The Definitive 2025 Cyber Rewind & 2026 Roadmap

What a difference six months makes.

Back in June 2025, when I stood on the stage at the face-to-face SECON conference, the energy in the room was electric. We shook hands, we debated in the hallways, and we shared our “war stories” over coffee. But even then, I could see the fatigue in your eyes.

Fast forward to this week. I just signed off from my closing keynote at the SECON International Virtual Conference for December. The medium was different—screens instead of a stage, chat windows instead of applause—but the weight of our responsibility has only grown heavier.

As I shared in my virtual session, “2026 Cybersecurity Forecast: Lessons Learned from 2025,” the landscape has shifted beneath our feet since we last met in June. We aren’t just fighting hackers in hoodies anymore; we are fighting a fully automated business.

I was chatting with a peer from the Global CISO Forum after the broadcast (virtually, of course, though I still had my mandatory espresso in hand), and we agreed on one thing: The charts don’t look like they used to.

If you missed the live stream, you can watch the recording below. But for those who want the full, unvarnished details, I’ve written this deep dive. This isn’t just a summary; it’s the full research, the hard data, and the real stories of why 2025 broke the “login” button.

Part 1: The “Compliance Tsunami” & The Accountability Shift

One of the first questions I asked the audience back in June—and repeated online this December—was: “Can you go to jail for doing your job?”

A few years ago, we would have laughed. In 2025, nobody is laughing. We are living through a “Compliance Tsunami.”

The regulatory landscape has become aggressive. Between the SEC’s 4-day disclosure rules and the personal liability precedents set by cases like SolarWinds and Uber, the message to the C-Suite is clear: Accountability is absolute.

We saw this play out painfully throughout 2025. It wasn’t just about losing data anymore; it was about the negligence leading up to it. The breaches that hurt the most—like the 23andMe and Snowflake incidents—weren’t typically caused by sophisticated zero-day exploits. They were caused by a failure of basics:

  • Lack of Multi-Factor Authentication (MFA) on “test” environments.
  • Reusing passwords on “non-production” servers.

As I told the virtual crowd: “There is no such thing as a ‘non-production’ credential anymore. If it unlocks a door, it’s a target. If you are skipping MFA in 2025, you are handing the keys to the attacker.”

Part 2: By The Numbers (2024 vs. 2025)

Before we get into the stories, let’s look at the data. I pulled these numbers from industry reports to show you exactly how the threat landscape morphed between our June meeting and now.

  • Primary Attack Vector. 2024 (The “Old” Way): Phishing (Malicious Links). 2025 (The “New” Normal): Identity Abuse (Valid Credentials). What it means: they aren’t hacking in; they are logging in.
  • MFA Bypass Rate. 2024: 12%. 2025: 45%. What it means: tools like EvilGinx made standard MFA useless.
  • Ransomware Strategy. 2024: 70% Encryption / 30% Theft. 2025: 20% Encryption / 80% Theft. What it means: “Data Kidnapping” is faster and quieter than encryption.
  • Breakout Time. 2024: 62 Minutes. 2025: 44 Minutes. What it means: attackers (aided by AI) move laterally faster than ever.

Part 3: The 2025 Threat Landscape

2025 wasn’t just “2024 but worse.” It was a fundamental shift in TTPs. Here are the specific, real-world examples I shared to illustrate each major threat.


1. The Death of Legacy Authentication

  • The Trend: Attackers targeting “forgotten” infrastructure.
  • The Real Story: The “Akira” Manufacturing Blitz (January 2025). Early in the year, we saw a massive wave of attacks targeting mid-sized manufacturing firms. The Akira ransomware group didn’t use a zero-day. They scanned the internet for legacy VPNs that hadn’t been patched in 3 years.
  • The Impact: One automotive supplier was down for 9 days. They had “perfect” security on their new cloud servers, but the attackers came in through an old concentrator that the IT team was afraid to turn off.
  • The Lesson: You are only as secure as your oldest device.

2. Identity: The “Session” Heist

  • The Trend: “MFA Fatigue” and Token Theft.
  • The Real Story: The “Horizon Bank” Incident (March 2025; name changed for privacy). A regional bank faced a near-catastrophic breach. It wasn’t a password leak. Their admins used MFA. But attackers sent a “Quishing” (QR phishing) email about “Urgent 401k Updates.” When the admin scanned the code with their phone, they logged into a fake portal. The toolkit (Mamba2FA) proxied the request to the real site, the admin approved the MFA, and the attackers stole the session cookie. They bypassed the password and the MFA entirely.
  • The Lesson: “Push” notifications are dead. If your MFA is phishable, you don’t have MFA. You need FIDO2 (hardware keys).
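Why the FIDO2 recommendation holds against a Mamba2FA-style proxy, as an added Python example (not code from the keynote): a WebAuthn relying party checks the origin and RP ID that the browser itself bound into the assertion, so an assertion produced on a look-alike domain is rejected even when the proxy forwards it untouched. The hostnames (bank.example) and the simplified browser stand-in are constructed, and signature verification is assumed to happen separately.

```python
"""Added example (not from the keynote): the relying-party checks that make a FIDO2/WebAuthn
login unphishable by an AiTM proxy. Hostnames are constructed; signature checking assumed."""
import base64
import hashlib
import json

RP_ID = "bank.example"                  # constructed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(page_origin: str, challenge: bytes) -> dict:
    """Simplified stand-in for what a browser hands back. The browser, not the web page,
    fills in `origin` and the RP ID hash from the site the user is really on, so a proxy
    at a look-alike domain cannot make them say bank.example."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount (4 bytes)
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, issued_challenge: bytes) -> tuple:
    """Checks the WebAuthn spec requires before signature verification. Returns (ok, reason)."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: assertion made on {client.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another site"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x11" * 32  # constructed; use os.urandom(32) per login in practice
    print(verify_assertion(browser_assertion("https://bank.example", challenge), challenge))
    # The proxy relays the victim's assertion unchanged, but the browser bound it to the
    # phishing page's origin, so the bank's server rejects it.
    print(verify_assertion(browser_assertion("https://bank-login.example", challenge), challenge))
```

Contrast this with a TOTP or push approval, which carries no origin at all and is therefore relayed by the proxy without any check the server could make.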

3. The Cloud Kidnappers

  • The Trend: Ransomware without encryption.
  • The Real Story: The “Codefinger” S3 Attack (July 2025). A global logistics company woke up to find their servers were running fine, but their data was gone. A new group, “Codefinger,” had compromised a DevOps engineer’s laptop, found an AWS API Key, and used it to issue a massive command: S3:MoveObject. They moved 4 Petabytes of shipping data to their own encrypted bucket and deleted the originals. No malware was ever installed on the company’s servers. It was purely an API attack.
  • The Lesson: Your backups must be “Immutable” (WORM). If your admin keys can delete backups, they aren’t backups.
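One way to turn “if your admin keys can delete backups, they aren’t backups” into a check you can run before an incident, as an added Python example (not code from the keynote): audit the IAM policy documents attached to a key offline and report every Allow statement whose action wildcards reach a delete, lifecycle or Object Lock action on the backup bucket. The bucket name and the two policies are constructed, and only Allow statements with an Action element are evaluated.

```python
"""Added example (not from the keynote): an offline audit of IAM policy documents for the
rule "if your admin keys can delete backups, they aren't backups". Bucket names and policies
below are constructed; only Allow statements with an Action element are evaluated."""
import fnmatch
import json

# Actions that can destroy, expire, or unlock a backup object (defender-chosen, not exhaustive)
DESTRUCTIVE = (
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutLifecycleConfiguration", "s3:PutBucketObjectLockConfiguration",
    "s3:PutObjectRetention", "s3:BypassGovernanceRetention",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern: str, value: str) -> bool:
    # IAM action and ARN wildcards (* and ?) match case-insensitively
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def backup_deletion_risks(policy_json: str, backup_bucket_arn: str) -> list:
    """Return one finding per (statement, action) that lets the principal destroy backups.
    Deny statements and NotAction/NotResource grants are out of scope for this check."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(_matches(r, backup_bucket_arn) or _matches(r, backup_bucket_arn + "/*")
                   for r in resources):
            continue
        for granted in _as_list(stmt["Action"]):
            for action in DESTRUCTIVE:
                if _matches(granted, action):
                    findings.append({"sid": stmt.get("Sid", f"statement-{i}"),
                                     "grant": granted, "allows": action})
    return findings

BACKUP_BUCKET = "arn:aws:s3:::backups-prod"  # constructed

# Constructed: the kind of key a DevOps laptop might hold, and a write-only replacement.
DEVOPS_ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DevOpsFullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})
BACKUP_WRITER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "WriteOnly", "Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
     "Resource": [BACKUP_BUCKET, BACKUP_BUCKET + "/*"]}]})

if __name__ == "__main__":
    for f in backup_deletion_risks(DEVOPS_ADMIN_POLICY, BACKUP_BUCKET):
        print(f"{f['sid']}: '{f['grant']}' allows {f['allows']}")
    print("write-only findings:", backup_deletion_risks(BACKUP_WRITER_POLICY, BACKUP_BUCKET))
```

The write-only policy is what a backup agent needs; retention itself still has to be enforced with Object Lock in compliance mode, which this check only confirms nobody can switch off.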

4. The $20 Million Deepfake (Social Engineering 2.0)

  • The Trend: Zero Trust Media.
  • The Real Story: The Hong Kong Finance Heist (November 2025). This is the one everyone is talking about. A finance worker at a multinational firm received a message from the CFO inviting him to a video call to discuss a “secret acquisition.” He joined the Zoom call. He saw the CFO. He saw the legal counsel. They were all fake. The attackers used real-time Deepfake technology to render the faces and voices of everyone on the call. The employee transferred $20 million to “secure the deal.”
  • The Lesson: “I saw him on video” is no longer proof of identity. We have entered the era of “Zero Trust Media.”

Part 4: What to Expect in 2026

So, how does this data shape our future? Based on the trajectory of 2025, here is what I told the SECON audience to prepare for.

1. The Era of “Agentic AI” Attacks

In 2024 and 2025, attackers used AI to write better phishing emails. In 2026, they will use AI Agents. These are autonomous software loops that can be given a goal—“Scan this network, find a vulnerability, and exploit it”—and they will execute it without human intervention.

  • The Threat: The speed of attacks will move from “human speed” (minutes/hours) to “machine speed” (milliseconds).
  • The Defense: We cannot fight machines with humans. We will need Autonomous SOCs (Tier-1 AI Analysts) that can detect and patch holes in real-time.

2. “Shadow AI” Becomes the Main Leak Vector

I asked the room: “Who here uses ChatGPT or Gemini at work?” Half the hands went up. Then I asked: “Who is authorized to do so?” Half the hands went down. This is Shadow AI. Well-meaning employees are pasting code, legal contracts, and customer PII into public LLMs to “get work done faster.” In 2026, we will see the first major breaches caused not by a hack, but by Prompt Leakage—where proprietary data pasted into a public model is regurgitated to a competitor.

3. The “Harvest Now, Decrypt Later” Reality

With NIST finalizing Post-Quantum Cryptography (PQC) standards, the clock is ticking. Sophisticated adversaries are stealing encrypted data now—data they can’t read yet—and storing it. They are waiting for quantum computers to mature (likely in the next 5-10 years) to break that encryption.

  • The Action: If you have data that needs to stay secret for 10+ years (healthcare, state secrets, trade secrets), you need to be looking at Crypto-Agility today.

Part 5: Strategic Advice for the Boardroom

I closed my keynote with a piece of advice that has saved my career more than once.

We security professionals love to speak in “Bits and Bytes.” We talk about SQL injection, EDR coverage, and patch latency. The Board does not care about SQL injection.

To survive 2026, you must translate technical risk into Business Risk.

  • Don’t say: “We need $50,000 for a new firewall to block port 445.”
  • Do say: “We need to invest to prevent a potential $10 million revenue halt that would occur if our logistics system goes down for 24 hours.”

We need to stop being the “Department of No” and start being the “Department of Resilience.”

Here is the video:

Further Reading

2025 Cybersecurity Recap: The Year Systems Broke And Why 2026 Will Be Harder

The Future of Cybersecurity: A 2025 Forecast
