Ransomware hit 623 incidents in a single month in 2025. IBM recorded a 49% surge in active threat groups year over year. AI is now operating on both sides of the security equation — and most enterprise defences were built for a threat that no longer exists.
For most of the last decade, enterprise cybersecurity operated on a reasonably predictable model. Attackers would develop a technique. Defenders would detect it, build a signature, deploy a patch, and update the playbook. The cycle was painful and expensive, but it had a rhythm. Security teams knew what they were defending against, roughly how attacks would arrive, and what good detection looked like. That model is broken — not because the techniques have evolved, but because the speed of attack has crossed a threshold that human-scale defence cannot match.
The data from 2025 is not ambiguous. CrowdStrike's State of Ransomware Survey found that 76% of global organisations struggle to match the speed and sophistication of AI-powered attacks. IBM's X-Force Threat Intelligence Index recorded a 49% increase in active ransomware groups compared to the prior year. Ransomware incidents climbed to 623 in a single month — October 2025 — the second-highest monthly total ever recorded, following six consecutive months of escalation. And the World Economic Forum's Global Cybersecurity Outlook found that 72% of respondents reported an increase in organisational cyber risk, with nearly half citing adversarial AI as their primary concern.
These are not statistics about a worsening problem. They are statistics about a problem that has changed in kind, not just in scale. Understanding what has actually changed — and what it requires of enterprise security teams — is the most important thing a technology leader can do right now.
AI-powered threat detection is no longer optional — when attackers are using AI to accelerate every stage of the attack chain, human-speed detection creates windows of exposure that are measured in minutes, not days.
What AI Has Actually Changed About How Attacks Work
The most important thing to understand about AI-powered cyberattacks is not that they are more sophisticated in the technical sense. It is that they are faster, more convincing, and far more scalable than anything that came before. These three properties together create a threat environment that fundamentally differs from what most enterprise security architectures were designed to address.
Speed is the most consequential change. IBM's X-Force data showed a 44% increase in attacks that began with exploitation of public-facing applications in 2025, driven in significant part by AI-enabled vulnerability discovery. Attackers are now using AI systems to scan organisational perimeters, identify exploitable weaknesses, and execute initial access faster than most security operations centres can complete their morning briefings. The window between vulnerability disclosure and active exploitation — which used to be measured in weeks — has compressed to days or hours for high-value targets.
Convincingness is the second change, and it is the one creating the most operational damage right now. Generative AI has made social engineering attacks dramatically more effective. Phishing emails that previously betrayed themselves through grammatical errors, awkward phrasing, or generic content are now indistinguishable from legitimate communications. The FBI issued a specific alert in 2025 about AI-crafted voice messages impersonating government officials. CrowdStrike found that 87% of security professionals believe AI makes phishing lures more convincing — not as a future risk, but as a present reality. Microsoft's Digital Defense Report found that identity-based attacks surged 32% in the first half of 2025 alone, with more than 97% of identity attacks involving password compromise rather than technical exploitation.
Scale is the third change. Earlier generations of sophisticated attacks required human expertise at every stage — a skilled attacker to write the code, craft the message, select the target, manage the negotiation. AI has automated significant portions of all of these tasks. The result is that small, technically limited groups can now execute high-volume, high-quality attack campaigns that previously required the resources of well-funded criminal organisations. IBM observed this trend directly: smaller, transient operator groups are proliferating, running low-volume campaigns that complicate attribution and evade the detection rules built to catch established threat actors.
The Identity Problem Nobody Has Solved
One of the clearest patterns in 2025's threat data is the concentration of attacks on identity infrastructure. More than 97% of identity attacks in Microsoft's dataset were password attacks — brute force, credential stuffing, and password spray. This is not a new technique. It is a technique that works because most organisations have still not achieved comprehensive multi-factor authentication deployment across their environments, despite years of security guidance and the availability of MFA solutions that Microsoft's own data shows block more than 99% of identity-based attacks when deployed.
The gap between knowing what needs to be done and actually doing it across a large, complex organisation is where most of the real security risk lives in 2025. It is not in zero-day exploits or advanced persistent threats. It is in the basic controls that are well understood, proven to work, and still not universally deployed. Attackers are not sophisticated because they have found techniques defenders do not know about. They are effective because they are systematically exploiting the gap between what organisations know they should do and what they have actually implemented.
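The three password-attack patterns named above (brute force, credential stuffing, password spray) leave distinct shapes in sign-in logs, and telling them apart matters because a spray that lands on an unprotected service account is exactly the MFA coverage gap the article describes. The following is an added example, not code from the article or any vendor it cites: it buckets failed sign-ins per source address into 10-minute windows, labels a window that touches many accounts as a spray and one that hammers a single account as brute force, and names any account the flagged source then signed into successfully. The log lines are constructed and the thresholds are assumptions to be tuned against a real baseline.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample (timestamp,source_ip,account,result): 203.0.113.7 sprays one
# guess across many accounts and lands on a service account, 198.51.100.9 hammers
# a single account, 192.0.2.5 is a normal user who mistyped once.
SAMPLE_LOG = """\
2025-10-01T08:00:01,203.0.113.7,alice,FAIL
2025-10-01T08:00:03,203.0.113.7,bob,FAIL
2025-10-01T08:00:05,203.0.113.7,carol,FAIL
2025-10-01T08:00:07,203.0.113.7,dave,FAIL
2025-10-01T08:00:09,203.0.113.7,erin,FAIL
2025-10-01T08:00:11,203.0.113.7,svc-backup,SUCCESS
2025-10-01T08:01:00,198.51.100.9,admin,FAIL
2025-10-01T08:01:01,198.51.100.9,admin,FAIL
2025-10-01T08:01:02,198.51.100.9,admin,FAIL
2025-10-01T08:01:03,198.51.100.9,admin,FAIL
2025-10-01T08:01:04,198.51.100.9,admin,FAIL
2025-10-01T08:02:00,192.0.2.5,alice,FAIL
2025-10-01T08:02:10,192.0.2.5,alice,SUCCESS
"""
SPRAY_MIN_ACCOUNTS, BRUTE_MIN_ATTEMPTS = 5, 5  # assumed thresholds; tune locally

def parse_log(text):
    """Parse CSV sign-in lines into (datetime, ip, account, result) tuples."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return [(datetime.fromisoformat(ts), ip, acct, res) for ts, ip, acct, res in rows]

def classify_sources(events):
    """Return {source_ip: set(labels)}. Failures are bucketed per source into
    10-minute windows: many distinct accounts in a window is a spray, many attempts
    on one account is brute force, and a later success names the account to contain."""
    fails = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    successes = defaultdict(set)
    for ts, ip, account, result in events:
        if result == "FAIL":
            window = ts.replace(minute=ts.minute // 10 * 10, second=0)
            fails[ip][window][account] += 1
        else:
            successes[ip].add(account)
    verdicts = {}
    for ip, windows in fails.items():
        labels = set()
        for per_account in windows.values():
            if len(per_account) >= SPRAY_MIN_ACCOUNTS:
                labels.add("password_spray")
            if max(per_account.values()) >= BRUTE_MIN_ATTEMPTS:
                labels.add("brute_force")
        if labels and successes[ip]:
            labels.add("compromised:" + ",".join(sorted(successes[ip])))
        if labels:
            verdicts[ip] = labels
    return verdicts
```

A normal user's single typo followed by a success produces no verdict, while the spraying source is reported together with the service account it reached, which is the finding that should trigger credential reset and an MFA-coverage check for that account.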
Modern security operations require AI-assisted threat detection running continuously — the dwell time between initial compromise and detection remains far too long in most enterprise environments.
Ransomware in 2025: From Disruption to Strategic Threat
Ransomware has evolved from a criminal nuisance into what CrowdStrike and others are now describing as a strategic threat to organisational continuity and, in some sectors, national security. The evolution has several dimensions that enterprise leaders need to understand clearly.
The Ransomware-as-a-Service model has industrialised the criminal ecosystem. Sophisticated criminal groups now operate as software developers, building and maintaining ransomware platforms that less technically capable affiliates can lease and deploy. This has dramatically lowered the barrier to entry while simultaneously raising the quality of the tooling available to less experienced attackers. The result is the proliferation of active groups that IBM documented — more operators, more campaigns, more targets, with tools that are more capable than anything most of them could have built independently.
The energy sector saw a 500% year-over-year spike in ransomware attacks, according to Zscaler's ThreatLabz data. Manufacturing, healthcare, and education remain in the top five most targeted industries. The selection logic is straightforward: these are sectors where operational disruption creates immediate economic pressure, where the cost of downtime significantly exceeds the cost of a ransom payment, and where security investment has historically lagged behind the IT and financial services sectors that have faced sustained regulatory pressure to improve their postures.
The extortion model has also shifted. Earlier ransomware focused on encrypting data and demanding payment for the decryption key. Current campaigns almost universally include data exfiltration before encryption — meaning the threat is not just operational disruption but public disclosure of sensitive data, regulatory penalties, and reputational damage even if the organisation restores operations from backups. This double and triple extortion model has made the decision not to pay significantly more complicated, and has driven the increase in ransomware disclosure that the SEC's new mandatory reporting requirements are beginning to make visible.
Why AI-Powered Defence Is No Longer Optional
The logical response to AI-powered attacks is AI-powered defence — but the WEF's data reveals a troubling gap in how organisations are thinking about this. While 66% of organisations expect AI to have the most significant impact on cybersecurity, only 37% report having processes in place to assess the security of AI tools before deployment. This creates a compounding risk: organisations are deploying AI broadly across their operations, creating new attack surfaces and new credential risks, without the security governance to manage them.
The credential risk from AI platforms specifically is emerging as a significant and underappreciated problem. IBM X-Force observed the exposure of over 300,000 ChatGPT credentials through infostealer malware in 2025. This matters because compromised AI platform credentials are not just account access risks — they create opportunities for attackers to manipulate AI outputs, exfiltrate data processed through those platforms, and inject malicious prompts that propagate through AI-assisted workflows. The attack surface created by enterprise AI adoption is genuinely new, and most security programmes have not yet built the visibility and controls to manage it.
Agentic AI in security operations — systems that can detect anomalies, investigate alerts, and execute initial response actions autonomously — is moving from experimental to production deployment in the most advanced security organisations. The case is straightforward: when attackers are using AI to compress the time from initial access to lateral movement to data exfiltration, the only viable response is detection and containment that operates at a comparable speed. Human analysts working with traditional SIEM tools cannot achieve the response times that AI-accelerated attacks require. Automated detection and response is not a future aspiration — it is a present operational necessity for any organisation facing a sophisticated threat actor.
The Controls That Matter Most Right Now
For security leaders trying to prioritise investment in an environment of escalating threat and constrained budget, the evidence from 2025 points clearly to a small number of foundational controls that deliver disproportionate risk reduction relative to their cost.
Phishing-resistant multi-factor authentication is the single highest-ROI investment available to most organisations. Microsoft's data shows it blocks more than 99% of identity-based attacks — the category that accounts for the vast majority of successful initial compromises. The implementation challenge is coverage: partial MFA deployment creates the attacker's preferred path, which is simply finding the accounts and systems where it is not yet deployed. Achieving comprehensive coverage, including for privileged accounts and service accounts that are frequently overlooked, is the priority.
Vulnerability management has become an AI-speed problem. Organisations that are running monthly or quarterly patching cycles for internet-facing systems are operating on a timeline that no longer matches the threat. AI-enabled vulnerability scanning by attackers is identifying and exploiting newly disclosed vulnerabilities faster than traditional patching programmes can respond. Moving to continuous vulnerability management — with automated identification and accelerated patching for critical internet-facing systems — is a baseline requirement, not a mature practice.
Backup integrity and incident response rehearsal round out the foundational controls. Ransomware's double extortion model has not made backups irrelevant — it has made backup integrity testing and practised restoration procedures more important, not less, because restoring operations quickly reduces the leverage attackers have to demand payment. Organisations that have actually rehearsed a ransomware recovery scenario, tested their backup restoration procedures, and practised their communications playbook respond faster and with less operational disruption than those that have only planned for the scenario on paper.
The Leadership Conversation That Needs to Happen
The most significant gap in enterprise cybersecurity in 2025 is not technical. It is the gap between the risk that security leaders understand and the understanding that boards and executive teams have of that risk. Security leaders who can translate the 2025 threat landscape into business terms — revenue at risk, regulatory exposure, operational continuity implications — and connect those terms to specific investment decisions are the ones successfully driving the security improvements their organisations need.
Boards are increasingly required to understand cybersecurity risk. The SEC's disclosure requirements in the US are pushing cyber risk into earnings calls and proxy statements. The EU's NIS2 Directive is imposing personal liability on executives in member state organisations. The regulatory environment is creating board-level attention to cybersecurity that security leaders have been requesting for years. The question is whether security teams are ready to have the strategic conversation that this attention makes possible — or whether they will respond to board interest with technical briefings that leave directors informed but unable to act.
The organisations building genuine cyber resilience in 2025 are the ones where security is understood as a business function, not an IT function — where the CISO has a direct line to the board, where risk tolerance is explicitly defined and regularly revisited, and where security investment decisions are made with the same rigour applied to other material business risks. That conversation starts with leadership, and it starts with the security team being willing and able to speak the language of business outcomes rather than technical controls.