Every year, the Cisco Talos Year in Review captures the patterns shaping the threat landscape. The 2025 report paints a clear picture: Attackers are moving faster than ever, while using identity-related attacks as the primary battleground.
To unpack the biggest takeaways and what they mean for security teams, we brought together Christopher Marshall, VP of Cisco Talos, and Peter Bailey, SVP and GM of Cisco Security.
Here are the highlights of their conversation. For the full discussion, head over to the Cisco Talos blog, where you can also download the Year in Review report.
Old vulnerabilities, new speed
Marshall: One of the clearest trends in this year's data is the contrast in how vulnerabilities are being exploited. We saw React2Shell disclosed in December and within weeks it became the most targeted vulnerability we tracked.
At the same time, a 12-year-old vulnerability still appeared in the top 10 most exploited list. So we're seeing very rapid weaponization (likely fuelled by AI given the compressed timeline from initial proof of concept to large-scale exploitation, across multiple languages and platforms) alongside continued success with legacy flaws.
Bailey: There's always a lot of focus on the latest zero-day, and rightly so. The industrialization of vulnerability exploitation is extremely concerning. But at the same time, many attacks are still leveraging vulnerabilities that have been around for years.
Organizations are dealing with complexity. Large environments. Long device lifecycles. Change management processes that take time. But attackers don't care about those constraints. They actually count on them.
This is where we need to repeat that the fundamentals still matter. Patch management, asset visibility, lifecycle discipline... We still have work to do there as an industry.
Marshall: And then you have 40% of the top 100 exploited vulnerabilities being effective because organizations were running end-of-life devices. That's a measurable problem. When infrastructure is no longer supported, attackers know it. They scan for it, and then they target it. Technical debt becomes operational risk.
Bailey: Absolutely. In most cases it's not that customers don't want to patch. It's that their critical networking infrastructure has been stable for years, and taking it offline can disrupt the business.
As an industry, we need to reduce that friction. Cisco is a big part of that, with built-in protections in our networking equipment that can be applied without downtime, and options to shield systems when patching can't happen immediately.
Identity as the primary target
Marshall: If there's one area where attackers are consistently investing their time and energy, it's identity. In 2025, identity-based attack techniques were central to major phases of operations, like lateral movement, privilege escalation, and persistence. Controlling identity effectively means controlling access across the environment.
One of the most striking data points in the report is that fraudulent device registration increased 178 percent year over year. In many cases, attackers convinced administrators to register devices on their behalf through vishing (or voice phishing). They targeted administrator-managed registration flows at three times the rate of user-driven ones. There's a clear preference for high-value victims.
Bailey: And unfortunately these stolen credentials are widely available. Logging in is often easier than breaking in. Once attackers obtain legitimate access, they can blend in.
For defenders, identity controls need to go beyond authentication. You need continuous monitoring. You need risk-based adjustments to access. You need to detect abnormal behavior quickly.
Marshall: We're also seeing a rise in internal phishing. More than a third of phishing incidents we observed involved attackers sending messages from already compromised accounts.
Once inside, they create mailbox rules to hide replies and suppress visibility. They explore shared drives and collaboration platforms. They look for sensitive information that can help them expand access. This all means defenders need strong visibility into normal user behavior. If accounts suddenly start sending far more messages than usual or accessing data they never touched before, that should stand out.
Bailey: Identity is no longer just an authentication problem. It's a monitoring and governance problem, as well.
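The two detection ideas raised in the conversation above (inbox rules that hide replies, and accounts that suddenly send far more mail than their own baseline) can be expressed as simple scoring logic over audit events. The following is an added example written for this summary; it is not code from Cisco Talos or from the Year in Review report. The event field names (user, rule_name, conditions, actions), the folder and keyword lists, and the thresholds are assumptions chosen for illustration, and every log record below is constructed rather than real telemetry.

```python
"""Detection heuristics for two identity-abuse signals discussed above:
suspicious inbox rules and abnormal outbound mail volume.
Added example; field names, thresholds and all records are assumptions."""
from statistics import mean, pstdev

# Constructed mailbox-rule creation events (not a vendor log schema).
RULE_EVENTS = [
    {"user": "alice@example.test", "rule_name": "Sort newsletters",
     "conditions": {"from_contains": "news"},
     "actions": {"move_to": "Newsletters"}},
    {"user": "bob@example.test", "rule_name": ".",
     "conditions": {"subject_contains": "invoice"},
     "actions": {"delete": True, "mark_read": True}},
    {"user": "carol@example.test", "rule_name": "a",
     "conditions": {"body_contains": "password"},
     "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
]

# Constructed per-day sent-message counts; the last entry is "today".
SENT_COUNTS = {
    "alice@example.test": [12, 15, 9, 14, 11, 13, 10, 16],
    "bob@example.test":   [20, 18, 25, 22, 19, 21, 23, 240],
    "carol@example.test": [3, 2, 4, 3, 5, 2, 3, 4],
}

# Folders a victim rarely opens, so moved replies go unnoticed (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Keywords attackers commonly filter on to intercept replies (assumed list).
SENSITIVE_TERMS = {"password", "invoice", "payment", "wire", "mfa", "verification"}


def score_rule(event):
    """Return a list of human-readable reasons a rule looks like reply hiding."""
    reasons = []
    actions = event["actions"]
    folder = actions.get("move_to", "")
    hides = actions.get("delete") or folder.lower() in HIDING_FOLDERS
    if actions.get("delete"):
        reasons.append("deletes matching mail")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    if actions.get("mark_read") and hides:
        reasons.append("marks hidden mail as read so no unread badge appears")
    if len(event["rule_name"].strip()) <= 1:
        reasons.append("empty or one-character rule name")
    condition_text = " ".join(str(v) for v in event["conditions"].values()).lower()
    if any(term in condition_text for term in SENSITIVE_TERMS):
        reasons.append("filters on sensitive keywords")
    return reasons


def suspicious_rules(events, min_reasons=2):
    """Map user -> reasons for rules with at least min_reasons indicators.
    A single indicator (e.g. sorting 'invoice' mail into a folder) is normal
    behaviour, so two or more are required before raising an alert."""
    flagged = {}
    for event in events:
        reasons = score_rule(event)
        if len(reasons) >= min_reasons:
            flagged[event["user"]] = reasons
    return flagged


def volume_anomalies(counts, z_threshold=3.0, ratio_threshold=3.0):
    """Map user -> (today, baseline_mean, z) for accounts whose sent volume
    today is both a large z-score and a large multiple of their own baseline.
    The sigma floor of 1.0 stops very stable accounts from alerting on noise."""
    flagged = {}
    for user, series in counts.items():
        *baseline, today = series
        mu = mean(baseline)
        sigma = max(pstdev(baseline), 1.0)
        z = (today - mu) / sigma
        if z >= z_threshold and today >= ratio_threshold * mu:
            flagged[user] = (today, mu, z)
    return flagged


if __name__ == "__main__":
    for user, reasons in suspicious_rules(RULE_EVENTS).items():
        print(f"RULE ALERT {user}: " + "; ".join(reasons))
    for user, (today, mu, z) in volume_anomalies(SENT_COUNTS).items():
        print(f"VOLUME ALERT {user}: {today} sent today vs baseline {mu:.1f} (z={z:.1f})")
```

In this constructed data, only the rules created by bob and carol trip two or more indicators, and only bob's account jumps far enough above its own sending baseline to alert; alice's mild increase stays below both thresholds. Each alert carries the reasons so an analyst can see why it fired rather than just that it fired.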