and providing immediate contextual risk scoring, ensuring security teams can act before the breakout window closes. At Red Helix we have seen a significant advantage coming from teaming our analysts with AI capable tools in this manner.
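As an added illustration of the two imperatives above (not code from Red Helix, CrowdStrike or Sumo Logic), the following Python detector measures the breakout window described earlier, the gap between an account's first logon and its first remote session to a different host, and combines it with a simple UEBA-style contextual risk score. The 48-minute window comes from the article; the sample log lines, the per-account baseline of known source addresses, the list of privileged accounts and the score weights are all constructed for the example.

```python
"""Breakout-time detector with contextual risk scoring (added example).

Flags accounts whose first logon is followed, inside the 48-minute breakout
window cited in the article, by a remote session to a different host, but only
when the surrounding context (new source address, privileged account, off-hours,
lateral hop) pushes the risk score over a threshold. This keeps routine file
server access by a known user from producing an alert.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

BREAKOUT_WINDOW = timedelta(minutes=48)  # average eCrime breakout time from the article
ALERT_THRESHOLD = 60                     # assumed score cut-off for this example


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    host: str
    kind: str  # "logon" = interactive/VPN logon; "remote" = remote session to a host


# Constructed sample telemetry (not real data): timestamp,user,source ip,host,kind
SAMPLE_LOGS = [
    "2025-11-04T08:02:10Z,alice,10.20.0.15,WS-ALICE,logon",
    "2025-11-04T08:40:00Z,alice,10.20.0.15,FILESRV01,remote",
    "2025-11-04T09:15:22Z,svc_admin,203.0.113.77,VPN-GW,logon",
    "2025-11-04T09:31:05Z,svc_admin,203.0.113.77,DC01,remote",
    "2025-11-04T09:33:48Z,svc_admin,203.0.113.77,FILESRV02,remote",
]

# Constructed baselines standing in for what a UEBA platform would learn over time.
BASELINE_IPS = {"alice": {"10.20.0.15"}, "svc_admin": {"10.20.0.50"}}
PRIVILEGED = {"svc_admin"}


def parse_event(line):
    """Turn one CSV log line into an Event."""
    ts, user, ip, host, kind = line.split(",")
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, host, kind)


def risk_score(ev, first_logon):
    """Contextual score: new source IP, privileged account, off-hours, lateral hop."""
    score = 0
    if ev.src_ip not in BASELINE_IPS.get(ev.user, set()):
        score += 40  # never-seen source address for this account
    if ev.user in PRIVILEGED:
        score += 30  # privileged identity
    if not 7 <= ev.ts.hour < 19:
        score += 10  # outside assumed working hours
    if ev.kind == "remote" and ev.host != first_logon.host:
        score += 20  # session to a host other than the one logged on to
    return score


def detect_breakout(lines, window=BREAKOUT_WINDOW, threshold=ALERT_THRESHOLD):
    """Return one alert per lateral hop that lands inside the window with a high score."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    first_logon = {}
    alerts = []
    for ev in events:
        if ev.kind == "logon":
            first_logon.setdefault(ev.user, ev)  # keep the earliest logon per account
            continue
        start = first_logon.get(ev.user)
        if start is None or ev.host == start.host:
            continue  # no initial logon seen, or not a lateral hop
        delta = ev.ts - start.ts
        score = risk_score(ev, start)
        if delta <= window and score >= threshold:
            alerts.append({
                "user": ev.user,
                "from": start.host,
                "to": ev.host,
                "breakout_minutes": round(delta.total_seconds() / 60, 1),
                "score": score,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_breakout(SAMPLE_LOGS):
        print(alert)
```

Run as written, the known user alice reaches a file server 37.8 minutes after logon but scores only 20 and is ignored, while svc_admin, arriving from an address outside its baseline, hops to DC01 and FILESRV02 within 16 and 19 minutes of logon and raises two alerts scoring 90. The design point is the one the article makes: the time measurement alone is not enough, since legitimate users also move between hosts quickly; the breakout clock has to be paired with identity context so the alert fires only where a credential is being used in an unfamiliar way.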

The final imperative is guaranteed resilience against the ultimate threat of ransomware and extortion. As general endpoint products have been bypassed by modern ransomware variants, a purpose-built anti-ransomware platform is essential. These platforms, such as Halcyon, utilise AI/ML models trained exclusively on ransomware, focusing on pre-execution prevention, automated host isolation, and, critically, offering encryption key capture and automated decryption capabilities. This dedicated layer provides a robust, final fail-safe that guarantees business continuity and mitigates the immense downtime costs seen in major UK breaches.

The cyber security contest now hinges on speed and identity control, driven by professionalised crime groups leveraging AI and exploiting supply chain and outsourcing weaknesses. Over the next six months, AI will further scale deepfake and vishing attacks, making identity protection the top priority. With cloud intrusions surging, SIEM modernisation is vital to deliver the speed and context needed to detect and contain lateral movement. Finally, ransomware will increasingly be used as a catalyst for geopolitical disruption, so the focus must shift decisively from mere detection to guaranteed business resilience. Winning the next six months will require practitioners to leverage controls that operate at machine speed to beat the 48-minute clock and decisively defend the identity perimeter.

Written by:
Tom Exelby
Head of Cyber