The Tidal Cyber 2025 Threat-Led Defense Report represents a groundbreaking shift in cybersecurity analysis by placing real adversary behavior at the forefront of defense strategies. Read the Full Report, or read an overview of our findings below.
The Crisis of Traditional Detection
Traditional detection models have served cybersecurity experts for quite a while, but they are becoming outdated as the cybersecurity landscape changes. Adversaries are now modifying their procedures and testing new techniques at a pace that traditional detection models cannot keep up with. The usual approach of vulnerability patching and signature-based detection is failing under the sheer speed of adversarial innovation.
The central idea of this report is to help CISOs reimagine their defensive posture. The reality of threats in 2026 demands that industry security experts move from reacting to Common Vulnerabilities and Exposures (CVEs) as they emerge to a method where mapping and validating actual adversary behaviors take precedence.
The data is quite revealing. Adversary threats are evolving faster than security teams can keep up with, leading to a decline in the ability to detect them. The traditional timing of annual security assessments and quarterly control updates cannot keep pace with evasion techniques that are being developed in real time by adversaries.
Deep Dive: TTP Evolution & Adversary Fluidity
For years, defenders assumed IOCs changed quickly, but TTPs stayed stable. Our 2025 data disproves that.
Adversaries are rapidly modifying procedures, testing new techniques, and shifting entire tactics across campaigns, meaning yesterday's coverage may no longer hold against today's behavior. Adversary TTPs are no longer fixed, and Void Rabisu, Scattered Spider, and Akira are proof of this. We derived the findings in this report from the Tidal Cyber Threat-Led Defense Platform.
Tactical Shifts (Void Rabisu)
Void Rabisu is a clear example of how threat actors change their core operational objectives. This group has moved from purely financial motives to more sophisticated geopolitical espionage. That shift has made it difficult to pin down the sphere of its activity, whether cybercrime or state-sponsored. For enterprise security teams, this tactical innovation makes risk profiling and attribution more difficult.
Whenever threat actors change their strategic intent, the implications flow down through every layer of defense already in place. Defenses built for financial fraud are often ineffective against espionage campaigns crafted to exfiltrate intellectual property or strategic communications. CISOs and security leaders must understand that adversaries now operate with multiple, shifting intents and must design their defenses with this in mind.
Technique Variation (Scattered Spider)
Scattered Spider showcases the speed at which attack surfaces evolve in cloud-native environments. Software-as-a-Service platforms like Slack, Confluence, and Microsoft Teams have become targets for this group, which has recognized them as high-value repositories of sensitive communications and operational data.
To the devastation of their victims, Scattered Spider has begun exploiting virtualization infrastructure through methods like Virtualization/Sandbox Evasion (T1651). By abusing hypervisors and virtual machine management layers, adversaries enable lateral movement that evades conventional network segmentation and endpoint detection mechanisms. This variation in technique highlights a critical truth: threat actors are rapidly embracing novel attack vectors, outpacing organizations' ability to establish adequate visibility into these emerging threats.
Procedural Persistence (Akira)
Akira ransomware operators combine procedural persistence with subtle evasion to defeat defenses. The group has repeatedly used certain command patterns, including Windows Management Instrumentation (WMI) for shadow copy deletion, to obstruct recovery. At the same time, they introduce minor procedural variations in execution timing, disguise techniques, and command sequencing to elude static signature detection.
This hybrid approach stumps defenders who have become reliant on one-to-one pattern matching. The key method stays stable enough for their attacks to work, but the minor variations in implementation are often enough to invalidate signatures. Security teams must understand that their detection logic has to evolve. They need to shift from simple indicators of compromise to behavioral analytics capable of detecting and identifying malicious intent across these variations.
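To make the Akira point concrete, here is an added example (not code from the report or from Tidal Cyber) that runs a brittle one-to-one signature and a behavioral rule side by side over constructed process-creation events. The event fields and the command-line variants are assumptions for illustration; the behavioral rule keys on the stable behavior (WMI used to delete Win32_ShadowCopy objects) rather than on one exact string.

```python
import re

# Constructed process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4412, "cmdline": "wmic shadowcopy delete"},
    {"pid": 4418, "cmdline": "C:\\Windows\\System32\\wbem\\WMIC.exe  SHADOWCOPY  delete /nointeractive"},
    {"pid": 4420, "cmdline": "powershell -nop -w hidden Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"pid": 4421, "cmdline": 'pwsh -c "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"'},
    {"pid": 5001, "cmdline": "wmic shadowcopy list brief"},   # benign enumeration, must not fire
    {"pid": 5002, "cmdline": "wmic os get caption"},           # unrelated WMI use
]

# A one-to-one signature of the kind the text says minor procedural variations invalidate.
STATIC_SIGNATURE = "wmic shadowcopy delete"

def static_match(cmdline: str) -> bool:
    """Exact-substring signature: brittle against case, spacing, paths and PowerShell forms."""
    return STATIC_SIGNATURE in cmdline

def normalize(cmdline: str) -> str:
    """Collapse the cosmetic variations an operator can change without changing behavior."""
    s = cmdline.lower().replace('"', "").replace("'", "")
    s = re.sub(r"[a-z]:\\[^\s]*\\", "", s)   # drop directory prefixes such as c:\windows\system32\wbem\
    return re.sub(r"\s+", " ", s).strip()

# Behavior rules: WMI used to delete shadow copies, regardless of the binary or syntax chosen.
BEHAVIOR_RULES = [
    ("wmi_shadowcopy_delete_wmic", re.compile(r"\bwmic(?:\.exe)? .*\bshadowcopy\b.*\bdelete\b")),
    ("wmi_shadowcopy_delete_powershell",
     re.compile(r"win32_shadowcopy\b.*(?:\.delete\(|remove-wmiobject|remove-ciminstance)")),
]

def behavioral_match(cmdline: str) -> list:
    """Return the names of behavior rules that fire on the normalized command line."""
    norm = normalize(cmdline)
    return [name for name, rx in BEHAVIOR_RULES if rx.search(norm)]

def run_detection(events: list) -> list:
    """Evaluate both approaches on each event so the coverage gap is visible side by side."""
    return [{"pid": e["pid"], "static": static_match(e["cmdline"]),
             "behavioral": behavioral_match(e["cmdline"])} for e in events]

if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r)
```

Only the first event matches the static signature, while the behavioral rules catch all four deletion variants and stay quiet on the benign enumeration.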
High-Impact Macro Trends of 2025
According to Tidal Cyber's 2025 Threat-Led Report, four dominant themes are shaping enterprise risk and defense priorities. These trends illustrate a dynamic threat environment characterized by sophisticated exploitation techniques, targeted human vulnerabilities, hybrid ransomware tactics, and state-sponsored cyber escalation initiatives.
The Commoditization of Zero-Days
Zero-day vulnerabilities were once rare and used mostly by states for information breaches; they have now become routine tools for both espionage groups and commodity crimeware adversaries. Our report shows that defenders have mere days to respond rather than weeks.
Threat actors have proliferated these capabilities on illicit marketplaces, making previously elusive zero-day exploits widely available. Traditional patch cycles cannot cope with this proliferation, so CISOs must assume that unknown vulnerabilities can be exploited at any time and should focus on detecting post-exploitation behaviors rather than relying on preventive patching alone.
AI-Driven Social Engineering
The dawn of AI and its rapid sophistication has made social engineering easier for adversaries. Our report highlights how AI-powered phishing and voice phishing (vishing) campaigns have scaled to levels never before imagined. This has made it easier for bad actors to create personalized, contextually relevant deception quickly.
Generative AI gives adversaries the opportunity to better impersonate leaders and executives, forge email, and automate information gathering. AI has enabled adversaries to exploit the human element, which has always been recognized as the weakest link in cybersecurity. AI-generated deception will significantly outpace traditional methods of awareness training.
The Leverage-Based Ransomware Model
The ransomware threat landscape has evolved past basic file encryption. Major groups like Interlock and Medusa have begun implementing multi-level extortion strategies that prioritize data theft and coercive language over technical encryption.
Threat actors now bypass encryption entirely and focus on more overt methods. They exfiltrate sensitive data, threaten public disclosure, and leverage regulatory compliance obligations (GDPR, HIPAA) to maximize pressure. Organizations should recognize that backup and recovery strategies already in place may be insufficient against modern ransomware.
Geopolitical Blurring
Private actors are increasingly blurring the boundaries between hacktivism, espionage, and criminal enterprise, challenging the traditional definition of state-sponsored activity. Groups like the Handala Hack Team have shown how ideologically motivated adversaries can attack private sector infrastructure with the scale and resources usually associated with nation-state operations.
The unpredictable nature of geopolitical cyber risk exposes both private and public facilities to attack. The now nebulous character of international cyber conflict makes it difficult to gauge the scale of nation-state operations or to identify the actors behind them. CISOs can no longer segment their threat models into neat categories of cybercrime versus nation-state; the reality is far more chaotic.
Technical Spotlight: Emerging Offensive Techniques
Adversary Abuse of AI (T1588.007)
Our report indicates an astonishing 300% surge in the detection of adversaries using AI for offensive maneuvers.
Adversaries are utilizing artificial intelligence to create polymorphic payloads that dynamically alter to bypass signature-based detection mechanisms, while also automating reconnaissance efforts at unprecedented scales.
Machine learning models empower threat actors to scrutinize defensive telemetry, pinpoint detection vulnerabilities, and refine evasion strategies through continuous experimentation. This establishes a disparity in operational tempo, allowing adversaries to iterate and modify their tactics more swiftly than defenders can detect and counteract.
Sophisticated Social Engineering
There have been some sophisticated social engineering techniques employed in recent history. Two stand out in particular. Spearphishing Voice (T1598.004) uses AI-generated voices to impersonate executives and trusted contacts, which is usually combined with typical urgency tactics to bypass verification protocols. The other technique, Malicious Copy & Paste (T1204.004), uses the trust of users in ways that seem harmless to execute malicious code.
These techniques succeed because they target human behavior rather than technical flaws. Security teams must account for human weaknesses and biases even as they strengthen their technical defenses.
SaaS and Identity Exposures
In 2025, cloud-based collaboration platforms and identity systems are among the latest targets of cyber threats. The common OAuth token has become a target for aggressive exploitation, with features such as connected-app permissions now treated as weaknesses. This often gives adversaries persistent access to SaaS environments.
Basic perimeter defenses no longer protect against this sort of attack, primarily because a valid OAuth token or a compromised service account grants adversaries legitimate access to organizational credentials. Detection is difficult in this case, and CISOs need multiple layers of deep instrumentation across identity and access management systems, authentication patterns, and SaaS API activity.
The Solution: Transitioning to Threat-Led Defense
The Tidal Cyber 2025 Threat-Led Defense Report provides three possible solutions that can be employed to transition to Threat-Led Defense.
Beyond Technique Mapping
We argue that MITRE ATT&CK technique-level mapping has become too abstract to provide the specificity needed for actionable defense. Frameworks are great for taxonomies, but CISOs must build teams that operate at the granular, procedural level.
Knowing which technique an adversary uses provides limited defensive information, but understanding the specific tools, command sequences, and environmental conditions an adversary could exploit greatly improves targeted detection logic and control validation. Threat-led defense requires moving from abstract techniques to actionable procedures.
Continuous Validation
Most penetration tests are annual, and tabletop exercises are quarterly routines. These are no longer sufficient against adversaries that evolve weekly. Our report pushes for behavior-oriented validation that tests whether existing defenses can detect and stop the latest versions of adversary attacks.
This includes adding adversary emulation into regular security operations. To validate detection logic, purple team exercises are excellent for recreating real-world attack procedures and maintaining telemetry that identifies behavioral signs, not just static signatures. This should be done at least on a monthly basis for these defenses to remain effective and relevant.
The New Perimeter
Our report advocates for moving detection logic from traditional endpoints to identity, SaaS, and cloud-control layers.
Access to identity provider logs, SaaS API activity, cloud control plane operations, and cross-tenant authentication is a prerequisite for modern defense. Organizations must implement telemetry that monitors the movement of identities across cloud environments, the processes by which permissions are allocated and used, and data transfer between services. The endpoint remains significant, but it is no longer the central focus of defense strategies.
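As an added illustration of the identity-layer telemetry described above (example code, not the report's or any vendor's), the block below reviews constructed identity-provider audit events for the two things the SaaS and Identity Exposures section warns about: connected-app consent grants that hand out persistent, broad access, and tokens used in a tenant where no consent was ever recorded. Event field names, app identifiers, the allowlist and the scope strings are all assumptions.

```python
from collections import defaultdict

# Constructed identity-provider audit events (sample data; field names and scope strings are assumed).
IDP_EVENTS = [
    {"ts": "2025-09-02T08:01Z", "type": "consent_grant", "user": "alice@example.test", "app_id": "app-ticketing", "tenant": "corp", "scopes": ["mail.read", "offline_access"]},
    {"ts": "2025-09-02T08:02Z", "type": "consent_grant", "user": "bob@example.test", "app_id": "app-unknown-42", "tenant": "corp", "scopes": ["files.readwrite.all", "offline_access"]},
    {"ts": "2025-09-02T09:15Z", "type": "token_use", "app_id": "app-ticketing", "tenant": "corp", "api": "mail.read"},
    {"ts": "2025-09-02T09:20Z", "type": "token_use", "app_id": "app-unknown-42", "tenant": "corp", "api": "files.readwrite.all"},
    {"ts": "2025-09-03T02:10Z", "type": "token_use", "app_id": "app-unknown-42", "tenant": "partner", "api": "files.readwrite.all"},
    {"ts": "2025-09-03T03:00Z", "type": "token_use", "app_id": "svc-backup", "tenant": "corp", "api": "files.read.all"},
]

APPROVED_APPS = {"app-ticketing", "svc-backup"}        # assumed allowlist maintained by the SaaS/identity team
PERSISTENT_SCOPES = {"offline_access"}                  # refresh-token capable: access outlives the user's session
BROAD_SCOPES = {"files.readwrite.all", "mail.readwrite", "directory.readwrite.all"}

def review_consent(events):
    """Flag consent grants that allocate persistent, broad access or go to apps nobody approved."""
    findings = []
    for ev in events:
        if ev["type"] != "consent_grant":
            continue
        scopes, reasons = set(ev["scopes"]), []
        if ev["app_id"] not in APPROVED_APPS:
            reasons.append("unapproved_app")
        if scopes & PERSISTENT_SCOPES and scopes & BROAD_SCOPES:
            reasons.append("persistent_broad_access")
        if reasons:
            findings.append((ev["app_id"], ev["user"], reasons))
    return findings

def review_token_use(events):
    """Flag tokens used in a tenant where no consent was recorded (cross-tenant or pre-existing access)."""
    granted = defaultdict(set)   # app_id -> tenants with a recorded consent grant
    for ev in events:
        if ev["type"] == "consent_grant":
            granted[ev["app_id"]].add(ev["tenant"])
    findings = []
    for ev in events:
        if ev["type"] == "token_use" and ev["app_id"] not in APPROVED_APPS \
                and ev["tenant"] not in granted[ev["app_id"]]:
            findings.append((ev["app_id"], ev["tenant"], "token_use_without_recorded_consent"))
    return findings

if __name__ == "__main__":
    print(review_consent(IDP_EVENTS))
    print(review_token_use(IDP_EVENTS))
```

The approved ticketing app's grant and the backup service account's token use pass, while the unapproved app is flagged twice: once at consent for persistent broad access, and again when its token shows up in the partner tenant.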
Conclusion & 2026 Strategic Roadmap
In 2026, cyber resilience will be determined more by how an organization can adapt as fast as attackers do than by how well a defense mechanism is set up. Static controls are now old news, and annual assessments and reactive patching might not be sufficient to deal with adversaries who are changing their techniques in real time.
There are three key responsibilities CISOs now have. First, implement behavioral visibility at the procedural level. Second, invest heavily in telemetry for SaaS and identity systems. Third, ensure continuous defensive iterations to keep up with new waves of adversary attack iterations.
The Tidal Cyber report provides a roadmap, but execution requires organizational commitment. Security teams must be empowered to experiment, fail, and iterate. Budgets must prioritize behavioral analytics and cloud visibility over legacy infrastructure hardening. And leadership must accept that perfect prevention is impossible; the goal is resilient detection and rapid response.
The adversaries have already embraced continuous adaptation. The question for every CISO is whether their organization can match that pace or whether they will continue fighting tomorrow's battles with yesterday's strategies. The gap between those two futures is widening rapidly, and 2026 will separate the organizations that evolved from those that became case studies.