Lightning-fast exploits make it essential to patch fast, ask questions later

Strengthen your MFA policies, double down on anti-phishing training, and for Jobs' sake, patch all your vulns right away. The past year of intelligence collected by Cisco's Talos threat hunters suggests that attackers are moving faster to exploit vulns, and fooling more staff than ever into giving up their credentials.

Team Talos published its year in review on Monday, describing 2025 as a year of pace and scale that put sustained pressure on security teams around the world, in part thanks to attackers' use of artificial intelligence. 

Talos was shocked by how quickly criminals have been moving to exploit newly discovered vulnerabilities, pointing to December's React2Shell as the perfect example. Even though it was disclosed only in December, it quickly became the most-targeted vuln of the year.

"The vulnerability's immediate exploitation reflects near-instant weaponization, driven by automated tooling and widespread internet exposure, leaving defenders little to no time between disclosure and active abuse," Talos noted in the report. 

Talos also noticed that attackers were settling on identity control points as primary targets in 2025, with "the vast majority of top-targeted network infrastructure vulnerabilities" falling into this category. Compromising identity control tech like VPNs or application delivery controllers (ADCs) means attackers can easily move laterally, grant themselves enhanced access, bypass MFA, achieve persistence, and the like. In a similar vein, network management software, like vCenter Server, Cisco Security Manager, and Aria Operations for Networks, is often less tightly monitored than edge appliances, meaning that it's also easier to break into.

As for how attackers are actually gaining access, phishing is still where it's at: 40 percent of intrusion response cases Talos investigated in 2025 began with a successful phish. 

The modern phishing lure is more sophisticated than ever. Gone are the misspellings, poor grammar, and other obvious errors, as AI helps attackers overcome language barriers and imitate real communications.

Core phishing lures - invoices, payments, document shares, meeting notices - remained consistent between 2024 and 2025, but the messages "looked less like generic spam and much more like everyday business, IT, and travel workflows that executives and employees routinely interact with," Talos said. Phishing messages also came from spoofed or compromised accounts 75 percent of the time last year, making it much harder to tell a sloppy attempt from a good one. 

The rising tide of AI, meanwhile, lifts all boats - including pirate ships. In 2025, baddies primarily used AI to improve on elements of existing attacks, but Talos predicts that AI will soon become a fundamental back-end part of cybercrime software, much like what's already happening in the commercial world. 

Good luck, cyber defenders

Cisco's report didn't include one single list of recommendations for cybersecurity professionals worried that the speed and craftiness of modern cybercrime will quickly overwhelm them, but there are some pretty important recommendations buried in the report. For example, security pros should prioritize network software and appliance patches for systems dealing with access management, when possible.

More broadly, warns Talos, defenders will have smaller reaction windows and escalating consequences for even short-term exposure, so patch fast, and prioritize anything in the identity and access control spaces. 

As for helping end users help themselves, anti-phishing training is always welcome, but Talos noted that MFA "spray" attacks, where attackers try a bunch of common passwords, were also a considerable threat in 2025, and recommended ensuring that MFA systems have strong lockout policies, deploy conditional access, enforce good password hygiene, and use strong session controls.

"Ultimately, Cisco Talos' 2025 report underscores that modern security requires a shift in focus from simply patching to securing the identity, supply chain, and management planes that govern the modern enterprise," Talos said of the report. 

In other words, get ready for a year of rethinking your security strategies. Attackers are definitely rethinking theirs. ®

https://go.theregister.com/feed/www.theregister.com/2026/03/23/cisco_talos_cybersecurity_report_patch_fast/