Skip to main content

Key Takeaways

Speed is now the defining factor in cyberattacks. Average breakout time fell to 29 minutes in 2025, with the fastest attack taking just 27 seconds. Manual, human-driven detection alone is no longer fast enough.

  • Most attacks do not use malware. 82 percent of detections in 2025 involved no malicious software, relying instead on stolen credentials and legitimate tools. Multi-factor authentication is one of the most effective defenses against this trend.
  • AI is accelerating existing attack methods and creating new targets. A 90 percent rise in AI-enabled attacks was accompanied by incidents in which attackers manipulated company AI tools.
  • Edge devices such as routers, firewalls, and VPNs are increasingly targeted, particularly by nation-state groups, and are often the least monitored part of a network.
  • Cloud environments and software supply chains saw significant increases in targeting, underscoring the importance of vendor security and access management.
  • A layered, proactive approach, MFA, patching, monitoring, employee awareness, and automated detection, remains the most effective response to a faster-moving threat landscape.

Every year, CrowdStrike’s Global Threat Report gives the cybersecurity industry a reality check. It is built from intelligence gathered by CrowdStrike’s threat hunters, who tracked more than 280 named adversary groups throughout 2025. The 2026 edition, released in February, is one of the most alarming yet. CrowdStrike is calling 2025 “the year of the evasive adversary,” and the data backs that up. Attackers are moving faster, hiding better, and using artificial intelligence to do both.

For small- and mid-sized businesses in the Bay Area, this report can feel as if it were written for enterprise security teams with dedicated analysts and unlimited budgets. It was not. The trends in this report affect every organization that relies on email, cloud accounts, and connected devices, which is to say, every organization. 

Here is what the report found, and what it means for businesses.

Attacks are happening at a speed no human team can match

The single most striking number in the report is breakout time; the amount of time it takes an attacker to move from their initial point of entry to other systems on the network. In 2025, the average breakout time for financially motivated cybercriminals dropped to just 29 minutes. The fastest recorded breakout took only 27 seconds.

Think about what that means practically. If an employee clicks a phishing link at 9:00 a.m., the attacker could be moving through other parts of the network by 9:30 a.m., the current average, often before anyone notices anything unusual. A security model that relies on a person to review an alert, log in, and investigate is already too slow. This is one of the clearest arguments for automated detection and response tools that can act the moment suspicious behavior appears, rather than waiting for a person to react.

Abstract visualization of high-speed digital data streams, representing the rapid pace of modern cyberattacks

Malware is no longer the main way in

For years, cybersecurity advice centered on antivirus software and not clicking suspicious attachments. That advice is increasingly outdated. According to the report, 82 percent of attacks detected in 2025 involved no malware at all. Instead of writing malicious code, attackers are simply logging in with stolen but valid usernames and passwords, then using the organization’s legitimate tools to browse, gather information, and steal data.

This is a meaningful shift. A stolen password does not trigger antivirus software. Someone using a company’s own remote access or administrative tools does not appear suspicious to traditional security software because, technically, they are not doing anything unusual. 

They are using real credentials and real tools. This is exactly why multi-factor authentication (MFA) has become non-negotiable. A stolen password is far less useful to an attacker if it takes a second form of verification to actually get in. It is also why many cyber insurance policies now require MFA as a condition of coverage.

AI has become both a weapon and a target

Artificial intelligence is the theme running through nearly every section of this year’s report. CrowdStrike found an 89 percent increase in attacks by AI-enabled adversaries compared to the year before. Importantly, the report notes that AI is not necessarily creating brand new categories of attacks. Instead, it is acting as an accelerant for tactics that already existed. Attackers are using AI tools to write more convincing phishing emails, generate working malicious code in programming languages they do not personally know, build fake job-recruiter profiles on professional networking sites, and automate reconnaissance of a target organization.

More concerning for businesses that have adopted AI tools is a second trend: attackers are now targeting AI systems directly. The report documents more than 90 organizations in which legitimate, company-approved AI tools were manipulated by malicious prompts to generate harmful commands or leak sensitive data. As more businesses roll out AI assistants and automation tools, those tools become a new part of the attack surface that needs to be secured, monitored, and governed, not just adopted and forgotten.

Split red and blue digital brain made of circuit patterns, symbolizing artificial intelligence as both an attack tool and a target

Nation-state activity is increasingly aimed at everyday infrastructure

While much of the report focuses on financially motivated cybercriminals, nation-state activity also increased sharply in 2025. North Korea-linked groups saw a 130 percent increase in incidents, driven largely by financial theft, including a single cryptocurrency heist worth 1.46 billion dollars, the largest ever recorded. China-linked groups, meanwhile, showed a strong preference for targeting edge devices such as VPNs, routers, and firewalls. Forty percent of the vulnerabilities these groups exploited were found in exactly this kind of internet-facing equipment.

Why does this matter to a smaller business that is not a government target? Because edge devices like routers and firewalls are common to nearly every network, and they are often the least monitored part of a company’s infrastructure. These devices typically do not run antivirus software and are rarely checked as closely as laptops or servers. Attackers know this, and state-sponsored groups have become remarkably quick to exploit newly disclosed vulnerabilities in this kind of equipment, sometimes within hours of a patch being released. 

Keeping edge devices patched and monitored is no longer optional busywork. It is one of the more exposed parts of a modern network.

Cloud and software supply chains are under pressure

The report also highlights a 37 percent overall rise in cloud-focused intrusions, with state-sponsored actors increasing their cloud targeting by 266 percent. At the same time, software supply chain attacks, where attackers compromise a trusted vendor, developer, or software package to reach a much larger set of victims, remain a serious concern. Attackers are exploiting stolen developer credentials, poisoned open-source packages, and abused authentication tokens to quietly work their way into downstream organizations that never interacted with the attacker directly.

For a business that relies on outside vendors and cloud-based software, and nearly every business today does, this is a reminder that your security posture depends partly on the vendors you trust. Reviewing who has access to your systems, limiting unnecessary integrations, and asking vendors about their own security practices are no longer just enterprise concerns.

What this means for your business

Attackers are moving faster and getting smarter, yet the businesses that hold up best against these trends are not the ones with the biggest budgets. They are the ones with the basics locked down: strong access controls, patched systems, and a plan for when something goes wrong. Speed now favors whoever is prepared before the attack starts, not whoever reacts fastest after it does.

Frequently Asked Questions

Does this report apply to small and mid-sized businesses, or just large enterprises?

It applies broadly. While CrowdStrike’s customer base skews toward larger organizations, the tactics described in the report, credential theft, phishing enhanced by AI, and exploitation of unpatched edge devices, are not expensive or exclusive tools. They are widely available to attackers of all skill levels, which makes smaller businesses with fewer defenses attractive, lower-effort targets rather than protected ones.

If 82 percent of attacks are malware-free, is antivirus software still worth having?

Yes, antivirus and endpoint protection remain an important layer of defense, but they cannot be the only layer. Since so many attacks now rely on stolen credentials and legitimate administrative tools rather than malicious files, businesses need additional protections such as multi-factor authentication, identity monitoring, and behavioral detection tools that can flag unusual activity even when no malware is present.

What is the single most practical step a business can take after reading this report?

If you have not already enabled multi-factor authentication across email, remote access, and any system holding sensitive data, that is the highest-impact, lowest-cost step available. From there, ensure edge devices like firewalls and routers are on a regular patching schedule, since attackers are exploiting newly disclosed vulnerabilities in this equipment faster than ever. A professional IT assessment can help identify which of these gaps exist in your specific environment.

See Where Your Business Stands

The Swenson Group offers a complimentary assessment that provides a clear, no-obligation snapshot of your current security posture, highlighting gaps such as missing MFA, unpatched edge devices, and unmonitored access points. If you would like to know where your business stands, reach out to The Swenson Group to schedule your assessment today.

About TSG

The Swenson Group (TSG) is an award-winning Bay Area Managed Service Provider that has helped thousands of organizations achieve more by leveraging cost-effective technologies to become more productive and secure. Services include Managed Print, Document Management, IT Services and VoIP. Products include MFPs, Copiers, Printers, Production Systems, Software and Solution Apps. For the latest industry trends and technology insights, visit TSG’s main Blog page.