TRENDS, BENCHMARKS, AND STRATEGIES TO STRENGTHEN IDENTITY THREAT PROTECTION

The Security Perimeter Has Shifted

Houston, We Have an Identity Threat Problem

Most security leaders say they’re ready for identity-based attacks. Most were impacted in 2025 anyway. This disconnect between perception and reality reveals a dangerous confidence gap that attackers are eager to exploit.

86% of security leaders express confidence in their ability to prevent major identity-based attacks.

Yet 85% of organizations admitted to being affected by ransomware, with 31% experiencing 6 to 10 incidents last year.

A mere 38% can detect historical identity exposures that create risk due to poor cyber hygiene like credential reuse.

Less than 20% of teams are able to automate the remediation of identity exposures.

Critical Findings in This Year’s Report

This year’s findings show which threats are throwing teams off course – and what to fix first.

Phishing the #1 Risk and Entry Point

Phishing remains one of the most pervasive cyber threats because the data collected in a successful phish is so useful for the more damaging follow-on attacks that come next.

Phishing was the leading entry point for ransomware in 2025, reported as the initial access vector in 35% of ransomware attacks, up from 25% last year.

Chart: most common entry points in ransomware attacks (percentages did not survive extraction). Categories shown: unmanaged devices; supply chain or vendor exposure; exposed or weak credentials that enabled account takeover; stolen cookies / tokens that enabled session hijacking; exposed or weak APIs; phishing / social engineering.

No End in Sight for Infostealer Malware

This year’s research shows that nearly 1 in 2 corporate users have now been infected with infostealer malware sometime in their digital history, and 66% of infections occurred on protected devices.

Despite takedown efforts mid-year, LummaC2 dominated the infection count, continuing to drive risks from user exposure.

Line chart showing daily infection counts of the top 5 stealer variants from January to June 2025. LummaC2 leads consistently with the highest volume, followed by Redline, Rhadamanthys, Stealc, and RisePro, each showing fluctuating but sustained activity.

Supply Chain Threats Multiply

A darknet exposure analysis in this year’s report shows that the IT, telecom, and software industries face 6X, 5X, and 4X higher identity threat levels, respectively.

Identity threat level by industry, risk vs. baseline (X):

IT                  6X
TELECOM             5X
SOFTWARE            4X
MANUFACTURING       3X
RETAIL              3X
HEALTHCARE          2X
ENERGY              2X
UTILITIES           2X
EDUCATION           2X
INSURANCE           1X
FINANCIAL SERVICES  1X
HOSPITALITY         1X
GOVERNMENT          1X

Nation-State Threats Raise Concern

The much-publicized North Korean fraudulent IT worker scheme and other APTs bumped nation-state adversaries near the top of security teams’ concerns this year, along with phishing, ransomware, and threats caused by unmanaged or unauthorized devices.

Top Security Threats by Area of Concern

AI-Powered Attacks…and Defense

92%

of organizations agree that AI-powered cybercrime has intensified risk

This year opened the door to broad use of AI for personalized phishing, automated malware development, and voice synthesis for social engineering at scale. Teams list investing in AI-powered security tools as a top priority for the year ahead.

Bar chart showing top security priorities for the next 12 to 18 months. Top responses include improving team collaboration (34%), ransomware prevention and response (33%), AI-powered security tools (31%), malware visibility and response (30%), and phishing prevention (30%).

Survey says: Focus on building operational maturity

Why this report matters

Our collection of recaptured identity records grew 24% this past year. This is a problem that isn’t going away.

If you own identity security, incident response, IAM, SOC operations, or CTI, this report provides concrete benchmarks to spot gaps in your program and a pragmatic playbook to close them.

Use it to:

Expand your mission scope & defend the new perimeter

Read the full report for threat insights and to benchmark your identity threat defense program against your peers.


FAQs

An identity threat report is a comprehensive analysis that examines the current state of identity-based cyberattacks and defensive capabilities across organizations. Our 2025 Identity Threat Report represents the evolution of traditional security reporting to address the fundamental shift in how modern cybercrime operates.

Based on our comprehensive analysis, the top identity-based threats creating extreme concern for security teams are: phishing and social engineering, ransomware, nation-state adversaries and insider threats, and infostealer malware. The weaponization of AI has accelerated these threats, enabling attackers to generate sophisticated attack campaigns with unprecedented efficiency.

Identity exposure and data breaches are distinct but interconnected concepts in cybersecurity. A data breach is a specific incident where unauthorized parties gain access to protected information, typically involving the compromise of databases, systems, or networks containing sensitive data. It’s an event with a defined beginning, middle, and end. Identity exposure, however, represents the ongoing risk created when personal or corporate identity fragments become available to threat actors through various means, like breaches, malware infections, phishing attacks, or even poor cyber hygiene practices like credential reuse.

The key distinction lies in persistence and scope. While a breach might be contained and remediated, identity exposures create lasting vulnerability. Once credentials, session tokens, or personally identifiable information circulate on the darknet, they remain accessible to cybercriminals indefinitely unless actively remediated.

Identity remediation is mission-critical because cyberattacks don’t end when the initial incident is contained – they create persistent windows of opportunity for future exploitation.

When attackers compromise identities through phishing, malware, or breaches, they don’t just use that access once. Without proper remediation, criminals can return repeatedly or sell access to other threat actors to launch other attacks like ransomware. Our data reveals that only 54% of organizations routinely reset passwords after malware infections, and just 33% invalidate exposed user sessions – leaving doors wide open for follow-on attacks.

Detecting malware-infected identities requires visibility beyond traditional endpoint protection. Our analysis reveals that 66% of malware infections occur on devices with endpoint security or antivirus solutions installed, highlighting how stealthy modern infostealers are. Darknet identity intelligence provides early warning when employee or customer credentials exfiltrated via infostealer malware appear in underground forums or data dumps.

Preventing account takeover requires layered defenses that address both detection and remediation of exposed credentials. Continuous exposure monitoring forms the foundation – organizations need visibility into when and where their employee and customer identities appear in breach databases, malware logs, and darknet marketplaces. This early warning system combined with automated remediation enables proactive credential resets before attackers can exploit stolen data.

The most effective approach combines darknet identity intelligence with clear workflows that coordinate response across IT, IAM, and security teams.
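As an added example that is not part of the report or its publisher's tooling, the decision logic a remediation workflow could apply to exposure records coming out of continuous monitoring. The record schema, field names and sample data are constructed for illustration; the point it makes explicit is the one behind the 54% / 33% finding above: a password reset alone leaves stolen session cookies valid, and an infostealer-infected device must be contained before credentials are rotated on it.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Exposure:
    """One record from an exposure feed (constructed schema, not a vendor format)."""
    email: str
    source: str                        # "infostealer", "breach" or "phishing"
    exposed_at: datetime
    password_exposed: bool = False
    session_cookies: bool = False      # cookies/tokens usable for session hijacking
    device_id: Optional[str] = None    # endpoint the infostealer ran on, if known
    password_last_changed: Optional[datetime] = None

def remediation_plan(e: Exposure) -> list[str]:
    """Map one exposure record to the ordered remediation steps it requires."""
    actions: list[str] = []
    if e.source == "infostealer" and e.device_id:
        # Contain the compromised endpoint first, or the new credentials
        # entered on it after the reset are stolen again.
        actions.append(f"isolate_device:{e.device_id}")
    rotated = e.password_last_changed is not None and e.password_last_changed > e.exposed_at
    if e.password_exposed and not rotated:
        actions.append("reset_password")
    if e.session_cookies:
        # A password reset does not invalidate sessions already issued; a stolen
        # cookie or token keeps working until it is revoked server-side.
        actions.append("revoke_sessions")
    if e.password_exposed:
        # Even a since-rotated password may still be reused on other accounts.
        actions.append("check_credential_reuse")
    return actions

def triage(exposures: list[Exposure]) -> dict[str, list[str]]:
    return {e.email: remediation_plan(e) for e in exposures}

# Constructed sample records, not real exposure data.
SAMPLE_EXPOSURES = [
    Exposure("alice@example.com", "infostealer", datetime(2025, 5, 2),
             password_exposed=True, session_cookies=True, device_id="LAPTOP-0423"),
    Exposure("bob@example.com", "breach", datetime(2024, 11, 9),
             password_exposed=True, password_last_changed=datetime(2025, 1, 15)),
    Exposure("carol@example.com", "phishing", datetime(2025, 6, 20), session_cookies=True),
]

if __name__ == "__main__":
    for email, plan in triage(SAMPLE_EXPOSURES).items():
        print(f"{email}: {', '.join(plan) or 'no action'}")
```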