Cyber attacks more than doubled in 2025, with Health-ISAC’s 2025 Fourth Quarter Health Sector Heartbeat reporting a 55% year-over-year increase in cyber incidents. 

While attacks continue to grow in frequency, the more alarming shift is in their impact. As attacks against governments and critical infrastructure like healthcare and manufacturing are intensifying in both scale and ambition, the cybercrime losses are staggering. According to the FBI’s 2025 Internet Crime Report, US cybercrime losses hit a historical high of nearly $21 billion, a 26% YoY increase.

We’ve analyzed recent cyber attacks within the past 6 months and a larger sample within the past 5 years to identify important patterns, trends, and actionable takeaways that can help organizations understand emerging threats and shifting criminal tactics and improve their resilience to help prevent cyber attacks.

Recent Cyber Attacks 2026

This year marks a noticeable escalation in cyber attacks against the defense industrial base (DIB), government agencies, and critical infrastructure providers. More adversaries are shifting from direct and often opportunistic attacks for the purposes of quick financial gain, immediate disruption, and traditional espionage toward sophisticated, persistent operations that target trusted, widely-used tools in order to:

• compromise supply chains
• disrupt operations and production capacity on a global scale, and 
• maintain a long-term foothold for ongoing data theft, sabotage, and economic damage.

Below are eight of the most notable cyberattacks so far this year, their impacts, and what organizations can learn from them.

1. Iranian cyber attacks on OT devices across U.S. critical infrastructure

Date: April 2026

Impact: Disruptions to U.S. critical infrastructure and financial loss

According to an advisory issued jointly by several government agencies including the FBI, CISA, and NSA in early April, Iran-affiliated advanced persistent threat (APT) actors began launching an attack targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley used to control critical sectors. 

The FBI reported that this attack resulted in financial loss and operational disruption across several U.S. critical infrastructure sectors including water utilities, energy networks, and local government facilities. 

According to a report from Censys, this APT campaign threatened more than 5,000 industrial control devices around the world, including roughly 3,900 in the U.S.

Key learning

As a result of these escalating campaigns targeting OT operators, a group of U.S. government agencies released a new publication dedicated to supporting critical infrastructure organizations in applying zero trust principles to their OT environments. 

Zero trust is a critical shift in enterprise network security that focuses on:

• defending users, assets, and resources themselves, instead of network segments
• limiting threat actor movement and potential damage, instead of preventing entry

While this publication is just one of the latest examples in decades-long effort to get federal agencies and critical infrastructure organizations to embrace zero trust principles, this is particularly important for OT operators since many use legacy technology, lack adequate resources and budgets for cybersecurity, and are less tolerant of disruptions than IT environments, which makes zero trust even more challenging to implement. 

However, those that do invest in transitioning to zero trust architecture can help mitigate the risk of losing visibility or control of critical systems that affect the nation’s ability to provide energy, water, transportation, communications, and more and the catastrophic outcomes of such cyber incidents.

Recent Cyber Attacks 2025

In 2025, cyberattacks became more sophisticated, faster to execute, and impacting more sectors. 

The incidents below reveal several patterns worth noting:

• A single threat group (Scattered Spider) executed coordinated campaigns across insurance, retail, and aviation in the same quarter, demonstrating how adversaries now operate at industrial scale across sectors. 
• Ransomware operators and nation-state actors alike shrank their attack timelines from days to hours.
• The line between cybercrime and espionage continued to blur, with defense contractors, federal software vendors, and critical infrastructure all targeted in the same year.

Together, these incidents paint a picture not just of increasing volume, but of increasing strategic intent.

9. Opexus insider threat attack

Date: February 2025

Impact: Government system outages and deletion of dozens of government databases and thousands of files

Opexus, a major software service contractor for the U.S. government, experienced an insider threat attack in early 2025. 

Since Opexus handles sensitive data for nearly every U.S. federal agency, the insider attack resulted in a massive federal data breach, with two employees allegedly destroying 30 government databases that contained data from the General Services Administration and exfiltrating approximately 1,800 files related to one government project. An investigation also uncovered that these malicious insiders caused an outage of two key software systems used by government agencies to process and manage their records, and in some cases a permanent loss of data.

Key learning

This breach highlights growing software supply chain threats, particularly for federal governments. As a result of vendor breaches like these, many government agencies are tightening cybersecurity requirements and enforcement across their supply chains. 

While the DIB is in the middle of its phased implementation of CMMC requirements contractually, the General Service Administration (GSA) released its own CUI framework earlier this year. Because of its differences from CMMC, this release has raised concerns about the patchwork of cybersecurity requirements that some federal contractors will have to navigate. 

However, the bigger takeaway is that increased assurance of cybersecurity compliance is becoming an integral part of federal procurement so federal contractors must prioritize implementing these contractual requirements and being able to provide verification. The stakes are not just contract-eligibility, but operational continuity and national security. 

11. WestJet cyber attack

Date: June 2025

Impact: Intermittent disruptions on website and mobile app

In June, Canadian airline WestJet disclosed a cybersecurity incident that disrupted access to its website and mobile app. While flights and operations were unaffected, internal systems were compromised, and customers encountered intermittent access issues. WestJet stated it was still investigating whether sensitive data had been accessed.

The FBI later warned that the attack could be linked to Scattered Spider, a threat group increasingly targeting the airline sector. The group uses social engineering tactics to trick IT help desks into granting access to internal systems, often by impersonating employees and bypassing MFA protections. Once inside, they exfiltrate sensitive data and may deploy ransomware as a secondary tactic.

Key learning

Organizations must adopt a multi-layered defense that includes regular security awareness training, especially around social engineering tactics. Educating employees, especially IT and support teams, on recognizing impersonation attempts can prevent attackers from gaining a foothold.

Recent Cyber Attacks 2023

In 2023, the cybersecurity landscape was defined by disruption at scale. Threat actors launched attacks that shut down production lines, compromised cloud environments, and affected tens of millions of consumers globally. The year’s biggest incidents weren’t just about data loss. They had serious implications for public safety, national security, and economic stability.

Key themes across 2023 breaches included:

• The rise of data extortion without deploying ransomware
• Attacks on managed service providers to gain downstream access
• Growing interest in healthcare and critical infrastructure
• Continued exploitation of known but unpatched vulnerabilities

Looking back at these events provides valuable insight into threat actor behavior and the defense strategies that proved (in)effective under pressure. Each example is a case study in how lapses in patching, access control, or third-party oversight can have ripple effects across entire industries.

21. ICBC Financial Services ransomware attack

Date: November 2023

Impact: Disruption of the US Treasury market

In November, a subsidiary of the Industrial and Commercial Bank of China (ICBC), the ICBC Financial Services, experienced a ransomware attack that disrupted some operating systems, including those used to clear US Treasury trades and repo financing. As a result of this disruption, the brokerage was unable to settle trades for other market players and temporarily owed BNY Mellon $9 billion. 

This not only highlights the growing payment interruption risk that financial institutions face due to cybersecurity incidents — it also reflects the increasing scale of such incidents. Because financial systems and business operations are increasingly interconnected, the impact of a cyber attack is rarely limited to the target organization. Instead, it has a ripple effect that can affect organizations and economies across the world. 

The attack on ICBC Financial Services, for example, disrupted the US Treasury market, which plays a crucial role in global finance. 

Key learning

Cyber attacks like this are expected to increase as threat actors continue to target important financial institutions and infrastructure in major economies. If successful, an attack on one organization can impact partners, suppliers, and customers across the globe. 

This emphasizes the importance of supply chain risk management. Supply chain risk management involves identifying and assessing threats throughout the supply chain and developing mitigation strategies to protect the integrity, trustworthiness, and authenticity of products and services within that chain. Having a defined process in place can help your organization minimize the likelihood and magnitude of these risks to the supply chain.

22. MGM Resorts phishing attack

Date: September 2023

Impact: Over $100 million in financial losses

After detecting a cyber attack that disrupted its operations in late September 2023, MGM Resorts International shut down its systems to contain the damage. It then reported that it would take a $100 million hit to its third-quarter results, as it worked to restore its systems. The casino giant also expected to incur a one-time cost of approximately $10 million related to the attack.

It appears that the hackers used a social engineering technique known as vishing. After finding an employee’s information on LinkedIn, the hackers impersonated the employee in a call to MGM’s IT help desk to obtain credentials to access and infect the systems. 

Key learning

Social engineering attacks are expected to increase in sophistication and frequency due to AI, which enables threat actors to create more convincing and legitimate sounding phishing emails, deepfakes, vishing calls, and more. 

Organizations that extensively use AI and automation to enhance their cybersecurity capabilities will be best positioned to defend against this weaponized use of AI by cybercriminals. In a study by Capgemini Research Institute, 69% of executives said that AI is necessary to effectively respond to cyberattacks and results in higher efficiency for cybersecurity analysts.

23. Boeing ransomware attack

Date: October 2023

Impact: 43GB data leak 

In October 2023, Boeing, one of the world's largest defense and space contractors, suffered a cyber attack that impacted its parts and distribution business. This attack was traced to a vulnerability in Citrix’s software, known as Citrix Bleed, that was exploited by the ransomware group LockBit 3.0. LockBit later leaked more than 43 gigabytes of data allegedly stolen from Boeing’s system when the aerospace company refused to pay the demanded ransom.

Exploitation of CitrixBleed impacted other major organizations as well, including the U.S. branch of ICBC and logistics firm DP World. The majority of affected systems were reported to be located in North America. It’s estimated that US organizations hit by LockBit paid as much as $90 million in ransom between 2020 and mid-2023.
As a result of the incident at Boeing, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and Australian Cyber Security Center issued a cybersecurity advisory urging organizations to patch against the actively exploited flaw immediately if they haven’t done so already. 

Key learning

In October, Citrix posted a security bulletin rating the bug a 9.4 out of 10 on the CVSS severity scale. However, in November, thousands of instances where the tool was used were still vulnerable to the issue, including nearly 2,000 in North America alone. There was widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks as a result. 

Managing exposure to discovered vulnerabilities is a key aspect of vulnerability management, alongside discovering, categorizing, and prioritizing vulnerabilities and analyzing the root cause of vulnerabilities. Having a robust vulnerability management program can help an organization develop a comprehensive understanding of its risk profile, understand what controls need to be implemented for risk mitigation, and prevent repeat vulnerabilities. 

24. The British Library ransomware attack

Date: October 2023

Impact: Major disruptions to systems and operations and 600GB data leak

The UK's largest library was hit by a cyber attack on the last weekend of October. While the British Library took immediate action to isolate and protect its network, its online systems and services were massively disrupted, its website went down, and it initially lost access to even basic communication tools such as email.

On January 15, it began a phased return of certain key services, starting with the restoration of a reference-only version of its main catalog. However, the disruption to some of its operations is expected to persist for months, possibly until next fall or even longer.

In total, the cost of recovering the British Library’s IT systems is estimated to be as high as £7 million, which represents about 40% of its unallocated cash reserves. 

Key learning

To help prevent lengthy and costly recoveries in the event of a successful ransomware attack, organizations must update their cyber resiliency measures, including putting a disaster recovery plan in place. 

Having a disaster recovery plan in place that is well-designed and regularly maintained can help organizations minimize downtime, reduce financial losses, protect critical data, and provide peace of mind for employees. 

25. TruePill data breach

Date: August 2023

Impact: Data breach impacting 2.3M patients

Truepill experienced a data breach in late August, which exposed the personal data of more than 2.3 million patients. Postmeds, the parent company behind TruePill, published a data breach notice that explained that the attackers accessed files containing sensitive patient data, including names, unspecified demographic information, medication type, and the name of the patient’s prescribing physician.

While the company did not say how its systems were compromised or what specific measures it implemented to prevent future breaches, a class action lawsuit alleges that the cybersecurity incident was the result of inadequate data security measures — including the failure to encrypt sensitive healthcare information stored on its servers.

Key learning

Healthcare is one of the most targeted industries by threat actors. In 2022, 89% of the healthcare organizations experienced an average of 43 attacks in the past 12 months, which equates to almost one attack per week. The healthcare industry was also the most common victim of third-party breaches in 2022, accounting for almost 35% of all incidents.

While third-party security is critical across industries, it’s particularly important in the healthcare industry due to its susceptibility to cyber attacks. Conducting third-party risk assessments, tracking metrics and KPIs like pass rate for security questionnaires, and using automation can help strengthen a healthcare organization’s third-party risk management program and protect it from data breaches like this one.

26. 23andMe hack

Date: October 2023

Impact: Data breach impacting 6.9 million users

23andMe disclosed that hackers accessed about 14,000 accounts in a cybersecurity incident in October. The scope ended up being much larger due to 23andMe’s DNA Relatives feature, which matches users with their relatives. By accessing those 14,000 accounts, hackers were also able to access the profile information of millions of other users. In total, the data breach is known to affect roughly half of 23andMe’s total reported 14 million customers.

When disclosing the incident in October, 23andMe said the data breach was caused by customers reusing passwords. Hackers were able to use publicly known passwords released in other companies’ data breaches to brute-force the victims’ accounts.

Key learning

While the 23andMe breach showed the impact that poor password hygiene can have on data security, it also highlighted the need for organizations to take responsibility for protecting user data. 

Maintaining a strong incident response plan is one security tactic that organizations can implement. For example, following the data security incident, 23andMe required all users to reset their passwords and now requires all new and existing users to use two-step verification when logging in to the website. 

27. Mr. Cooper ransomware attack

Date: October 2023

Impact: Data breach impacting 14.7M customers and $25Min response and recovery costs

After reviewing a cyberattack that took place in October 2023, Mr. Cooper determined that personal data on every current and former customer of Mr. Cooper Group was stolen, which amounted to more than 14 million people. 

Mr. Cooper shut down multiple systems after it discovered the cyberattack, which prevented millions of customers from making payments and processing mortgage transactions. The company set up alternative payment methods for customers after the attack, including by phone, mail service, Western Union and MoneyGram..

The mortgage and loan giant expected vendor expenses related to its response, recovery, and identity protection services to reach $25 million in the fourth quarter.

Key learning

Mr. Cooper is just one of many financial services firms that was hit by a suspected ransomware attack in 2023. Other notable examples include LoanDepot, Fidelity National Financial, and First American Financial. 

Since these cyberattacks undermine the security and confidence in national and international financial systems and endanger financial stability, regulatory expectations for all financial services institutions have increased. More regulation has passed, expanded, or been increasingly enforced to ensure these institutions have a comprehensive information security program in place, including the FTC Safeguards Rule and New York Department of Financial Services (NYDFS) NYCRR 500. 

Meeting these regulatory requirements can not only help avoid penalties and fines — it can also help protect the security and confidentiality of customer information held by financial institutions.

28. Dollar Tree third-party breach

Date: August 2023

Impact: Data breach impacting 2M people

In August 2023, Dollar Tree was impacted by a third-party data breach affecting approximately 1.98 million people. One of its vendors, Zeroed-In Technologies, LLC, suffered a security incident in which threat actors stole the information of Dollar Tree and Family Dollar employees and customers, including names, dates of birth, and Social Security numbers (SSNs).

Allegedly, Dollar Tree shared the private, unencrypted information of its employees and customers with Zeroed-In, which stored that information in an unencrypted, Internet-accessible environment on its public network. An unauthorized party then gained access to the company’s systems. 

Key learning

Many organizations work with outside vendors to cut down on costs or better serve customers, which requires them to share access to sensitive information with third parties. That means organizations must put the same amount of scrutiny on the risk management practices of outside vendors as they do their own.

A vendor risk management program provides companies with visibility into who they work with, how they work with them, what security controls each vendor has implemented, and their security posture over time, which can help them identify potential threats before they impact their business. 

29. DP World Australia cyber attack

Date: November 2023

Impact: Major disruptions to operations that led to 30K shipping container backlog

DP World Australia is one of the country's largest ports operators and manages approximately 40% of Australia’s total flow of goods. In November 2023, it experienced a cyber attack that crippled its operations at container terminals in Melbourne, Sydney, Brisbane, and Fremantle. 

Once it detected unauthorized access to the company’s Australian corporate network, DP World Australia disconnected the network from the Internet in order to contain the incident. This shut down port operations across Australia for three days, prompting a backup of some 30,000 shipping containers. 

Key learning

The DP World cyber attack represents one of the latest large-scale criminal attacks on critical infrastructure and has prompted demand for governments to prioritize and invest in cybersecurity measures, especially for critical infrastructures like ports. The demand is especially high in Australia, since attacks against the country’s critical infrastructure, businesses and homes have surged recently, with one attack happening every six minutes according to the Australian Cyber Security Centre.

Cybersecurity measures can help protect the availability and resilience of critical infrastructure and the essential services it provides.

30. Ardent Health Services ransomware attack

Date: November 2023

Impact: Critical care impacted in at least three states

Ardent Health Services owns and operates 30 hospitals and more than 200 sites of care with more than 1,300 aligned providers in six states. When it was hit by a ransomware attack in November 2023, the company proactively took its network offline, suspending all user access to its information technology applications.

This resulted in disruptions to operations in facilities across multiple states. Some had to reschedule non-emergent, elective procedures and divert emergency room patients to other area hospitals until systems were back online. Patients also reported being unable to refill prescriptions and make appointments online, and having their procedures rescheduled or postponed.

Key learning

According to a report by the FBI’s Internet Crime Complaint Center (IC3), the FBI received 870 reports of ransomware attacks aimed at organizations belonging to 16 critical infrastructure sectors and the healthcare sector topped the list with 210 reports of ransomware attacks.

Increasingly sophisticated and malicious cyber campaigns targeting critical infrastructure like the example above threaten the public and private sector as well as the American people’s security and privacy. In response, the US government has created several information security standards and frameworks for reducing risk and improving data security. 

Federal contractors and government agencies typically comply with these federal standards and frameworks, but any organization can benefit from implementing these stringent and comprehensive requirements. Doing so will have important ramifications for the public sector, the private sector, and ultimately national security and privacy.

Cyber attack trends

Cyberattacks are constantly evolving, and so must your defenses. Looking across major breaches over the past two years, we’ve pulled out high-level trends to help you better understand the latest threat landscape.

These aren’t just headlines. They’re signals that attackers are adapting faster, targeting more strategically, and taking advantage of emerging technologies and global instability. Understanding these trends is essential for strengthening your defenses and aligning with security frameworks that address modern risks.

1. AI-generated attacks are scaling threats at unprecedented speed

AI not only lowers the bar for entry into cyber crime, it also enhances attacker capability by improving the scale, speed, and effectiveness of existing attack methods.

Patrick Smyth, Principal Developer Relations Engineer at Chainguard, points to the decrease in time to exploit, the time from when a vulnerability is publicized until an exploit for that vulnerability has been discovered in the wild, as a practical measure of how AI has dramatically enhanced real-world attacker capability. On average, time to exploit was over 700 days in 2020. It dropped down to only 44 days in 2025.

As a result of the speed that AI offers, cyber attacks by AI-enabled adversaries are increasing rapidly, with CrowdStrike’s 2026 Global Threat Report reporting an 89% YoY increase. 

Experts at the Center for Strategic and International Studies emphasize that this is the biggest threat today: not fully autonomous AI cyber attacks, but how AI vastly reduces the cost, time, and skill required to mount effective attacks using pre-existing methods. For example, research from Google’s M-Trends 2026 report found that attackers are shifting away from mass email campaigns to hyper-personalized, rapport-building social engineering thanks to large language models (LLMs) acting as a strategic force multiplier.

Rapid patching, sophisticated identity controls, and defense-in-depth are all operational necessities to counter AI-enabled adversaries that work much faster and stealthily.

2. Cyber attacks are increasingly complex, coordinated, and disruptive

Cyber operations are becoming more "industrialized," with initial access brokers, ransomware operators, and data exfiltration specialists working in tandem, each playing a specialized role to maximize damage. And they're coordinating faster than ever.

According to the M-Trends 2026 report, the median time between an initial access event and hand-off to a secondary threat group dropped from more than 8 hours in 2022 to just 22 seconds in 2025. That's not an incremental improvement in attacker efficiency. It's a huge leap forward.Defenders who once had hours to detect and contain an intrusion before it escalated now have almost none.

The targets are also shifting. Attacks increasingly focus on governments, critical infrastructure, and multinational corporations, often involving cross-border collaboration between cybercriminal groups, hacktivists, and state-sponsored actors. The convergence of financial crime, espionage, and geopolitical disruption into single campaigns makes these threats harder to attribute, harder to anticipate, and harder to recover from.

3. Cyber attacks increasingly driven by disruption and espionage, not just financial gain

Financial motivation is no longer the defining force behind cyber attacks. In 2020, 38% of incidents were financially driven. In 2025, that figure had dropped to 30%, according to M-Trends 2026.

Increasingly, attacks are designed to gather intelligence, disrupt critical services, influence political outcomes, or establish long-term footholds in strategic networks, not to extract an immediate payout. This shift is visible in the rise of APT activity targeting governments, defense supply chains, and critical infrastructure, where the primary objective is persistence and leverage rather than ransom.

This doesn't mean financially motivated crime is declining in scale. It isn't, as we’ll explain below. But it does mean defenders can no longer assume that disruption or data theft is always a precursor to a ransom demand. Sometimes disruption is the goal.

4. Cybercrime losses are hitting record highs

Even as a growing share of attacks are motivated by espionage or disruption rather than direct financial gain, the economic toll of cybercrime continues to climb. According to the FBI's 2025 Internet Crime Report, US cybercrime losses hit a historical high of nearly $21 billion, a 26% year-over-year increase. In the EU, cyber-enabled fraud alone cost $64.1 billion in 2025, according to Europol's IOCTA 2026.

These record highs aren’t contradictory to the diversification of attack motives; they reflect two parallel realities:

• Financially motivated crime (fraud, ransomware, business email compromise) continues to scale in volume and sophistication, largely due to AI. 
• Attacks motivated by disruption or espionage carry their own massive economic costs: operational downtime, recovery expenses, legal liability, and lost contracts.

The Stryker attack in early 2026 is a clear example. While the attacker's motivation may not have been a ransom payout, the financial impact of the attack was material enough to affect quarterly earnings and trigger lawsuits. The record losses are a reminder that the cost of recovering from a cyber attack extends well beyond any ransom paid.

5. Supply chain attacks are targeting trusted tooling

Attackers have learned that breaching a well-defended organization directly is harder than compromising something that organization already trusts. By targeting software distributors, managed service providers, and widely-used developer tools, a single successful attack can cascade to thousands of downstream victims, without ever touching their perimeters directly.

The scale of this shift is significant. According to IBM's 2026 X-Force Threat Intelligence Index, large supply chain and third-party compromises have nearly quadrupled since 2020. And the targets are getting more strategic: from compromised developer tools to exposed AI libraries, threat actors are increasingly pursuing what researchers call "ecosystem-level targeting,” compromising a single trusted component to gain indirect access to high-value targets at scale and often impact millions of users with a single breach.

What makes these attacks particularly difficult to detect is that once inside, adversaries move laterally using legitimate credentials and processes. Nothing looks obviously wrong. The Trivy supply chain attack in March 2026 illustrated this precisely: a widely-used vulnerability scanner was compromised for roughly 12 hours, silently harvesting CI/CD secrets from pipelines that appeared to be running normally.

For ransomware groups in particular, this one-to-many attack vector is expected to remain a top priority through 2026 and beyond. Defenders need to treat their software supply chain with the same scrutiny they apply to their own systems.

6. Ransomware is evolving and still the top threat

According to Recorded Future Intelligence, publicly reported ransomware attacks increased 47% year-over-year.

Already one of the biggest global threats, ransomware is expected to continue to increase due to advancements in AI and threat actors employing increasingly sophisticated techniques, including multi-extortion tactics and supply chain compromises. Ransomware groups are no longer just encrypting data, they are actively targeting backup infrastructure, identity services, and virtualization management planes in order to ensure organizations can’t restore the data instead of paying the ransom. They’re also increasingly exfiltrating data rather than encrypting it, and then threatening to publicly release it unless ransom demands are met. 

Ransomware-as-a-service platforms also continue to democratize access to ransomware tools, enabling even more cybercriminals (especially low-skilled affiliates or disgruntled insiders) to participate in extortion schemes and launch their own attacks. 

However, with ransomware groups reportedly making less money despite a significant increase in attacks, some groups are shifting away from mobilizing affiliates through RaaS and instead focusing on recruiting corporate insiders or gig workers to steal data.

7. Zero-day exploitation stabilizing, prioritizing edge devices

Zero-day vulnerabilities, flaws that are exploited before vendors release patches, are now central to many high-profile attacks. Threat actors are weaponizing zero-days not just for access, but also for privilege escalation, lateral movement, and data exfiltration.

While the volume of zero-days in 2025 (90) is lower than the record high observed in 2023 (100), Google Threat Intelligence Group (GTIG) continued to observe that enterprise software and edge devices remain prime targets. Marking a new high, 48% of 2025’s zero-days targeted enterprise-grade technology, which consists of highly interconnected platforms that provide privileged access across networks and data assets.

State-sponsored espionage groups continue to prioritize edge devices and security appliances as prime entry points into victim networks, with just over half of attributed zero-day exploitation by these groups focused on these technologies.

8. Time between disclosure and exploitation is shrinking fast

One of the most alarming trends is how little time defenders now have. According to CISA’s Known Exploited Vulnerabilities (KEV) data, over 25% of vulnerabilities exploited in Q1 2025 were attacked within 24 hours of being disclosed.

This trend, sometimes called “patch gap exploitation,” puts intense pressure on IT and security teams to move quickly from detection to remediation, often with incomplete context or limited resources. Automation and prioritization are now essential for effective vulnerability management.

9. CVE volumes are overwhelming defenders

The number of known vulnerabilities continues to explode. From 2020 to 2025, CVE submissions increased 263%. In 2024, over 40,000 CVEs were disclosed, and 2025 reached nearly 50,000. The volume alone makes it difficult to identify which issues to patch first, especially as attacker playbooks grow more dynamic.

Vulnerability exploitation was linked to 20% of breaches in the 2025 Verizon Data Breach Investigations Report (DBIR), putting it on par with stolen credentials and ahead of phishing as a breach vector. This means defenders must focus not only on quantity but on prioritizing what matters most, with the help of tools like CVSS scoring, threat intelligence, and AI-based vulnerability triage.

How to prevent cybersecurity attacks

Cybersecurity attacks aren’t just increasing in number. They’re evolving in speed, complexity, and impact. 

While no defense is foolproof, there are proven strategies that can dramatically reduce your organization’s risk exposure and ability to recover from an attack.

The tips below combine technical, procedural, and organizational best practices to help mitigate the likelihood and impact of a successful cyberattack. Many of these are also foundational requirements in security frameworks like SOC 2, NIST 800-53, CMMC, and ISO 27001, making them not only smart security decisions but essential steps for compliance.

1. Provide security awareness training to employees

A comprehensive training program can help employees understand common cyber threats such as phishing attacks, social engineering tactics, and malware, identify suspicious emails, links, and attachments, and understand the importance of following best practices and reporting any security incidents promptly.

Having a program in place that trains employees as they onboard and on a recurring basis about cybersecurity best practices, common threats, and their roles and responsibilities in safeguarding sensitive information can help your organization reduce the risk of human error leading to cyber attacks and breaches. It can also help you meet security and privacy compliance requirements for SOC 2®, HIPAA, PCI DSS, GDPR, and other frameworks. 

2. Implement security controls to reduce your risk exposure

You can reduce your organization’s exposure to some types of cyber attack on systems that are exposed to the Internet by implementing security controls like:

• Malware defenses
• Boundary firewalls and internet gateways
• Password policy
• User access controls
• Patch management

3. Comply with cybersecurity standards and regulations 

Cybersecurity frameworks require organizations to implement robust security measures, establishing a baseline of protection against cyber threats. By adhering to these standards, organizations must conduct regular risk assessments, identify vulnerabilities and potential attack vectors, and implement technical and administrative safeguards. These controls bolster defenses and mitigate the likelihood and impact of cyber attacks.

4. Continuously monitor for threats and misconfigurations

Attackers move fast, sometimes within hours of gaining access, so real-time detection is critical. Continuous monitoring helps you spot suspicious behavior, unauthorized changes, or misconfigured systems before they’re exploited. Continuous monitoring also supports compliance and audit readiness by maintaining visibility into your control environment.

5. Evaluate and manage third-party risks

Vendors, contractors, and other third parties can introduce serious vulnerabilities into your environment. Many recent breaches began not with a direct attack on the victim organization, but through a trusted partner or service provider.

Establish a formal third-party risk management (TPRM) process. Assess the security posture of your vendors, ensure they meet your security requirements, and monitor their compliance over time. Include third-party security in your incident response and business continuity planning.

6. Implement Secure-by-Design principles

Patching and scanning are still necessary, but they can no longer keep pace with today’s exploitation speed and scale. To stay ahead of attackers, organizations must rethink how systems are built in the first place.

CISA and its international partners are calling on every technology provider to take ownership at the executive level to ensure their products are “secure by design.” Secure by design means embedding security into every stage of system development and procurement, not just bolting it on after deployment. This includes minimizing the attack surface, eliminating default credentials, disabling unnecessary features, and enforcing strong authentication by default. 

Reducing the exploitability of software and infrastructure upfront is key to long-term security resilience.

How Secureframe can help bolster your cybersecurity posture

Organizations today are challenged with mitigating increasingly complex risks and threats and continuing to comply with an increasing depth and breadth of regulation.

Secureframe can help by simplifying and automating manual tasks related to security, privacy, and compliance. With Secureframe, you can:

• Consolidate compliance and risk data in one source of truth via 300+ native integrations and the Secureframe API.
• Automate cloud remediation, risk assessments, policy management, and security questionnaires with AI.
• Closely monitor and manage your third-party vendor relationships.
• Conduct continuous monitoring to look for gaps in controls to maintain continuous compliance
• Automate the assigning, tracking, and reporting of required security and privacy compliance training.
• Get personalized advice based on your company’s unique risks and industry requirements from our in-house compliance team.

To learn more about how Secureframe can play an integral part in enhancing your security and compliance posture, request a demo today.