CrowdStrike’s 2025 Global Threat Report sketches a threat landscape that should unsettle defense-focused networks and cyber-physical operators. The headlines are stark but precise: a sharp uptick in state-backed espionage from China, rapid weaponization of generative AI for social engineering, and a continuing march away from commodity malware toward identity-first intrusions that exploit legitimate access. Each of these trends shifts the operational calculus for defenders who protect hybrid infrastructures, including constrained platforms such as unmanned aerial systems and other kinetic nodes.

The numbers matter because they map directly to attacker tradecraft. CrowdStrike observed a 150 percent increase in China-nexus espionage activity in 2024, with some critical sectors experiencing threefold rises in targeting. For defenders in defense and aerospace, that means the adversary focus has broadened beyond IT into operational technology, supply chain partners, and third-party engineering firms that touch mission systems. Intelligence and network defenders must assume increased scrutiny and prioritize segmentation of mission-critical control planes.

Generative AI is not a hypothetical enabler anymore. CrowdStrike reports a 442 percent increase in voice phishing operations between the first and second halves of 2024 as bad actors used AI to scale convincing impersonations and orchestration of social attacks. The downstream effect is obvious: human-centric controls and static training are no longer sufficient. Operators should treat high-confidence human interactions in sensitive workflows as suspect by default, build resilient multi-step verification for critical actions, and instrument out-of-band confirmation channels into operational procedures.

Perhaps the most operationally disruptive finding is the prevalence of malware-free initial access. CrowdStrike’s data shows that 79 percent of observed initial access events were malware-free, relying instead on stolen credentials, identity compromise, or living-off-the-land techniques that blend into legitimate activity. When attackers log in as valid users, traditional signature and detection approaches fail. This reality elevates identity threat detection and response as the primary control plane for stopping adversaries early. Prioritize continuous identity telemetry, behavioral baselining, and rapid privileged session controls.

The speed of modern attacks compresses reaction windows to near-zero. The report highlights record-breaking breakout times down to 51 seconds in one observed incident. For mission assurance teams, that number is a warning: pre-authorization trust and delayed detection are liabilities. Automate containment playbooks, enforce least privilege by default, and adopt microsegmentation so that a compromised account or node cannot immediately traverse to high-value assets. These automated controls need to be tested under red-team scenarios that simulate rapid lateral movement.
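The two points above (malware-free access that looks like a valid login, and breakout measured in seconds) come together in identity-centric detection. As an added illustration that is not part of the report or this article, the following Python sketch baselines each identity's usual source addresses from a history window, then flags a login from an unseen source that is followed within a short window by a privileged action, and emits a containment decision for that identity. All event records, user names, addresses and the 60-second window are constructed for the example; the field names and rule thresholds are assumptions, not CrowdStrike's telemetry schema.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed threshold: the report cites a 51-second breakout, so treat any
# privileged action within a minute of a suspicious login as a fast breakout.
BREAKOUT_WINDOW_S = 60


@dataclass(frozen=True)
class Event:
    ts: int       # epoch seconds
    user: str     # identity that authenticated (human or machine)
    src: str      # source address (constructed values below)
    action: str   # "login", "priv_use" or "host_access"
    target: str   # service or host that was touched


# Constructed history window used to learn each identity's normal sources.
HISTORY = [
    Event(1_700_000_000, "ops.alice", "10.10.1.20", "login", "vpn"),
    Event(1_700_000_300, "ops.alice", "10.10.1.20", "host_access", "telemetry-01"),
    Event(1_700_003_600, "svc.maint", "10.20.5.7", "login", "ci"),
]

# Constructed live events: ops.alice logs in from an address never seen for that
# identity and reaches a privileged target 40 seconds later; svc.maint behaves
# exactly as its baseline predicts.
LIVE = [
    Event(1_700_100_040, "ops.alice", "198.51.100.23", "priv_use", "flight-ctrl-admin"),
    Event(1_700_100_000, "ops.alice", "198.51.100.23", "login", "vpn"),
    Event(1_700_100_100, "svc.maint", "10.20.5.7", "login", "ci"),
    Event(1_700_100_700, "svc.maint", "10.20.5.7", "host_access", "build-03"),
]


def build_baseline(history):
    """Map each identity to the set of source addresses seen in the training window."""
    baseline = defaultdict(set)
    for e in history:
        baseline[e.user].add(e.src)
    return baseline


def detect(events, baseline, window=BREAKOUT_WINDOW_S):
    """Run the identity rules over a batch of events.

    Returns (alerts, isolate): alerts is a list of (kind, user, detail) tuples in
    time order; isolate is the sorted list of identities whose sessions should be
    cut by an automated playbook. Events are sorted first because collectors
    frequently deliver them out of order.
    """
    alerts = []
    last_login = {}   # user -> most recent login Event
    isolate = set()
    for e in sorted(events, key=lambda x: x.ts):
        # An identity with no baseline at all is treated as an unknown source:
        # fail closed rather than silently trusting a brand-new account.
        known_sources = baseline.get(e.user, set())
        if e.action == "login":
            last_login[e.user] = e
            if e.src not in known_sources:
                alerts.append(("new_source_login", e.user, e.src))
            continue
        login = last_login.get(e.user)
        if login is None:
            # Activity with no preceding authentication in view: a visibility gap.
            alerts.append(("action_without_login", e.user, e.target))
            continue
        from_unknown = login.src not in known_sources
        fast = (e.ts - login.ts) <= window
        if e.action in ("priv_use", "host_access") and from_unknown and fast:
            alerts.append(("fast_breakout", e.user, f"{login.src} -> {e.target} in {e.ts - login.ts}s"))
            isolate.add(e.user)   # hand off to the containment playbook
    return alerts, sorted(isolate)


if __name__ == "__main__":
    found, to_isolate = detect(LIVE, build_baseline(HISTORY))
    for alert in found:
        print(alert)
    print("isolate:", to_isolate)
```

The rule is deliberately narrow: a privileged action from a known source, or a slow one from a new source, is left to lower-severity review, while the combination of unseen source and seconds-scale escalation is treated as actionable on its own. The `action_without_login` branch is the check for the visibility gaps the report warns about; a feed that routinely produces it is missing the login events the rest of the logic depends on.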

Identity is the pivot here, and vendors and analysts are responding. Independent assessments are already elevating identity threat detection and response as a critical capability, pointing to platform approaches that unify endpoint, cloud, and identity telemetry for faster detection and automated response. Defense programs should evaluate solutions that integrate non-human identity posture, continuous authentication, and automated remediation into a single control plane so defenders can correlate cross-domain events quickly.

What this means for defense operators and those managing cyber-physical systems

1) Treat identities as mission assets. Move beyond episodic MFA and password hygiene. Implement continuous authentication, non-human identity lifecycle management for machine and agent accounts, and identity posture checks that gate access to flight control, avionics, and command-and-control services.

2) Eliminate blind spots across endpoint, cloud, and identity. Cross-domain attacks exploit gaps. Consolidated telemetry and an enterprise-wide mapping of trust relationships let SOC analysts and automated playbooks detect anomalous use of legitimate credentials before escalation.

3) Harden human processes that enable vishing and social engineering. For any operation that alters mission-critical state, require multi-party approvals with out-of-band verification and recordable audit trails. Train staff with realistic, AI-enhanced simulations and institutionalize procedures that assume voice and message spoofing are probable.

4) Emphasize speed through automation and tabletop validation. With breakout times at seconds, manual workflows are too slow. Implement automated isolation triggers tied to behavioral anomalies and test them frequently with live exercises that reflect real attacker timelines.

5) Protect non-human and machine identities. Autonomous agents, CI/CD systems, and maintenance tooling are new targets. Maintain strict credential hygiene, rotate machine keys, and require posture attestation before any agent can interact with critical systems.

6) Prioritize vulnerability research that maps to initial access vectors. CrowdStrike’s analysis tied a significant portion of exploited weaknesses to entry-stage vulnerabilities. Vulnerability management must be risk-prioritized by exploitability and by exposure to identity or external trust boundaries.

Operationalizing these steps requires cultural shifts. Defense organizations must accept that perimeter assumptions are obsolete and that adversaries now move across cyber and kinetic boundaries by abusing trust. Investments in telemetry fusion, identity-first detection, and validated automation pay dividends in reducing attacker dwell and preventing rapid escalation into the physical domain.

The CrowdStrike 2025 findings are a directional preview of what defenders will confront across the rest of the year. For teams responsible for protecting drones, sensors, and integrated mission systems, the takeaways are practical and urgent: assume identity compromise, assume AI-augmented social engineering, and build detection and response that acts at machine speed. The work begins with mapping trust, closing visibility gaps, and automating containment so that when attackers try to convert a login into a kinetic outcome they are stopped early and cleanly.