6 min read · MEDIUM · @Sdmrf

What 2025 Taught Us About Security (The Real Version)

Looking back at a year of breaches, vulns, and trends. What actually mattered versus what got the headlines.


Another year, another batch of “security predictions” articles. Instead of predictions, here’s what 2025 actually taught us.

No vendor pitches. No hype. Just the stuff that mattered.

The Year’s Defining Incidents

Edge Device Vulns Kept Coming

The pattern continued. Critical vulns in:

  • Ivanti (again)
  • Fortinet (again)
  • Palo Alto (GlobalProtect)
  • Cisco (IOS XE)
  • Juniper (Junos)

The security industry’s answer to “how do we protect the network” keeps becoming the attack vector. Every major perimeter vendor had at least one bad day.

If you were running internet-facing appliances, you spent 2025 patching urgently or getting owned. There was no third option.

Supply Chain Wasn’t Just Theory

The XZ Utils backdoor (discovered in March 2024, with the analysis and fallout running well into 2025) showed what sophisticated supply chain compromise looks like: years of social engineering to gain maintainer trust, then a carefully hidden payload in the liblzma compression library that reached OpenSSH's sshd on some Linux distributions through a transitive dependency and hooked its RSA public-key authentication path.

GitHub Actions compromises showed the CI/CD attack surface: an action referenced by a mutable tag from thousands of workflows is a single point of compromise for all of them. Chrome extension compromises showed browser extension risks: a malicious update to an already-installed extension inherits every permission the user granted to the legitimate one.

Supply chain security moved from “we should think about this” to “we are actively being attacked through this.”
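One concrete control the GitHub Actions compromises argue for is pinning third-party actions to a full commit SHA rather than a tag or branch: a tag can be moved to a malicious commit by whoever controls the upstream repository, a SHA cannot. Below is an added example (not code from the original post or from GitHub) of a small checker for that. It scans a constructed workflow file for `uses:` references that still resolve to something mutable. The workflow text, action names and the 40-hex SHA are made up for the example.

```python
import re

# Constructed workflow text (not from any real repository): a mix of pinned,
# tag-pinned, branch-pinned, local and container-image steps.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
      - uses: some-org/changed-files@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: echo build
"""

# Captures the reference after `uses:` up to whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Classify one `uses:` reference.

    'local'   -> path inside the repository itself (./...), covered by the
                 repo's own code review
    'sha'     -> immutable pin: a full 40-hex commit SHA, or an image digest
    'mutable' -> tag, branch, or image tag that the upstream owner can move
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "sha" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"  # no version given: treat as unpinned
    _, _, version = ref.rpartition("@")
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return every `uses:` reference that is not immutably pinned."""
    return [ref for ref in USES_RE.findall(workflow_text)
            if classify_uses(ref) == "mutable"]


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print("unpinned:", ref)
```

A reference like `actions/checkout@v4` is not wrong on its face; the point is that what it resolves to is decided by the upstream repository at run time. Pinning to the SHA with a `# v5` comment keeps the human-readable version while making resolution immutable, and Dependabot can bump the SHA through reviewed pull requests. Container steps get the same treatment with an image digest instead of a tag.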

Infostealers Drove Initial Access

So many breaches started with infostealer malware on employee devices. The 2024 Snowflake customer breaches set the template (stolen credentials, accounts without MFA, no exploit needed), and 2025 followed it with corporate VPN compromises and cloud account takeovers.

The attack path:

  1. Employee downloads cracked software or falls for malvertising
  2. Infostealer grabs all browser credentials
  3. Attacker buys logs from Telegram channels
  4. Attacker uses corporate credentials
  5. Breach

MFA didn’t help where the attacker replayed a stolen session cookie, which is already past the MFA step, or where MFA was never enforced. Password managers didn’t help where passwords lived in the browser’s built-in store, which is exactly what stealers dump. Endpoint security didn’t help because the infected machines were personal devices outside the managed fleet.

This pipeline is industrial scale and we’re losing.
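The step in that chain that defeats MFA is the replayed session cookie, so one place to catch it is where the session is used rather than where it is issued. Below is an added example (not code from the original post) of a simple detector over constructed session-usage events: it records the network (ASN) and user agent at a session's first use and flags later uses of the same session from a different combination. The event format, field names and values are invented for the example; a real deployment would feed it from the IdP's or application's session logs.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts session_id user ip asn user_agent action")

# Constructed events (not real logs). alice authenticates with MFA from her
# laptop and keeps working; a few minutes later her session cookie is used from
# a different network and a different browser build, with no new MFA prompt.
SAMPLE_EVENTS = [
    Event("2025-03-04T09:00:00Z", "sess-a1", "alice", "203.0.113.10", "AS64496", "Chrome/122 Windows", "login_mfa_ok"),
    Event("2025-03-04T09:05:00Z", "sess-a1", "alice", "203.0.113.10", "AS64496", "Chrome/122 Windows", "api_call"),
    # Same office, different egress IP from the NAT pool: should NOT alert.
    Event("2025-03-04T09:07:00Z", "sess-a1", "alice", "203.0.113.77", "AS64496", "Chrome/122 Windows", "api_call"),
    # Stolen cookie replayed from elsewhere: should alert.
    Event("2025-03-04T09:12:00Z", "sess-a1", "alice", "198.51.100.5", "AS64511", "Chrome/121 Linux", "api_call"),
    Event("2025-03-04T09:30:00Z", "sess-b2", "bob", "192.0.2.8", "AS64500", "Firefox/123 macOS", "login_mfa_ok"),
    Event("2025-03-04T09:31:00Z", "sess-b2", "bob", "192.0.2.8", "AS64500", "Firefox/123 macOS", "api_call"),
]


def fingerprint(ev):
    """Coarse device/network fingerprint. Raw IPs change too often (NAT pools,
    mobile networks) to key on, so use the ASN plus the user agent."""
    return (ev.asn, ev.user_agent)


def detect_session_replay(events):
    """Return alerts for sessions used with a fingerprint that differs from the
    one seen when the session was first observed (normally the MFA login)."""
    baseline = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        fp = fingerprint(ev)
        if ev.session_id not in baseline:
            baseline[ev.session_id] = fp
            continue
        if fp != baseline[ev.session_id]:
            alerts.append({
                "ts": ev.ts,
                "session_id": ev.session_id,
                "user": ev.user,
                "expected": baseline[ev.session_id],
                "observed": fp,
                "source_ip": ev.ip,
            })
    return alerts


def sessions_to_revoke(alerts):
    """Response action: the session ids to kill so the attacker is forced back
    through (and stopped at) the MFA step."""
    return {a["session_id"] for a in alerts}


if __name__ == "__main__":
    found = detect_session_replay(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']} session {a['session_id']} ({a['user']}): "
              f"expected {a['expected']}, observed {a['observed']} from {a['source_ip']}")
    print("revoke:", sessions_to_revoke(found))
```

A mismatch here is a signal, not proof: a browser update changes the user agent mid-session, so in production this is a trigger for step-up authentication and rebinding rather than an automatic lockout. The durable fix is binding the session to a key held on the device, so that the cookie is useless on any machine other than the one it was issued to.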

AI Didn’t Break Everything

Remember the predictions about AI-powered attacks making everything worse?

What actually happened:

  • AI-generated phishing exists but isn’t dramatically better than regular phishing
  • Voice cloning fraud is real but targeted (not mass scale)
  • AI-assisted malware development is probably happening but is hard to measure
  • Defenders got AI tools too (mixed results)

The AI security apocalypse didn’t arrive. The incremental improvements in attack capability were matched by incremental improvements in defense. Net effect: probably a wash.

Voice deepfakes are the exception. Those are genuinely harder to detect and caused real fraud losses.

Ransomware Evolved (Again)

Ransomware gangs adapted to better defenses:

  • Pure extortion (no encryption, just data theft and leak threat)
  • Targeting backup systems specifically
  • Hitting cloud resources, not just on-prem
  • More “legitimate” negotiation tactics

The “restore from backup” defense pushed attackers toward pure extortion. Backups neutralize encryption, but they do nothing about data that has already been copied out, so the leak threat still works.

Healthcare, manufacturing, and education remained primary targets. Critical infrastructure attacks happened but were more measured (nobody wants to provoke a military response).

What Actually Changed

Zero Trust Became Real-ish

Zero Trust went from buzzword to partial reality. Organizations actually:

  • Deployed identity-aware access policies
  • Reduced VPN dependency
  • Implemented continuous verification
  • Segmented networks more seriously

It’s not complete zero trust. But “trust but verify” is slowly becoming “verify then trust.” Progress.

Detection Engineering Grew Up

The “detection as code” movement hit mainstream:

  • Sigma rules everywhere
  • Detection repositories on GitHub
  • CI/CD for detection logic
  • Metrics on detection coverage

Security teams started treating detection development like software development. Version control, testing, deployment pipelines. This is how it should have always been.
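“Detection as code” is easiest to see as a unit test. Below is an added example (not code from the original post or from any real rule repository): a Sigma-style rule expressed as data, a minimal evaluator for a subset of Sigma's matching semantics (field modifiers `endswith`, `startswith`, `contains`; `and`/`or`/`not` conditions; case-insensitive matching), and a fixture of constructed events with the verdict each should get, so a CI job can fail the rule's pull request when a true positive stops matching or a known-benign case starts to. The rule targets the infostealer pattern from earlier on this page: a non-browser process reading the browser's credential and cookie stores. Events and file paths are made up.

```python
# Rule as data. Mirrors Sigma's layout so it can live in git next to the
# evaluator and be reviewed like any other change.
RULE = {
    "title": "Browser credential store read by non-browser process",
    "logsource": {"category": "file_access", "product": "windows"},
    "detection": {
        "selection": {
            "TargetFilename|endswith": [r"\Login Data", r"\Cookies", r"\Web Data"],
        },
        "filter_browser": {
            "Image|endswith": [r"\chrome.exe", r"\msedge.exe", r"\brave.exe"],
        },
        "condition": "selection and not filter_browser",
    },
}


def field_matches(event, key, expected):
    """Evaluate one `Field|modifier: value(s)` pair. Lists are OR-ed and
    matching is case-insensitive, as in Sigma."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = str(value).lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """All field pairs inside one selection are AND-ed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def eval_condition(condition, results):
    """Tiny recursive-descent evaluator: not > and > or, no parentheses."""
    tokens = condition.split()
    pos = 0

    def factor():
        nonlocal pos
        token = tokens[pos]
        pos += 1
        if token == "not":
            return not factor()
        return results[token]

    def term():
        nonlocal pos
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            value = factor() and value
        return value

    def expr():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = term() or value
        return value

    return expr()


def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


# Constructed test fixture: (event, expected verdict). True positives and
# known-benign cases both live here, so a rule edit that breaks either fails CI.
TEST_CASES = [
    ({"Image": r"C:\Users\a\AppData\Local\Temp\updater.exe",
      "TargetFilename": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"}, True),
    ({"Image": r"C:\Users\a\AppData\Local\Programs\Python\python.exe",
      "TargetFilename": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"}, True),
    ({"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
      "TargetFilename": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"}, False),
    ({"Image": r"C:\Windows\System32\svchost.exe",
      "TargetFilename": r"C:\Windows\Temp\service.log"}, False),
]


def run_rule_tests(rule, cases):
    """Return (index, expected, got) for every failing case; empty means pass."""
    failures = []
    for i, (event, expected) in enumerate(cases):
        got = rule_matches(rule, event)
        if got != expected:
            failures.append((i, expected, got))
    return failures


if __name__ == "__main__":
    print("failures:", run_rule_tests(RULE, TEST_CASES))
```

The fixture is the part that makes this “grown up”: when someone later widens `filter_browser` to quiet a noisy alert, the first two cases keep proving the rule still fires on the thing it exists for. Real pipelines swap this toy evaluator for pySigma or the SIEM's own query language, but keep the same shape of test.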

CSPM Became Table Stakes

Cloud security posture management went from “optional nice-to-have” to “you don’t have this?” Basic misconfiguration detection is now expected.

The problem moved up the stack. Finding misconfigs is easy now. Fixing them and keeping them fixed is still hard.
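The two halves of that last sentence map to two functions. Below is an added example (not code from the original post or from any CSPM product) in Python: `find_misconfigs` runs two basic posture checks over a constructed, simplified inventory snapshot (a security group exposing a management port to the internet; a bucket policy granting access to any principal), and `triage` handles the harder half by applying accepted exceptions with expiry dates, so an intentionally public bucket stays quiet until its exception lapses and then resurfaces as a finding. The inventory format, resource names and account id are invented.

```python
from datetime import date

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}
ANY_CIDR = {"0.0.0.0/0", "::/0"}

# Constructed, simplified inventory snapshot (not real cloud API output).
SNAPSHOT = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "public-assets", "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::public-assets/*"}]}},
        {"name": "backups", "policy": {"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"]}]}},
        {"name": "app-data", "policy": {"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"}]}},
        {"name": "vpc-only", "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::vpc-only/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}},
    ],
}

# Accepted risks, each with an expiry date, reviewed like any other change.
EXCEPTIONS = {"bucket-public:public-assets": "2026-01-31"}


def is_anonymous_principal(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def sg_findings(sg):
    """Yield a finding when a management port is reachable from anywhere."""
    for rule in sg["ingress"]:
        if rule["cidr"] not in ANY_CIDR:
            continue
        exposed = [p for p in MANAGEMENT_PORTS if rule["from_port"] <= p <= rule["to_port"]]
        if exposed:
            yield {"id": f"sg-open-mgmt:{sg['id']}", "resource": sg["id"],
                   "detail": f"ports {sorted(exposed)} open to {rule['cidr']}"}


def bucket_findings(bucket):
    """Yield a finding when an Allow statement grants to any principal without
    a Condition. A condition (VPC endpoint, source account, ...) scopes the
    grant, so such statements are not treated as public here."""
    for stmt in bucket["policy"].get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if is_anonymous_principal(stmt.get("Principal")) and "Condition" not in stmt:
            yield {"id": f"bucket-public:{bucket['name']}", "resource": bucket["name"],
                   "detail": f"Allow {stmt['Action']} to any principal"}
            return


def find_misconfigs(snapshot):
    findings = []
    for sg in snapshot["security_groups"]:
        findings.extend(sg_findings(sg))
    for bucket in snapshot["buckets"]:
        findings.extend(bucket_findings(bucket))
    return findings


def triage(findings, exceptions, today):
    """Drop findings covered by an unexpired exception; expired ones resurface."""
    today = date.fromisoformat(today)
    kept = []
    for finding in findings:
        expiry = exceptions.get(finding["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue
        kept.append(finding)
    return kept


if __name__ == "__main__":
    for finding in triage(find_misconfigs(SNAPSHOT), EXCEPTIONS, "2025-12-20"):
        print(finding["id"], "-", finding["detail"])
```

The checks themselves are the easy part, as the page says. The exception list with dates is what stops “fixed” from quietly decaying into “silenced”: a public bucket that was acceptable for a campaign in January is a finding again in February unless someone re-approves it. A real check would also look at which condition keys a statement uses, since some conditions barely narrow a wildcard principal.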

Vendors Kept Failing

Every major security vendor had at least one embarrassing moment. Critical vulns in security products. Data exposures. Breaches at security companies.

The “who watches the watchmen” problem is real. Your security tools have bugs. Your security vendors get breached. Defense in depth means not trusting any single solution completely.

What Didn’t Change

Patch Management Is Still Hard

Organizations still can’t patch quickly enough. Emergency patches still take days to weeks. “Known exploited” still doesn’t mean “immediately patched.”

We know patching matters. We’ve known for decades. We’re still bad at it.

Users Still Click Things

Phishing click rates stayed roughly the same. Social engineering still works. Users are still the easiest path in.

Security awareness training exists. People still click. Maybe we should accept this and design systems that don’t rely on users not clicking.

Basics Still Get Ignored

In 2025 we still found:

  • Default credentials
  • Exposed admin panels
  • Unencrypted sensitive data
  • Missing MFA
  • Outdated software

The sophisticated attacks get attention. Most breaches still start with failure to do the basics.

Security Teams Are Still Stretched

Not enough people, too many tools, too many alerts, too little time. The talent shortage continues. Budgets don’t match threat levels.

Nothing new here. Still true.

Looking at 2026

I don’t do predictions but here’s what I’m watching:

Edge device scrutiny. After years of bad vulns, organizations are questioning the whole model. Expect more SASE/zero trust adoption, less “firewall is our security.”

Post-quantum prep. NIST finalized its first standards (FIPS 203, 204 and 205: ML-KEM, ML-DSA and SLH-DSA). Migration is starting. It’ll take years but the work begins now.

AI in security operations. Not replacing analysts, but augmenting them. Summarization, correlation, triage assistance. Actually useful, not just marketing.

Regulatory pressure. NIS2 enforcement in EU. SEC cyber disclosure rules biting. More regulation coming in more places.

Supply chain focus. SBOMs becoming required. Dependency security actually getting attention. Maybe.

What I’d Tell 2024 Me

If I could go back a year:

  1. Take infostealers more seriously. They drove more compromises than I expected.

  2. Edge devices are a liability. Every internet-facing appliance is a future zero-day waiting to happen.

  3. Session tokens matter as much as passwords. Stealing sessions bypasses everything.

  4. AI hype exceeded AI impact. Don’t reorganize your entire security program around AI threats yet.

  5. Basics still matter most. Patching, MFA, segmentation. Boring but effective.

The Bottom Line

2025 wasn’t revolutionary. It was evolutionary. The same problems got slightly worse. The same defenses got slightly better. Attackers made money. Defenders lost data.

The industry is maturing but slowly. Detection is better. Prevention is still hard. Users are still the weak point. Complexity is still the enemy.

On to 2026.


Every year we say “this was a big year for security.” Every year we’re right. The question is whether we’re learning.
