Forescout’s 2025 Threat Roundup Report Finds 84% More Cyberattacks Using Operational Technology Protocols

Snapshot of the global threat landscape includes surges in abuse of cloud services, rise in globally distributed attacks, and increased threats targeting critical infrastructure

Forescout Technologies Inc., a global leader in cybersecurity, released its “2025 Threat Roundup” report, an analysis of the global threat landscape and notable trends cyber defenders need to know in 2026. Forescout Research – Vedere Labs reviewed more than 900 million attacks globally between January and December 2025.

Cyberattacks became more globally distributed and increasingly cloud-enabled in 2025. Threat actors focused more on exploiting rapidly shifting infrastructure, OT protocols, vulnerable web apps, and emerging AI platforms while increasingly targeting critical industries including healthcare, manufacturing, government, energy, and financial services.

Download the full report and read the accompanying blog.

“The 2025 Threat Roundup shows how quickly threat actors are adapting to new technology trends – abusing cloud services and fast-cycling Autonomous Systems, and even components in popular AI development stacks like Langflow,” said Barry Mainz, Forescout CEO. “To combat these threats in 2026, organizations must monitor East-West traffic and prioritize threat containment to stop attackers from moving laterally across environments. Deeper visibility, enhanced risk assessment, and proactive controls are non-negotiables for defenders.”

Forescout Research – Vedere Labs “2025 Threat Roundup” Key Findings

Cyberattacks were more globally distributed

  • Attacks originated from 214 different countries and territories, with most threat actors originating from China, Russia, and Iran.
  • Attackers are using IP addresses registered in a wider array of countries. The top 10 countries accounted for 61% of malicious traffic observed, down 22% compared to 2024.
  • The United States was the most targeted country, followed by India and Germany. Compared to 2024, India and Germany swapped places on the list, but remained in the top three most targeted countries.
  • Although the numbers of cyber criminals and state-sponsored actors were similar, cyber criminals were responsible for nearly six times more cyber incidents than state-sponsored actors.

Attack infrastructure and tactics evolved quickly

  • The abuse of Amazon and Google infrastructure alone was responsible for more than 15% of attacks observed in 2025, up from 11% in 2024.
  • Network infrastructure used for malicious activity, including Autonomous Systems, shifted rapidly, partly due to intense law enforcement disruption. Two of the top 10 most exploited Autonomous Systems from 2024 dropped off the list entirely in 2025, while three new entries had not previously ranked in the top 500.
  • Web applications remained the most attacked service type at 61%, up from 41% in 2024, followed by remote management protocols at 15%.

Exploitation grew across IT, IoT, and OT

  • Attacks using OT protocols surged by 84%, led by Modbus (57%), Ethernet/IP (22%), and BACnet (8%).
  • Exploits against IoT devices increased from 16% to 19%, with IP cameras and NVRs the most frequent targets.
  • Exploits targeting network infrastructure devices remained the second most common attack category, representing 19% of all observed exploits.

Vulnerabilities increased — and exploitation patterns shifted

  • 242 vulnerabilities were added to CISA KEV, a 30% increase YoY, and 285 were added to the Vedere Labs KEV, a 213% increase YoY.
  • Attackers continue to exploit issues not prioritized by major advisories; 71% of exploited vulnerabilities were not in the CISA KEV catalog.
  • Langflow, an open-source, low-code AI development platform, was one of the most exploited new vulnerabilities, showing that as AI adoption accelerates, its underlying tools are becoming attractive targets.

“Threat actors are devoting far more effort to reconnaissance, with discovery activity now accounting for 91% of post-exploitation actions,” said Daniel dos Santos, Vice President of Research at Forescout. “That’s up from just 25% in 2023 – a dramatic increase that shows attackers are spending more time interacting with breached systems to understand what’s inside or to identify other targets within the network. This shift gives defenders a larger window to detect compromise before more damaging actions – such as exfiltration, deletion or encryption – can occur. Holistic visibility, early detection of discovery behaviors, and network segmentation across IT, IoT, and OT environments are critical to prevent lateral movements and stop modern attacks.”
