Every year, CrowdStrike’s Global Threat Report (GTR) distills where adversaries are winning and how defenders need to adapt. The 2025 edition is blunt: identity-driven, malware-free intrusions are faster, cloud-savvy, and increasingly fueled by access brokers and social engineering. Manufacturers, software producers, and supply-chain stakeholders should treat this as a clear mandate to harden both identity paths and the software supply chain embedded in connected products.
Below, our perspective on the most consequential trends and what to do next.
Hands-on-keyboard beats malware — CrowdStrike reports that 79% of detections were malware-free in 2024, with average eCrime breakout time (initial access to first lateral movement) down to 48 minutes and the fastest observed at 51 seconds: a detection-and-response sprint, not a marathon.
Identity is the front door (and back door) — Valid account abuse drove 35% of cloud incidents; access-broker advertisements rose roughly 50% year over year; and 52% of the vulnerabilities CrowdStrike observed being exploited were tied to initial access, showing how stolen credentials and exposed services combine into reliable footholds.
Vishing & help-desk social engineering exploded — Telephone-oriented social engineering surged (+442% in H2 versus H1 2024), with adversaries coaching users into running remote-access tooling that then becomes the adversary's foothold and persistence.
Cloud control plane is target-rich — CrowdStrike observed a 26% increase in new or unattributed cloud intrusions, widespread abuse of cloud CLIs and IAM, and persistence via alternate authentication methods, now common across multiple actor sets.
Perimeter devices remain prime real estate — Threat actors repeatedly target network-periphery devices and reuse established vectors; exploit chaining and abusing legitimate features enable unauthenticated RCE and durable persistence.
Social engineering hits enterprises; CVEs pop edge devices — The GTR underscores the surge in phone-based social engineering (vishing, help-desk scams) as an enterprise initial-access method and, separately, continued targeting of network-perimeter devices via publicly disclosed CVEs with available proof-of-concept exploits. This bifurcation matters: educate people and harden identity for the enterprise core, while aggressively managing vulnerabilities on the edge.
Exploit chains are the new norm — CrowdStrike documents multiple 2024 intrusions where individually "moderate" vulnerabilities were chained to reach pre-auth RCE, including Palo Alto Networks PAN-OS and Cisco IOS cases. Chaining also breaks severity-only patching: a post-auth bug rated moderate gets deprioritized, then becomes the second link as soon as an authentication bypass appears in front of it.
Living off legitimate features for RCE — Beyond classic exploits, actors "finish the job" by abusing built-in features (an integrated command shell, or SQL Server's xp_cmdshell, for example) to achieve RCE. Your device's "helpful" features can be an attacker's runtime.
Compromised devices fuel ORB infrastructure — CrowdStrike highlights operational relay box (ORB) networks, built from hundreds or thousands of compromised devices, used to proxy attacker traffic and obscure its origin.
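Abuse of a built-in feature such as xp_cmdshell leaves a recognisable trail in the database's own audit log. The detector below is an added example written for this post, not CrowdStrike's or any vendor's detection content: it walks constructed SQL Server audit records (the record shape, session numbers, logins and statements are all hypothetical) and flags a session that switches xp_cmdshell on with sp_configure and then executes it, rating that sequence above execution alone.

```python
"""Detect 'living off legitimate features' on SQL Server: enabling xp_cmdshell via
sp_configure and then using it to run OS commands. Added example; the audit records
below are constructed and only loosely shaped like SQL Server Audit output."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed audit records (hypothetical sessions, logins and statements), in arrival order.
SAMPLE_AUDIT: List[Dict] = [
    {"ts": "2024-06-01T10:00:01", "session": 51, "login": "svc_report",
     "statement": "SELECT name FROM sys.databases"},
    {"ts": "2024-06-01T10:00:05", "session": 52, "login": "sa",
     "statement": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"},
    {"ts": "2024-06-01T10:00:06", "session": 52, "login": "sa",
     "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"ts": "2024-06-01T10:00:09", "session": 52, "login": "sa",
     "statement": "EXEC master..xp_cmdshell 'whoami'"},
    {"ts": "2024-06-01T10:01:00", "session": 53, "login": "dba_ops",
     "statement": "EXEC sp_configure 'show advanced options', 1"},
]

# sp_configure 'xp_cmdshell', 1  -> the feature is being switched on.
ENABLE_XP = re.compile(r"sp_configure\s+N?'xp_cmdshell'\s*,\s*1\b", re.I)
# xp_cmdshell invoked as a procedure (not quoted as an sp_configure option name).
EXEC_XP = re.compile(r"(?<!')\bxp_cmdshell\b", re.I)
# First quoted argument after the procedure name, i.e. the OS command line.
XP_ARG = re.compile(r"xp_cmdshell\s+N?'([^']*)'", re.I)


def detect_xp_cmdshell_abuse(records: List[Dict]) -> List[Dict]:
    """Return alerts, in order, for xp_cmdshell enablement and execution.

    Severity: 'low' when a session merely enables the feature; 'high' when the same
    session enables it and then runs it (the classic post-auth RCE sequence);
    'medium' when it is executed without a prior enable in that session, meaning the
    feature was already on, which is itself a hardening finding. Records must be
    time-ordered.
    """
    enabled_by_session: Dict[int, List[str]] = defaultdict(list)
    alerts: List[Dict] = []
    for rec in records:
        stmt, sid = rec["statement"], rec["session"]
        if ENABLE_XP.search(stmt):
            enabled_by_session[sid].append(rec["ts"])
            alerts.append({"ts": rec["ts"], "session": sid, "login": rec["login"],
                           "severity": "low", "event": "xp_cmdshell enabled"})
        elif EXEC_XP.search(stmt):
            m = XP_ARG.search(stmt)
            alerts.append({"ts": rec["ts"], "session": sid, "login": rec["login"],
                           "severity": "high" if enabled_by_session[sid] else "medium",
                           "event": "xp_cmdshell executed",
                           "command": m.group(1) if m else None})
    return alerts


if __name__ == "__main__":
    for alert in detect_xp_cmdshell_abuse(SAMPLE_AUDIT):
        print(alert)
```

The corrective configuration is the mirror image of what the attacker ran, `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`, and alerting on the "enabled" event catches the change itself rather than only its consequences.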
The GTR makes it clear that risk isn’t just at the identity provider or the endpoint EDR sees; it’s baked into device firmware, third-party components, exposed services, and cloud/API integrations that products rely on.
If you build, ship, or operate connected products, your defensive posture must align to these trends, all of which intersect your product's software supply chain and device fleet.
1) Initial-Access Vulns & Perimeter Device Exposure → SBOM-anchored visibility + binary analysis
2) “Prioritize what’s exploitable” vs. “patch everything” → Risk-based triage aligned to adversary tradecraft
3) Cloud-Conscious Attack Paths from Device to Control Plane → Assess and harden product-to-cloud trust
4) Regulatory Pressure Meets Real-World Threats → Prove due diligence across the product lifecycle
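Items 1 and 2 above, together with the chaining point earlier in the post, come together in triage. The script below is an added example written for this post, not CrowdStrike's data or any vendor's product code: it reads a constructed CycloneDX-style SBOM for a hypothetical device, keeps only the advisories whose purl the SBOM actually ships, then walks the exploit chains an attacker could build from an internet-facing position and ranks fixes by how many chains each one cuts. The advisory IDs, CVSS scores, capability names ("internet", "auth", "rce", "internal", "physical") and the rule that code execution on the device reaches internal-only services are all assumptions made for the example, not real CVEs or real product data.

```python
"""Chain-aware vulnerability triage over an SBOM. Added example: the SBOM is a
constructed CycloneDX 1.5-style document, and the advisories, capabilities and
exposure model are hypothetical (no real CVE IDs or scores)."""
import json
from typing import Dict, List, Set

# Constructed CycloneDX-style SBOM for a hypothetical connected-device firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "web-mgmt",   "name": "web-mgmt",   "version": "2.1.0", "purl": "pkg:generic/acme/web-mgmt@2.1.0"},
    {"bom-ref": "config-svc", "name": "config-svc", "version": "1.4.2", "purl": "pkg:generic/acme/config-svc@1.4.2"},
    {"bom-ref": "libfoo",     "name": "libfoo",     "version": "0.9.1", "purl": "pkg:generic/thirdparty/libfoo@0.9.1"}
  ]
}"""

# Hypothetical advisories keyed by purl. 'requires' is the capability an attacker must
# already hold for the bug to be usable; 'grants' is what successful exploitation yields.
ADVISORIES: List[Dict] = [
    {"id": "ADV-0001", "purl": "pkg:generic/acme/web-mgmt@2.1.0",        "cvss": 6.1, "requires": "internet", "grants": "auth"},
    {"id": "ADV-0002", "purl": "pkg:generic/acme/web-mgmt@2.1.0",        "cvss": 7.2, "requires": "auth",     "grants": "rce"},
    {"id": "ADV-0003", "purl": "pkg:generic/thirdparty/libfoo@0.9.1",    "cvss": 9.8, "requires": "internal", "grants": "rce"},
    {"id": "ADV-0004", "purl": "pkg:generic/thirdparty/libbar@3.0.0",    "cvss": 9.1, "requires": "internet", "grants": "rce"},  # not in SBOM
    {"id": "ADV-0005", "purl": "pkg:generic/acme/config-svc@1.4.2",      "cvss": 8.0, "requires": "physical", "grants": "rce"},
]

# Assumed exposure rule: code execution on the device reaches internal-only services.
IMPLIED_CAPS = {"rce": {"internal"}}


def sbom_purls(sbom_json: str) -> Set[str]:
    """Extract the purl of every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    return {c["purl"] for c in bom.get("components", []) if "purl" in c}


def applicable(advisories: List[Dict], purls: Set[str]) -> List[Dict]:
    """Keep only advisories whose affected purl the SBOM says is actually shipped."""
    return [a for a in advisories if a["purl"] in purls]


def reachable_chains(advisories: List[Dict], entry_caps: Set[str]) -> Dict[str, int]:
    """Breadth-first walk of exploit chains: which advisories an attacker starting with
    entry_caps can actually use, mapped to chain depth (1 = usable directly from entry)."""
    caps, depth, level = set(entry_caps), {}, 1
    while True:
        usable = [a for a in advisories if a["id"] not in depth and a["requires"] in caps]
        if not usable:
            return depth
        for a in usable:  # capabilities gained this level unlock the next level
            depth[a["id"]] = level
            caps.add(a["grants"])
            caps |= IMPLIED_CAPS.get(a["grants"], set())
        level += 1


def chain_break_value(advisories: List[Dict], entry_caps: Set[str]) -> Dict[str, int]:
    """For each reachable advisory, how many OTHER reachable advisories become
    unreachable if this one alone is fixed. High values mark chain linchpins."""
    base = reachable_chains(advisories, entry_caps)
    value = {}
    for a in advisories:
        if a["id"] in base:
            rest = [b for b in advisories if b["id"] != a["id"]]
            value[a["id"]] = len(base) - 1 - len(reachable_chains(rest, entry_caps))
    return value


def severity_only_order(advisories: List[Dict]) -> List[str]:
    """The 'patch by CVSS' ranking that the chaining trend defeats."""
    return [a["id"] for a in sorted(advisories, key=lambda a: -a["cvss"])]


def chain_aware_order(advisories: List[Dict], entry_caps: Set[str]) -> List[str]:
    """Reachable advisories first, ordered by chains cut, then depth, then CVSS;
    advisories unreachable from the entry position go last, by CVSS."""
    depth = reachable_chains(advisories, entry_caps)
    cut = chain_break_value(advisories, entry_caps)
    reach = sorted((a for a in advisories if a["id"] in depth),
                   key=lambda a: (-cut[a["id"]], depth[a["id"]], -a["cvss"]))
    rest = sorted((a for a in advisories if a["id"] not in depth), key=lambda a: -a["cvss"])
    return [a["id"] for a in reach + rest]


if __name__ == "__main__":
    shipped = applicable(ADVISORIES, sbom_purls(SBOM_JSON))
    print("severity-only:", severity_only_order(shipped))
    print("chain-aware  :", chain_aware_order(shipped, {"internet"}))
    print("chains cut   :", chain_break_value(shipped, {"internet"}))
```

On this constructed data the 6.1 authentication bypass ADV-0001 ranks last by CVSS but first once chains are modelled, because fixing it alone strands both RCE bugs behind it; the 9.8 in libfoo is only reachable three links deep. The same walk also drops ADV-0004 outright, since the SBOM shows that component is not in the image.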
CrowdStrike’s data underscores an uncomfortable truth: modern intrusions quickly stitch together identity abuse, exploitable device and software components, and cloud control-plane gaps. If you secure your SBOMs, binaries, APIs, and cloud ties with the same rigor you apply to identity, you cut off the most reliable attack paths.