
Leading cyber security solutions provider Rapid7 has provided its top three predictions for 2025. The Nasdaq-listed company, which has a global footprint, had its Washington DC-based Vice President of Global Government Affairs and Public Partnerships, Sabeen Malik, and UK-based Chief Scientist Raj Samani look into their crystal ball. These are their three predictions for 2025.
Prediction 1 – Greater visibility will act as a life preserver for security teams treading water across an increasingly complex attack surface.
According to Gartner, more than 80% of organisations do not understand their attack surface. That is an issue, says Raj: “You can’t protect what you don’t know, and protecting a corporate network environment has become incredibly difficult – and that goes for on-prem as well as off-prem.
“We talk about commanding your attack surface which is more than just getting visibility. Knowing what you own is one thing and the potential vulnerabilities that come with that. We use the term life preserver. But within our industry the foundation of everything we do should be around transparency and transparency of your asset.”
Sabeen adds: “The idea at the core of it is not the consumer, not just the individual, but as a company, as an enterprise, you should also know what does my footprint actually look like? But I really can't know what I'm going to be dealing with in terms of my risk profile if I don't know everything that potentially I could know about my footprint that's out there in the world today.”
Raj says an organisation may know it has four, five or six different products and solutions that provide visibility of its attack surface. “But you go to those five or six different products, and every single one of them will have different asset counts. And all of a sudden, you're like, okay, how many assets do I actually have? And that becomes the challenge. How do I normalise my understanding of my asset or my attack surface when I've got so much conflicting information? I think that's where we move away from this arcane concept of shadow IT towards commanding your attack surface, which is understanding the number of assets I have in my environment.”
What organisations should put in place
Sabeen says: “You have to really prioritise. Understand your risk and how are you mapping those things. What are the business critical things that you have in terms of both your applications, your data, your architecture? Do you understand where you are in terms of the threats that are both offline, online, but more importantly, how much of the data and the assets that you think are important to you, your enterprise and frankly, the world?”
Raj said: “We've seen the growth and rising of CAASM. I think part of the reason we've seen this is the ability to be able to incorporate continuous monitoring into an environment. Long gone are the days where you just kind of go, oh, well, I'm going to do a monthly scan and then we'll see what pops up.
“It's the same with auditing and regulatory compliance. If you do it once a year or once a month, you are going to miss a lot. For me, yes, we can talk about mapping your attack surface strong and governance or prioritisation. But for me the most important thing is broadening out your ingestion pipeline to be able to gather data from a multitude of sources, being able to normalise that, and being able to prove and have a demonstrable methodology around why selecting this as an asset over this is not an asset. And I think that, for me, is the foundation of where we kind of move forward.”
Your action plan
- Understand and map your entire attack surface including cloud and on-premise assets, identities, third party supply chain and external scanning for shadow IT use
- Prioritise risk by mapping exposed assets to business-critical applications and sensitive data
- Establish continuous monitoring and reporting across the different attack surfaces and include security control assessment and validation
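The reconciliation problem Raj describes (several tools, each reporting a different asset count for the same estate) is a data-normalisation exercise, so here is an added worked example of it. This is illustrative code written for this article, not Rapid7's tooling; the three inventories are constructed sample data, and the identifier rules (short lowercase hostname, IP, cloud instance ID, MAC) and the rule that a record with none of those identifiers is rejected are a hypothetical policy, included only to show what a "demonstrable methodology" for deciding what counts as an asset looks like in practice.

```python
"""Normalise conflicting asset inventories into one deduplicated asset count.

Example code written for this article (not Rapid7's). All inventories below
are constructed sample data; the identifier policy is hypothetical.
"""
from collections import defaultdict

# Three tools describing the same estate with different identifiers and
# different spellings. Constructed sample data, not a real environment.
SOURCES = {
    "vuln_scanner": [
        {"hostname": "WEB01.corp.example", "ip": "10.0.1.10"},
        {"hostname": "db01", "ip": "10.0.1.20"},
        {"ip": "10.0.1.99"},                        # unauthenticated scan, IP only
    ],
    "cloud_inventory": [
        {"instance_id": "i-0abc", "ip": "10.0.1.10", "hostname": "web01"},
        {"instance_id": "i-0def", "ip": "10.0.1.30"},
        {"instance_id": "i-0ghi"},                   # stopped instance, no IP yet
        {"name_tag": "scratch-volume"},              # no stable identifier at all
    ],
    "edr_agents": [
        {"hostname": "web01.corp.example", "mac": "aa:bb:cc:00:00:01"},
        {"hostname": "DB01.corp.example", "mac": "AA-BB-CC-00-00-02"},
        {"hostname": "laptop-7", "mac": "aa:bb:cc:00:00:03"},
    ],
}

# The documented policy: which fields identify an asset and how each is
# normalised. A field not listed here is never used to count or link assets,
# which is exactly the "why this is not an asset" decision that must be
# explainable to an auditor.
IDENTIFIER_RULES = {
    "hostname": ("host", lambda v: v.lower().split(".")[0]),   # strip FQDN suffix
    "ip": ("ip", str.strip),
    "instance_id": ("cloud", str.lower),
    "mac": ("mac", lambda v: v.lower().replace("-", ":")),
}


def identifiers(record):
    """Return the set of normalised identifier keys for one raw record."""
    keys = set()
    for field_name, (prefix, normalise) in IDENTIFIER_RULES.items():
        value = record.get(field_name)
        if value:
            keys.add(f"{prefix}:{normalise(value)}")
    return keys


class UnionFind:
    """Disjoint-set structure used to merge records that share any identifier."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]
            i = self.parent[i]
        return i

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def reconcile(sources):
    """Merge all source records into unified assets.

    Returns (assets, rejected): assets is a list of dicts with the union of
    identifiers and the set of sources that saw the asset; rejected lists
    records that carried no identifier under the policy and so are not counted.
    """
    records, rejected = [], []
    for source, recs in sources.items():
        for rec in recs:
            keys = identifiers(rec)
            (records if keys else rejected).append((source, keys or rec))
    uf = UnionFind(len(records))
    first_seen = {}                       # identifier key -> first record index
    for idx, (_, keys) in enumerate(records):
        for key in keys:
            if key in first_seen:
                uf.union(idx, first_seen[key])
            else:
                first_seen[key] = idx
    merged = defaultdict(lambda: {"identifiers": set(), "sources": set()})
    for idx, (source, keys) in enumerate(records):
        asset = merged[uf.find(idx)]
        asset["identifiers"] |= keys
        asset["sources"].add(source)
    return list(merged.values()), rejected


def coverage_report(assets, sources):
    """Per-source counts versus the unified total, plus single-source assets."""
    return {
        "unified_total": len(assets),
        "per_source": {s: sum(s in a["sources"] for a in assets) for s in sources},
        "single_source": sum(len(a["sources"]) == 1 for a in assets),
    }


def missing_from(assets, source):
    """Assets that every other tool saw but this one did not (coverage gaps)."""
    return [a for a in assets if source not in a["sources"]]


if __name__ == "__main__":
    assets, rejected = reconcile(SOURCES)
    print(coverage_report(assets, SOURCES))
    print("rejected (no identifier):", rejected)
    for a in missing_from(assets, "edr_agents"):
        print("no EDR agent:", sorted(a["identifiers"]))
```

Each tool reports three assets, yet the unified estate has six, and four of them are seen by only one tool; those single-source assets (the IP-only scan hit, the cloud instances with no agent, the laptop unknown to the scanner and cloud inventory) are where shadow IT and coverage gaps live. The rejected record shows the other half of the methodology: a cloud object with only a name tag is deliberately not counted, and the rule that excludes it is written down in `IDENTIFIER_RULES` rather than buried in someone's head.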
Prediction 2 – To thrive in a world where regulatory change is an ongoing concern, SecOps should prepare for both the predictable and the unpredictable.
According to Gartner, by 2029, 60% of enterprises that do not deploy a unified CNAPP solution within their cloud architecture will lack extensive visibility into the cloud attack surface and consequently fail to achieve their desired zero-trust goals.
Adaptability is going to be key in 2025 for Security Operations (SecOps) teams as regulatory demands react to ransomware, nefariously deployed AI and other widespread threats. These SecOps teams will need to adapt quickly to handle shifting compliance standards and emerging attack methods.
Sabeen says that SecOps teams will need to be more nimble than ever before. “These teams are our canary in the coal mine – always there, always at the forefront when we are dealing with a crisis response.
“In terms of the regulatory part, more effort is going to have to be put towards thinking about how teams are designed, as they will need to be responsive both in their incident response times as well as in the way they deal with day-to-day operations.
“We will keep coming back to the fact the unifying thread is extensive visibility, that’s continuous and in real time. SecOps teams are going to want information in real time and be more nimble and not just have check box exercises. This means more frequent updates to vulnerability plans and investment in real-time monitoring.”
Raj said he was feeling a little positive, having read a lot of the requirements coming through. “I’ve gone, well, if security drives compliance then almost every organisation shouldn’t be concerned. But if compliance is driving security, then you’re literally going to be reacting every single time. The opportunity is there for organisations to start to implement a formalised SMS and considering intelligence-led prioritisation.”
Raj said one of the biggest concerns looming is around mandates from governments in the banning of ransomware payments. “I think this could dramatically impact the industry.”
Sabeen adds: “The idea that there could be multiple different types of scenarios where, in certain regions, you may not be able to institute a payment without then informing. Having a plan in place where you're going to need to be making some calls besides just getting that payment out the door, is something that you're going to have to scenario plan, because we see a future where there might be at least three or four different types of scenarios based on region, even based on country, where it might not be uniform.”
Action plan
- Staying resilient will require frequent updates to incident response and vulnerability plans, investment in real-time monitoring, and aligning processes with evolving regulatory requirements such as DORA, CCPA, NIS2 and the SEC
- Create a Zero Trust roadmap – conduct risk assessments and identify gaps, and leverage exposure and attack surface data together with threat intelligence to deliver threat-informed defence
- Regularly assess and update SecOps practices to handle new threats and ensure that the team is prepared for rapid regulatory or technological shifts
Prediction 3 – Cyber criminals will increasingly exploit zero-day vulnerabilities, expanding potential entry points and bypassing traditional security measures to deliver more ransomware attacks.
Raj says the reason we are seeing such a growth in ransomware and the demand and exponential increase in payments is because there are individuals that develop the code and individuals that go out and break into companies and deploy that code.
“The cybercrime ecosystem is effectively just flourishing enormously. What we have seen over the past year is ransomware groups have now got access to novel, new initial entry vectors.
“What’s happening now is that I suspect, and again we don’t know for sure, but if a ransomware group has access to these zero-days that can be used for an initial entry vector, it can be used as a vehicle to attract more affiliates. And perhaps the bigger concern is, does that then mean that the operational and technical proficiency of the affiliate can be lower? In other words, are they lowering the technical barriers to enter this particular market space? All of which kind of reveals that 2025 could be very bumpy.”
Sabeen added: “Individual businesses are at the short end of the stick when they are asked to make a ransomware payment. When you corroborate the how and why with the amount of money that is being asked for, every year it is going up. It is a critical issue to the point where the Counter Ransomware Initiative – the largest globally to try to combat the issue – is at its largest membership it has ever had.
“This ecosystem that has developed is becoming very professional and because of that we need to ask ourselves what are the pain points they are going to be experiencing and what stage are we going to say what other things can we do to take the air out of them to be able to professionalise.”
Action plan
- Continuously monitor both on-premise and cloud assets for vulnerabilities and exposures, looking to automate remediation for zero-day threats
- Enforce multi-factor authentication, adopt least privilege access policies and monitor for credential misuse to prevent lateral movement
- Use automation to improve threat detection and response, conduct regular tabletop exercises and partner with Managed Detection and Response providers/MSSPs for 24/7 monitoring