From the Field to the Report: How Incident Responders Can Use the Year in Review

Every year, Cisco Talos publishes the Year in Review, a comprehensive look at the previous year’s threat landscape. It’s drawn from an enormous volume of telemetry, such as endpoint detections, network traffic, email data, and boots-on-the-ground Cisco Talos Incident Response (Talos IR) engagements. As incident responders, we see threats mid-detonation in the wreckage of an Active Directory environment, or in the lateral movement artifacts left behind by an affiliate who got in using nothing more than a valid account. The Year in Review distills those raw observations into structured intelligence, but that intelligence loop works both ways. The same report that our IR casework feeds into is the report that defenders should be feeding back into their own preparation cycles.

When Talos IR closes out an engagement with customers, the tactics, techniques, and procedures (TTPs) we observe through forensic work and analysis are catalogued, aggregated, and analyzed alongside broader Cisco telemetry. When we track the emergence of a new exploit like React2Shell redefining attacker speed, or when we see Qilin rise to dominate the ransomware landscape while legacy groups maintain rare, sustained momentum, those shifts in the adversary ecosystem become the intelligence that informs what we are on the lookout for during the next investigation. For defenders, this means the Year in Review is not a theoretical document. It is a distillation of what actually happened to organizations we respond to, investigated by the people who were in the room when things broke down.

One of the most immediate and practical applications of the Year in Review is as raw material for tabletop exercises. For example, the 2024 Year in Review highlighted that identity-based attacks accounted for 60% of all Talos IR cases, with Active Directory being the focal point in 44% of those incidents. Attackers were not breaking down doors with zero-days; rather, they were walking through the front door with stolen credentials, often bypassing multi-factor authentication (MFA) through push fatigue, misconfigured policies, or the simple fact that MFA was never fully enrolled in the first place for some accounts. The 2025 Year in Review reinforces and deepens this picture. Attacks against MFA evolved significantly, with MFA spray attacks doubling down on identity and access management (IAM) infrastructure while expanding efforts against high-value privileged accounts. Device compromise attacks saw a significant rise in activity, showing that actors increasingly value reliable, repeatable access methods over one-off exploitation. These are adversary preferences that should directly shape your exercise scenarios and cybersecurity preparedness.

The 2025 Year in Review found that actors tailor their MFA attack style depending on the sector, and that manufacturing was the most impacted sector for ransomware in 2025, underscoring persistent risk to repeatedly targeted industries. If you operate in manufacturing, health care, or another sector that has appeared consistently in ransomware targeting data, your tabletop should reflect the specific TTPs directed at your vertical, not a generic ransomware exercise. Beyond tabletops, the Year in Review provides a prioritized list of what to test your detections against. Talos IR engagements reveal a consistent core of adversary tradecraft that organizations are still struggling to detect. Tools like PowerShell and Mimikatz appear in a significant portion of engagements. Remote services such as RDP and SSH continue to be abused for lateral movement. Ransomware operators are increasingly disabling security solutions before deploying payloads, and in 2024, they succeeded in doing so at an alarming rate.
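As an added example (not code from the Talos post), the following Python turns the tradecraft list above into a detection-coverage check run over constructed SIEM-style events: encoded PowerShell, Mimikatz-style credential dumping, RDP logons from sources outside an approved jump-host set, a security service being stopped, and MFA push fatigue. The event field names, the `JUMP_HOSTS` and `PROTECTED_SERVICES` sets, and the push-fatigue threshold are assumptions, not any product's schema or Talos guidance.

```python
"""Detection-coverage check for the Talos IR tradecraft listed above.

Field names (event_id, logon_type, cmdline, ...) are assumed, not a
real product schema. Windows event ids 4688 (process creation),
4624/logon type 10 (RemoteInteractive, i.e. RDP) and 7036 (service
state change) are real; the sample records themselves are constructed.
"""
from collections import Counter

# Constructed sample events; not real telemetry.
EVENTS = [
    {"host": "WS01", "event_id": 4688, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "WS01", "event_id": 4688, "image": "mimikatz.exe",
     "cmdline": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "SRV02", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.5.23", "user": "svc_backup"},
    {"host": "SRV02", "event_id": 7036, "service": "WinDefend", "state": "stopped"},
] + [{"host": "IDP", "event_id": "mfa_push", "user": "jdoe", "result": "denied"}] * 5

JUMP_HOSTS = {"10.0.9.1"}                 # assumed approved RDP sources
PROTECTED_SERVICES = {"WinDefend", "Sense"}  # assumed watch list
PUSH_FATIGUE_THRESHOLD = 5                  # assumed denied-push count per user
RULES = ("encoded_powershell", "credential_dumping_tool",
         "rdp_from_unapproved_source", "security_service_stopped",
         "mfa_push_fatigue")

def detect(events):
    """Return (rule, host-or-user) tuples for every event that matches a rule."""
    hits, denied_pushes = [], Counter()
    for e in events:
        cmd, image, eid = e.get("cmdline", "").lower(), e.get("image", "").lower(), e.get("event_id")
        if eid == 4688:
            if "powershell" in image and (" -enc" in cmd or "-encodedcommand" in cmd):
                hits.append(("encoded_powershell", e["host"]))
            if "mimikatz" in image or "sekurlsa::" in cmd:
                hits.append(("credential_dumping_tool", e["host"]))
        elif eid == 4624 and e.get("logon_type") == 10 and e.get("src_ip") not in JUMP_HOSTS:
            hits.append(("rdp_from_unapproved_source", e["host"]))
        elif eid == 7036 and e.get("state") == "stopped" and e.get("service") in PROTECTED_SERVICES:
            hits.append(("security_service_stopped", e["host"]))
        elif eid == "mfa_push" and e.get("result") == "denied":
            denied_pushes[e["user"]] += 1
    hits += [("mfa_push_fatigue", u) for u, n in denied_pushes.items() if n >= PUSH_FATIGUE_THRESHOLD]
    return hits

def coverage(hits):
    """Map each rule to whether it fired at least once; MISSED rows are your test gaps."""
    fired = {rule for rule, _ in hits}
    return {rule: rule in fired for rule in RULES}

if __name__ == "__main__":
    for rule, ok in coverage(detect(EVENTS)).items():
        print(f"{rule:28s} {'DETECTED' if ok else 'MISSED'}")
```

Swap the constructed events for exports from your own SIEM to see which of the report's tradecraft categories your telemetry never surfaces.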


This post is licensed under CC BY 4.0 by the author.