The threat landscape shifted in 2025.
80 million security events. 110 APT campaigns. 7,800+ ransomware intrusions. Red Piranha's 2026 Annual Threat Intelligence Report distils operational intelligence from real monitored environments—not theoretical models—into strategic guidance for enterprise security leaders.
What the 2025 data actually tells you
These aren't predictions. They're operational conclusions drawn from 80M+ real events, incident response engagements, and threat intelligence operations across 2025.
Espionage-first intrusions have overtaken ransomware-first activity
Attackers now optimise for durable access, identity abuse, and low-noise lateral movement before impact. The goal is presence, not just payload.
Ransomware is now a secondary payload—not the primary objective
Ransomware is increasingly used to monetise access, disrupt response, or create noise that obscures exfiltration and persistence already underway.
EDR bypass has matured into deliberate, structured tradecraft
Layered techniques—user-mode unhooking, telemetry suppression, BYOVD—are applied early and repeatedly until endpoint visibility is degraded.
Living-off-the-land and valid account abuse are now the default
Many 2025 intrusions achieved control without deploying traditional malware at all. Attackers look like administrators until they don't.
China-aligned operations dominate the strategic threat landscape—and they're evolving
Sustained targeting of government, telecoms, maritime, defence, and diplomatic infrastructure. Red Piranha observes a measurable transition from opportunistic disruption toward access persistence, identity abuse, and multi-stage intrusion planning.
Access is the product. Impact is optional.
'Time to encryption' is no longer a reliable indicator of intrusion success or failure. The attacker may already have what they came for long before ransomware is deployed.
Recovery without forensics can be a strategic failure: you may restore services while leaving persistence intact—and losing the evidence trail entirely.
"Assume endpoint visibility will be degraded. Assume identity will be abused. Assume cloud and SaaS will be used as attack infrastructure. Design for independent detection planes that still work when one layer is blinded."
— Red Piranha 2026 Threat Report
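As an added illustration of the "independent detection planes" principle in the quote above, and of the telemetry-suppression tradecraft described earlier (example code, not from the report or from Red Piranha): an assumed cross-check of EDR agent heartbeats against network flow records, so that a host which stays active on the wire while its endpoint agent has gone quiet, or which has no agent record at all, is surfaced as a visibility-loss signal instead of silently dropping out of view. Host names, timestamps and the 30-minute silence threshold are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: last EDR agent heartbeat seen per host (UTC).
EDR_HEARTBEATS = {
    "ws-0142": datetime(2025, 6, 3, 10, 58),
    "ws-0207": datetime(2025, 6, 3, 9, 12),   # agent quiet for almost two hours
    "srv-db01": datetime(2025, 6, 3, 10, 59),
    "ws-0311": datetime(2025, 6, 3, 8, 40),   # quiet, but the host is also off the wire
}

# Constructed sample data: network flow records as (source host, timestamp).
NETFLOW = [
    ("ws-0142", datetime(2025, 6, 3, 10, 57)),
    ("ws-0207", datetime(2025, 6, 3, 10, 55)),  # still talking on the network
    ("ws-0207", datetime(2025, 6, 3, 10, 58)),
    ("srv-db01", datetime(2025, 6, 3, 10, 59)),
    ("ws-0311", datetime(2025, 6, 3, 8, 41)),   # last seen hours ago: likely powered off
    ("ws-0999", datetime(2025, 6, 3, 10, 50)),  # active host with no agent record at all
]

NOW = datetime(2025, 6, 3, 11, 0)  # evaluation time for the constructed sample

def find_blinded_hosts(heartbeats, flows, now, max_silence=timedelta(minutes=30)):
    """Hosts active on the network plane whose EDR telemetry is stale or absent.

    A stale heartbeat alone may just be a laptop in a bag; the independent
    network plane is what turns it into a signal worth triaging.
    """
    cutoff = now - max_silence
    last_flow = {}
    for host, ts in flows:
        if host not in last_flow or ts > last_flow[host]:
            last_flow[host] = ts
    findings = []
    for host, seen in last_flow.items():
        if seen < cutoff:
            continue  # not active on the network: nothing to cross-check
        last_beat = heartbeats.get(host)
        if last_beat is None:
            findings.append({"host": host, "reason": "no_agent", "last_flow": seen})
        elif last_beat < cutoff:
            findings.append({"host": host, "reason": "edr_silent",
                             "last_edr": last_beat, "last_flow": seen})
    return sorted(findings, key=lambda f: f["host"])

if __name__ == "__main__":
    for f in find_blinded_hosts(EDR_HEARTBEATS, NETFLOW, NOW):
        print(f"{f['host']}: {f['reason']} (last network activity {f['last_flow']:%H:%M})")
```

The same pattern works with any second plane the agent cannot silence from inside the host (identity provider sign-ins, DHCP leases, switch port activity); the point is that the comparison source is not the endpoint agent itself.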
Identity-Centric Intrusion Model — 2025
Volume is up. The bigger story is precision.
The volume increase matters less than the behaviour change. Red Piranha observed that ransomware deployment increasingly followed access-establishment, reconnaissance, and control impairment phases—not the other way around. Manufacturing led sector exposure (~1,380 incidents), followed by Business Services (~1,250).
A small number of high-output groups drive disproportionate impact. Prioritise their tradecraft, not just their names.
Per-capita intensity reveals where extortion leverage is structurally highest—and where your IR investments matter most.
Advanced actors operate inside normal workflows.
The most damaging campaigns look like IT work until the moment they don't. 2025 APT tradecraft prioritises stealth, legitimacy mimicry, and long-duration operational persistence.
Approximately 50 distinct operations were assessed as likely China-linked, representing over 40% of all observed APT campaigns. Government (35 incidents) and telecoms (14) are the most targeted sectors.
The dominant objective is strategic access to decision-making systems, legal strategy, M&A data, and research pipelines. Financial/extortion motives account for 15.5%—including 'double-hat' operations used for funding or as disruption cover.
Red Piranha assesses that defenders should plan for fewer but more strategically significant intrusions. The attacker business model is shifting toward efficiency: access acquired faster, tradecraft reused at scale, AI assistance compressing decision cycles.
Your next 90-day cyber priorities
Distilled from the report's findings into concrete, actionable priorities for security and IT leadership.
What this report means for your role
Every finding in this report reflects what attackers actually did inside monitored environments. Use it to pressure-test your detection architecture against real 2025 tradecraft.
- If our EDR telemetry drops, what detects it first?
- Can we detect session token abuse before it escalates?
- Do our playbooks preserve forensics before recovery?
- Which third parties have privileged access—and when did we last audit them?
The 2025 threat landscape demands a new risk model: access is persistent, ransomware is a distraction, and the biggest losses may be invisible. Bring the right numbers to your board conversations.
- How does our sector rank against per-capita exposure data?
- Are our SaaS and cloud control planes included in detection scope?
- Is our Zero Trust policy enforced—or aspirational?
- What's our harvest-now decrypt-later exposure for long-life data?
Your clients face the same threat landscape. This report gives you the operational intelligence to deliver advisory value, harden client environments, and position your SOC against 2025's dominant attack patterns.
- Are your MDR playbooks built for identity-centric intrusions?
- Can your clients detect threats when their EDR is compromised?
- Do your IR engagements preserve evidence for forensics?
- Are you tracking top actor tradecraft (Qilin, Akira, Clop) proactively?
The threat model changed in 2025. Has your defence?
Download the full Red Piranha Annual Threat Intelligence Report 2026. Free access. No paywalls. Operational intelligence your team can act on immediately.