Ransomware and infostealer threats are evolving faster than most organizations can keep pace.
Security teams have invested heavily in backup and recovery systems, yet today’s most damaging attacks often bypass encryption altogether.
Picus Security’s Blue Report 2025 documents a shift: threat actors are prioritizing credential theft, data exfiltration, and lateral movement, relying on stealth and persistence rather than noise.
The numbers are a wake-up call. In nearly half of the environments tested, at least one password hash was successfully cracked. Only 3% of data exfiltration attempts were prevented, a steep decline from 9% in 2024.
One stolen credential can now serve as the entry point for lateral movement and bulk data theft. Infostealer malware has tripled in frequency, and threat actors who log in with legitimate credentials bypass defenses almost every time.
The report highlights several critical trends:
- Passwords cracked in nearly half of environments: In almost half (46%) of tested systems, at least one password hash was compromised, up from only a quarter (25%) in 2024. Weak and outdated password policies continue to provide threat actors easy access.
- Stolen credentials are nearly unstoppable: Attacks using valid credentials succeeded a whopping 98% of the time. Techniques like Valid Accounts (MITRE ATT&CK T1078) are still among the most dependable ways to bypass defenses without alerting security teams.
- Data exfiltration prevention is almost zero: A mere 3% of data theft attempts were blocked. This is down threefold from last year, even as ransomware and infostealer operators turn more and more to double-extortion tactics.
- Ransomware remains a top concern: BlackByte was the hardest strain to prevent, with attackers succeeding 74% of the time. BabLock and Maori followed at 66% and 59%, respectively.
- Early detection gaps persist: Discovery techniques such as System Network Configuration Discovery and Process Discovery scored below 12% in prevention effectiveness, leaving critical blind spots in security monitoring.
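The two gaps this list pairs, valid-account abuse (T1078) and discovery commands that nothing blocks (T1016, T1057), are easier to catch in logon and process telemetry than at the perimeter, because a cracked password produces no exploit traffic, only an unusual pattern of legitimate logons. The following script is an added example and not part of the Picus report or any vendor's product: it runs two detections over a constructed batch of Windows-style logon (4624-like) and process-creation (4688-like) records. The field names, the thresholds (three distinct hosts within ten minutes from one source) and the command-to-technique mapping are assumptions chosen for the illustration; tune them to your own environment.

```python
"""Two detections over constructed auth and process events:
 - one (user, source) pair fanning out to many hosts over network logons
   (Valid Accounts, T1078, used for lateral movement)
 - discovery commands on a host (T1016 network configuration, T1057 process)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "logon" rows mimic Windows
# 4624 fields; logon_type 3 is a network logon. "process" rows mimic 4688.
SAMPLE_EVENTS = [
    # Benign: an interactive user on her own workstation.
    {"ts": "2025-08-01T09:00:00", "kind": "logon", "user": "alice", "src": "10.0.2.40", "host": "WS-ALICE", "logon_type": 2},
    {"ts": "2025-08-01T09:01:00", "kind": "process", "user": "alice", "host": "WS-ALICE", "cmd": "notepad.exe"},
    # Suspicious: a cracked service-account password reused from Alice's
    # workstation to reach four servers in six minutes, with discovery first.
    {"ts": "2025-08-01T10:00:00", "kind": "logon", "user": "svc_backup", "src": "10.0.2.40", "host": "FS01", "logon_type": 3},
    {"ts": "2025-08-01T10:00:30", "kind": "process", "user": "svc_backup", "host": "FS01", "cmd": "ipconfig /all"},
    {"ts": "2025-08-01T10:00:45", "kind": "process", "user": "svc_backup", "host": "FS01", "cmd": "tasklist /v"},
    {"ts": "2025-08-01T10:02:00", "kind": "logon", "user": "svc_backup", "src": "10.0.2.40", "host": "SQL01", "logon_type": 3},
    {"ts": "2025-08-01T10:04:00", "kind": "logon", "user": "svc_backup", "src": "10.0.2.40", "host": "DC01", "logon_type": 3},
    {"ts": "2025-08-01T10:06:00", "kind": "logon", "user": "svc_backup", "src": "10.0.2.40", "host": "APP02", "logon_type": 3},
    # Benign: the same account's scheduled job from its usual server, hours apart.
    {"ts": "2025-08-01T14:00:00", "kind": "logon", "user": "svc_backup", "src": "10.0.1.5", "host": "FS01", "logon_type": 3},
    {"ts": "2025-08-01T18:00:00", "kind": "logon", "user": "svc_backup", "src": "10.0.1.5", "host": "FS02", "logon_type": 3},
]

# Assumed mapping of executables to ATT&CK discovery techniques.
DISCOVERY_COMMANDS = {
    "ipconfig": "T1016", "ifconfig": "T1016", "nltest": "T1016", "netsh": "T1016", "arp": "T1016",
    "tasklist": "T1057", "ps": "T1057", "get-process": "T1057",
}


def _parse(ts):
    return datetime.fromisoformat(ts)


def lateral_movement_candidates(events, window_minutes=10, min_hosts=3):
    """Flag (user, src) pairs that open network logons (type 3) to at least
    min_hosts distinct hosts inside a sliding window of window_minutes."""
    logons = defaultdict(list)
    for e in events:
        if e["kind"] == "logon" and e.get("logon_type") == 3:
            logons[(e["user"], e["src"])].append((_parse(e["ts"]), e["host"]))
    window = timedelta(minutes=window_minutes)
    findings = []
    for (user, src), seq in logons.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            hosts = {host for t, host in seq[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "src": src, "hosts": sorted(hosts), "start": start.isoformat()})
                break  # one finding per pair is enough for triage
    return findings


def discovery_commands(events):
    """Return process events whose executable is a known discovery command."""
    hits = []
    for e in events:
        if e["kind"] != "process":
            continue
        exe = e["cmd"].split()[0].rsplit("\\", 1)[-1].lower()
        if exe.endswith(".exe"):
            exe = exe[:-4]
        if exe in DISCOVERY_COMMANDS:
            hits.append({"host": e["host"], "user": e["user"], "cmd": e["cmd"], "technique": DISCOVERY_COMMANDS[exe]})
    return hits


if __name__ == "__main__":
    for f in lateral_movement_candidates(SAMPLE_EVENTS):
        print(f"lateral movement? {f['user']} from {f['src']} -> {f['hosts']} starting {f['start']}")
    for h in discovery_commands(SAMPLE_EVENTS):
        print(f"discovery {h['technique']} on {h['host']} by {h['user']}: {h['cmd']}")
```

Run against the sample, the first detection flags only the burst from 10.0.2.40 (four hosts in six minutes) and ignores the scheduled job that touches two hosts four hours apart; the second returns the `ipconfig` and `tasklist` executions. Neither rule needs the password to have been stolen in any particular way, which is the point: detection of T1078 is about the shape of legitimate logons, not about malware.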
The report makes it clear that investing in backups and encryption is no longer enough.
Organizations must confront threats that are quiet, persistent, and increasingly sophisticated. Credential hygiene, continuous monitoring, and proactive detection are no longer optional; they are essential.
Poor Credential Hygiene
Darren Guccione, CEO and Co-Founder at Keeper Security, says the research provides strong evidence that poor credential hygiene remains a persistent and deeply entrenched weakness in organizational cybersecurity. “The data suggests both attacker capability and organizational vulnerability are moving in the wrong direction. The corresponding drop in the success rate of stopping data exfiltration attempts points to gaps not just at the perimeter, but in lateral movement detection and response.”
According to him, recent research found that risky credential habits remain widespread, with 8% of non-privileged access management users still relying on shared spreadsheets, 5% continuing to hardcode credentials and another 5% still operating with no formal credential management at all.
“The tools and techniques used by attackers are becoming more sophisticated as they increasingly harness automation and AI to both accelerate password cracking and create more realistic phishing scams,” Guccione adds. “That there are still so many organizations today operating with outdated password policies, weak access controls and insufficient monitoring is concerning. Only 37% of organizations in our recent report stated they audit privileged accounts monthly or more, while 13% audit annually or less, leaving standing permissions unchecked for long periods.”
Predictable User Behavior
Legacy complexity rules, such as forcing periodic password changes or minor character substitutions, offer little resistance against modern brute-force and dictionary attacks, Guccione says. “Predictable user behaviors remain low-hanging fruit for adversaries. Credentials remain the most common initial access vector and treating them as anything other than a core pillar of security strategy is risking exposure.”
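Guccione's point about periodic changes and character substitutions can be demonstrated directly. The script below is an added example, not from Keeper's research or the Picus report: it generates the candidate space that legacy complexity rules steer users into (a capital letter, leet substitutions, a year or "!" suffix) from a five-word list, and recovers three of four constructed SHA-256 hashes in under a thousand guesses. SHA-256 stands in for whatever format a real dump carries (NTLM, Kerberos material, an application database); the wordlist, the rule set and the sample passwords are all constructed for the demonstration.

```python
import hashlib
import itertools

# Constructed demo inputs: a tiny wordlist and the "rules" that legacy
# complexity policies push users toward. Real crackers use far larger lists.
WORDLIST = ["password", "welcome", "summer", "company", "admin"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "!", "1", "123", "2024", "2025", "2024!", "2025!"]

# Constructed sample: four plaintexts hashed with unsalted SHA-256 as a
# stand-in for a dumped hash set. The fourth is a random passphrase that no
# rule reaches; the other three satisfy a typical complexity policy.
SAMPLE_PASSWORDS = ["P@ssw0rd2025!", "Welcome123", "Summ3r2024!", "ocean-lantern-vivid-quartz-83"]


def sha256_hex(plaintext):
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


SAMPLE_HASHES = [sha256_hex(p) for p in SAMPLE_PASSWORDS]


def leet_variants(word, max_positions=6):
    """Every combination of LEET substitutions applied to the first
    max_positions substitutable characters (at most 2**6 variants)."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET][:max_positions]
    variants = set()
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i].lower()]
            variants.add("".join(chars))
    return variants


def candidates(word):
    """Case forms x substitution variants x common suffixes: the space a
    'one capital, one symbol, one digit' policy actually produces."""
    for base in (word, word.capitalize(), word.upper()):
        for variant in sorted(leet_variants(base)):
            for suffix in SUFFIXES:
                yield variant + suffix


def crack(hashes, wordlist):
    """Dictionary-plus-rules attack. Returns (found, guesses): found maps each
    recovered hash to its plaintext, guesses counts candidates hashed."""
    remaining = set(hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            digest = sha256_hex(cand)
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
                if not remaining:
                    return found, guesses
    return found, guesses


if __name__ == "__main__":
    found, guesses = crack(SAMPLE_HASHES, WORDLIST)
    for digest in SAMPLE_HASHES:
        print(digest[:12], "->", found.get(digest, "<not recovered>"))
    print(f"{len(found)}/{len(SAMPLE_HASHES)} recovered in {guesses} guesses")
```

A real engagement would point hashcat and a published rule file at the actual hash type, and a slow, salted hash (bcrypt, scrypt, Argon2) raises the cost of every guess, but it cannot rescue a password that sits inside a few hundred candidates. Only an unpredictable secret, or a phishing-resistant credential that leaves no reusable hash behind, removes the target.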
He believes defenses must evolve to include comprehensive credential lifecycle management, privileged access controls and real-time anomaly detection. “The adoption of phishing-resistant authentication methods, such as passkeys, can also significantly reduce the risk of compromised credentials being exploited and prevent lateral movement in the event of a breach.”
Protecting identity today requires an organizational shift towards a zero-trust mindset, continuous validation and proactive mitigation of credential-related risk. Organizations that fail to make that shift will remain at risk, Guccione explains.
The Race Is On
Jason Soroko, Senior Fellow at Sectigo, says the next frontier of identity security is about code that acts with human-level autonomy. “Identity sprawl now pivots on configuration changes rather than deliberate policy, with Entra service principals and GitHub personal accounts turning into unexpected bridges for lateral movement. This shifts defenders from chasing users toward continuously mapping machine-to-machine handshakes that form without direct human intent.”
Soroko says agentic AI will soon generate infrastructure in seconds and every line of that automation will plant new secrets that age faster than governance can keep up. “A proactive inventory that quantifies dormant privilege gives security leaders a metric that boardrooms can understand and auditors can measure. Vendors that still treat secrets management as a developer convenience risk becoming irrelevant once privilege intelligence becomes the default telemetry for risk scoring.”
The race is on to fuse secrets discovery, graph analytics and remediation playbooks into a single feedback loop that can act as fast as AI builds, Soroko adds.
Identity Has Become the Focus
Amit Zimerman, Co-Founder and Chief Product Officer at Oasis Security, adds that identity has become a real focus today, and bad actors are turning their attention to weaker parts of the perimeter, such as Non-Human Identities (NHIs), which control machine-to-machine access and are increasingly critical in cloud environments. “In fact, NHIs now outnumber human identities in most organizations, and securing these non-human accounts is vital, particularly in AI-heavy architectures.”
The rise of AI agents introduces new security challenges for NHIs, Zimerman adds. “These agents often operate under machine accounts or service identities, acting on behalf of human users, which makes it difficult to track permissions, monitor usage, and enforce accountability. Without proper oversight, organizations risk losing visibility into which identities have access to critical resources and how they are being used.”
Zimerman says if AI agents are assigned persistent, unmanaged service accounts, these identities can quickly become overprivileged and unmonitored, increasing the organization’s attack surface. “To alleviate this risk, security teams need to implement automated monitoring, enforce least privilege, and establish clear policies for AI-driven NHIs. By putting these guardrails in place early, organizations can embrace AI automation without compromising security.”
Secrets, Non-Human Identities
Secrets and non-human identities have become the weak point of enterprise security, says Chad Cragle, Chief Information Security Officer at Deepwatch. “With Agentic AI systems now autonomously spinning up infrastructure, making decisions, and moving laterally across environments, the old model of managing service accounts with a spreadsheet and a prayer just doesn’t cut it anymore.”
Cragle says we’re seeing a perfect storm of dormant privileged accounts, overly permissive service principals, and cross-platform misconfigurations, creating hidden escalation paths that attackers love. It’s not just a hygiene problem; it’s a visibility crisis.
The way forward starts with identity-first thinking, Cragle adds. That means applying the same rigor to machine identities and secrets as we do to human users:
- Rotate secrets frequently and vault them properly.
- Continuously assess privilege sprawl and enforce the principle of least privilege.
- Monitor for behavioral anomalies in non-human accounts.
- And yes—treat your GitHub org like the crown jewels, because for many teams, it is.
Secrets are the new identity crisis. If you don’t know where they are, who has access, or how they’re used, then you’ve already lost the game.
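Soroko's "metric that boardrooms can understand" and Cragle's checklist both reduce to questions an inventory can answer: which privileged machine identities have not been used lately, which credentials have outlived their rotation interval, which have no owner, and where secrets sit in code. The script below is an added example and is not code from Deepwatch, Sectigo, Oasis or the Picus report. It runs those checks over a constructed inventory export (Entra service principals, a GitHub personal access token, an IAM user created by an automation agent) and over a few constructed configuration lines. The set of privileged roles, the 90-day thresholds, the field names and the secret patterns are assumptions; the AWS key in the sample is the placeholder AWS uses in its own documentation and the GitHub token is a made-up string.

```python
import re
from datetime import date

# Assumption: which roles count as privileged. A real program derives this
# from the provider's role definitions rather than a hand-written set.
PRIVILEGED_ROLES = {"Owner", "Global Administrator", "Contributor", "repo:admin", "iam:*"}

# Constructed inventory export (not real data). last_used and secret_created
# are ISO dates as an export might carry them.
INVENTORY = [
    {"name": "sp-ci-deploy", "kind": "entra_service_principal", "roles": ["Contributor"],
     "last_used": "2025-07-30", "secret_created": "2025-01-10", "owner": "platform"},
    {"name": "sp-legacy-etl", "kind": "entra_service_principal", "roles": ["Owner"],
     "last_used": "2024-11-02", "secret_created": "2023-06-01", "owner": None},
    {"name": "gh-pat-bob", "kind": "github_pat", "roles": ["repo:admin"],
     "last_used": "2025-03-01", "secret_created": "2024-09-15", "owner": "bob"},
    {"name": "agent-infra-builder", "kind": "aws_iam_user", "roles": ["iam:*"],
     "last_used": "2025-08-01", "secret_created": "2025-07-29", "owner": "ai-platform"},
    {"name": "sp-metrics-reader", "kind": "entra_service_principal", "roles": ["Reader"],
     "last_used": "2024-01-15", "secret_created": "2024-01-01", "owner": "observability"},
]

# Constructed config lines standing in for a repository scan. The AWS key is
# the placeholder from AWS documentation; the GitHub token is made up.
SAMPLE_CONFIG_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "correct horse battery"',
    "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789",
    "log_level = info",
]

# Assumed patterns: AWS access key id, GitHub classic PAT, quoted secret after
# a password/secret/token-like key.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_password": re.compile(r"(?i)(password|secret|token)\w*\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

NOW = date(2025, 8, 4)  # fixed "today" so the results are reproducible


def _age_days(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days


def is_privileged(identity):
    return any(role in PRIVILEGED_ROLES for role in identity["roles"])


def dormant_privileged(inventory, today=NOW, dormant_days=90):
    """Privileged identities that have not authenticated within dormant_days."""
    return [i["name"] for i in inventory
            if is_privileged(i) and _age_days(i["last_used"], today) > dormant_days]


def stale_secrets(inventory, today=NOW, max_age_days=90):
    """Identities whose credential has outlived the rotation interval."""
    return [i["name"] for i in inventory if _age_days(i["secret_created"], today) > max_age_days]


def unowned(inventory):
    """Identities nobody is accountable for; these never get reviewed."""
    return [i["name"] for i in inventory if not i.get("owner")]


def dormant_privilege_ratio(inventory, today=NOW, dormant_days=90):
    """Share of privileged identities that are dormant: one number that can be
    tracked from quarter to quarter."""
    privileged = [i for i in inventory if is_privileged(i)]
    if not privileged:
        return 0.0
    return len(dormant_privileged(privileged, today, dormant_days)) / len(privileged)


def find_hardcoded_secrets(lines):
    """Return (line_number, pattern_name) for every line matching a pattern."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


if __name__ == "__main__":
    print("dormant privileged:", dormant_privileged(INVENTORY))
    print("stale secrets:", stale_secrets(INVENTORY))
    print("unowned:", unowned(INVENTORY))
    print(f"dormant privilege ratio: {dormant_privilege_ratio(INVENTORY):.0%}")
    print("hardcoded secrets:", find_hardcoded_secrets(SAMPLE_CONFIG_LINES))
```

On the sample, half of the privileged identities are dormant, four of five credentials are older than 90 days, the only Owner-level principal has no owner, and three of the four config lines carry something that belongs in a vault. The value of the script is not the thresholds but that each finding maps to one action: remove the role, rotate the secret, assign an owner, or move the value out of the repository.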
Identity Is the New Perimeter
Identity is the new perimeter as both organizations and individuals move their entire lives into cloud applications and services, meaning that a compromised identity can provide access to large amounts of data and systems, says James Maude, Field CTO at BeyondTrust.
“Within the business world, we are seeing the lines between personal and professional accounts continue to blur, meaning that a user’s personal accounts, or devices, being compromised can impact their business identity as well.”
Maude says organizations need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that an attacker could exploit to elevate privilege, move laterally and inflict damage. “The identity security debt accumulated by many organizations represents a far greater risk than any other area as it only takes the attacker to login using the right identity and all is lost because of the paths to privilege that abound in their environment.”
Today, organizations, as well as individuals, are beginning to better understand and protect their identity attack surface, Maude concludes. “At a basic level having robust multi-factor authentication (MFA) controls on all high value personal accounts is absolutely essential. At the organization level, being able to understand all the paths to privilege an identity has in your environment, and proactively reduce those risks, is key to success. Businesses should continue enforcing the principle of least privilege, identity infrastructure monitoring, and securing access to sensitive accounts. You limit what attackers can do—even with stolen credentials.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.