As we close out 2025, I keep coming back to the same uncomfortable thought:

This wasn't the year of flashy malware or clever exploits. It was the year our assumptions failed.

If 2024 was all about AI hype, then 2025 was about something far less exciting and far more damaging: the slow collapse of the edge.

Firewalls, VPNs, gateways, and management planes, the things we trusted to buy us time, became the first things to fall. And once attackers were in, they didn't rush. They blended in. They stayed.

Living off the Land Isn't "Advanced" Anymore

We've talked about Living off the Land (LotL) for years. In 2025, it stopped being a niche technique and became the default.

Salt Typhoon (Nation-linked Telco Espionage)

This incident stuck with me, not because of how access was gained, but because of how little noise it made afterward.

The attackers didn't drop custom tooling. They didn't burn zero-days once inside.

They used netsh, certutil, and other tools every enterprise admin uses daily.

And that's the problem.

Most detection tooling still assumes "bad things look bad." Salt Typhoon showed us that bad things now look normal.

ToolShell

ToolShell reinforced another pattern we saw repeatedly this year:

  • Initial exploit
  • Immediate pivot
  • In-memory execution inside trusted binaries like rundll32.exe

No patience required. No persistence mechanisms you could point to cleanly.

If your detections weren't tuned to how admins usually behave, not just what they run, this activity slid right through.
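One way to put "how admins usually behave, not just what they run" into a detection, as an added example that is not part of the original post: learn which users normally touch which LotL binaries, then flag both well-known abuse shapes (a certutil download, a bare rundll32 with nothing to load) and first-time use of a binary by a user. The events, user names and heuristics are constructed; field shape loosely follows a Sysmon process-creation record.

```python
"""Baseline-aware LotL triage over constructed process-creation events."""
from collections import defaultdict
import re

# Constructed sample: (user, image, command_line). HISTORY is only used to learn
# who normally runs what; TODAY is the window being triaged.
HISTORY = [
    ("CORP\\ops-admin", "certutil.exe", "certutil -verify server.cer"),
    ("CORP\\ops-admin", "netsh.exe", "netsh advfirewall show allprofiles"),
    ("CORP\\ops-admin", "netsh.exe", "netsh interface show interface"),
    ("CORP\\helpdesk1", "certutil.exe", "certutil -verify user.cer"),
]
TODAY = [
    ("CORP\\ops-admin", "netsh.exe", "netsh advfirewall show allprofiles"),
    ("CORP\\svc-web", "certutil.exe", "certutil -urlcache -split -f http://example.invalid/a.txt a.txt"),
    ("CORP\\svc-web", "rundll32.exe", "rundll32.exe"),
    ("CORP\\helpdesk1", "netsh.exe", "netsh interface show interface"),
]

# Command-line shapes that are rarely legitimate interactive admin work.
# Illustrative heuristics (constructed), not a complete rule set.
SUSPICIOUS = {
    "certutil.exe": re.compile(r"-(urlcache|decode|encode)\b", re.I),
    "rundll32.exe": re.compile(r"^rundll32(\.exe)?\s*$", re.I),  # no DLL or entry point given
}


def build_baseline(events):
    """Map each user to the set of LotL binaries they ran in the history window."""
    seen = defaultdict(set)
    for user, image, _ in events:
        seen[user].add(image.lower())
    return seen


def triage(events, baseline):
    """Return (user, image, reason) tuples for events worth a human look.

    Known-bad argument shapes win over the baseline check, so a long-time
    certutil user still gets flagged for a download-style invocation.
    """
    hits = []
    for user, image, cmd in events:
        img = image.lower()
        pat = SUSPICIOUS.get(img)
        if pat and pat.search(cmd):
            hits.append((user, img, "suspicious arguments"))
        elif img not in baseline.get(user, set()):
            hits.append((user, img, "first use of this binary by this user"))
    return hits
```

In a real feed the baseline window should be weeks, not four lines, and the same idea extends to parent process and working hours.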

OWASP 2025: Supply Chain Failures Earned Their Spot

OWASP didn't move Software Supply Chain Failures up the list to be trendy. They did it because 2025 made the risk impossible to ignore.

The Salesforce / Drift incident in August is the one I now use as a reference example.

Salesforce wasn't breached. Infrastructure wasn't popped.

Instead, OAuth tokens tied to a third-party integration were abused, and suddenly the blast radius wasn't one company, it was hundreds.

That's when it really sank in for a lot of teams:

We are no longer just defending our environment. We're defending every trust relationship attached to it.

2025 Incidents & What Would Have Actually Helped

By mid-2025, one pattern became impossible to ignore: most organizations didn't fail because they ignored security; they failed because they were defending yesterday's problems.

What follows isn't a list of breaches meant to shock. It's a practical look at what controls would have reduced damage or broken attacker persistence, based on how these incidents actually unfolded.

I've deliberately avoided generic advice like "patch faster" or "add more tooling." In many of these cases, teams did patch, did monitor, and did respond. The issue was deeper: assumptions that no longer hold.

2025 Incidents

The table below focuses on root failure patterns and the specific defensive controls that could have meaningfully changed outcomes, not theoretical best practices.

Across telecoms, SaaS, retail, and critical infrastructure, the same failure patterns kept repeating.

What This Table Really Shows

Despite covering different industries, attackers, and tooling, the same failure modes appear repeatedly:

  • Identity abuse mattered more than exploits
  • Edge systems failed faster than internal controls
  • Supply-chain trust expanded blast radius
  • Persistence, not access, did the real damage

The uncomfortable takeaway is this: most of these incidents wouldn't have been prevented by "one more tool."

They required different mental models, treating identity as hostile, assuming compromise, and designing systems where persistence is expensive and visibility is unavoidable.

What 2025 Forced Us to Admit

1. "Patch Faster" Is Not a Strategy

Patching still matters, but zero-days are being exploited within hours now.

If a compromise automatically means persistence, you lose.

The teams that fared better assumed:

  • Breach is inevitable
  • Persistence is optional
  • Rebuilds are cheaper than cleanup

That mindset shift matters more than any specific tool.

2. Identity Is Where Most Attacks Actually Finish

In the Drift and JLR cases, no one "broke in."

They authenticated.

Once that clicked for many teams, priorities shifted fast:

  • FIDO2 stopped being "nice to have"
  • Identity telemetry became as important as endpoint logs

3. SBOMs Are About Visibility, Not Compliance

An SBOM won't save you by itself.

But not having one guarantees you'll be guessing when something upstream fails, and guessing is not where you want to be during an incident.

Three Things I'd Push Hard in Q1 2026

If you're overwhelmed (and most teams are), I'd focus here:

  • Inventory integrations properly: OAuth tokens, SaaS permissions, service accounts. Most environments still don't really know what they've trusted.
  • Actively hunt for LotL behavior: stop waiting for alerts. Look for misuse of certutil, PowerShell, wmic, and admin tooling.
  • Treat edge management planes as internal-only assets: if it can reconfigure your security controls, it shouldn't be reachable from the internet. Full stop.
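A starting point for the integration inventory, as an added example that is not part of the original post and covers both the Drift-style OAuth abuse above and the first Q1 item: score each third-party grant on the questions that would have mattered, whether the app is approved, whether its scopes are broad, whether its approver still works here, and whether the token is still in use. The grant records, app names, scope names, allowlist and thresholds are all constructed.

```python
"""Triage of third-party OAuth grants from a constructed admin export."""
from dataclasses import dataclass


@dataclass
class Grant:
    app: str
    scopes: frozenset
    approved_by: str
    last_used_days_ago: int


BROAD_SCOPES = {"full", "refresh_token", "offline_access"}  # constructed: treat as privileged
APPROVED_APPS = {"ticketing-sync", "hr-connector"}         # constructed allowlist
INACTIVE_USERS = {"j.doe"}                                  # constructed leaver list
STALE_DAYS = 90                                             # constructed threshold

# Constructed sample export: what app, which scopes, who approved it, last refresh.
GRANTS = [
    Grant("ticketing-sync", frozenset({"read_cases"}), "a.smith", 2),
    Grant("web-chat-bot", frozenset({"full", "refresh_token"}), "j.doe", 3),
    Grant("hr-connector", frozenset({"read_users"}), "a.smith", 140),
    Grant("legacy-export", frozenset({"full"}), "a.smith", 400),
]


def assess(grant):
    """Return the reasons a grant deserves review (empty list = looks fine)."""
    reasons = []
    if grant.app not in APPROVED_APPS:
        reasons.append("app not on allowlist")
    if grant.scopes & BROAD_SCOPES:
        reasons.append("broad scopes")
    if grant.approved_by in INACTIVE_USERS:
        reasons.append("approver has left")
    if grant.last_used_days_ago > STALE_DAYS:
        reasons.append("stale token")
    return reasons


def inventory(grants):
    """Order grants by how many problems they carry; revoke candidates come first."""
    return sorted(((g.app, assess(g)) for g in grants), key=lambda r: -len(r[1]))
```

The point of the ordering is that a live, broad-scope grant approved by someone who has left is the one to revoke today; a stale read-only token is a cleanup task.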

Final Thought

2025 didn't reward clever attackers. It rewarded patient ones.

And it punished defenders who still relied on old mental models.

What incident this year forced your team to rethink a core assumption? I'd genuinely like to hear, because shared lessons are one of the few advantages we still have.