Each year, Forescout Research – Vedere Labs analyzes the threat landscape based on attack telemetry and threat actor intelligence we collect.

The rising volume, sophistication, and cost of cyberattacks have made cybersecurity a board-level priority that will continue through 2026. Our new Threat Roundup report analyzes 2025 data and provides tactical insights and strategic recommendations to strengthen defenses this year.

Cyberattacks became more globally distributed and cloud-enabled in 2025. Threat actors prioritized exploiting rapidly shifting infrastructure, OT protocols, vulnerable web applications, and emerging AI platforms while escalating targeted attacks against critical industries in healthcare, manufacturing, government, energy, and financial services.

Here are several of the key findings and risk mitigation recommendations from the report. For more in-depth analysis, including details on the top attack commands, trends in malware, and much more, get the complete research document.


Key Findings

Cyberattacks Were More Distributed

  • Attackers used IP addresses registered in a wider array of countries.
  • The top 10 countries accounted for 61% of malicious traffic observed — down nearly 20 percentage points from 2024.
  • The United States was the most targeted country, followed by India, then Germany.
  • In 2024, India and Germany swapped rankings but remained in the top three most targeted countries.
  • The total numbers of cybercriminal and state-sponsored actors were similar, but cybercriminals were responsible for nearly six times more incidents than state-sponsored actors.

Attack Infrastructure and Tactics Evolved Quickly

  • Attackers continued to favor compromised devices, but abuse of cloud services increased:
    • 59% of attacks originated from ISP-managed IPs — up from 57% in 2024.
    • 17% came from business and government networks — down from 33% in 2024.
    • 24% came from hosting or cloud providers — up from 10% last year.
  • Autonomous systems used for malicious activity shifted rapidly:
    • Two of the top 10 from 2024 dropped off the list entirely in 2025
    • Three new entries had not previously ranked in the top 500
  • Web applications remained the most attacked service type at 61%
    • This is up from 41% in 2024
    • This is followed by remote management protocols at 15%

Exploitation Grew Across OT, IoT, and IT

  • Attacks using OT protocols surged by 84%
    • Modbus led at 57%
    • Ethernet/IP ranked second at 22%
    • BACnet came in third at 8%
  • Exploits against IoT devices increased to 19%
    • In 2024, this was 16%
    • The most frequent targets: IP cameras and network video recorders (NVR)
  • For IT, network infrastructure remained the second most common attack area at 19% of exploits.

Vulnerabilities Increased — and Exploitation Patterns Shifted

  • 242 vulnerabilities were added to CISA KEV — a 30% YoY increase.
  • 285 vulnerabilities were added to the Vedere Labs KEV — a 213% YoY increase.
  • 71% of exploited vulnerabilities were not in CISA KEV, indicating attackers continue to exploit issues not prioritized by major advisories.
  • One of the most exploited vulnerabilities affected Langflow, showing AI development tools are prime targets as AI adoption grows.

Go deeper: attend an upcoming presentation on the trends from 2025 with our research leaders or watch it on demand.


Mitigation Recommendations

Organizations should prioritize extending visibility, risk assessment, and proactive controls across an expanding attack surface, including network perimeter assets, operational technology environments, healthcare systems, and IoT assets.

At a minimum, organizations should:

  • Ensure full visibility into these assets, including their presence on the network, the software they run, and their communication patterns.
  • Understand asset risk profiles across vulnerabilities, weak configurations, exposure, and other factors.
  • Disable unused services and patch vulnerabilities to reduce the window of exploitation.
  • Change default or easily guessable credentials and use strong, unique passwords for each asset.
  • Enforce multifactor authentication (MFA) whenever possible.
  • Encrypt sensitive data in transit and at rest, especially personally identifiable information (PII), protected health information (PHI), and financial data.
  • Avoid exposing unmanaged or legacy assets directly to the internet unless absolutely necessary. Where exposure is required, ensure administrative interfaces, such as web UIs and engineering ports, require authentication and are secured behind IP-based access control lists or a VPN-protected management VLAN.
  • Apply IP-based access control lists to limit access to sensitive protocols, such as Modbus and BACnet in OT networks.
  • Segment the network to isolate IT, IoT, and OT assets, limiting network connections to only authorized management and engineering workstations or to the minimum set of asset-to-asset communications required for operations.
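The allowlist and segmentation recommendations above can be checked continuously rather than only enforced at the firewall. The following Python script is an added example, not code from the Forescout report: it evaluates constructed flow records (source, destination, transport, destination port) against a hypothetical per-protocol allowlist of authorized engineering workstations and flags any Modbus, BACnet or EtherNet/IP connection from a source outside that list. The subnets, hosts and flow lines are assumptions for illustration.

```python
"""Flag OT protocol access that violates an IP-based allowlist.

Added example (not from the Forescout report). Evaluates constructed
flow records against a per-protocol allowlist of authorized source
networks, the policy the mitigation list describes for Modbus and BACnet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known ports for the OT protocols named in the report.
OT_PROTOCOL_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("udp", 47808): "BACnet/IP",
    ("tcp", 44818): "EtherNet/IP",
}

# Hypothetical policy (assumed values): which source networks may reach each protocol.
ALLOWED_SOURCES = {
    "Modbus/TCP": [ip_network("10.10.5.0/24")],                              # engineering VLAN
    "BACnet/IP": [ip_network("10.10.5.0/24"), ip_network("10.20.0.10/32")],  # plus a BMS server
    "EtherNet/IP": [ip_network("10.10.5.0/24")],
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto dport' record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow: Flow):
    """Return (protocol_name, allowed) for OT flows, or None for anything else."""
    name = OT_PROTOCOL_PORTS.get((flow.proto, flow.dport))
    if name is None:
        return None
    src = ip_address(flow.src)
    allowed = any(src in net for net in ALLOWED_SOURCES.get(name, []))
    return name, allowed


def find_violations(lines):
    """Return [(src, dst, protocol)] for OT flows whose source is not allowlisted."""
    violations = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        result = classify(flow)
        if result is not None and not result[1]:
            violations.append((flow.src, flow.dst, result[0]))
    return violations


# Constructed sample records; the 192.0.2.x / 203.0.113.x sources are
# documentation ranges standing in for unauthorized hosts.
SAMPLE_FLOWS = """\
# constructed records: src dst proto dport
10.10.5.23 10.30.1.7 tcp 502
192.0.2.44 10.30.1.7 tcp 502
10.10.5.23 10.30.1.9 udp 47808
203.0.113.8 10.30.1.9 udp 47808
10.40.2.15 10.30.1.7 tcp 44818
10.10.5.23 10.30.1.7 tcp 443
""".splitlines()

if __name__ == "__main__":
    for src, dst, proto in find_violations(SAMPLE_FLOWS):
        print(f"ALERT {proto}: {src} -> {dst} not in allowlist")
```

On the sample data this reports three violations (the Modbus, BACnet and EtherNet/IP flows from sources outside the engineering VLAN) and ignores the HTTPS flow, which is not an OT protocol. In practice the allowlist would be generated from the asset inventory the first two recommendations call for, and the flow lines would come from NetFlow, firewall logs or a network sensor.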

Once these controls are in place, ensure threat detection and response coverage spans the entire organization, including every asset type.

Explore the Data