ExtraHop's 2025 Threat Landscape Report: Key Insights

The threat landscape facing organizations has reached a critical inflection point. What were once isolated security incidents have evolved into systemic risks capable of paralyzing entire industries. The 2025 Global Threat Landscape Report from ExtraHop reveals a sobering reality: organizations are experiencing fewer ransomware attacks overall, yet those that do occur are significantly more damaging and costly than ever before.

This analysis examines the report’s findings through the lens of data security and compliance, identifying the specific challenges that CISOs, compliance officers, and risk managers must address. We’ll explore how the expanding attack surface, extended detection timelines, and operational response gaps create regulatory exposure—and how unified data governance platforms can help organizations meet these challenges head-on.

Key Takeaways

  1. Ransomware attacks are fewer but far more damaging. Organizations now experience 25% fewer incidents, but average ransom payments have jumped to $3.6 million—$1 million more than 2024. Healthcare pays the highest at $7.5 million, while 70% of affected organizations ultimately pay ransoms.
  2. Extended detection times create regulatory exposure. Ransomware actors maintain access for an average of two weeks before detection, with an additional two weeks needed for containment. This four-week window makes meeting GDPR’s 72-hour and HIPAA’s 60-day notification requirements extremely difficult.
  3. Public cloud and third-party integrations are top attack surfaces. Cloud environments represent the highest cybersecurity concern at 53.8%, followed by third-party services at 43.7%. Major breaches like Snowflake (165 customers affected) and Salt Typhoon demonstrate how compromises cascade across entire customer bases.
  4. Phishing remains the leading entry point for attackers. Social engineering and phishing account for 33.7% of initial access vectors, followed by software vulnerabilities at 19.4%. Compromised credentials enable attackers to move laterally, escalate privileges, and operate undetected for extended periods.
  5. Fragmented security tools undermine SOC effectiveness. Limited environment visibility (40.98%), insufficient staffing (38.53%), and disparate, poorly integrated tools (34.04%) hinder threat response. Unified monitoring across all data exchange channels eliminates blind spots and enables faster incident correlation.

Expanding Attack Surface and Third-Party Risk

Organizations face an increasingly complex digital ecosystem where every connection point represents potential exposure. The ExtraHop report identifies three attack surfaces that security leaders view as posing the most significant cybersecurity risk.

  • Public cloud environments top the list at 53.8%, with concern particularly acute in the United States (61.6%) and the technology sector (59.2%). The 2024 Snowflake breach demonstrated how cloud platform compromises can cascade across entire customer bases. At least 165 Snowflake customers, including major organizations like Pure Storage and AT&T, experienced data exposure that ultimately affected their own customers.
  • Third-party services and integrations rank as the second-highest concern at 43.7%. The telecommunications sector views this as an equal top-tier risk alongside public cloud infrastructure. This perception stems from real-world incidents like the Salt Typhoon attacks, where threat actors compromised major providers including Verizon, AT&T, T-Mobile, and Lumen Technologies by infiltrating third-party vendors and contractors.
  • Generative AI applications represent the third-largest concern at 41.9%, ranking higher than legacy systems (23.5%) and endpoint devices (30.6%). France shows the highest level of apprehension about AI-related risks at 59%, while the UAE exhibits the lowest at 36.8%.

Compliance Implications of Attack Surface Expansion

Each external connection introduces potential data sovereignty and audit trail risks. When organizations rely on multiple SaaS platforms, email gateways, and unmanaged file-sharing services, they create fragmented control environments that make demonstrating compliance extremely difficult.

Consider the requirements under NIST CSF 2.0, ISO 27001, or GDPR Article 28 regarding processor accountability. These frameworks expect organizations to maintain comprehensive visibility into how data moves across their infrastructure and through third-party relationships. Fragmented systems make it nearly impossible to produce the evidence auditors require.

The Kiteworks Private Content Network addresses this challenge by consolidating data exchange channels under a unified control point. Organizations gain consistent visibility and policy enforcement across file transfer, email, and web form workflows—essential capabilities for proving compliance and minimizing supply chain exposure.

CISA has published guidance for organizations looking to mitigate third-party risks. Their recommendations include monitoring all devices that accept external connections, tracking user and service account logins for anomalies, maintaining current device and firmware inventories, establishing behavioral baselines with alerting rules, and confirming TLS 1.3 implementation across all capable protocols.

Ransomware Economics: Fewer Attacks, Higher Stakes

The ransomware landscape has undergone a fundamental transformation. Organizations now experience fewer but significantly more intensive incidents, reflecting a strategic shift among cybercriminals from widespread opportunistic campaigns to carefully targeted operations designed to maximize financial impact.

According to the Global Threat Landscape Report, survey respondents reported an average of 5 to 6 ransomware incidents over the past 12 months, representing approximately a 25% decrease from the nearly 8 incidents recorded in 2024. However, this overall decline masks a concerning trend: the percentage of organizations experiencing 20 or more ransomware incidents annually has tripled, rising from 0% to 3% year-over-year.

This concentration of attacks is particularly evident in critical infrastructure sectors: 20% of healthcare organizations experienced 20 or more incidents, as did 10% of government entities.

The Financial Impact

For organizations that paid ransoms, costs increased substantially. The average ransom payment reached $3.6 million—a million dollars more than the 2024 average of $2.5 million. However, this figure varies significantly by geography and sector.

  • The UAE faced the highest burden globally, with organizations experiencing an average of 7 ransomware incidents and paying ransoms 26% above the global average at $5.4 million.
  • Australia, by contrast, experienced the fewest incidents at just 4 per year and maintained the lowest average payment at $2.5 million.

Industry analysis reveals that healthcare organizations paid the highest ransoms at $7.5 million, followed closely by government at just below $7.5 million, and financial services at $3.8 million.

These figures pale in comparison to some of the year's highest-profile payments. An unnamed Fortune 50 company paid $75 million, CDK Global paid $50 million, and Change Healthcare paid $22 million.

Despite the increasing costs, 70% of affected organizations ultimately paid the ransom. Notably, however, the number of organizations that never pay has tripled, rising from 9% to 30% year-over-year.

Dwell Time and Detection Challenges

Organizations estimate that ransomware actors maintained access to their systems for an average of two weeks before detection. Government and education sectors report significantly longer dwell times of approximately 7 weeks and 5 weeks, respectively.

The report findings show that nearly a third of respondents (30.6%) only recognized they were being targeted by ransomware during or after data exfiltration had already begun. Only 17.59% detected threats during the reconnaissance phase, while 29.27% identified attacks during initial access. Detection during lateral movement and privilege escalation occurred in 22% of cases.

Compliance and Regulatory Exposure

Extended dwell times create serious notification compliance issues. Once an intrusion is detected, organizations need an additional two weeks on average to respond to and contain it, from the initial alert through resolution. The United States experiences an average of 2.8 weeks, while critical industries like government and transportation face response timelines exceeding 3 weeks.

This four-week compromise-to-containment window creates serious regulatory challenges. GDPR requires breach notification within 72 hours of becoming aware of an incident. HIPAA mandates notification within 60 days for breaches affecting 500 or more individuals. CMMC includes incident-reporting requirements that organizations must meet to maintain compliance.

Without comprehensive forensic audit trails, organizations struggle to determine data lineage and identify affected individuals—fundamental requirements for meeting regulatory obligations. The inability to quickly establish what data was accessed, when the breach occurred, and which individuals are affected puts organizations at risk of regulatory penalties on top of the operational and financial damage from the attack itself.

Kiteworks compresses the four-week compromise-to-containment window by combining prevention, anomaly detection, and immutable forensics, reducing both regulatory exposure and financial impact.

SOC Efficiency and Tool Fragmentation

Security operations centers face a complex web of challenges that collectively undermine their effectiveness. When asked about obstacles that most hinder timely threat response, the ExtraHop report found remarkably even distribution across multiple critical areas.

  • Limited visibility into the entire environment topped the list at 40.98%, followed closely by insufficient staffing and skills gaps at 38.53%.
  • Overwhelming alert volume affects 34.15% of organizations, while disparate and poorly integrated tools impact 34.04%.
  • Inefficient or manual SOC workflows challenge 33.70% of respondents, and inadequate budget or executive support affects 29.09%.
  • Organizational silos round out the list at 26.04%.

The visibility challenge proves particularly acute in specific sectors. Technology companies report visibility limitations at 44.96%, telecommunications at 43.90%, education at 51.02%, finance at 42.22%, and travel and leisure at 52.63%.

Governance Implications

Fragmented monitoring creates significant weaknesses in evidence completeness under audit. When security telemetry comes from multiple disconnected platforms, organizations face challenges in maintaining consistent data retention policies and producing comprehensive incident timelines during regulatory investigations.

Disparate logs raise the risk of inconsistent data retention and reporting gaps. Auditors examining an organization’s security posture expect to see complete, correlated evidence across all communication and data transfer channels. When file sharing happens through one system, email through another, and web forms through a third, creating a defensible audit trail becomes exponentially more difficult.

Through integration with leading SIEM systems and unified telemetry, organizations eliminate blind spots and maintain a defensible audit trail across every data channel. The Kiteworks platform provides centralized logging and monitoring that security teams can feed into existing security information and event management tools, creating comprehensive visibility without requiring organizations to replace their current investments.

Identity, Access, and Email Security

Phishing and social engineering emerged as the leading initial points of entry for attackers at 33.7% of all incidents, according to the threat landscape analysis. Software vulnerabilities represent the second-most common entry point at 19.4%, followed by third-party and supply chain compromise at 13.4%.

Compromised credentials accounted for 12.2% of initial access vectors and are increasingly becoming a primary gateway for attackers. Once obtained, stolen login details allow malicious actors to gain unauthorized access, move laterally within networks, escalate privileges to access more sensitive systems, and deploy further attacks like malware or ransomware—often operating undetected for extended periods.

Data Protection Relevance

Identity breaches frequently precede data exfiltration and supply chain compromise. Regulatory frameworks now emphasize identity proofing and least-privilege enforcement as fundamental security controls.

Attackers exploit weak multi-factor authentication implementations, misconfigured single sign-on systems, and lateral trust relationships. The Scattered Spider threat group exemplifies this approach, maintaining an aggressive operational tempo with detections reported by almost a quarter of survey respondents. The group routinely bypasses MFA and compromises help desks to secure initial network access, then sells this access to ransomware groups like ALPHV/BlackCat and RansomHub.

By isolating sensitive communications within a private email overlay, organizations shut down the most common ransomware and data-theft entry points. Kiteworks provides hardened identity and access controls including integration with enterprise identity providers, enforcement of MFA requirements, and granular permission models that implement least-privilege access across all data exchange channels.

File Transfer, Supply Chain Security, and Data Exchange Integrity

Third-party file transfer services remain high-value intrusion targets. Attackers leverage outdated managed file transfer systems or unsecured APIs for data exfiltration, creating significant compliance exposure.

Supply chain integrity is now core to CMMC 2.0 Level 2, NIS2, and DORA. Regulators expect encryption in transit, partner segmentation, and continuous monitoring across all data exchange touchpoints.

The Kiteworks platform addresses file transfer and supply chain security through several mechanisms. All data remains encrypted in transit and at rest using FIPS 140-2 validated cryptographic modules. Organizations can implement partner-specific security policies, creating segmented environments that prevent lateral movement between different external relationships. Continuous monitoring and automated alerting detect anomalous file transfer patterns that may indicate compromise or data theft attempts.

Organizations using the Kiteworks Private Content Network gain continuous monitoring capabilities and data residency assurance, meeting the stringent requirements of modern supply chain security frameworks while maintaining the operational flexibility necessary for business relationships.

Breach Readiness and Regulatory Accountability

The Global Threat Landscape Report found that mean time to containment exceeds two weeks. Many organizations lack automated forensic logging or verifiable data-access histories, creating serious legal defensibility challenges.

Operational Impact

Respondents reported an average of 37 hours of downtime per cybersecurity incident. More than half (55%) experienced 11 or more hours of downtime on average, and nearly a third reported downtime extended for two days or more.

When examining industry-specific impacts, the transportation sector reported the highest average downtime at 74 hours. This aligns with high-profile incidents like the August 2024 Rhysida ransomware attack on the Port of Seattle, which knocked systems offline for more than three weeks at Seattle-Tacoma International Airport.

Legal Defensibility Requirements

Non-tamperable audit logs are critical to demonstrate due diligence during regulatory investigations and potential litigation. Evidence automation supports cross-regulation reporting across frameworks including GDPR, HIPAA, PCI DSS, and CMMC.

Kiteworks’ immutable audit and lineage tracking turn post-incident investigations into verifiable, regulator-ready documentation. Every file access, email transmission, and form submission generates tamper-proof log entries that establish precisely what happened, when it occurred, and who was involved—the fundamental building blocks of compliance evidence.

Organizations can generate compliance reports automatically, demonstrating adherence to specific framework requirements without manual evidence gathering. This capability proves particularly valuable during breach response when organizations face compressed timelines for regulatory notification and limited internal resources due to incident management demands.
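The tamper-proof, chained log entries described above can be illustrated with a hash-chained audit log. This is an added example, not Kiteworks code: every record stores the SHA-256 of its predecessor, so an edited, deleted or reordered record breaks the chain, and an HMAC over the chain head (with a constructed demo key standing in for a key held outside the logging system) catches truncation of the newest entries. The event data and resource names are constructed.

```python
import hashlib
import hmac
import json

# Hypothetical tamper-evident audit log: each entry stores the SHA-256 of the
# previous entry, so editing, deleting or reordering a record breaks the chain.
GENESIS_HASH = "0" * 64
# Constructed secret used to seal the chain head. In practice this key lives
# outside the logging system (HSM, signing service) so that whoever can rewrite
# the log cannot also re-seal it.
SEAL_KEY = b"constructed-demo-key-not-for-production"


def _entry_hash(prev_hash, fields):
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(log, ts, actor, action, resource):
    """Append one what/when/who record, linked to its predecessor."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    fields = {"ts": ts, "actor": actor, "action": action,
              "resource": resource, "prev": prev_hash}
    entry = dict(fields, hash=_entry_hash(prev_hash, fields))
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("prev") != prev_hash
                or _entry_hash(prev_hash, fields) != entry.get("hash")):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def seal(log):
    """HMAC over the chain head; detects truncation of the newest entries."""
    head = log[-1]["hash"] if log else GENESIS_HASH
    return hmac.new(SEAL_KEY, head.encode(), hashlib.sha256).hexdigest()


def verify_seal(log, expected_seal):
    return hmac.compare_digest(seal(log), expected_seal)


def timeline(log, resource):
    """Who did what, and when, to one resource: the facts a notification needs."""
    return [(e["ts"], e["actor"], e["action"])
            for e in log if e["resource"] == resource]


def build_sample_log():
    """Constructed sample events (not real data) exercising the chain."""
    log = []
    append_event(log, "2025-03-10T02:14:05Z", "alice", "download",
                 "contracts/q3-pricing.xlsx")
    append_event(log, "2025-03-10T02:15:40Z", "alice", "share-external",
                 "contracts/q3-pricing.xlsx")
    append_event(log, "2025-03-10T08:02:11Z", "bob", "upload", "reports/march.pdf")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head_seal = seal(log)
    print("intact:", verify_chain(log), "sealed:", verify_seal(log, head_seal))
    log[1]["actor"] = "mallory"          # simulate an edit to a stored record
    print("after tampering:", verify_chain(log))
    print(timeline(log, "contracts/q3-pricing.xlsx"))
```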

Web Forms and External Endpoints

CISA warns that forms and other inbound interfaces serve as key lateral-movement entry points. Weak form validation or over-collection of personally identifiable information can trigger reportable breaches under privacy regulations.

Privacy-by-design principles demand minimal collection and retention. Organizations must implement controls that collect only necessary information, retain data only as long as required for the stated purpose, and provide secure disposal mechanisms when retention periods expire.

Secure data collection through web forms complements email and file transfer protection for complete perimeter coverage, addressing all the primary channels through which sensitive content enters and exits organizational boundaries.

Immediate Action Plan for CISOs and Compliance Teams

The ExtraHop report recommends organizations take immediate action to address the identified vulnerabilities. Security and compliance leaders should prioritize three core initiatives.

  1. Comprehensive Attack Surface Inventory

    • Create a detailed inventory of all cloud services, third-party integrations, and external data exchange points
    • Map data flows across organizational boundaries to identify where sensitive information moves between internal systems and external parties
    • Assess the security posture of each connection point, including authentication mechanisms, encryption implementation, and access controls
    • Identify gaps in visibility where data exchange occurs outside centralized monitoring and governance
  2. Unified Monitoring and Detection

    • Implement solutions that provide unified visibility across all data exchange channels, including file transfer, email, APIs, and web forms
    • Establish behavioral baselines that enable detection of anomalous activity indicating potential compromise
    • Deploy automated alerting mechanisms that notify security teams immediately when suspicious patterns emerge
    • Integrate data exchange telemetry with existing SIEM platforms to correlate sensitive content movement with other security events
  3. Automated Compliance Evidence Generation

    • Deploy platforms that automatically generate immutable audit logs for all data access and transmission events
    • Implement retention policies that align with regulatory requirements while supporting operational needs
    • Create automated reporting capabilities that demonstrate compliance with specific framework controls
    • Establish processes for rapid evidence retrieval during incident response when notification deadlines compress available time
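The behavioral baselines and alerting called for in step 2, and the anomalous file-transfer patterns mentioned in the supply chain section, can be shown with a small detector over outbound transfer telemetry. This is an added example, not the report's or Kiteworks' code: it learns each user's daily volume and known destinations from a baseline window, then flags a day whose volume exceeds the baseline by more than three standard deviations (and at least double the mean, so a near-constant baseline does not fire on noise) or a transfer to a destination the user has never used. The log lines, users, hosts and dates are constructed.

```python
import statistics
from collections import defaultdict
from datetime import date

# Constructed sample telemetry (not from the report): one outbound transfer per
# line as "timestamp user destination bytes". Alice normally sends a few MB a
# day to one partner; on 10 March she pushes 900 MB to an unknown host.
SAMPLE_LOG = """\
2025-03-03T09:12:00Z alice partner-a.example 2400000
2025-03-04T10:05:00Z alice partner-a.example 2100000
2025-03-05T11:40:00Z alice partner-a.example 3000000
2025-03-06T09:50:00Z alice partner-a.example 2600000
2025-03-07T16:20:00Z alice partner-a.example 2200000
2025-03-03T08:30:00Z bob partner-b.example 48000000
2025-03-04T08:31:00Z bob partner-b.example 52000000
2025-03-05T08:29:00Z bob partner-b.example 50000000
2025-03-06T08:33:00Z bob partner-b.example 47000000
2025-03-07T08:30:00Z bob partner-b.example 53000000
2025-03-10T02:14:00Z alice files.unknown-host.example 900000000
2025-03-10T08:32:00Z bob partner-b.example 55000000
"""

BASELINE_END = date(2025, 3, 8)   # days before this date form the baseline
SIGMA = 3.0                       # volume threshold in standard deviations


def parse(text):
    """Parse log lines into (day, user, destination, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, dest, size = line.split()
        events.append((date.fromisoformat(ts[:10]), user, dest, int(size)))
    return events


def daily_totals(events):
    totals = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    for day, user, _, size in events:
        totals[user][day] += size
    return totals


def build_baseline(events):
    """Per user: (mean daily bytes, population stdev, set of known destinations)."""
    past = [e for e in events if e[0] < BASELINE_END]
    known = defaultdict(set)
    for _, user, dest, _ in past:
        known[user].add(dest)
    baseline = {}
    for user, per_day in daily_totals(past).items():
        vals = list(per_day.values())
        if len(vals) < 2:          # too little history to model
            continue
        baseline[user] = (statistics.mean(vals), statistics.pstdev(vals), known[user])
    return baseline


def detect(events, baseline):
    """Return (user, day, reason) alerts for activity on or after BASELINE_END."""
    recent = [e for e in events if e[0] >= BASELINE_END]
    alerts = []
    for user, per_day in daily_totals(recent).items():
        if user not in baseline:
            alerts.append((user, None, "no baseline for user"))
            continue
        mean, sd, _ = baseline[user]
        for day, total in sorted(per_day.items()):
            if total > mean + SIGMA * sd and total > 2 * mean:
                alerts.append((user, day, f"volume {total} exceeds baseline {mean:.0f}"))
    for day, user, dest, _ in recent:
        if user in baseline and dest not in baseline[user][2]:
            alerts.append((user, day, f"new destination {dest}"))
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for alert in detect(evts, build_baseline(evts)):
        print(alert)
```

In a real deployment the same logic would run against telemetry exported to the SIEM, with the baseline window and thresholds tuned per channel.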

These actions transform the report's guidance into measurable operational outcomes, directly addressing the attack surface expansion, detection delays, and compliance challenges identified in the research.

What Security Leaders Need to Know

The 2025 Global Threat Landscape Report reveals three fundamental truths about modern cybersecurity. First, the attack surface continues expanding as organizations adopt cloud services, third-party integrations, and emerging technologies like generative AI—each connection point introducing additional risk. Second, detection and response timelines remain dangerously extended, giving attackers weeks to establish persistence and cause damage before organizations contain threats. Third, these operational security challenges create direct regulatory exposure as organizations struggle to meet notification requirements and produce evidence of due diligence.

The shift from high-volume opportunistic attacks to targeted campaigns means every organization faces the possibility of becoming a priority target. The increasing ransom demands, longer dwell times, and operational disruptions demonstrate that cybercriminals have refined their approach to maximize impact and financial return.

For CISOs and compliance officers, this environment demands a fundamental reassessment of security architecture. Fragmented systems that once provided adequate protection now create blind spots that sophisticated adversaries readily exploit. The evidence requirements imposed by modern regulatory frameworks cannot be satisfied through manual processes or disconnected logging systems.

Organizations need unified visibility and control across all data exchange channels. They require automated evidence generation that supports both proactive security monitoring and reactive incident response. They must compress the detection-to-containment timeline that currently gives attackers a month-long window to operate with relative impunity.

Kiteworks Private Data Network provides a measurable response to every priority area identified in the ExtraHop research. By consolidating file transfer, email, secure forms, and APIs under unified governance, organizations reduce their attack surface while simultaneously improving visibility. Automated logging and compliance reporting address the evidence generation challenges that create regulatory exposure. Integration with existing security infrastructure enables correlation and analysis without requiring wholesale technology replacement.

The threat landscape will continue evolving, but the fundamental requirements remain constant: know what you have, see what’s happening, and prove you acted with diligence. Organizations that establish these capabilities position themselves to meet both current threats and future challenges.

For a deeper assessment of how Kiteworks directly mitigates the attack vectors identified in the 2025 Global Threat Landscape Report, request a demonstration or contact the Kiteworks team for a tailored executive brief.

Frequently Asked Questions

Organizations currently take an average of two weeks to detect ransomware, with an additional two weeks to contain it. To reduce detection time, implement unified monitoring across all data exchange channels including file transfer, email, and APIs. Establish behavioral baselines with automated alerting to identify anomalous activity immediately. Integrate data exchange telemetry with your existing SIEM platform to correlate suspicious patterns. This compressed detection-to-containment window reduces both regulatory exposure and financial impact from attacks.

Extended dwell times create serious notification compliance violations. GDPR requires breach notification within 72 hours of awareness, while HIPAA mandates notification within 60 days for breaches affecting 500+ individuals. When ransomware actors maintain access for weeks before detection, organizations struggle to determine data lineage and identify affected individuals—fundamental requirements for meeting regulatory obligations. Without comprehensive forensic audit trails, you risk regulatory penalties on top of operational and financial damage from the attack itself.

Third-party services rank as the second-highest cybersecurity concern at 43.7%, as demonstrated by incidents like Salt Typhoon attacks compromising major telecommunications providers. To mitigate these risks, maintain comprehensive visibility into how data moves through third-party relationships. Implement partner-specific security policies with segmented environments preventing lateral movement. Deploy continuous monitoring with automated alerting to detect anomalous patterns. Ensure all data remains encrypted in transit and at rest using FIPS 140-2 validated cryptographic modules per CMMC 2.0 and NIS2 requirements.

SOC effectiveness is hindered by limited visibility (40.98%), insufficient staffing (38.53%), and disparate tools (34.04%). To improve response times, consolidate security telemetry from multiple platforms into unified monitoring systems. Eliminate blind spots by centralizing logging across all communication and data transfer channels. Integrate file sharing, email, and web forms under one governance framework that feeds into existing SIEM tools. This approach maintains comprehensive audit trails without requiring technology replacement, enabling faster correlation during investigations.

Manual compliance evidence gathering becomes impossible when managing GDPR, HIPAA, PCI DSS, and CMMC simultaneously. Deploy platforms that automatically generate immutable audit logs for all data access and transmission events. Implement retention policies aligned with regulatory requirements and create automated reporting demonstrating adherence to specific framework controls. Every file access, email transmission, and form submission should generate tamper-proof log entries establishing what happened, when, and who was involved—enabling rapid evidence retrieval during incident response when notification deadlines compress available time.
