Mar 25, 2026 • Kaspersky Security Services
Anatomy of a Cyber World Global Report 2026
Executive Summary
Kaspersky's 2026 Global Report analyzes 2025 cyberattack trends based on Managed Detection and Response and Incident Response data. High-severity incidents, primarily APT attacks and red teaming, showed a decrease compared to previous years. Government and industrial sectors remain the most targeted, though IT sector incidents rose significantly. Attackers increasingly exploit Microsoft vulnerabilities for remote code execution and rely on trusted relationships, valid accounts, and public-facing applications for initial access; together these vectors account for over 80% of attacks. Living off the Land techniques utilizing standard Windows utilities like PowerShell and Mimikatz remain prevalent to evade detection. Mitigation strategies should focus on securing public-facing assets, monitoring valid account usage, and enhancing detection of legitimate tool abuse. Organizations are advised to strengthen defense systems against complex supply chain-style attacks involving compromised trusted relationships.
Summary
The Kaspersky Security Services report describes cyberattack trends and statistics revealed by the Managed Detection and Response service. The report also includes Incident Response findings based on real-world cases identified and mitigated in 2025.
Published Analysis
Kaspersky Security Services provide a comprehensive cybersecurity ecosystem, taking enterprise threat protection to another level. Services like Kaspersky Managed Detection and Response and Compromise Assessment allow for timely detection of threats and cyberattacks. SOC Consulting provides a practical approach ensuring the corporate infrastructure stays secured, while Incident Response is suited for timely remediation with a maximized recovery rate.
[Figure: High-level overview of the MDR, IR and CA connection]
This new report brings together statistics across regions and industries from our Managed Detection and Response and Incident Response services, and for the first time, it also includes insights from our Compromise Assessment and SOC Consulting services — all to provide you with a more comprehensive view of different aspects of corporate information security worldwide.
The scope of MDR and IR services
Provision of Kaspersky’s MDR and IR services follows a global approach. The CIS (34.7%), the Middle East (20.1%), and Europe (18.6%) accounted for the majority of customers.
[Figure: Distribution of customers by geographical region, 2025]
MDR telemetry
Following the previous year’s numbers, in 2025, the MDR infrastructure received and processed an average of 15,000 telemetry events per host every day, generating security alerts as a result. These alerts are first processed by AI-powered detection logic, after which Kaspersky SOC analysts handle them as required. Overall, a total of approximately 400,000 alerts were generated in 2025. After excluding false positives, 39,000 alerts were further investigated.
[Figure: MDR telemetry statistics, 2025]
Incident statistics
The distribution of remediation requests by industry has changed slightly compared to the pattern of previous years. Government (18.5%) and industrial (16.6%) organizations are still the most targeted industries with regard to cyberattacks that require incident response activities. However, this year, the IT sector saw a growth in the number of IR requests, eventually being placed third in the overall industry distribution rankings and thus replacing financial organizations, which were targeted less often than in 2024. This is equally true for smaller-scale attacks that can be contained and remediated through automated means — the only difference is that medium- and low-severity incidents are more often experienced by financial organizations.
[Figure: Distribution of all incidents by industry sector, 2025]
Key trends and statistics
This section presents key findings and trends in cyberattacks in 2025:
The number of high-severity incidents decreased, following a downward trend that we’ve been observing since 2021. APT attacks and red teaming exercises account for the majority of those incidents, which indicates two landscape trends. On the one hand, skilled adversaries make efforts to increase impact, while on the other, organizations spend more resources on probing their defense systems.
The most common vulnerabilities exploited in the wild were related to Microsoft products. Half of all identified CVEs led to remote code execution, notably without authentication in some cases.
Exploitation of public-facing applications, valid accounts, and trusted relationships remain the most popular initial vectors, and their overall share has increased, accounting for over 80% of all attacks in 2025. In particular, attacks through trusted relationships are evolving: their share has increased to 15.5% from 12.8% in 2024. They are also becoming more complex: for instance, we witnessed a case where adversaries had compromised more than two organizations in sequence to ultimately gain access to a third target.
Standard Windows utilities remain a popular LotL tool....