Looking at trends from incident response and investigation data in 2025, exploitation of public-facing applications emerged as the most common initial access vector, increasing by 44% year over year. The vulnerability landscape is growing, amplified by misconfigurations and the increasing complexity of application stacks, and the attack surface continues to expand. In particular, many exploited vulnerabilities do not require authentication, highlighting the need for tighter access controls, patch governance, and secure implementation methods.
The rapid growth in AI chatbot adoption has created an additional credential collection ecosystem. In 2025, over 300,000 ChatGPT credential sets were advertised on the dark web. This was primarily driven by information-stealing malware operators who expanded their target list to include AI services. Password reuse between personal and business accounts continues to create indirect attack paths where low-value consumer credentials are exploited for high-value business access.
Supply chain and third-party risks will accelerate. Major supply chain incidents have nearly quadrupled over the past five years, with attackers exploiting trusted developer identities, CI/CD platform and SaaS integrations, and downstream trust relationships to propagate breaches.
The ransomware ecosystem is more fragmented than ever, with attacks dominated by the top 10 groups decreasing by 25%. X-Force identified 109 different extortion groups in 2025, up from 73 in 2024. This signals lower barriers to entry for attackers, more opportunistic operations by attackers of varying levels of sophistication, and increased decentralization that favors smaller factions over larger, better-known gangs.
Manufacturing remains the most targeted industry, followed by the financial services and insurance sectors.
Geographically, North America had the highest concentration of activity, accounting for nearly one-third of all observed attacks.
