.

TRENDS, BENCHMARKS, AND STRATEGIES TO STRENGTHEN IDENTITY THREAT PROTECTION

The Security Perimeter Has Shifted

Houston, We Have an Identity Threat Problem

Most security leaders say they’re ready for identity-based attacks. Most were impacted in 2025 anyway. This disconnect between perception and reality reveals a dangerous confidence gap that attackers are eager to exploit.

86%

of security leaders express confidence in their ability to prevent major identity-based attacks.

Yet

85%

of organizations admitted to being affected by ransomware, with 31% experiencing 6 to 10 incidents last year

A mere

38%

can detect historical identity exposures that create risk due to poor cyber hygiene like credential reuse

Less than

20%

of teams are able to automate the remediation of identity exposures

Critical Findings in This Year’s Report

This year’s findings show which threats are throwing teams off course – and what to fix first.

Phishing the #1 Risk and Entry Point

Phishing remains one of the most pervasive cyber threats because the data collected in a successful phish is so useful for the more malicious follow-on attack.

Phishing was the leading entry point for ransomware in 2025, reported as the initial access vector in 35% of ransomware attacks, up from 25% last year.

MOST COMMON ENTRY POINTS IN RANSOMWARE ATTACKS

UNMANAGED DEVICES

0 %

SUPPLY CHAIN OR VENDOR EXPOSURE

0 %

EXPOSED OR WEAK CREDENTIALS THAT ENABLED ACCOUNT TAKEOVER

0 %

STOLEN COOKIES / TOKENS THAT ENABLED SESSION HIJACKING

0 %

EXPOSED OR WEAK APIs

0 %

PHISHING / SOCIAL ENGINEERING

0 %

No End in Sight for Infostealer Malware

This year’s research shows that nearly 1 in 2 corporate users have now been infected with infostealer malware sometime in their digital history, and 66% of infections occurred on protected devices.

Despite takedown efforts mid-year, LummaC2 dominated the infection count, continuing to drive risks from user exposure.

Supply Chain Threats Multiply

A darknet exposure analysis in this year’s report shows that the IT, telecom, and software industries face 6X, 5X, and 4X higher identity threat levels, respectively.

TELECOM

SOFTWARE

MANUFACTURING

RETAIL

HEALTHCARE

ENERGY

UTILITIES

EDUCATION

INSURANCE

FINANCIAL SERVICES

HOSPITALITY

GOVERNMENT

RISK VS. BASELINE (X)

Nation-State Threats Raise Concern

The much-publicized North Korean fraudulent IT worker scheme and other APTs bumped nation-state adversaries near the top of security teams’ concerns this year, along with phishing, ransomware, and threats caused by unmanaged or unauthorized devices.

AI-Powered Attacks…and Defense

92%

of organizations agree that AI-powered cybercrime has intensified risk

This year opened the door to broad use of AI for personalized phishing, automated malware development, and voice synthesis for social engineering at scale. Teams list investing in AI-powered security tools as a top priority for the year ahead.

Survey says: Focus on building operational maturity

Why this report matters

Our collection of recaptured identity records grew 24% this past year. This is a problem that isn’t going away.

If you own identity security, incident response, IAM, SOC operations, or CTI, this report provides concrete benchmarks to spot gaps in your program and a pragmatic playbook to close them.

Use it to:

Benchmark against your peers’ identity threat monitoring, investigation, and remediation maturity.
Prioritize identity-centric controls that shift your perimeter and actually prevent attacks to lessen business impact.
Pressure-test your entry point defenses.
Build the case to automate the boring-but-critical parts of exposure remediation.

Expand your mission scope & defend the new perimeter

Read the full report for threat insights and to benchmark your identity threat defense program against your peers.

Prefer to watch or listen?

Press play for an audio recap of key findings from our team.

Hi. I'm Trevor Hillegas. I am the senior vice president of SpyCloud Labs. Hi. I'm Damon Fleury. I am the chief product officer at SpyCloud. So do we just wanna do a segment here where we just kinda throw around this confidence gap problem where eighty six percent of leaders express confidence in their ability but eighty five percent also experienced at least some level of ransomware incident whether they experienced it themselves or they experienced it through a partner or something about ransomware impacted them. Eighty five percent of them reported that. So what gives here? How is this even possible? Yeah, it's interesting. I mean, I think there's like, I don't know, maybe even a philosophical question to this. We definitely see the same threats that we've seen year over year. And I think at the end of the day, really, it doesn't, I would say that it doesn't matter quite as much what the actual means of access or the way that access was obtained. It's the fact that access was obtained. Right? So one of the other things that we noted pretty significantly is that phishing is still a huge problem. In fact, it's even a bigger problem today than it was last year just based on the numbers. And we're seeing the same kind of thing with phishing that we saw with malware where more and more threat actors are turning to commodity level kits that are created and polished and available for sale. And I think what that means, going back to the kind of the point of this of access, is that the barrier to entry is much lower, and it doesn't really require the level of sophistication that it once did in order to get access to, you know, networks or systems. And then, you know, you add in the financial motivations of of ransomware. I don't I don't think it's it should be much of a surprise that we see a lot of, you know, ransomware arising from phishing. And, you know, squaring the circle of that confidence gap is I think challenging. I probably don't have the credentials to speak to the psychology potentially at play there, but it is concerning that we seem to overestimate our preparedness. Yeah, I think that's interesting about this report overall is that, you know, there's a lot of conflicting data within this report in itself and that, you know, there's so many data points that show that we as an industry think we've got a good handle on security. And then even in the survey results, then we point out that we are still constantly falling prey to what are the most sophisticated of attacks. And then how do you, you know, how do you reconcile this? And then if you look at the SpyCloud data, what we bring into the report, you find at the same time that it's true. We are falling prey to all these attacks, right? There is rampant malware, rampant phishing. And so I think one of the data points in the attack and sorry, in the report is that forty five percent of CIOs and CISOs report feeling very confident in their ransomware defense capabilities, but only twenty eight percent of security directors and their teams and their team leads say the same thing. So, you know, then of course, our data shows that, you know, the vast majority of these organizations are seeing constant malware, constant phishing, constant identity threats as well. I mean, I look at this and think, do we have leaders that are just kind of inflating the capabilities of their organizations? Or maybe we have leaders that trying to show that they have confidence that even though they cannot stop the attack, right, that they have the right team in place, they have the right tools in place, that they'll be able to weather the attack. Like I know most organizations now, now what, twenty years into ransomware ish, they can handle a ransomware attack. Like they get hit by ransomware, they are not likely to shut down the business anymore. Most, you know, I'd say bigger than small enterprise. You know, so they have the backups in place, they have the team in place, they'll figure out a way to get through it. It will be costly but they will live. So maybe that's what they're trying to say. That's what they're trying to convey that we're not at zero here with our capabilities. I don't know. What do you think? Yeah. I think proximity probably plays a role here as well. Mean, you know, I once upon a time, I was probably closer to that security director role in terms of being a little bit more pessimistic about the reality and the threats that we face. I think there's another way to say that as being perhaps a little bit more realistic. Because I do think you said something in your preamble there, was that the sophistication of attacks. And what I've kind of come to over the past couple years and I think that this continues to be proven right I would say is that sophistication is not really the right way to think about this because, you know, time and time again, we see sophistication of adversaries kind of being immaterial to their rate of success. I mean, as we're recording this, you know, obviously, the whole sales loft slash drift thing just just happened and and hit the news a couple weeks ago. And by all accounts right now, that seems to basically be due to some tokens that were left in a in a GitHub repository. And obviously I don't want to speculate on how that access that GitHub repository was made. At the end of the day, we're not talking about some kind of highly sophisticated zero day or even an end day. We're talking about secrets that were left in a place that they shouldn't have been left. So I think that is also very transitive to the conversations about, like we were just talking about phishing kits becoming a commodity, malware having been a commodity for a very long time now, and that just becoming more and more of a factor of cybersecurity is that criminals can just buy access instead of having to go through this longer, more thought out and more sophisticated attack plans or developing their own tooling. I don't know. Do think there's some proximity at play to why we do see this imbalance between CISOs thinking that they're much more prepared than people that are a little bit more close to say instant response or more of a work a day defensive practices. But I also think that the environment has changed such that the sophistication of threat actors is a lot less of a factor influencing success than it used to be. And so I think that plays well into another topic that the report wants to talk to a little bit. And that's specifically like AI and, you know, how is AI impacting what you just described, that sophistication of that actor? The report talks to ninety percent of organis sorry, ninety two percent of organisations agree that AI powered cybercrime has intensified risk and that they're seeing cybercriminals use it. At the same time, we're a little slower as an industry to adopt AI and to use it to defend ourselves with only forty seven percent of organisations saying that they leverage AI tools in some way. And I've certainly seen that in all the conversations that we have with customers that while actors do not care at all about the compliance issues of AI and about what data is used for training and they are more than happy to use Cursor to write their malware or more than happy to use ChatGPT to help them do translation. And there's no questions at all about what they can and can't do. So they're fast. They're happy to take it. And that's going to make everything slightly more effective. The businesses are we're looking at our capability to respond to this and we wanna think about it before we are ready to adopt it for good reason. There's an impact to the business. What do you think there? I mean, it's an interesting dichotomy. It's an interesting problem. Yeah. No. It remind this every time I hear this, it reminds me of a a DEFCON talk that I attended years probably ten years ago now. It was a and I I wish I could credit the actual speakers, but that that nugget of memory has long since left my brain. But I remember they were a Singaporean research group, if that is meaningful to anyone listening. They did analysis on phishing emails. So if you craft a really well done phishing email, go on their LinkedIn and you find their title or maybe where they live. So you integrate some of that almost like a social engineering level of very targeted phish versus the Nigerian prince with misspellings and all crazy stuff we see in most phishing emails. They actually found that there was no, from what I recall at least, hopefully I'm remembering this right, actually found that there was no significant difference in the success rate between the two. And I believe their kinda conclusion there is that if you're if you're the type of person that's likely to click click on a fish, you're probably not really evaluating the context of that message all that much. You're kind of skipping ahead. So the reason that makes every time I kind of talk about AI that I think about that is I think AI is really impactful on the margins, less so kind of at the mean. So I think AI becomes very interesting in cybercrime when you talk about what AI can do to either a very low tech, a very, you know, unsophisticated cybercriminal and or a very sophisticated, you know, somebody on the other end of that spectrum. So for, like, the very low tech, think about maybe a member of the comm or somebody that's just getting into this cybercrime world, give them AI, maybe they're going to be able to do some vibe coding and make something that resembles malware. Or maybe they can start with something that's available in a public GitHub repository and then using AI, can adapt that into something that does maybe more malicious things. And then on the other end of the spectrum, have those, I'll use the term sophisticated actors that maybe with AI, they can scale up a little bit. They can do more than they would have been able to do where they're doing things manually or that phishing example. Maybe scale was the problem there and that research ten years ago, AI can do a better job of making those targeted phishes. Then if we look at that on the margins, maybe most people are going to click on it regardless. But those few that won't be fooled by the Nigerian Prince scam would be fooled by what ChatGPT comes up with. Would imagine ChatGPT would probably say no to this request, but DarkGPT comes up with. Right? And so to me, think that's the really interesting part there. And it's kind of plays well with that earlier conversation we had about lowering the barrier to entry. AI allows people to do things that they probably couldn't do without AI. Anybody who's waited through the stack overflow question responses, It's not always super clear. AI makes that a lot more consumable. And cursor, it'll do the changes for you. So yeah, I think that's where my brain goes. It's less of a, you know, does this really shift the needle dramatically for everything and and more so, you know, what does this do on the margins? Yeah, I think those are great points and I think when it comes to the industry, right, and the industry adopting tools, if you really look at the bulk of capabilities that are out there now, the AI that's really being baked into most offerings is really like kind of taking the concept of generative AI or natural language conversation with the AI and you're using that to enhance the ability of the person in your SOC or your CTI analyst, right? It's making research faster. And I think it's basically taking their tedious tasks and speeding them up. So it's making them a little bit more powerful in their capabilities. That in itself is not going to dramatically fix a cybercrime problem specifically. I think we're at the very beginning of the industry using the LLMs to do really powerful things, right? And I think we've kind of moved to a place where finally security companies are starting to bake LLMs into their offering to figure out how can we do analysis that goes way beyond what we were able to do without LLMs, right? How can we better detect crime? How can we predict what the next crime is going be? And certainly that's what we're doing with the Spikelab products. But think as an industry, those are things that are new, right? Those are things that we don't know how to understand how effective they are, how well they work, how to deploy them, how to do these things at scale. Those are all things that are new. So I think the CISOs, the survey, I mean it kind of shows that they're looking at AI with a little bit of skepticism like well how is it really going to move the needle? And I think we're only at the beginning of starting to understand that. Let's see, so Trevor let's talk about malware. Oh my favorite. I know, so malware this report talks to you a little bit about the changes in the malware environment. I know that we've you and I have talked you know, in the industry, we've talked a lot about what's happened with Redline diminishing in the world and Luma jumping up in the world. What's the latest? What's going on as far as malware goes? Yeah. So just to kind of position this, obviously, we're we're talking about a very specific kind of malware, generally called info stealers. I would include keyloggers in that, although we don't see as many keyloggers as we used to. But these are what I would refer to as commodity malware. A lot of them are sold as malware as a service, which is basically just a model of selling something where you have the, you know, the the actual software itself as well as support for that software as well as all of the tools that you would need to actually make use of that software. So just like, you know, everybody knows, I think at this point what SaaS is, there's a there's a, you know, an equivalent in mass that is has know, not this is not a new thing. This has been happening for years, but certainly gaining prominence even more so. As far as, you know, that where we are, you mentioned Redline Back in twenty twenty four, we saw some fantastic work by US and international law enforcement to take down Redline. That also impacted Meta, which was at the time basically a fork of Redline. That has effectively gotten rid of those, which is objectively a win and I think we should all celebrate that. However, not to put a damper on the enthusiasm here, it has not solved the problem. This type of infosteeling malware continues to be a huge threat in volume, in targeted attacks, you name it. I would say the king of the hill at this point is Lumacy two. That targets Windows exclusively. It's relatively cheap. It's relatively full featured. It's very well supported. It perceives regular updates. Has a vibrant community of users that share tips and tricks on how to infect the most victims and earn the most money. We see a lot of kind of the proceeds then go certainly towards ransomware and more enterprise focused attacks, but also much lower skill, lower effort things like crypto draining and financial fraud, that kind of stuff. So that's kind of the king of the hill. See some other Radimathus is still there. We see Stlc occasionally. Certainly, Lumacy two has it for Windows. And then on the macOS side, we do see Atomic, also called Amos online, is still on the order of a few thousand a month at least infections. We have another stealer, another macOS targeted stealer that we haven't been able to figure out what the actual name is yet per month of unique infections of Mac products, macOS running products. And that's also kind of an interesting subtext too because as we see businesses turning more towards using Mac devices, I've heard from several people that are kind of going through these processes. One of the reasons that they cite often is security. They're not infallible or families that target macOS. They do a pretty good job of pulling things like key chain and secrets from those devices. I would say the TLDR of that is they're still happening. We've seen some success. Law enforcement has done some great work on taking down some of these families. But unfortunately this is an engine that just keeps on running and I really don't see an end in sight. Let's talk about phishing for a moment. Survey respondents talked about how phishing was seen by them as the entry point for ransomware in thirty five percent of attacks, up ten percent from last year. And so, you know, we definitely see phishing is the problem that just will not go away. I feel like it's been here since the creation of the computer, it feels like almost, but probably not quite that long. And we certainly are starting to see it be industrialized by the criminals, right, where there's this phishing as a service platforms are only scaling up and their capabilities. What are you seeing as far as phishing and growth in the phishing ecosystem goes? Yeah, this is so funny because I think actually I'm pretty sure somebody's gonna there's gonna be a Wikipedia that's gonna prove me wrong when I say this, but I'm pretty sure the first phish was like in the late 90s or something like that. I remember being on AOL Instant Messenger in the early 2000s and getting like obvious phishing messages. Right? Think so yeah. Phishing is not new, which is it's it's so funny that this continues to be such a huge problem. But it absolutely does. And and honestly, I mean, phishing has gone the way of malware and turned into a commodity. We you know, as of the recording, we track eighteen distinct kits, named kits that are being sold and used. A lot of them are are well, I don't know. They they range in in in, you know, how how good they are or how well written they are. But a lot of them are quite good, and we do see a lot of, you know, very large enterprises, unfortunately, showing up in the in the Phish data. So they're making an impact. There's definitely a path between Phish, phish data and ransomware, especially for some of the more sophisticated kits that can, for example, be a man in the middle for cookies. MFA bypass effectively is what the goal there is. We also see phishes targeting things like non human identities, like API tokens. We see them targeting things like crypto seed phrases. There's just a range of threats that these phish kits pose. And I think the the availability of them and and kinda how cheaply they are to obtain makes them pretty dangerous. And I I do I do think we will see more fish kits, more commodity kits, and better commodity kits in the years to come unfortunately. Yeah, think it's been interesting for me in talking to enterprises and CSOs that everybody understands the phish threat exists. Everybody fights it with security awareness training or some move into human risk management but I still think most enterprises don't quite realise the scale of what's happening with phish and the reason that it continues to be a business for the criminals is that it continues to work and they just get more and more sophisticated in how these systems do the work for the other actors, right, and the providing of that service. And it's so easy to phish and you just need a few clicks. You get one admin credential and man, just made a ton of money on what is a really low cost service that's being provided. And so it's a very interesting part of the dark net and it's so effective even if the numbers of victims are low, but they're not, they're very high. It's so effective it is not going away. This is only going to continue to scale just like we continue see malware scale until we figure out a way to really make those credentials that they're stealing and those assets that they're stealing completely ineffective, right. And that's really the big step we need to take as a group. Yeah, thanks for joining our conversation and for more information about all of the details we've talked about and those stats, please check out our new identity threat report available at spycloud dot com.

.

.