Global Cyber Threat Landscape Summary

Date: 2025-11-27 • Horizon: past 90 days → 12–24 month outlook 🇺🇸 Happy Thanksgiving! 🇺🇸

1. Executive Summary

Region: Global • Industries: Cross-sector • Confidence: Med-High

  • Breach volume remains high. October 2025 alone saw 20 publicly reported cyber attacks and data breaches, with at least 21.2 million records breached worldwide.
    Source: IT Governance – "Global Data Breaches and Cyber Attacks in October 2025 – At least 21.2 Million Breached Records", 2025-11-14.
  • Cloud concentration risk is now systemic risk. Two hyperscaler outages – AWS US-EAST-1 (20 Oct) and Microsoft Azure Front Door / portal (29 Oct) – were widely reported to have disrupted thousands of services globally, creating visibility gaps and weakened controls during failover.
    Sources: The Guardian, Wired – AWS outage, 2025-10-20; AP News, Microsoft Azure outage, 2025-10-29.
  • AI-enabled threats are scaling faster than controls. 2025 has seen a sharp rise in AI-generated phishing and deepfake-driven social engineering, with some vendor reports estimating >40–50% growth in AI-enabled attacks and >1,000% growth in generative-AI-assisted phishing over pre-AI baselines. These figures come from vendor telemetry with differing methodologies and baselines, so treat them as directional rather than directly comparable.
    Sources: StrongestLayer AI Phishing Report 2025; DeepStrike AI Attack Statistics 2025; Hoxhunt Phishing Trends 2025.
  • Sectoral incidents show supply-chain, SaaS and OT exposure. Examples include the Western Sydney University breach via a cloud-hosted student management system and Jaguar Land Rover's multi-week production shutdown following a cyber incident that rippled across the UK auto supply chain.
    Sources: Western Sydney University incident statements (Oct 2025); Guardian/AP/Reuters/JLR post-attack coverage (Sep–Oct 2025).
  • Workforce & certification demand remains intense. The global cyber workforce is ~5.5 million with an estimated 4.8 million-person gap, and there were >514,000 U.S. cyber job postings between May 2024 and April 2025, with cloud security, IAM, DevSecOps and AI security among the top skill demands.
    Sources: ISC2 2024 Cybersecurity Workforce Study; CyberSeek/CompTIA workforce data 2025; SQMagazine job-demand analysis 2025.
Takeaway: The last 90 days highlight a landscape where cloud outages, AI-enabled phishing, and supply-chain/third-party compromises dominate risk – against a backdrop of persistent staffing shortages.

2. Signals & Trends (AI, Crypto/Blockchain, Quantum, SDLC/SaaS)

2.1 AI Threat & Defense Signals

Region: Global • Industries: Cross-sector • Confidence: High

  • AI-generated phishing goes mainstream. Multiple studies and surveys in 2025 show:
    • AI-crafted emails now routinely outperform human-written phishing in click-through and bypass of user suspicion.
    • A global survey found most adults could not reliably distinguish AI-generated phishing from legitimate emails, with only ~46% correctly identifying AI phishing.
    • Reports cite phishing volume increases >1,000% compared with pre-generative-AI baselines, driven by cheap, localized, and personalized campaigns.
    Sources: eSecurity Planet; NYPost survey; DeepStrike AI attack statistics; Hoxhunt report; CM-Alliance.
  • Deepfakes and voice cloning move from proof-of-concept to operational use.
    • Universities and enterprises warn that video and voice deepfakes of executives are being used for urgent-payment fraud (BEC 3.0).
    • Group-IB and others document AI voice "vishing" attacks that drain millions via convincingly spoofed internal calls.
    Sources: UNC ITS Awareness 2025; Group-IB deepfake vishing analysis; CM-Alliance Phishing 3.0.
  • LLM-enabled attack tooling matures.
    • Google's Threat Intelligence Group and others observe commercial AI-enabled "attack assistants" advertised on underground forums for phishing, lure generation, infrastructure management, and basic malware dev.
    • Academic work shows autonomous LLM agents can plan and execute end-to-end attacks in enterprise-like environments in controlled tests.
    Sources: Google GTIG AI Threat Tracker; CMU "When LLMs autonomously attack"; industry AI security reports.
  • Defensive AI is catching up, but unevenly.
    • Major vendors roll out AI-driven anomaly detection and incident triage, but many SMEs lack the data quality and tuning expertise to rely on these tools alone.
    • Regulatory and governance pressure around AI models (EU AI Act, NIST/ENISA guidance) is increasing, but adoption is still early-stage.
Takeaway: Over the next 12–24 months, AI-amplified social engineering and identity abuse should be treated as a top-tier risk, on par with ransomware.

2.2 Blockchain / Crypto Signals

Region: Global • Industries: Financial, DeFi, Nation-state • Confidence: Med-High

  • High-value heists persist despite occasional quieter months.
    • Chainalysis and others estimate >US$2 billion in cryptoassets stolen in 1H 2025.
    • High-profile incidents include the US$1.5 billion Bybit theft, attributed by the FBI to DPRK-linked actors, and DeFi protocol exploits such as Balancer (roughly US$100–120 million) and the SwissBorg and Nemo Protocol hacks.
    Sources: Elliptic & Chainalysis coverage; Guardian/Business Insider on Bybit; The Record, Infosecurity, Halborn on Balancer and DeFi hacks.
  • State-linked crypto theft is now a strategic funding stream.
    • DPRK-linked groups (e.g., Lazarus ecosystem) continue to use crypto theft for sanctions evasion and weapons funding.
    • Attribution is increasingly public and rapid, but asset recovery remains limited.
  • Operational pattern:
    • Initial access via stolen keys, compromised CI/CD, or supplier staking infrastructure (e.g., SwissBorg/Kiln).
    • Movement of funds through mixers, cross-chain bridges, and OTC brokers still frustrates enforcement.
Takeaway: For any organisation touching crypto, key management, supplier due diligence, and on-chain monitoring are now foundational security controls.

2.3 Quantum & Post-Quantum Cryptography (PQC)

Region: Global • Industries: Critical Infrastructure, Finance, Government • Confidence: Med

  • Standards are here; migration is not.
    • NIST has published its first post-quantum cryptography (PQC) standards (FIPS 203/204/205, August 2024) and, in draft NIST IR 8547, a transition timeline that deprecates quantum-vulnerable public-key algorithms (RSA, ECDSA, ECDH) by 2030 and disallows them after 2035, while noting that major cryptographic transitions have historically taken 10–20 years.
    Sources: NIST IR 8547 (draft); NIST CSRC PQC guidance; NCSC (UK) PQC migration timelines.
  • Roadmaps emphasise discovery over "big bang" change.
    • NIST NCCoE and DHS PQC guidance stress crypto inventories, discovery tools, and risk-based prioritisation, starting with:
      1. Long-lived confidentiality needs (e.g., medical & national-security data).
      2. High-assurance identities and control-plane cryptography (e.g., PKI, VPN, code signing).
    Sources: NCCoE PQC Migration project; DHS Post-Quantum guidance; GSA PQC Buyer's Guide.
Takeaway: In the next 12–24 months, PQC readiness = visibility + pilots; full migration will span a decade, but discovery work is time-critical.
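The discovery-first approach above needs a way to turn an inventory into a ranked work list. The following is an added example, not code from the original report or from NIST: it ranks constructed inventory records using Mosca's inequality (data lifetime X plus migration time Y exceeding the years Z until a cryptanalytically relevant quantum computer) as the planning heuristic. The inventory entries, system names and the Z value are assumptions; Z is set from the draft NIST IR 8547 target of disallowing quantum-vulnerable public-key algorithms after 2035.

```python
"""Rank a cryptographic inventory for PQC migration (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass

# Classification sets are deliberately small; extend them from your own inventory.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "AES-256", "SHA-256", "SHA-384", "SHA3-256"}
GROVER_MARGIN = {"AES-128"}   # symmetric with reduced but still practical margin


@dataclass
class CryptoUse:
    system: str
    algorithm: str
    purpose: str            # "confidentiality" or "signature"
    lifetime_years: float   # how long data must stay secret, or how long the key/trust anchor stays in use
    migration_years: float  # realistic time to replace this use (vendor readiness + rollout)


@dataclass
class Ranked:
    system: str
    algorithm: str
    tier: str
    exposure_years: float   # X + Y - Z; positive means exposed under the assumed horizon
    note: str


def classify(use: CryptoUse, years_to_crqc: float) -> Ranked:
    alg = use.algorithm.upper()
    exposure = use.lifetime_years + use.migration_years - years_to_crqc
    if alg in QUANTUM_SAFE:
        return Ranked(use.system, use.algorithm, "none", exposure, "already quantum-safe; track parameter guidance")
    if alg in GROVER_MARGIN:
        return Ranked(use.system, use.algorithm, "review", exposure, "symmetric; move to 256-bit keys on normal refresh")
    if alg not in QUANTUM_VULNERABLE:
        return Ranked(use.system, use.algorithm, "unknown", exposure, "algorithm not recognised; extend the inventory")
    if use.purpose == "confidentiality" and exposure > 0:
        return Ranked(use.system, use.algorithm, "tier1", exposure,
                      "harvest-now-decrypt-later exposure: data outlives the migration window")
    if use.purpose == "signature" and exposure > 0:
        return Ranked(use.system, use.algorithm, "tier2", exposure,
                      "identity/control-plane key still trusted at the assumed CRQC horizon; plan hybrid/PQC PKI")
    return Ranked(use.system, use.algorithm, "tier3", exposure, "quantum-vulnerable but retired before the assumed horizon")


TIER_ORDER = {"tier1": 0, "tier2": 1, "tier3": 2, "unknown": 3, "review": 4, "none": 5}


def rank_inventory(inventory: list[CryptoUse], years_to_crqc: float) -> list[Ranked]:
    """Most urgent first: tier, then largest exposure."""
    return sorted((classify(u, years_to_crqc) for u in inventory),
                  key=lambda r: (TIER_ORDER[r.tier], -r.exposure_years))


# Constructed sample inventory (not a real organisation's).
SAMPLE_INVENTORY = [
    CryptoUse("patient-records-archive (TLS key exchange)", "RSA", "confidentiality", 25, 3),
    CryptoUse("code-signing root CA", "ECDSA", "signature", 15, 4),
    CryptoUse("site-to-site VPN (IKEv2)", "X25519", "confidentiality", 1, 2),
    CryptoUse("backup encryption", "AES-256", "confidentiality", 10, 1),
    CryptoUse("telemetry pipeline", "AES-128", "confidentiality", 1, 1),
]

# Assumption: 2035 (draft NIST IR 8547 disallow date) minus 2025 = 10 years of horizon.
YEARS_TO_CRQC = 10

if __name__ == "__main__":
    for r in rank_inventory(SAMPLE_INVENTORY, YEARS_TO_CRQC):
        print(f"{r.tier:7} {r.exposure_years:+5.1f}y  {r.algorithm:8} {r.system}: {r.note}")
```

The horizon Z is the contested input; run the ranking with two or three values (e.g. 2030 and 2035) and look at which records change tier, since those are the ones where the decision actually depends on the assumption.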

2.4 SDLC, SaaS & Cloud-Native Trends

Region: Global • Industries: SaaS, Tech, Public sector • Confidence: High

Key patterns from ENISA, Verizon DBIR, and 2025 incident reports:

  • Misconfigurations, identity & access weaknesses, and third-party SaaS integrations remain the leading root causes for breaches.
  • ENISA's 2025 Threat Landscape (4,875 incidents analysed, Jul 2024–Jun 2025) highlights:
    • DDoS as the dominant incident type (≈77% of reported incidents) in the EU public-administration data set.
    • Ransomware remains the single most impactful threat across sectors.
    Sources: ENISA Threat Landscape 2025 & sectoral public administration report; IndustrialCyber/ENISA summaries; WEF Global Cybersecurity Outlook.
  • SaaS/CI-driven SDLC:
    • Outages and auth failures (see Section 3) increasingly block access to CI/CD, artifact repositories, SOC tooling and backups, forcing teams into degraded, less secure operating modes.
    • Security teams are under pressure to treat pipeline and SaaS uptime as part of security resilience, not just availability.
Takeaway: For modern SDLC and SaaS ecosystems, identity & configuration management plus third-party risk drive more breaches than "novel zero-days" in most environments.

Table 1 – Macro Signals (Last ~12 Months)

Vector | 2025 Signal Snapshot | Region / Industry Focus
AI-enabled phishing | 40–50%+ growth in AI-enabled attacks (vendor estimates); most adults cannot reliably spot AI phishing; 1,000%+ rise in AI-assisted phishing | Global • All industries
Ransomware | Still the most impactful threat in the EU and in healthcare | EU, Healthcare, Critical Infrastructure
DDoS | ≈77% of incidents in the ENISA public-administration dataset | EU Public Administration
Crypto/DeFi theft | >US$2 B stolen in H1 2025; DPRK-linked actors account for the largest share, including the US$1.5 B Bybit theft | Global • Financial / DeFi / Nation-state
Quantum-safe migration | PQC standards published; migration guidance emphasises inventory first | Global • Gov, Finance, Critical Infrastructure

3. Recent Cloud/SaaS Outages

Operational focus: Last 30 days • Region: Global • Industries: Cross-sector • Confidence: High

Note: No hyperscaler-scale outages had been widely reported in the 7 days before this table was last checked (14 Nov 2025). The outages below, from the preceding ~3–4 weeks, continue to have operational and risk implications.

Table 2 – Major Cloud/SaaS Outages (Recent)

Provider / Service | Date | Duration | Impact | Severity | Publicly Reported Cause
AWS (US-EAST-1, DNS / infra) | 20 Oct 2025 | Not specified in cited sources | Major outage affecting 2,000+ companies and consumer apps (Snapchat, Roblox, Ring, Coinbase, banking, HMRC, etc.) | 🔴 High | Media reports described DNS resolution failures for a regional database service (DynamoDB) in US-EAST-1, with cascading failures in dependent services.
Microsoft Azure (Front Door & portal) | 29 Oct 2025 | Not specified in cited sources | Global Azure portal and Front Door disruption; impacted Microsoft 365, Xbox, Minecraft, airlines, retail, NZ government services | 🔴 High | Microsoft status updates pointed to an inadvertent configuration change in Azure Front Door; no detailed post-incident review is cited here.
Azure Front Door (pre-fix period) | 9 Oct 2025 | Not specified in cited sources | Vendors described the underlying AFD issues as a "SecOps blackout" scenario: SIEM/SOAR tools hosted in the same cloud became unavailable, leaving SOC blind spots for hours | 🟠 Medium | Provider public status information (no detailed root cause disclosed).

Sources: The Guardian, Wired on AWS outage; AP News on Azure outage; vendor SecOps-resilience write-ups.

Risk themes:

  • Cloud concentration risk: Single-region and single-vendor dependencies led to broad operational impact.
  • Degraded-mode security: During outages, organisations often disable conditional access, MFA, or strict firewall rules to keep business running.
  • Telemetry gaps: When SIEM/SOAR/MDR platforms share a provider or region with the systems they monitor, the attack surface and the ability to investigate it go dark at the same time, and the silent period itself often goes unnoticed.
Takeaway: Cloud outages must be treated as cybersecurity events, not just availability incidents – including playbooks for secure-degraded operations and cross-cloud failover.
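A minimal check for the telemetry-gap theme above is to ask, per log source, when it last checked in and whether any silence overlaps a known provider incident. This is an added example, not code from the original report: the heartbeat line format, the source names and the outage window are constructed for illustration. In practice the same logic runs over the per-source "last event received" timestamps a SIEM already keeps.

```python
"""Find log sources that went silent, and whether the silence overlaps an outage (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) source=(\S+) status=(\S+)$")


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_sample() -> str:
    """Constructed heartbeats: three sources every 15 min, 06:00-11:00 UTC.
    One collector (assumed to sit in the affected region) stops checking in
    after 07:00 and reappears at 10:45."""
    start = parse_ts("2025-10-20T06:00:00Z")
    gap_from, gap_to = parse_ts("2025-10-20T07:15:00Z"), parse_ts("2025-10-20T10:45:00Z")
    lines = []
    for i in range(21):
        t = start + timedelta(minutes=15 * i)
        stamp = t.strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{stamp} source=edr-console status=ok")
        lines.append(f"{stamp} source=idp-signin-logs status=ok")
        if not (gap_from <= t < gap_to):
            lines.append(f"{stamp} source=cloud-trail-collector status=ok")
    return "\n".join(lines)


@dataclass
class Gap:
    source: str
    start: datetime   # last heartbeat before the silence
    end: datetime     # first heartbeat after it
    minutes: float


def _by_source(log_text: str) -> dict[str, list[datetime]]:
    seen: dict[str, list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            seen[m.group(2)].append(parse_ts(m.group(1)))
    for stamps in seen.values():
        stamps.sort()
    return seen


def find_gaps(log_text: str, threshold: timedelta = timedelta(minutes=20)) -> list[Gap]:
    """Historical view: every silence longer than `threshold`, per source."""
    gaps = []
    for source, stamps in _by_source(log_text).items():
        for a, b in zip(stamps, stamps[1:]):
            if b - a > threshold:
                gaps.append(Gap(source, a, b, (b - a).total_seconds() / 60))
    return gaps


def stale_sources(log_text: str, now: datetime, max_age: timedelta) -> list[tuple[str, datetime]]:
    """Live view: sources whose most recent heartbeat (as of `now`) is older than `max_age`."""
    stale = []
    for source, stamps in _by_source(log_text).items():
        past = [s for s in stamps if s <= now]
        if past and now - max(past) > max_age:
            stale.append((source, max(past)))
    return sorted(stale)


def overlaps(gap: Gap, window_start: datetime, window_end: datetime) -> bool:
    return gap.start < window_end and gap.end > window_start


# Constructed incident window for correlation; not the provider's published times.
OUTAGE_WINDOW = (parse_ts("2025-10-20T07:00:00Z"), parse_ts("2025-10-20T10:00:00Z"))

if __name__ == "__main__":
    log = build_sample()
    for g in find_gaps(log):
        tag = " (overlaps provider incident window)" if overlaps(g, *OUTAGE_WINDOW) else ""
        print(f"{g.source}: silent {g.minutes:.0f} min, {g.start:%H:%M}-{g.end:%H:%M}Z{tag}")
    for source, last in stale_sources(log, parse_ts("2025-10-20T08:00:00Z"), timedelta(minutes=20)):
        print(f"at 08:00Z {source} is stale, last seen {last:%H:%M}Z")
```

The `stale_sources` view is the one to alert on during an outage; the `find_gaps` view is for the post-incident write-up, where the question is which detections had no data to fire on.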

4. Regional Insights

Last 90 Days

Europe (EU/UK)

  • High activity, rising hacktivism. ENISA's 2025 Threat Landscape highlights EU-wide increases in hacktivist DDoS, especially targeting public administration, and confirms ransomware as the most harmful threat.
  • Automotive / manufacturing disruption. Jaguar Land Rover (JLR) suffered a major cyber incident (Aug–Sep 2025) forcing 30+ days of production shutdown, supply-chain disruption, and hundreds of millions of pounds in losses.
    Sources: ENISA Threat Landscape 2025; Guardian, AP, Reuters, Times of India, CBT News on JLR.

North America

  • Healthcare at sustained high risk.
    • 2023 set records with >133 million U.S. healthcare records exposed; 2025 trend data shows monthly breach counts still elevated with dozens of incidents per month.
    • Ransomware attacks on healthcare providers and vendors rose ≈30% vs the same period in 2024.
      Sources: HIPAA Journal stats; IndustrialCyber healthcare ransomware report; AHA Cyber Intel 2025.
  • Cloud/SaaS reliance is pervasive. U.S. federal and state agencies were among the entities affected by the Oct AWS/Azure outages, highlighting critical-infrastructure dependency on commercial cloud.

Asia-Pacific

  • Higher-education & cloud vendor exposure.
    • Western Sydney University reported data stolen after "unusual activity" in August 2025 on its cloud-hosted student management system, run by a third-party provider. Exposed data reportedly includes passport, banking, tax and health information.
      Sources: Western Sydney University statements; ACS Information Age; Australian cybersecurity commentary.

Middle East / Strategic Regions

  • Crypto-linked and state-aligned operations. Regional actors are implicated in both state-directed espionage and crypto revenue operations, often tied to global infrastructure and exchanges.
Takeaway: Region-specific patterns matter – EU sees DDoS/hacktivism + industrial impact, U.S. sees healthcare & cloud dependency risks, and APAC higher-ed shows cloud-SaaS third-party exposures.

5. Industry Deep Dives

5.1 Healthcare

Region: Primarily U.S. but global relevance • Confidence: High

  • 2023 saw 725 breaches and >133 million records exposed in U.S. healthcare alone; 2025 data shows dozens of large incidents per month, with many involving third-party vendors.
  • An AHA analysis notes that >80% of stolen PHI in its sampled dataset was taken outside core EHR systems – from business associates, cloud services, and non-hospital providers.
  • Comparative analyses suggest 293+ ransomware attacks on direct-care providers and 130+ on healthcare-adjacent businesses in the first nine months of 2025.

Core pattern: legacy systems + overlapping cloud vendors + specialised third-party services (billing, imaging, analytics) create complex, hard-to-map attack surfaces.

5.2 Financial Services & Crypto-Adjacencies

  • Traditional FSI incidents still largely revolve around credential stuffing, account takeover, and business email compromise, but:
  • Crypto and FinTech rails are increasingly embedded in mainstream offerings; large crypto heists (Bybit, Balancer, SwissBorg) create second-order risk for banking partners, liquidity providers, and customers.
  • North Korea-linked campaigns underline how financial crime, national security, and cyber operations converge.

5.3 Higher Education

  • Western Sydney University (AU):
    • Identified unusual activity (6 & 11 Aug 2025) on a cloud-hosted student management system operated by a third-party provider.
    • The breach led to compromise of identity, financial, and health-related data for students and staff; subsequent phishing campaigns leveraged stolen data.
  • Higher-education generally relies on federated identity (SSO), cloud-based LMS, student systems, and research SaaS, making identity federation and vendor governance critical.

5.4 Technology & Manufacturing / OT

  • JLR cyber incident:
    • Forced proactive global systems shutdown, halted production across UK plants for over a month, and required phased restart.
    • Impacted thousands of suppliers and staff; UK government extended financial support to stabilise the supply chain.
  • Trend: manufacturing and OT-heavy sectors increasingly face cyber-physical risk, where IT compromises disrupt production, logistics, and safety systems.
Takeaway: Healthcare, finance, higher-ed, and manufacturing share a common theme: third-party and cloud-embedded services now sit at the heart of their most damaging incidents.

6. Sectoral & Technical Trends + Incidents (Last 60–90 Days)

6.1 Notable Incident Clusters

  • October 2025 Breach Cluster (Global):
    • IT Governance tallied 20 publicly reported incidents and 21.2 million confirmed records breached in October alone.
    • Other analyses cite five very large breaches totalling ~193 million records in October (exact numbers vary by methodology).
  • AWS & Azure Outages (Cloud-wide):
    • AWS US-EAST-1 and Azure Front Door outages triggered global knock-on effects on banking, government, retail, and consumer apps.
  • JLR and Western Sydney University (Sectoral exemplars):
    • JLR incident demonstrates OT + IT disruption in automotive manufacturing.
    • WSU breach demonstrates cloud SaaS student-system exposure in higher ed.

6.2 Technical Patterns

  • Identity & session abuse:
    • CISA and vendor reports emphasise exploitation of session tokens, cookies, and IdP misconfigurations, especially following outages and during "emergency" policy changes.
    • AI-assisted phishing and deepfake vishing are used to coax users into approving MFA prompts, to relay one-time codes in real time, and to trigger "emergency" exceptions that bypass conditional access.
  • KEV & high-impact vulnerabilities:
    • CISA's Known Exploited Vulnerabilities (KEV) catalog continues to add flaws in internet-facing edge devices from many vendors (Citrix, F5, WatchGuard, Fortinet, etc.).
    • Recent additions include:
      • WatchGuard Fireware OS CVE-2025-9242 – out-of-bounds write in the iked (IKEv2 VPN) process, enabling unauthenticated remote code execution on Firebox appliances.
      • Citrix NetScaler ADC/Gateway "CitrixBleed 2" CVE-2025-5777 – insufficient input validation leading to an unauthenticated memory over-read that can expose session tokens and credentials when the appliance is configured as a Gateway or AAA virtual server. Stolen tokens stay valid until sessions are terminated, so patching must be followed by purging active sessions.
    • CISA has shortened patch deadlines for some KEV entries to 24 hours for U.S. federal agencies, underscoring severity.
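The session-abuse pattern above is detectable from IdP sign-in logs if the binding observed at interactive login (source IP and user agent) is compared against every later use of the same session. The following is an added example, not code from the original report or from any IdP vendor: the event schema (`ts`, `event`, `user`, `session_id`, `ip`, `ua`) and the sample events are constructed, and the "emergency window" that tags findings occurring shortly after a conditional-access policy change is an assumption (4 hours here). Map the fields onto your IdP's real export (Entra ID sign-in logs, Okta System Log) before use.

```python
"""Flag session-token reuse that does not match the binding seen at login (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample. Alice signs in with MFA from a browser; minutes later the
# same session id is presented from another IP with a scripted user agent, shortly
# after an "emergency" conditional-access change. Bob's session only changes IP.
SAMPLE_LOG = """\
{"ts":"2025-10-20T08:00:00Z","event":"policy_change","actor":"admin@example.test","detail":"CA policy 'Require MFA' switched to report-only"}
{"ts":"2025-10-20T08:02:10Z","event":"interactive_login","user":"alice@example.test","session_id":"S-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130","mfa":true}
{"ts":"2025-10-20T08:05:42Z","event":"token_use","user":"alice@example.test","session_id":"S-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130"}
{"ts":"2025-10-20T08:09:03Z","event":"token_use","user":"alice@example.test","session_id":"S-1001","ip":"198.51.100.77","ua":"python-requests/2.32"}
{"ts":"2025-10-20T08:15:00Z","event":"interactive_login","user":"bob@example.test","session_id":"S-2002","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/18","mfa":true}
{"ts":"2025-10-20T14:30:00Z","event":"token_use","user":"bob@example.test","session_id":"S-2002","ip":"192.0.2.99","ua":"Mozilla/5.0 (Macintosh) Safari/18"}
"""


@dataclass
class Finding:
    user: str
    session_id: str
    ts: str
    severity: str   # "high": ip+ua changed or token with no login; "medium": ua only; "low": ip only
    reason: str
    during_emergency_change: bool


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_session_replay(log_text: str, emergency_window: timedelta = timedelta(hours=4)) -> list[Finding]:
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: parse_ts(e["ts"]))
    policy_changes = [parse_ts(e["ts"]) for e in events if e["event"] == "policy_change"]
    binding: dict[str, tuple[str, str]] = {}   # session_id -> (ip, ua) seen at interactive login
    findings: list[Finding] = []

    def in_emergency_window(ts: datetime) -> bool:
        return any(timedelta(0) <= ts - pc <= emergency_window for pc in policy_changes)

    for e in events:
        if e["event"] == "interactive_login":
            binding[e["session_id"]] = (e["ip"], e["ua"])
            continue
        if e["event"] != "token_use":
            continue
        sid, ts = e["session_id"], parse_ts(e["ts"])
        if sid not in binding:
            findings.append(Finding(e["user"], sid, e["ts"], "high",
                                    "token presented with no interactive login on record",
                                    in_emergency_window(ts)))
            continue
        ip0, ua0 = binding[sid]
        changed = [name for name, old, new in (("ip", ip0, e["ip"]), ("ua", ua0, e["ua"])) if old != new]
        if not changed:
            continue
        severity = "high" if len(changed) == 2 else ("medium" if changed == ["ua"] else "low")
        findings.append(Finding(
            e["user"], sid, e["ts"], severity,
            f"session bound to {ip0} / {ua0!r} reused from {e['ip']} / {e['ua']!r} ({'+'.join(changed)} changed)",
            in_emergency_window(ts)))
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_LOG):
        flag = " [during emergency CA change]" if f.during_emergency_change else ""
        print(f"{f.severity.upper():6} {f.ts} {f.user} {f.session_id}: {f.reason}{flag}")
```

An IP change alone is noisy for mobile users, which is why it is scored low; a user-agent change on an existing session is the stronger signal, and the combination of both inside an emergency-change window is what a replay of a stolen token typically looks like.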

Table 3 – Recent KEV Themes

Vendor / Tech | Example CVE / Issue | Typical Impact | Recommendation
WatchGuard Firebox | CVE-2025-9242 (Fireware OS, iked process) | Unauthenticated remote code execution via IKEv2 VPN | Patch by the KEV due date; restrict VPN exposure on the WAN to what is required.
Citrix NetScaler ADC/Gateway | CVE-2025-5777 ("CitrixBleed 2") | Memory over-read disclosing session tokens and credentials | Patch, then terminate all active ICA/PCoIP sessions and rotate exposed credentials; patching alone does not invalidate stolen tokens.
F5 BIG-IP | Recent KEV additions | Device compromise → lateral movement | Restrict the management plane to admin networks; monitor configuration changes.
Takeaway: In the last 60–90 days, identity/session theft, cloud outages, and KEV-listed edge devices have posed more practical risk than exotic new attack classes.
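Treating KEV as a minimum patch baseline means joining the catalog to an asset inventory and sorting by due date and exposure. The following is an added example, not code from the original report or from CISA. `KEV_SAMPLE` uses the field names of the real catalog feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) for the two CVEs discussed above, but its dates and text are illustrative placeholders rather than the catalog's values; the inventory, its hostnames and the priority rules are constructed assumptions.

```python
"""Cross-reference a CISA KEV catalog excerpt with an asset inventory (added example)."""
from __future__ import annotations

import json
from datetime import date

# Excerpt in the shape of the real KEV JSON feed. Dates/descriptions are
# illustrative placeholders; load the live feed for the real values.
KEV_SAMPLE = json.loads("""
{"title": "CISA Catalog of Known Exploited Vulnerabilities (excerpt)", "count": 2,
 "vulnerabilities": [
  {"cveID": "CVE-2025-5777", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
   "vulnerabilityName": "Citrix NetScaler Out-of-Bounds Read Vulnerability",
   "dateAdded": "2025-07-10", "dueDate": "2025-07-11", "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply mitigations per vendor instructions and terminate active sessions after upgrade."},
  {"cveID": "CVE-2025-9242", "vendorProject": "WatchGuard", "product": "Firebox",
   "vulnerabilityName": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
   "dateAdded": "2025-11-12", "dueDate": "2025-12-03", "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply mitigations per vendor instructions."}
 ]}
""")

# Constructed inventory (hostnames and exposure flags are assumptions).
INVENTORY = [
    {"asset": "fw-edge-01", "vendor": "WatchGuard", "product": "Firebox M290", "internet_exposed": True},
    {"asset": "adc-dmz-01", "vendor": "Citrix", "product": "NetScaler ADC", "internet_exposed": True},
    {"asset": "lb-internal-02", "vendor": "F5", "product": "BIG-IP", "internet_exposed": False},
]


def matches(entry: dict, asset: dict) -> bool:
    """Vendor must match exactly; any word of the asset's product must appear in the KEV product string.
    Loose on purpose: a false match costs a review, a missed match costs an unpatched edge device."""
    if entry["vendorProject"].casefold() != asset["vendor"].casefold():
        return False
    kev_product = entry["product"].casefold()
    return any(tok in kev_product for tok in asset["product"].casefold().split())


def priority(entry: dict, asset: dict, today: date) -> str:
    due = date.fromisoformat(entry["dueDate"])
    if today > due:
        return "P0"   # past the BOD 22-01 due date: remediate or isolate now
    if asset["internet_exposed"] or entry.get("knownRansomwareCampaignUse") == "Known":
        return "P1"
    return "P2"


def triage(kev: dict, inventory: list[dict], today: date) -> list[dict]:
    """One row per (asset, CVE) match, most urgent first."""
    rows = []
    for entry in kev["vulnerabilities"]:
        for asset in inventory:
            if matches(entry, asset):
                due = date.fromisoformat(entry["dueDate"])
                rows.append({
                    "asset": asset["asset"], "cve": entry["cveID"],
                    "priority": priority(entry, asset, today),
                    "due": entry["dueDate"], "days_to_due": (due - today).days,
                    "action": entry["requiredAction"],
                })
    return sorted(rows, key=lambda r: (r["priority"], r["due"]))


if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, INVENTORY, date(2025, 11, 20)):
        print(f"{r['priority']} {r['asset']:15} {r['cve']:15} due {r['due']} ({r['days_to_due']:+d}d): {r['action']}")
```

Swap `KEV_SAMPLE` for the parsed live feed and `INVENTORY` for a CMDB export and the same join produces the daily patch list; the F5 asset in the sample correctly yields no row because the excerpt contains no F5 entry, which is the case a real run must distinguish from "no F5 KEVs exist".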

7. Labor Market & Certification Signals (12–24 Month Outlook)

7.1 Workforce & Demand

  • ISC2 estimates 5.5 million cybersecurity professionals globally with a workforce gap of ~4.8 million (≈47% of total demand unmet).
  • CyberSeek/CompTIA report 514,000+ U.S. cyber-related job postings between May 2024 and April 2025, up from ~470,000 in the prior period.
  • Surveys indicate β‰ˆ2 in 3 organisations report cyber staffing shortages, and >60% say shortages directly increase operational risk.

7.2 Skills & Certification Tilt

Current 2025 data and hiring-trends studies highlight:

  • Top skills gaps (often cited):
    1. AI & ML security
    2. Cloud security (CSPM, CNAPP, Kubernetes)
    3. Identity & Access Management (IAM/IdP)
    4. Incident response & forensics
    5. DevSecOps / secure coding
  • Certifications & credentials seeing strong signal in hiring:
    • "Core": CISSP, CISM, Security+.
    • "Cloud & SaaS": vendor-specific cloud security certs (AWS/Azure/GCP), CCSK/CCSP, CNAPP-aligned micro-credentials.
    • "DevSecOps / AppSec": CSSLP, cloud-native DevSecOps training, SRE-security hybrids.

Table 4 – Labour & Certification Signals

Indicator | Recent Signal
Global workforce | ~5.5 M active professionals
Estimated global gap | ~4.8 M unfilled roles
U.S. postings (May 2024–Apr 2025) | 514k+ cyber-related job openings
Most in-demand roles | Cloud Security Engineer/Architect, DevSecOps, AI Security, IAM
Most cited skills gaps | AI security (≈34%), Cloud (≈30%), IAM, IR, DevSecOps

Sources: ISC2 2024 Workforce Study & 2025 Hiring Trends; CyberSeek; SQMagazine & regional recruitment analyses.

Takeaway: Over the next 12–24 months, identity, cloud/SaaS, AI-security and DevSecOps skills will remain high-leverage for both employers and practitioners.

8. Risk Implications & Cross-Industry Priorities (0–6 Months)

Across healthcare, finance, higher-ed, tech, and manufacturing, the next 0–6 months point to a consistent set of priorities:

  1. Identity & Access as the primary control plane
    • Harden IdPs, enforce phishing-resistant MFA, monitor session hijack patterns, and treat SSO/SaaS connectors as crown-jewel assets.
  2. Cloud & SaaS Resilience as Cyber Resilience
    • Assume cloud outages will recur. Design playbooks for:
      • Running securely in "degraded mode" (no portal access, broken SSO).
      • Cross-region / cross-cloud failover for critical security tooling (SIEM, EDR management, ticketing, IR comms).
  3. Third-Party & Supply-Chain Governance
    • Map critical data flows into vendors (student systems, billing, staking providers, logistics platforms).
    • Require incident-notification SLAs, logging guarantees, and key-management standards in contracts.
  4. AI Threat-Informed Training & Controls
    • Re-tool awareness from "spot bad English" to deepfake, voice, and highly polished spear-phishing recognition.
    • Apply technical controls (content filters, anomaly-based detection, risk-based MFA) rather than relying on users alone.
  5. KEV & Edge Device Hygiene
    • Treat CISA KEV as a minimum patch baseline, especially for VPNs, edge firewalls, load balancers, and ADCs.
    • Combine with network segmentation and strict management-plane hygiene.
Takeaway: Short-term, the most effective cross-industry investments are in identity-centric security, resilient cloud/SaaS architectures, and rigorous third-party/KEV management.

9. Watchlist & Source Highlights

9.1 Watchlist (Next 6–12 Months)

  • Repeat hyperscaler outages and their downstream effects on SecOps visibility, CI/CD, and identity platforms.
  • Escalation of AI-enabled social engineering – particularly deepfake voice/video and highly localized spear-phishing against finance and leadership.
  • Industrial & OT ransomware targeting automotive, energy, and manufacturing supply chains (JLR as a template incident).
  • Education & public-sector breaches via cloud-hosted core systems (student management, taxation, citizen portals).
  • PQC transition milestones – vendor shipping timelines for PQC-enabled modules and FIPS 140-3 validated implementations.

9.2 Selected Source List (Non-exhaustive)

  • Global breach & incident stats: IT Governance monthly breach reports (Oct 2025), BreachSense, Wheelhouse IT executive briefs.
  • Cloud outages: The Guardian, Wired – AWS outage 20 Oct 2025; AP News – Azure outage 29 Oct 2025; specialist SecOps-resilience blogs.
  • Regional threat reporting: ENISA Threat Landscape 2025 & sectoral public-administration report; IndustrialCyber summaries; WEF Global Cybersecurity Outlook 2025.
  • Sector-specific: HIPAA Journal, AHA Cyber Intel, healthcare breach and ransomware analyses; Western Sydney University incident notices & AU press; JLR incident reporting from AP, Guardian, Reuters, Times of India, CBT News.
  • AI & crypto: DeepStrike AI Attack Statistics 2025; Hoxhunt Phishing Trends; Google GTIG AI Threat Tracker; StrongestLayer; Group-IB vishing analysis; Elliptic & Chainalysis crypto-crime reports; Bybit/DeFi incident coverage.
  • Workforce & labour: ISC2 2024 Workforce Study & 2025 Hiring Trends; CyberSeek/CompTIA; SQMagazine job-demand analytics; regional recruitment reports.