How business leaders must respond to new security attacks - and how cyber threat intelligence can help
© Thales/S21sec
Cyber Threat Intelligence (CTI) gathers information to let organisations ‘know their enemy’. So, what are the latest trends? And how can decision makers use CTI to protect their organisations?
The cybersecurity landscape never stays still. In 2025, new threat tools, rising geopolitical tensions and growing hacktivist activity combined to make the overall threat larger and more diverse than ever before.
The data proves it. According to the Thales Threat Landscape Report 2025, 48,172 vulnerabilities were disclosed during the year. That’s 18 percent up on 2024. The study says the most common vulnerabilities allowed attackers to remotely execute malicious code, steal sensitive database information, or bypass access controls.
But it’s not just the volume of attacks that’s challenging security teams; it’s also the speed. The data reveals that, during 2H 2025, it often took less than a day for attackers to exploit a vulnerability after it had been published as a CVE (Common Vulnerabilities and Exposures). The velocity of attack leaves organisations with little time to respond.
In addition to speed, attackers are also getting more organised. Example? The zero-day attack, which exploits a software vulnerability that is unknown to the developers. The report says hackers are no longer relying on chance. Instead, they are deliberately targeting zero-days and weaponising newly disclosed vulnerabilities (N-days) faster than organisations can patch them.
It’s clear that the fast-moving threat landscape is asking new questions of leaders at board and state level.
So how should decision makers respond?
Increasingly, Security Operations Centres (SOCs) know that high protective walls aren’t enough. Instead, they need to gather information about their enemies before they strike: who they are, which methods they use, when they will attack.
This information gathering is called Cyber Threat Intelligence (CTI) (see below). CTI combines knowledge of the risks to a specific sector with insight into more generic trends. This moves cyber defence from reactive to proactive.
Miguel Lopez Negrete, Global CTI Manager at Thales, has observed the increasing commitment of organisations to this form of defence over recent years. “Many companies now see CTI not as a cost but more as a form of investment,” he says. “As the general level of threat grows, CTI helps them to reduce the number of critical incidents - and that’s a competitive advantage in many cases.”
This is illustrated by the changing impact of cyber attacks on different industrial sectors. For example, the data shows that attacks in 2025 hit the manufacturing sector hardest, with 2,801 companies targeted - that’s 36.37 percent of the total across all verticals.
Miguel Lopez Negrete explains: “Cyber criminals have started to focus on less mature sectors like manufacturing. If you look at the banks, for example, they have invested heavily in CTI and cybersecurity, so they are getting harder for criminals to access. Small and medium manufacturing companies are not so well protected. So, we are seeing more and more criminals attacking and then extorting these organisations.”
So, what’s behind the increasing speed and professionalism of the attackers? Unsurprisingly, artificial intelligence is the central factor. In 2H 2025, 87 percent of organisations experienced an AI-driven incident while AI-generated phishing now accounts for over 80 percent of email threats.
Miguel Lopez Negrete says one of the key impacts of AI is how it democratises cyber crime. “Thanks to AI, attackers don’t need the same level of skill as before,” he says. “They can use AI to create fake identities, malware, campaigns and even entirely new TTPs (Techniques, Tactics and Procedures) that we have not seen before.”
Another by-product of AI automation is the rise of the cybercrime subscription model. These services allow attackers with no technical skills to pay a small monthly fee to run scams. The Threat Landscape Report 2025 reveals ‘extortion-as-a-service’ as the fastest rising threat. Here, criminals steal sensitive data and threaten to expose it to extract payments. They can pressure organisations to comply, even if strong backups or disaster recovery plans are in place.
Miguel Lopez Negrete explains: “Criminals can go to the dark or deep web and just sign up to an attack service like it’s Netflix. I think this is what’s behind the big rise in ransomware groups we’ve seen in recent years.” In fact, the data shows ransomware incidents hit 7,701 in 2025 (up 51.5 percent year on year) and that 63 new ransomware groups were identified.
Fortunately, the impact of AI works both ways. Miguel Lopez Negrete says that CTI teams can use it too. He adds: “AI helps us. We are now using AI across the operation to improve detection capabilities, and automate our processes. With these tools we can ingest information from a wide variety of sources, simplify it and better understand how criminals work.”
For business leaders, the lesson is clear: cybersecurity can no longer rely solely on perimeter defences. In a threat landscape shaped by automation, AI and industrialised cybercrime, organisations must invest in intelligence-led security - anticipating attacks rather than reacting to them.
A short guide to Cyber Threat Intelligence
CTI is cybersecurity’s early warning system.
CTI has become an essential component in the fight against cyber threats. According to Precedence Research, the global CTI market was valued at $16.8 billion in 2025 and is expected to approach $65 billion by 2035.
CTI teams go to a variety of sources to find information. They might start with internal intelligence gathered from customer systems such as security logs, incident reports and network telemetry. They can also explore open source intelligence from public sources including blogs, government alerts, social media and more.
Paying for curated intelligence from specialist CTI companies is another option. And finally, there’s the dark and deep web - hacker forums, stolen credential marketplaces and encrypted chat apps (such as Telegram or Signal) where so much cybercrime is currently organised.
CTI operatives group this information into three main types:
- Indicators of Compromise (IoCs)
Malicious IP addresses, domains, URLs, file hashes and more.
- Indicators of Attack (IoAs)
Behavioural patterns that indicate an ongoing attack: unusual login attempts or abnormal network traffic spikes.
- Techniques, Tactics, and Procedures (TTPs)
Descriptions of specific methods used by attackers, often mapped to frameworks like MITRE ATT&CK (a knowledge base of adversary tactics and techniques based on real-world observations).
Beyond these operational categories, some practitioners also distinguish a fourth type: strategic cyber threat intelligence.
This reporting is less focused on immediate detection or response and instead provides higher‑level insights that help organisations anticipate risk, prioritise investments, and adapt their overall cybersecurity posture over time.
To help enterprises act on the above insights, CTI teams use visualisation techniques that turn large data sets into actionable pictures. These visual aids help the team to see who is attacking, where they are, how they are linked, and when they might strike.
Data visualisation tools include geospatial or heat maps that show how different entities (IP addresses, domains, threat actors etc.) relate to each other. Another option is a timeline that lets teams see a play-by-play list of cyberattack events in chronological order.
Data snapshot: the changing cybersecurity threat in 2025
- 48,172 vulnerabilities reported in 2025, 18 percent more than in 2024
- Ransomware incidents in 2025 hit 7,701, up 51.5 percent year on year
- 63 new ransomware groups identified over the year, representing a 37 percent increase on 2024
- 87 percent of organisations experienced an AI-driven incident
- 2,801 manufacturing companies were targeted by cyber attackers - accounting for one in three across all verticals.