CRD

CRD #22

On diverging enthusiasm for AI in security, attack cost trends, workforce gaps, APT activity, and the latest in cybercrime ops.

Henry Rõigas

Henry Rõigas

7 min read
CRD #22
Photo by Aron Visuals / Unsplash
The Cybersecurity Research Digest cuts through the marketing fluff and bias to bring you relevant and objective insights on cybersecurity stats and trends, all backed by empirical data.

This post features highlights from trustworthy research sources released between April 30 and May 19, 2025, followed by a list of all monitored reports.

TL;DR

  • Executives see AI as a productivity boost, but analysts remain skeptical due to false positives and added complexity.
  • BEC and funds transfer fraud dominate insurance claims, while ransomware remains the most costly.
  • The workforce gap is driven by missing skills, not open roles, with salary the top retention factor.
  • APT activity rose 45%, with Chinese groups heavily targeting telcos and evasion tactics evolving.
  • Cybercrime is scaling fast via automation and AI, with massive growth in credential theft and exploit attempts.

Using AI for security: strategic enthusiasm, operational caution

A survey of over 1,000 cybersecurity professionals reveals a stark divide in how AI is perceived across organizational levels. While 71% of executives believe AI has significantly improved productivity, only 22% of frontline analysts agree. Analysts tend to see AI as reshaping, rather than reducing, their workload.  Concerns cited include hallucinations, false positives, and increased complexity.

Cyber execs versus cyber analysts: AI’s perceived impact on productivity and willingness to let AI act independently (Exabeam)

This divergence also appears in the willingness to let AI act autonomously. 38% of executives said they were open to this, compared to just 10% of analysts. While 38% is surprisingly high, it's important to note that the survey did not define what constitutes "AI", meaning the responses may not necessarily reflect willingness to adopt novel and still-maturing technologies based on LLMs. Regardless, the gap underscores the need for alignment between strategic vision and operational reality before depending on AI for critical capabilities.

A divided perspective on AI in cybersecurity (Exabeam)

Insurance data: BEC and funds transfer fraud dominate, ransomware most damaging

Data from cyber insurance claims filed with a global insurer in 2024 shows that both the frequency and severity of incidents have remained relatively stable compared to 2023. While the dataset is skewed towards insured organizations (which may thus be better prepared than the "average" organization) the trend points to year-over-year stability.

Global claims frequency and severity (Coalition)

The data from 2024 shows that email-based threats remain dominant, with business email compromise (BEC) and funds transfer fraud (FTF) accounting for 60% of all claims.

Global cyber insurance claims by event type (Coalition)

Ransomware, though representing one-fifth of cases, carried significantly higher impact: average losses per incident reached $292,000, with 44% of victims opting to pay the ransom.

It’s a skills gap, not a headcount crisis

A global survey of 3,400 cybersecurity managers and HR professionals suggests the cyber workforce shortage is less about unfilled positions and more about the lack of necessary skills. The popular narrative - often amplified by certification companies - that "cyber offers endless career opportunities" is shifting: the focus is not on increasing headcount, but on finding people with the right competencies.

Top cybersecurity hiring challenges (SANS | GIAC)

For employee retention as well as attraction, salary naturally remains the dominant factor by a wide margin. Other important elements include benefits, opportunities for upskilling, and a positive workplace culture.

Top challenges in retaining cybersecurity staff (SANS | GIAC)

Telcos in the crosshairs as Chinese APTs dominate detections

Threat detection data from Trellix covering October 2024 to April 2025 shows that APT-related activity increased 45% globally over the last two quarters. The telecommunications sector received the bulk of this activity - representing 47% of all detections - followed by transportation and shipping. 

ADS
Q4 2024 and Q1 2025 top APT targeted sectors (Trellix)

Telco targeting may relate to the fact that the Chinese groups APT40 and Mustang Panda were responsible for nearly half of all detected APT activity (think Salt Typhoon). As for Russian activity, Sandworm, the APT group known for targeting Ukrainian critical infrastructure, was also showing increased activity.

The same reporting projects between 41,000 and 50,000 new CVEs in 2025. Despite the volume, phishing remains the top initial access vector, followed by exploitation of known vulnerabilities.

Once access is gained, threat actors heavily rely on legitimate system tools and living-off-the-land binaries (LOLBins). These are used to blend into normal operations, evade detection, and ensure redundancy. The research also points out that the use of memory-resident techniques, fileless malware, and signed binaries has overtaken custom malware.

Top 5 tools used in threat actor TTPs (Trellix)

Crime-as-a-service expands rapidly, powered by AI and automation

Fortinet’s 2024 threat landscape report highlights explosive growth in the underground economy for stolen credentials and corporate access. Credential theft rose 42% year-over-year, with the use of infostealers like Redline and Vidar showing most growth. Over 1.7 billion stolen credential records were shared on darknet forums, and Initial Access Broker (IAB) activity saw a notable rise in listings for VPN, RDP, and admin panel access.

Automation and operational scale continue to accelerate, with automated scanning reaching record highs in 2024, rising 16.7% globally. Exploitation activity also surged, with Fortinet tracking more than 97 billion attempts across the year. Despite the volume, the average time to exploit newly disclosed vulnerabilities held steady at 5.4 days, underscoring a sustained tempo rather than an accelerating one and offering a degree of reassurance to teams that have invested in automation for vulnerability management.

This accelerating automation trend is and will be further supercharged by the growing role of AI in cybercriminal operations. Fortinet’s report underscores how tools such as FraudGPT, BlackmailerV3, and ElevenLabs are being used to generate malware, automate phishing websites, create deepfake content, and synthesize convincing audio. These capabilities amplify both the scale and sophistication of malicious campaigns, making them faster to launch, more believable, and harder to defend against.

Reports monitored: April 30 - May 19

To take a deeper dive in the topics most relevant for you, find below a list of all the monitored research reports (41) that were published during the observed period.

Title Organisation(s) Topic(s)
Featured reports
From Hype to Help: How AI Is (Really) Transforming Cybersecurity in 2025 Exabeam AI / security
Coalition 2025 Cyber Claims Report Coalition cost / insurance data
2025 Cybersecurity Workforce Research Report SANS / GIAC workfroce / HR
Trellix April 2025 Threat Report Trellix CTI / telemetry
Fortinet Threat Landscape Report Fortinet CTI / telemetry
Other reports monitored
Logicalis 2025 CIO Report Logicalis CIO perspectives
LevelBlue 2025 Futures Report LevelBlue C-suite perspectives
Comparitech Ransomware Roundup April 2025 Comparitech CTI / ransomware
Barracuda 2025 Email Threats Report Barracuda email
VIPRE Q1 2025 Email Threat Report VIPRE email
KnowBe4 Q1 2025 Phishing Report Infographic KnowBe4 pishing stats
Hive Systems Password Strength Analysis Hive Systems passwords
CyberNews Password Leak Study 2025 CyberNews passwords
World Passkey Day 2025 Consumer Password & Passkey Trends FIDO Alliance passwords
Trend 2025 Cyber Risk Report Trend Micro risk index / risk exposure
Kela Cyber Infostealer Epidemic Report Kela Cyber infostealer
Zimperium 2025 Global Mobile Threat Report Zimperium mobile
Seemplicity 2025 Remediation Operations Report Seemplicity vuln management
OpenVPN ESG State of VPN Report OpenVPN VPNs
Forescout Rise of State-Sponsored Hacktivism Report Forescout hacktivism
ArmorCode Rise of the AppSec Leader Report ArmorCode appsec
CyberArk 2025 Identity Security Landscape Report CyberArk identity security / machine identities
Check Point AI Security Report Check Point AI security
Utimaco PQC Readiness Survey Utimaco post-quantum cryptography.
2025 EY Global Third-Party Risk Management Survey EY third party risk
2025 Cisco Cybersecurity Readiness Index Cisco general / global cyber readiness
Honeywell AI in Energy Security Survey Honeywell energy / AI / security
Optiv Cybersecurity Incidents and Budget Shifts Report Optiv / Ponemon Institute budgets
MixMode 2025 State of AI in Cybersecurity Report MixMode / Ponemon Institute AI / security
BitSight Research Report: 2025 State of the Underground BitSight dark web data / credentials / leaks
State of Pentesting survey report Pentera pentesting
State of the UAE Cybersecurity Report 2025 UAE UAE / threat lanscape
CrowdStrike 2025 State of SMB Cybersecurity Report Crowdstrike SMBs
Marsh UK Cyber Insurance Claims Trend Report 2024 Marsh insurance data
Feedzai 2025 AI Trends in Fraud and Financial Crime Prevention Feedzai AI / fraud / crime
Corero 2025 Threat Intelligence Report Corero DDoS
Cyber security behavioural research CERT NZ New Zealand / end-user
1 Kinetic Small and Medium-Sized Business Technology Report Kinetic SMBs
2025 OpenText Cybersecurity Threat Report OpenText malware / CTI
Industrial networks: can AI do the heavy lifting? Arelion Research OT / AI
Notifiable Data Breaches Report: July to December 2024 Office of the Australian Information Commissioner (OAIC) Australia / incident reporting

About

evisec's Cybersecurity Research Digest provides security leaders verified strategic insights via a carefully curated weekly summary of evidence-led, unbiased and objective cybersecurity research publications. Read more about our service here.

✉️ Suggestions or want to collaborate? Get in touch via LinkedIn or email (henry@evisec.xyz)

Read more