Turning Threat Intelligence Into Proof: 2025 Year in Review

The State of Threat Intelligence in 2025

In 2025, security teams didn’t struggle because they lacked threat information. They struggled because adversary behavior moved faster than operational readiness.

AttackIQ’s Adversary Research Team (ART) exists to close that gap by turning real-world adversary behavior into practical validation so defenders can prove their controls work before an incident becomes a headline.

That mission mattered more than ever last year. Ransomware crews kept refining their playbooks and business models. Nation-state operators blurred the line between espionage and disruption. Vulnerabilities moved from disclosure to exploitation at unprecedented speed. At the same time, regulatory advisories increasingly demanded immediate action.

In response, ART focused on speed, fidelity, and outcomes. As new intelligence emerged, the team published adversary emulations, attack graphs, and guidance—often paired with advisory response—so security teams could test defenses against what mattered right now.

2025 by the Numbers: Cadence, Coverage, and Speed-to-Defense

Across the year, ART shipped 53 total releases, including 46 public releases and 7 customer-only internal releases.

Two patterns defined the year:

  • Ransomware dominance: More than half of public releases centered on ransomware activity, culminating in the six-volume Ransom Tales series (Volumes I–VI) and a companion threat report capturing recurring patterns observed across campaigns.
  • Regulatory responsiveness as a differentiator: ART published advisory responses with a median turnaround of roughly one business day, many of them same-day or next-day. This speed enabled defenders to move from awareness to validation while threats were still active.

The headline takeaway: ART did not treat threat intelligence as a feed to read. It treated it as a set of behaviors to prove against.

The 5 Strongest Threat Intelligence Themes of 2025

1. Ransomware Became a Test Plan, Not Just “News”

If there’s one defining lesson of 2025, it’s this: ransomware behavior is not abstract—it’s testable.

Throughout the year, ART routinely emulated the TTPs used by active ransomware families and translated them into repeatable assessments that security teams could run continuously as part of operational readiness.

Ransomware defense most often fails in the seams—credential access, lateral movement paths, staging, and execution chains that look routine until they are abused. By operationalizing ransomware behavior into testable sequences, defenders gained a practical way to validate those seams against real adversary playbooks.
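The "seams" above are what a testable ransomware sequence is built from: each behavior in the chain is labelled with its ATT&CK technique and checked against what the defensive stack actually produced when that behavior ran. The block below is an added illustration of that evaluation loop, not code from AttackIQ or from ART's releases. The four-step chain, the technique-to-seam mapping, and the observation records are constructed for the example; a real assessment would replace the hand-written observations with alerts and telemetry pulled from the EDR/SIEM after the scenario executes.

```python
"""Evaluate a ransomware behavior chain against observed defensive telemetry.

Added example (not AttackIQ code). A chain is an ordered list of adversary
behaviors, each tagged with a real ATT&CK technique ID and the defensive
'seam' it exercises. Observations are constructed records standing in for
what an EDR/SIEM produced after the chain was executed in a lab: some
behaviors raise an alert, some are merely logged, some leave nothing.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DETECTED, LOGGED, SILENT = "detected", "logged", "silent"


@dataclass(frozen=True)
class Step:
    technique: str  # ATT&CK technique ID
    name: str       # human-readable behavior
    seam: str       # which defensive seam this step exercises


@dataclass(frozen=True)
class Observation:
    technique: str  # ATT&CK technique the telemetry was attributed to
    source: str     # constructed sensor name
    alerted: bool   # True if the sensor raised an alert, False if only logged


# Constructed chain modelled on the seams named in the text: credential access,
# lateral movement, staging, execution. Technique IDs are real ATT&CK IDs.
RANSOMWARE_CHAIN: List[Step] = [
    Step("T1003", "Dump credentials from LSASS", "credential access"),
    Step("T1021", "Authenticate to a peer host with stolen credentials", "lateral movement"),
    Step("T1074", "Stage files for exfiltration and encryption", "staging"),
    Step("T1486", "Encrypt data for impact", "execution"),
]

# Constructed observations: what the lab's sensors produced after the chain ran.
# The lateral-movement step only produced a logon event, and staging left nothing.
SAMPLE_OBSERVATIONS: List[Observation] = [
    Observation("T1003", "edr", alerted=True),
    Observation("T1021", "windows-security-4624", alerted=False),
    Observation("T1486", "edr", alerted=True),
]


def evaluate(chain: List[Step], observations: List[Observation]) -> List[Tuple[Step, str]]:
    """Classify each step as detected, logged-only, or silent."""
    by_technique: Dict[str, List[Observation]] = {}
    for obs in observations:
        by_technique.setdefault(obs.technique, []).append(obs)

    results: List[Tuple[Step, str]] = []
    for step in chain:
        seen = by_technique.get(step.technique, [])
        if any(o.alerted for o in seen):
            status = DETECTED
        elif seen:
            status = LOGGED
        else:
            status = SILENT
        results.append((step, status))
    return results


def first_gap(results: List[Tuple[Step, str]]) -> Step:
    """The earliest step in the chain that did not raise an alert.

    Raises ValueError if every step was detected (no gap).
    """
    for step, status in results:
        if status != DETECTED:
            return step
    raise ValueError("no gap: every step in the chain was detected")


def alert_coverage(results: List[Tuple[Step, str]]) -> float:
    """Fraction of chain steps that produced an alert (0.0 to 1.0)."""
    if not results:
        return 0.0
    return sum(1 for _, s in results if s == DETECTED) / len(results)


if __name__ == "__main__":
    outcome = evaluate(RANSOMWARE_CHAIN, SAMPLE_OBSERVATIONS)
    for step, status in outcome:
        print(f"{step.technique:7} {status:9} {step.seam:18} {step.name}")
    gap = first_gap(outcome)
    print(f"alert coverage: {alert_coverage(outcome):.0%}")
    print(f"first seam to fix: {gap.seam} ({gap.technique})")
```

The distinction between "logged" and "detected" is the useful part: the lateral-movement step here leaves a logon event behind, so a hunter could find it after the fact, but no control fired while it was happening. Reporting the first undetected seam in chain order, rather than only a coverage percentage, tells the team where an intrusion would first slip past them.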

2. Advisories Became Defense Drills

Threat intelligence only helps when it drives action. In 2025, ART approached threat advisories as blueprints for defender-led testing rather than static guidance.

When advisories arrived, primarily from the Cybersecurity and Infrastructure Security Agency (CISA), ART treated them as operational triggers, building and publishing adversary assessments that enabled security teams to test their own controls and identify gaps while threats were still active.

A clear example was CISA advisory AA25-239A, where activity attributed to Chinese state-sponsored operators became a catalyst for measurable defensive validation rather than awareness alone.

This approach consistently shortened the distance between public guidance and measurable readiness.

3. Time Became a Risk Multiplier

Defenders increasingly had to move before intelligence fully matured.

LockBit 4.0 illustrated this reality. Early in its emergence, detailed TTP intelligence remained limited. Rather than wait, ART published an assessment template with sample-based scenarios so teams could start testing and refining detection immediately, then iterate as fidelity improved.

Perfect information rarely arrives on time. Acting early often matters more than acting with complete certainty.

4. “How” Adversaries Attack Mattered More Than “Who” Was Attacking

Hybrid threats reinforced a persistent truth: how adversaries operate matters more than who they are.

Espionage blended with disruption. Influence overlapped with extortion. Long-term access increasingly intersected with opportunistic operations.

Two adversaries stood out:

  • Salt Typhoon: A patient, intelligence-focused adversary built around stealth and persistence. Its operations emphasize credential abuse, living-off-the-land techniques, and low-noise lateral movement to maintain access over extended periods without detection. For a deeper breakdown of its tradecraft and operational patterns, see ART’s full Salt Typhoon analysis.
  • RomCom: An adversary that expanded from a single backdoor into a broader cyberwar toolkit. Its campaigns rely on phishing, staged payload delivery, and flexible infrastructure to support espionage, disruption, and influence operations. That evolution is detailed in the threat report, The Evolution of RomCom: From Backdoor to Cyberwar.

5. Proactive Testing and Validation Became Essential

In 2025, teams were not short on vulnerability alerts—they were short on confidence.

ART’s vulnerability-focused releases helped bridge that gap by translating high-impact issues into behaviors that can be tested. You can’t patch your way to certainty. Confidence comes from validating that detection and prevention controls function as expected in practice.

The Work You Don’t Always See

Some of ART’s most valuable work cannot be published in full detail.

Throughout 2025, the team produced customer-focused releases informed by TLP:AMBER and TLP:RED briefings and trusted relationships with public and private agencies. These insights shaped what to prioritize, what to emulate next, what to refresh, and where deeper instrumentation was required, while honoring confidentiality.

Being ahead of the curve responsibly means acting early without breaking trust.

AttackIQ Watchtower: AI-Driven Threat Intelligence Analyzer

In August, AttackIQ introduced Watchtower—a major step forward in making threat-informed defense more automated, hyperlocal, and actionable by aligning global threat intelligence to environment-relevant testing.

Watchtower is designed to help security teams continuously answer two questions:

  • “What should I be defending against today?”
  • “What should I prepare for tomorrow?”

This reflects the direction threat-informed defense is heading: continuous relevance aligned to what is most likely to matter in your environment, not a generic list of global threats.

Defensive Validation Priorities for 2026

Across ransomware, nation-state/hybrid activity, vulnerability response, and regulatory alignment, 2025 reinforced truths that will define 2026:

  • Ransomware readiness must be continuous, not episodic.
  • Advisories should become validation exercises, not “read and forward” alerts.
  • Hybrid actors demand behavioral understanding, not labels.
  • Confidential collaboration can responsibly accelerate defender readiness.
  • Threat-informed defense is evolving toward hyperlocal, always-on relevance.

ART’s work is designed to help you validate security controls continuously against the threats actually targeting your environment. If you’re evaluating AttackIQ, this is the proof: we don’t just track threats—we enable defenders to test against them.

Paul Reid

VP, Adversary Research

Paul Reid is a veteran of the complex, fast-paced world of cybersecurity, having served as a technology strategist for more than two decades for innovative technology companies. In these roles, he leveraged his deep expertise in cybersecurity, biometrics, network security, cryptography, and more, to guide customers, partners, industry analysts, and journalists through the intricate cybersecurity landscape. Most recently he has led a team of cyber threat hunters leveraging behavioral analytics to find emerging threats in customers’ environments. Paul has been published numerous times and has shared his perspectives as a keynote speaker at prominent industry conferences, such as the NATO Information Assurance Symposium, SANS@Night, and Microsoft TechEd. Paul is a published author in the Prentice Hall Series in Computer Networking and Distributed Systems. He also holds several patents in cybersecurity.