
2025 Cybersecurity Year in Review

  • Writer: Donnie Hasseltine
  • Jan 10
  • 6 min read

Updated: Feb 3


Executive Summary: 2025 at a Glance

If 2024 was the year we talked about AI in cybersecurity, 2025 was the year we felt it. From the weaponization of generative AI in social engineering to the massive consolidation of industry giants, the landscape has shifted fundamentally.


This past year saw the largest credential leak in history, state-sponsored actors burrowing deep into global telecommunications, and the U.S. government finally pulling the trigger on strict enforcement for defense contractors.


2025 wasn't just another year of breaches; it was the year the "asymmetric advantage" officially flipped. For a decade, attackers had the advantage of needing to find only one open door while defenders had to secure the entire perimeter. In 2025, with the widespread adoption of Agentic AI in Security Operations Centers (SOCs), defenders began to close that gap—automating remediation at machine speed.


However, the adversaries adapted. We moved from "smash and grab" ransomware to "persistent silence" espionage. We saw the U.S. government finally draw a hard line in the sand with defense contractors. And we saw the market punish "point solutions" in favor of massive, integrated platforms.


Here is the Kedge Security 2025 Cybersecurity Year in Review, recapping the major cyber news, breaches, and trends, and our predictions for the year ahead.


Threat Landscape: "Living off the Land" & The Death of Privacy


1. Salt Typhoon: The Wiretap in the Machine

The defining breach of the year was undoubtedly Salt Typhoon. While it was identified in late 2024, more details, including the attribution to Chinese state-sponsored actors, emerged over the course of 2025. Most technically significant was the target: the Lawful Intercept infrastructure.

  • The Attack Vector: Rather than relying on a traditional exploit, attackers compromised the very "backdoors" (CALEA compliance interfaces) that ISPs are legally required to maintain for law enforcement wiretapping.

  • Technique: The group utilized "Living off the Land" (LotL) binaries, using legitimate administrative tools to blend in with normal network traffic, maintaining persistence within Verizon, AT&T, and Lumen networks for months before detection.

  • Why It Matters: This wasn't about data destruction; it was about intelligence supremacy. It forced a complete rethink of how we secure "privileged access" for law enforcement interfaces.


2. The "Credential Buffet" & The Rise of Session Hijacking

The leak of 16 billion credentials (the "Credential Buffet") was notable not just for its size, but for how it shifted attack economics.

  • The Shift: With passwords increasingly replaced by stronger authentication methods, 2025 saw a 400% spike in Session Token Theft. Info-stealers didn't bother cracking passwords; they simply stole the session_id cookies from browser caches, bypassing MFA entirely.

  • The Defense: This single event accelerated the adoption of Token Binding and forced major IDPs (Identity Providers) to shorten session lifetimes to minutes rather than days.


3. SaaS Supply Chain: The OAuth Abuse

The compromise of the Drift integration for Salesloft (and subsequent lateral movement into Salesforce instances) highlighted the "Shadow SaaS" problem.

  • Technical Detail: Attackers didn't hack Salesforce; they hacked a trusted third-party app with over-scoped OAuth permissions (e.g., Full Write access when Read Only was needed).

  • Takeaway: In 2026, "Third-Party Risk Management" (TPRM) is no longer about sending questionnaires; it's about automated auditing of OAuth scopes and API keys.
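A minimal version of the automated OAuth scope audit this takeaway calls for, added here as an illustration and not tooling from Kedge Security or any vendor named above. The "resource:level" scope format, the app names, the least-privilege policy and the grant export are all constructed assumptions standing in for what an IdP or SaaS admin API would return.

```python
from datetime import date

# Privilege lattice for the access level in a scope; higher index = more privilege.
LEVELS = ["read", "write", "full"]

def parse_scope(scope):
    """Split a 'resource:level' scope (constructed format) into its parts.
    A bare resource name is treated here as full access to that resource."""
    resource, _, level = scope.partition(":")
    return resource, level or "full"

def audit_grant(grant, policy, today, stale_days=90):
    """Check one OAuth grant against the app's least-privilege policy; return findings."""
    findings = []
    needed = policy.get(grant["app"], {})   # resource -> least level the app really needs
    for scope in grant["scopes"]:
        resource, level = parse_scope(scope)
        # Unknown levels rank above every known one, so they are never waved through.
        rank = LEVELS.index(level) if level in LEVELS else len(LEVELS)
        if resource == "*":
            findings.append(f"wildcard scope {scope!r}: equivalent to full org access")
        elif resource not in needed:
            findings.append(f"unneeded resource {resource!r}: revoke {scope!r}")
        elif rank > LEVELS.index(needed[resource]):
            findings.append(f"over-scoped {scope!r}: {needed[resource]} would suffice")
    if (today - grant["last_used"]).days > stale_days:
        findings.append(f"stale grant: last used {grant['last_used']}, revoke or re-consent")
    return findings

def audit_all(grants, policy, today):
    """Map each app to its findings; an empty list means the grant is clean."""
    return {g["app"]: audit_grant(g, policy, today) for g in grants}

# Constructed policy and grant export (hypothetical apps, not any real integration).
POLICY = {"chat-widget": {"contacts": "read", "leads": "write"},
          "analytics-bot": {"reports": "read"}}
GRANTS = [
    {"app": "chat-widget", "scopes": ["contacts:write", "leads:write", "users:read"],
     "last_used": date(2025, 12, 20)},
    {"app": "analytics-bot", "scopes": ["*"], "last_used": date(2025, 6, 1)},
]
```

Running audit_all(GRANTS, POLICY, date.today()) flags the write grant where read was needed, the resource the app never needed, the wildcard grant, and the grant nobody has used in months.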


Industry Moves: The M&A "Super Cycle" of 2025

2025 will be remembered as the year of the Mega-Acquisition. As CISOs demanded fewer tools with better integration, the market responded with massive consolidation. The M&A market in 2025 was driven by a single C-Suite directive: "Vendor Consolidation." 


Google Acquires Wiz ($32 Billion)

In the biggest cybersecurity acquisition in history, Google gained clearance to acquire cloud security unicorn Wiz for $32 billion.

  • The Strategy: Google is betting the house on "Cloud-Native Application Protection" (CNAPP) to compete with AWS and Azure, aiming to secure the entire cloud lifecycle from code to runtime.


ServiceNow Buys Armis ($7.75 Billion)

Announced in late 2025, ServiceNow made a massive play for the Operational Technology (OT) and IoT space by acquiring Armis.

  • The Strategy: This bridges the gap between IT service management and asset visibility. It suggests a future where "patching a vulnerability" is an automated workflow triggered instantly by asset discovery.


Veeam Acquires Securiti AI ($1.7 Billion)

Data resilience giant Veeam acquired Securiti AI, signaling a shift from "backup" to "data governance." It acknowledges that in the age of AI, you don't just need to save your data; you need to know what it is, where it lives, and who has access to it.

  • The Strategy: This integrates Data Security Posture Management (DSPM) into the backup layer. It bets that "blind" recovery is no longer sufficient; organizations must now understand the content and sensitivity of their data (identifying PII, shadow AI models, and sovereignty risks) to ensure safe, compliant restoration.


Cisco + Splunk Integration

While the acquisition closed in 2024, 2025 was the year the Cisco + Splunk integration actually hit the market.

  • The Result: A unified "Data-to-Action" platform. Network telemetry (Cisco) and log analytics (Splunk) finally merged, allowing for real-time, automated blocking of threats based on log anomalies.

  • Market Impact: This put immense pressure on standalone SIEM (Security Information and Event Management) providers, forcing smaller players to merge or exit.


The "Sovereign Cloud" Expansion

With geopolitical tensions rising, 2025 saw the rise of "Sovereign Cloud" security—tools designed specifically to ensure data never crosses national borders. European and APAC markets drove massive investment in localized data residency solutions, impacting how global companies architect their security stacks.



Regulatory Deep Dive: CMMC & FedRAMP

For the Defense Industrial Base (DIB) and Cloud Service Providers (CSPs), 2025 was the year of implementation.


CMMC 2.0: Phase 1 is Live

With the effective date of the 48 CFR Final Rule (DFARS Case 2019-D041) on November 10, 2025, the DoD’s phased rollout is officially underway.

  • Current State (Phase 1): We are deep in the "Self-Assessment" era. Participation is no longer theoretical; if you are bidding on a new contract with the CMMC clause (DFARS 252.204-7021), a valid self-assessment score posted in SPRS is a hard gate for eligibility.

  • The Revision Trap: Many contractors are aggressively implementing NIST SP 800-171 Rev 3 (released May 2024), assuming newer is better.

    • Correction for Pros: The CMMC program (per 32 CFR Part 170) is legally anchored to Rev 2. Rev 3 introduces changes that do not map 1:1 with the CMMC Assessment Guide. If you assess against Rev 3, your System Security Plan (SSP) will be technically non-compliant.

  • Looking Ahead (Phase 2): The countdown to November 2026 has begun. This marks the start of mandatory C3PAO Level 2 Certifications as a condition of contract award. The bottleneck is real—C3PAO schedules are filling up 6–9 months out. If you haven't booked your assessment, you are already risking your Q4 2026 pipeline.


FedRAMP "20x": The Automation Mandate

The GSA's "FedRAMP 20x" initiative, launched in March 2025, has fundamentally changed the Authorization to Operate (ATO) process.

  • OSCAL is King: The Open Security Controls Assessment Language (OSCAL) is no longer optional. The new FedRAMP dashboard only accepts machine-readable packages.

  • Phase 2 Active: We are currently in the "Moderate Pilot" phase. The goal is to reduce the authorization timeline from 18 months to roughly 3 months by automating the validation of controls.

  • Impact: If you are a SaaS provider wanting to sell to the government, you need to stop hiring technical writers and start hiring Compliance Engineers who can code compliance into your CI/CD pipeline.


2026 Outlook and Predictions

As we look toward 2026, here is what Kedge Security sees on the horizon:


1. AI Agents vs. AI Agents

In 2026, we expect to see Autonomous Threat Agents—AI models that can scan, identify vulnerabilities, and execute exploits without human intervention. Conversely, "AI Defenders" will auto-patch systems in milliseconds. The speed of cyber warfare is about to exceed human reaction time.


2. The Rise of "Non-Human Identity" (NHI) Security

While we have mostly solved user identity, the next frontier is Service Accounts, API Keys, and Bots. In 2026, we predict that attacks will increasingly target NHIs, which often have high privileges and zero MFA. Expect a market surge in "NHI Security" platforms.


3. The Death of the "Best-of-Breed" Stack

The massive M&A activity of 2025 proves that the market is tired of managing 50 different security vendors. 2026 will be the year of Platformization. Companies will rip out point solutions in favor of unified platforms (like Google/Wiz or Palo Alto Networks) that offer a "single pane of glass."


4. Agentic AI vs. The SOC Analyst

The "Tier 1 SOC Analyst" role is disappearing. In 2026, AI Agents will handle 90% of Triage and Containment. The human role shifts to "Threat Engineering"—building the logic and guardrails that the AI agents execute.


5. Identity Verification 2.0 (The Anti-Deepfake)

With "ClickFix" and deepfake Zoom calls bypassing traditional training, 2026 will see a surge in biometric liveness detection and hardware-based identity verification keys (FIDO2) becoming the only acceptable standard for privileged access.


6. Post-Quantum Cryptography (PQC)

With the countdown to "Q-Day" (when quantum computers break current encryption) ticking and NIST finalizing the Post-Quantum Cryptography (PQC) standards (ML-KEM, ML-DSA), 2026 will be the year enterprise governance teams start mandating crypto-agility—auditing their code to ensure they can swap out encryption algorithms when the time comes. Expect auditors to start asking: "Where is your cryptographic inventory?" You don't need to migrate everything yet, but you should know what cryptography you're using and where your vulnerable RSA/ECC keys are located.
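A starting point for the cryptographic inventory auditors will ask about, added here as an example and not tooling from the original post: it classifies PEM-encoded keys by the algorithm OID found in their DER body and flags the RSA/ECC ones as quantum-vulnerable, with ML-KEM and ML-DSA as the safe side of the ledger. The SAMPLE blocks are constructed fragments wrapping only an AlgorithmIdentifier, not real keys; point inventory() at your real key and certificate files.

```python
import base64
import re
from collections import Counter

# DER-encoded AlgorithmIdentifier OIDs (tag 0x06, length, value) -> (name, broken by
# Shor's algorithm?). ML-KEM/ML-DSA are the NIST PQC standards the page names.
OIDS = {
    bytes.fromhex("06092a864886f70d010101"): ("rsaEncryption", True),
    bytes.fromhex("06072a8648ce3d0201"): ("ecPublicKey", True),
    bytes.fromhex("06032b6570"): ("Ed25519", True),
    bytes.fromhex("0609608648016503040402"): ("ML-KEM-768", False),
    bytes.fromhex("0609608648016503040312"): ("ML-DSA-65", False),
}
# PKCS#1 / SEC1 PEM bodies carry no AlgorithmIdentifier, so classify them by label.
LEGACY_LABELS = {"RSA PRIVATE KEY": ("rsaEncryption", True),
                 "EC PRIVATE KEY": ("ecPublicKey", True)}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify(label, der):
    """Return (algorithm, quantum_vulnerable) for one decoded PEM body."""
    if label in LEGACY_LABELS:
        return LEGACY_LABELS[label]
    for oid, result in OIDS.items():
        if oid in der:
            return result
    return ("unknown", None)   # unknown is a finding too: investigate manually

def inventory(pem_text, source="<inline>"):
    """Turn every PEM block in pem_text into an inventory record."""
    records = []
    for label, body in PEM_RE.findall(pem_text):
        alg, vuln = classify(label, base64.b64decode("".join(body.split())))
        records.append({"source": source, "label": label,
                        "algorithm": alg, "quantum_vulnerable": vuln})
    return records

def summarize(records):
    """Per-algorithm counts: the table an auditor asking for the inventory wants."""
    return Counter(r["algorithm"] for r in records)

def _pem(label, der):
    # Constructed sample: wraps a bare AlgorithmIdentifier fragment, not a real key.
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed input: an RSA SPKI fragment, a legacy SEC1 key stub, an ML-KEM-768 fragment.
SAMPLE = (_pem("PUBLIC KEY", bytes.fromhex("300d06092a864886f70d0101010500"))
          + _pem("EC PRIVATE KEY", b"\x30\x00")
          + _pem("PUBLIC KEY", bytes.fromhex("300b0609608648016503040402")))
```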


Ready for 2026?

The rules of the game changed in 2025. Whether you are navigating the new CMMC requirements or looking to consolidate your security stack, Kedge Security is here to help you steer through the noise.

