Tags: malware, high, Credential Theft, Identity-based Attack, Ransomware, Qilin

Apr 09, 2026 • Jerzy ‘Yuri’ Kramarz

From the field to the report and back again: How incident responders can use the Year in Review


Source
Cisco Talos Intelligence Group
Category
malware
Severity
high

Executive Summary

Cisco Talos Incident Response (IR) emphasizes utilizing their Year in Review report to enhance organizational readiness against evolving threats. The 2025 analysis highlights identity-based attacks as the primary intrusion vector, accounting for 60% of IR cases, with Active Directory compromise prevalent. The Qilin ransomware family continues to dominate the landscape, particularly targeting manufacturing and healthcare sectors. Attackers increasingly bypass multi-factor authentication via push fatigue and exploit valid credentials rather than zero-days. To mitigate these risks, defenders should operationalize intelligence by conducting targeted tabletop exercises simulating MFA bypass and lateral movement. Additionally, organizations must validate detections against common tradecraft like PowerShell and Mimikatz usage. Prioritizing detection of security solution disabling and focusing on privileged account protection are critical steps to counteract the observed shift towards reliable, repeatable access methods employed by modern ransomware affiliates.

Summary

The Year in Review distills Talos IR's observations into structured intelligence, but defenders should also be feeding this report back into their own preparation cycles. Here's how.

Published Analysis

Every year, Cisco Talos publishes Year in Review, a comprehensive look at the previous year's threat landscape. It's drawn from an enormous volume of telemetry, such as endpoint detections, network traffic, email data, and boots-on-the-ground Cisco Talos Incident Response (Talos IR) engagements. As incident responders, we see threats mid-detonation in the wreckage of an Active Directory environment, or in the lateral movement artifacts left behind by an affiliate who got in using nothing more than a valid account. The Year in Review distills those raw observations into structured intelligence, but that intelligence loop works both ways. The same report that our IR casework feeds into is the report that defenders should be feeding back into their own preparation cycles.

IR casework shapes the Year in Review, the Year in Review shapes your readiness

When Talos IR closes out an engagement with customers, the tactics, techniques, and procedures (TTPs) we observe through forensic work and analysis are catalogued, aggregated, and analyzed alongside broader Cisco telemetry. When we track the emergence of a new exploit like React2Shell redefining attacker speed, or when we see Qilin rise to dominate the ransomware landscape while legacy groups like others maintain rare, sustained momentum, those shifts in the adversary ecosystem become the intelligence that informs what we are on the lookout for during the next investigation. When we observe patterns of behavior, they may form trend lines that span multiple years and reveal how the landscape is evolving. For defenders, this means the Year in Review is not a theoretical document. It is a distillation of what actually happened to organizations we respond to, investigated by the people who were in the room when things broke down. Here are some suggestions on how to operationalize these findings.

Turning findings into tabletop scenarios

One of the most immediate and practical applications of Year in Review is raw material for tabletop exercises. The report hands you the adversary playbook. For example, the 2024 Year in Review highlighted that identity-based attacks accounted for 60% of all Talos IR cases, with Active Directory being the focal point in 44% of those incidents. Attackers were not breaking down doors with zero-days; rather, they were walking through the front door with stolen credentials, often bypassing multi-factor authentication (MFA) through push fatigue, misconfigured policies, or the simple fact that MFA was never fully enrolled in the first place for some accounts. The 2025 Year in Review reinforces and deepens this picture.

Attacks against MFA evolved significantly, with MFA spray attacks doubling down on identity and access management (IAM) infrastructure while expanding efforts against high-value privileged accounts. Device compromise attacks saw a significant rise in activity, showing that actors increasingly value reliable, repeatable access methods over one-off exploitation. These are adversary preferences that should directly shape your exercise scenarios and cybersecurity preparedness. That is a ready-made tabletop scenario. Work with your team on this exact entry scenario and walk through it just as an adversary would. An adversary authenticates to your VPN. MFA fires, but the user approves the push because they were already expecting a login prompt. The attacker is now inside your perimeter with legitimate access. What does your detection look like? How quickly do your analysts identify the anomaly? Who makes the call to force a password reset and revoke sessions? These are some good questions to cover in this scenario. The 2025 Year in Review found that actors tailor their MFA attack style depending on the...
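The tabletop scenario above ends with the question "What does your detection look like?" One concrete answer, added here as an illustration and not code from Talos or the original post, is a small detector for the push-fatigue pattern the scenario describes: a run of denied or timed-out MFA pushes for one user, followed by an approval, with the approving source IP checked against a baseline of addresses the user normally authenticates from. The event records, the baseline of known IPs, the field names and the thresholds are all constructed for this example; a real deployment would parse the IdP or VPN logs of the environment in question.

```python
"""
MFA push-fatigue detector over constructed VPN/IdP authentication events.

Flags an approval that is preceded, within a short window, by several denied
or timed-out MFA pushes for the same user, and notes whether the approving
session came from a source IP that user has never authenticated from before.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
# Fields: ISO timestamp, user, source IP, MFA push result.
SAMPLE_EVENTS = [
    ("2025-03-04T02:11:05", "jdoe", "198.51.100.23", "push_denied"),
    ("2025-03-04T02:11:41", "jdoe", "198.51.100.23", "push_timeout"),
    ("2025-03-04T02:12:20", "jdoe", "198.51.100.23", "push_denied"),
    ("2025-03-04T02:13:02", "jdoe", "198.51.100.23", "push_timeout"),
    ("2025-03-04T02:14:30", "jdoe", "198.51.100.23", "push_approved"),
    ("2025-03-04T08:00:10", "asmith", "203.0.113.7", "push_approved"),
    ("2025-03-04T08:05:00", "asmith", "203.0.113.7", "push_denied"),
    ("2025-03-04T08:06:00", "asmith", "203.0.113.7", "push_approved"),
]

# Constructed baseline: source IPs each user is normally seen from.
KNOWN_IPS = {"jdoe": {"192.0.2.10"}, "asmith": {"203.0.113.7"}}

# Assumed tuning values; adjust to the environment's normal MFA behaviour.
WINDOW = timedelta(minutes=10)
MIN_FAILED_PUSHES = 3
FAILED_RESULTS = {"push_denied", "push_timeout"}


def detect_push_fatigue(events, known_ips, window=WINDOW,
                        min_failed=MIN_FAILED_PUSHES):
    """Return one alert dict per approval that follows at least `min_failed`
    failed pushes for the same user inside `window`."""
    by_user = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), ip, result))

    alerts = []
    for user, evs in by_user.items():
        for i, (t, ip, result) in enumerate(evs):
            if result != "push_approved":
                continue
            # Failed pushes for this user that landed inside the window
            # immediately before this approval.
            failed = [e for e in evs[:i]
                      if e[2] in FAILED_RESULTS and t - e[0] <= window]
            if len(failed) >= min_failed:
                alerts.append({
                    "user": user,
                    "approved_at": t.isoformat(),
                    "source_ip": ip,
                    "failed_pushes": len(failed),
                    "new_source_ip": ip not in known_ips.get(user, set()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

Run on the constructed events, the detector raises exactly one alert, for jdoe: four failed pushes in under four minutes, then an approval from an address not in that user's baseline. asmith's single denial followed by an approval stays below the threshold, which is the kind of ordinary friction the threshold is meant to absorb. The "new_source_ip" flag is what turns the alert into a decision point for the tabletop: it is the signal on which an analyst would force the password reset and session revocation the scenario asks about.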

Linked Entities

  • Qilin