Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.
The average breakout time — how long it took financially-motivated attackers to move from initial intrusion to other network systems — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. “The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,” Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.
Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims’ cloud infrastructure undetected.
“Threat actors are exploiting those cross-domain gaps to gain access to environments, so they’re wriggling in between the seams in cloud, identity, enterprise and unmanaged network devices,” Meyers said.
Starting from an already disadvantaged position — made worse by faster attacks and living-off-the-land techniques — defenders face burnout, stress and other factors that can lead to mistakes, he added.
The myriad sources of these problems are spreading, too.
CrowdStrike tracked 281 threat groups at the end of 2025, including 24 new threats it named throughout the year. Researchers at the cybersecurity firm are also tracking 150 active malicious activity clusters and emerging threat groups.
Cybercriminals seeking a payout and nation states committing espionage or implanting footholds into critical infrastructure for prolonged access are increasingly seizing on security weaknesses in cloud-based environments to break into victim networks.
These cloud-focused attacks have seen a reported 37% year-over-year increase, with a 266% surge in this activity from nation-state threat groups.
The vast majority of attacks detected last year, 82%, were free of malware — highlighting attackers’ enduring shift toward hands-on-keyboard operations and the abuse of legitimate tools and credentials, CrowdStrike said in the report. More than 1 in 3 incident response cases involving cloud intrusions last year were linked back to a valid or abused credential that granted attackers access, according to CrowdStrike.
Attacks originating from or sponsored by North Korea increased 130% last year, while incidents linked to China jumped 38% during the same period.
Chinese threat groups achieved immediate system access with two-thirds of the vulnerabilities they exploited last year, and 40% of those exploits targeted edge devices.
Zero-day exploits — especially defects in edge devices such as firewalls, routers and virtual private networks — allowed nation-state and cybercrime threat groups to break into systems, execute code and escalate privileges undetected.
CrowdStrike said it observed a 42% year-over-year increase in the number of zero-day vulnerabilities exploited prior to public disclosure last year.
Meyers said he expects that number to grow further, predicting an explosion of activity from attackers using artificial intelligence to find and exploit zero-day vulnerabilities in various products during the next three to nine months.
CrowdStrike’s annual global threat report is full of figures moving in the wrong direction, yet the most worrying finding for Meyers comes down to attacker speed.
“The speed at which we’re seeing these breakout times accelerate is one of the markers,” he said, adding that it’s only a matter of time before the fastest attacks drop down to seconds, if not milliseconds.
