The cybersecurity landscape in 2025 has presented a paradox: we have more data, more visibility, and more tools than ever before—yet we have never been so overwhelmed by alerts. The challenge is no longer understanding what is happening, but transforming information into action. With more than 6 billion new credentials detected and a 65% increase in targeted phishing against the financial sector, five trends stand out as critical for preparing security teams in 2026.

What you will find in this report:

• Edge devices become a priority target for intrusions
• Social engineering shifts toward IT teams and developers
• Triple extortion replaces traditional ransomware
• Supply chain attacks become strategic
• AI agents reshape both offense and defense
• How Axur’s CTI and EASM help strengthen protection
  
  

1. Edge devices: the new preferred entry point for cybercriminals

Attacks on edge devices—especially VPNs and firewalls—solidified in 2025 as one of the most critical intrusion vectors. The CISA Known Exploited Vulnerabilities Catalog recorded active exploitation of devices from manufacturers such as Cisco, Fortinet, Ivanti, Palo Alto Networks, and SonicWall throughout the year.

These attacks are particularly concerning due to their diverse motives. Some attackers deploy ransomware for financial gain, while state-sponsored groups target critical infrastructure for espionage. Home routers were also added to Mirai-based botnets for DDoS attacks and criminal proxy activity.

Frequently exploited vulnerabilities include flaws that allow remote command execution and multi-factor authentication bypass. In some cases, attackers circumvented MFA by exploiting vulnerabilities or abusing leaked one-time code generation keys.

2. Social engineering evolves: IT teams and developers become primary targets

A major shift in 2025 was the migration of social engineering attacks from end users to IT professionals and developers. The Scattered Spider group demonstrated how fraudulent phone calls to support teams can result in compromised credentials and full corporate network access.

Attackers impersonate legitimate users requesting password resets or technical help. High-profile incidents in the UK retail sector led to substantial losses.

Developers also became strategic targets through fake job offers and typosquatting in repositories like npm and PyPI. Criminals send “job opportunities” requiring installation of supposed test tools—which are actually credential-stealing malware able to extract access tokens from corporate repositories.

3. Triple extortion: ransomware becomes only one part of the threat

Ransomware evolved into a triple-extortion model, multiplying the pressure on victims. Beyond encrypting files, attackers now combine data exposure threats with coordinated DDoS attacks.

In many cases, attackers skip encryption entirely, relying solely on the threat of data leaks—particularly effective when cloud backups allow quick recovery. Some groups even employ “lawyers” to assist during negotiations.

Groups like RansomHub and Qilin were responsible for hundreds of new victims in 2025, while Scattered Spider developed its own ransomware, abandoning its previous role as an affiliate.

4. Supply chain attacks become systematic and strategic

Supply chain attacks have shifted from opportunistic to deliberate and strategic. In 2025, criminals intentionally targeted SaaS platforms and suppliers to maximize campaign impact.

The Salesloft incident exemplifies this: attackers compromised a GitHub engineer’s credentials via social engineering, accessed cloud infrastructure, and extracted OAuth tokens from Drift’s chatbot. Since these tokens granted access to customer Salesforce CRMs, multiple companies were breached through a single point of failure.

In Brazil, attacks on PSTIs in the financial sector (C&M Software and Sinqia/Evertec) resulted in fraud exceeding R$ 1 billion via Pix, exploiting vulnerabilities in integrations between institutions. These incidents show that Brazilian attackers are no longer limited to small-scale operations.

Software supply chains were also hit through tampering with npm and PyPI packages after stealing maintainers’ credentials.

5. AI agents: the next frontier for both defense and offense

The most disruptive trend for 2026 is the rise of autonomous AI agents. Tools that today act as assistants will soon make operational decisions—escalating responses, prioritizing investigations, and triggering remediation without human oversight.

But defenders aren’t the only beneficiaries. In 2025, we observed:

• Phishing pages created in minutes with tools like Lovable, perfectly mimicking legitimate interfaces
• Hyper-personalized campaigns generated automatically by language models
• AI-guided fuzzing accelerating vulnerability discovery
• Browser vulnerabilities in Perplexity Comet and ChatGPT Atlas enabling new attack vectors: invisible-text steganography read by OCR, persistent malicious prompt injection, and arbitrary code execution via unprotected APIs
  
  

Strategic impacts for CISOs

The 2025 threat evolution is not only technical—it is strategic. CISOs must adopt a holistic approach focused on:

• Visibility beyond the perimeter: most exposures originate outside internal assets.
• Protection of internal high-value targets: developers and support teams have become key weak points.
• Third-party surface mapping: one compromised vendor can propagate malicious code or grant broad access.
• Preparation for autonomy: AI agents require clear policies, operational limits, and audit mechanisms.
  
  

How Axur’s CTI and EASM help mitigate these threats

Axur’s Cyber Threat Intelligence plays a crucial role in identifying and mitigating risks linked to these trends. With continuous monitoring of external asset exposure and vulnerability mapping, the platform allows organizations to anticipate threats and prioritize actions before incidents unfold.

EASM identifies domains, subdomains, IPs, and exposed services, correlating them with known vulnerabilities (CVEs) and validating digital certificates, open ports, and protocol usage. This continuous analysis uncovers unknown assets, ranks critical vulnerabilities, and anticipates emerging risks.

Solutions combining CTI, EASM, and agent-based takedown unify automated intelligence with actionable insights—ensuring visibility across critical attack surfaces and equipping security teams to defend against an ever-evolving threat landscape.

Explore more in the Threat Landscape 2025/26 Report

The full Axur Threat Landscape 2025/26 report dives deeper into these trends and others, offering valuable insights for CISOs and security analysts. Download the complete report for a detailed view of the challenges and opportunities ahead.

If you’re facing cyber threats right now, Axur can help protect your organization. Schedule a meeting with our specialists to strengthen your digital security.