Web and infrastructure attacks now blend in

The old picture of a cyberattack was loud and fairly easy to imagine. A suspicious attachment lands in an inbox. Malware runs. Antivirus fires. A login fails five times in a row from the wrong country. A website slows under a flood of traffic. Security teams still see those things, but the attacks that do the most damage now often arrive dressed as ordinary activity. They look like valid sessions, legitimate API calls, approved remote tools, trusted cloud workflows, help desk interactions, or routine admin behavior. That shift is a big reason web and infrastructure attacks feel more sophisticated today. It is also why they are harder to catch.

The evidence from 2025 and early 2026 points in the same direction. Microsoft describes initial access as a mix of technical exploits, social engineering, legitimate platform abuse, and stealthy evasion. CrowdStrike’s 2025 global report says 79% of the attacks used to gain initial access were malware-free, and Mandiant reports that stolen credentials rose to the second most common initial infection vector in 2024. Google’s cloud research shows weak or absent credentials, misconfigurations, and API or UI compromise are still the main ways attackers get in. Verizon’s 2025 DBIR adds another uncomfortable detail: vulnerability exploitation kept rising, especially on edge devices and VPNs, while third-party involvement in breaches doubled.

That combination changes the job of defense. The question is no longer only “Can we block malicious code?” It is also “Can we tell the difference between a real admin and a stolen admin session, a real developer action and a poisoned pipeline, a real customer request and a scripted API abuse pattern, a real outage and a deliberate infrastructure attack?” The organizations that still anchor detection to old signals alone are the ones most likely to miss the intrusion until a partner, a vendor, or the attacker tells them it happened. Mandiant says 57% of organizations first learned of a 2024 compromise from an external source. That is the clearest sign of all that stealth, not brute force, now defines the real contest.

The old signs are disappearing

Attackers have not become magical. They have become disciplined. They now get better results by blending into normal systems than by smashing through them. Microsoft’s 2025 report puts it plainly: campaigns are no longer dominated by simple phishing. They are built as multi-stage chains that combine exploits, social engineering, infrastructure abuse, and evasion through legitimate platforms. The point is not just access. The point is access that looks routine long enough to survive.

That is why living-off-the-land techniques matter so much. A living-off-the-land intrusion uses tools already present in the target environment or tools that defenders normally trust. NSA and its partners warn that these attacks are hard to detect because they rely on existing system tools instead of dropping obviously malicious code, and they appear across on-prem, cloud, and hybrid environments. Microsoft’s reporting describes the same logic from another angle: attackers are increasingly “logging in” rather than breaking in, using stolen credentials, trusted apps, rogue virtual machines, infostealers, and service identities to operate quietly.

That shift breaks a lot of older security assumptions. Antivirus remains necessary, but it sees only part of the fight. A firewall still matters, but it cannot tell whether a valid cloud session token was stolen from a browser. Endpoint tools matter, but they lose visibility when the attacker spends most of the operation inside SaaS, identity, or control-plane layers. CrowdStrike’s 2025 reporting captures the effect with brutal clarity: most detections in 2024 were malware-free, the average eCrime breakout time fell to 48 minutes, and the fastest recorded breakout took just 51 seconds. A security team built around slow triage and isolated tools is already behind before the incident is formally “confirmed.”

That does not mean the noisy attack disappeared. DDoS campaigns still explode across internet infrastructure, and exploitation of exposed services is still common. Cloudflare saw DDoS attacks more than double in 2025, with 47.1 million mitigated over the year and attack sizes rising sharply. IBM’s 2026 index reports a 44% year-over-year increase in the exploitation of public-facing software or system applications. What changed is the relationship between the loud part and the quiet part. The attack you notice may be only the distraction, the pressure campaign, or the final act. The real breach may have begun days earlier through a stolen identity, a misconfigured service, or a third-party secret exposed in code.

Old assumptions that no longer hold

Old assumption | Current reality
--- | ---
Malware is the main signal of compromise | Many high-impact intrusions are malware-free and rely on valid credentials, admin tools, or cloud-native actions
Network perimeter controls are enough | Identity, APIs, SaaS, cloud workloads, and third parties sit outside the old perimeter model
Strange traffic always looks strange | Attackers now mimic normal user, developer, and service behavior
Response teams will spot a breach internally | External notification still reveals a large share of compromises
Patching servers solves most of the problem | Edge devices, VPNs, SaaS identities, secrets, and pipelines remain exposed in different ways

The table is simple on purpose. Most security gaps today come from teams defending yesterday’s architecture with yesterday’s mental model. NIST’s zero trust guidance, recent incident-response guidance, Microsoft’s identity findings, and Mandiant’s detection data all point in the same direction: resource-centric security, stronger telemetry, and identity-focused control are no longer optional upgrades. They are the baseline for seeing what is actually happening.

Identity has replaced the noisy front door

If one layer best explains why attacks are harder to detect, it is identity. A stolen identity lets an attacker skip many of the signals defenders used to rely on. There may be no malware. There may be no exploit chain visible on the endpoint. There may be no obvious brute-force burst. A valid account signs in, touches email, queries cloud services, opens shared folders, and requests access tokens. That can look exactly like work.

Microsoft’s 2025 report shows how central identity has become. It says more than 97% of observed identity attacks were password spray or brute force, and it argues that modern MFA reduces the risk of identity compromise by more than 99%. Yet the same report also shows why identity remains difficult ground for defenders: attackers are moving toward workload identities, app permissions, session abuse, application consent, and even theft of signing keys that would let them impersonate authentication systems themselves. That is not just account compromise. That is trust-layer compromise.
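Password spray is the clearest case of an identity attack that hides inside ordinary-looking failures: one source tries one or two passwords against many accounts, so per-account lockout thresholds never fire. The following is an added example (not from the article or any vendor product) showing the detection turned the other way round, grouping failures by source rather than by account, and escalating when a success follows the pattern, which is the moment failed sign-ins become a valid session. The sign-in records, IP addresses, account names, and thresholds are all constructed for the illustration.

```python
"""Spotting a password spray in sign-in telemetry (added example).

A spray is the inverse of brute force: one source, many accounts, one or two
guesses each. Grouping by source instead of by account makes it visible; a
success after the pattern is the alert that matters.
"""
from collections import defaultdict

# Constructed sign-in log: six accounts get one guess each from one source,
# then that source succeeds against the sixth account.
SIGNINS = [
    {"ts": "2025-06-01T03:00:01Z", "user": f"user{i}@example.test",
     "ip": "203.0.113.9", "result": "fail"}
    for i in range(1, 7)
] + [
    {"ts": "2025-06-01T03:00:09Z", "user": "user6@example.test",
     "ip": "203.0.113.9", "result": "success"},
    # Benign: one user mistypes twice, then succeeds from a known office address.
    {"ts": "2025-06-01T08:00:00Z", "user": "carol@example.test",
     "ip": "198.51.100.7", "result": "fail"},
    {"ts": "2025-06-01T08:00:05Z", "user": "carol@example.test",
     "ip": "198.51.100.7", "result": "fail"},
    {"ts": "2025-06-01T08:00:12Z", "user": "carol@example.test",
     "ip": "198.51.100.7", "result": "success"},
]

MIN_ACCOUNTS = 5       # assumption: distinct accounts failing from one source
MAX_PER_ACCOUNT = 2    # assumption: a spray stays under per-account lockout


def detect_spray(signins):
    """Return {ip: finding} for sources whose failures are low per account but wide across accounts."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    successes = defaultdict(set)                     # ip -> users with a successful sign-in
    for s in signins:
        if s["result"] == "fail":
            fails[s["ip"]][s["user"]] += 1
        else:
            successes[s["ip"]].add(s["user"])

    findings = {}
    for ip, per_user in fails.items():
        low_and_wide = (len(per_user) >= MIN_ACCOUNTS
                        and max(per_user.values()) <= MAX_PER_ACCOUNT)
        if low_and_wide:
            # Accounts the source both guessed at and later signed into: those
            # are live sessions, not just noise, so severity goes up.
            compromised = sorted(set(per_user) & successes[ip])
            findings[ip] = {
                "accounts_targeted": len(per_user),
                "sessions_gained": compromised,
                "severity": "critical" if compromised else "high",
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(SIGNINS).items():
        print(ip, finding)
```

Carol’s two typos from a known address never trip the rule because her failures are concentrated on one account; the spraying source does, and the success against the sixth account is what turns the finding from "high" into "critical".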

Mandiant’s data tells a similar story from incident response. Exploits were still the top initial infection vector in 2024, but stolen credentials rose to second place. In cloud compromises, email phishing led at 39%, stolen credentials sat at 35%, and both SIM swapping and voice phishing appeared as meaningful access paths. That mix matters because it shows identity theft is not one technique. It is an ecosystem. Help desk deception, infostealers, reuse of leaked passwords, session cookie theft, access broker markets, OAuth abuse, and cloud login hijacking all feed the same result: the attacker operates through identity instead of around it.

CrowdStrike reinforces the point from a different angle. Its 2025 report highlights a 50% rise in access broker advertisements and a 442% jump in voice phishing between the first and second half of 2024. Microsoft also notes growing use of email bombing, vishing, and Teams impersonation to pose as internal support and gain remote access. These are not old-school “Nigerian prince” scams with better grammar. They are operationally mature intrusion methods built to harvest trust, not just credentials. Once the attacker is treated as IT support, a contractor, a real employee, or an authorized cloud application, detection gets much harder.

This is where older security language starts to fail. People still talk about “the perimeter,” but NIST has been saying for years that the perimeter is no longer the right anchor. Zero trust shifts security away from static network location and toward users, assets, and resources. That change was not academic. It described the environment attackers were already exploiting: remote users, BYOD, SaaS, cloud resources, and hybrid identity. An attacker with a valid sign-in no longer has to cross a wall. They walk through a door the business opened for itself.

Web applications, APIs, and edge devices create quiet entry points

Web attacks used to bring to mind obvious SQL injection, defaced homepages, or brute-force login pages. Those still exist. The bigger story is that modern web exposure is fragmented across applications, APIs, SaaS integrations, reverse proxies, VPN gateways, identity brokers, browser sessions, and third-party components. That sprawl gives attackers more places to probe and more ways to stay quiet.

Verizon’s 2025 DBIR shows why exposed internet-facing systems remain such a stubborn problem. Exploitation of vulnerabilities reached 20% as an initial access vector, moving closer to credential abuse. Zero-day exploitation on edge devices and VPNs helped drive that increase. The share of edge devices and VPNs among exploited targets jumped from 3% in the previous report to 22%, and Verizon found that only about 54% of those issues were fully remediated through the year, with a median of 32 days to finish. IBM’s 2026 threat index adds another piece: exploitation of public-facing software and system applications rose 44% year over year, while 56% of disclosed vulnerabilities it tracked did not require authentication to exploit. That is an ugly pairing: more exposed targets, more reachable flaws, and slower complete remediation.

APIs deepen the problem because they often fail in ways that do not look dramatic in logs. Broken object-level authorization, broken authentication, weak asset inventory, excessive access, and business-logic flaws do not always trigger the same alarms as exploit kits or malware beacons. OWASP’s API Security Top 10 keeps returning to the same root cause: organizations expose endpoints and data relationships they do not fully govern. Google’s cloud telemetry found API or UI compromise behind 11.8% of initial access in the first half of 2025. A quiet API misuse can sit inside allowed traffic for a long time before anyone recognizes it as an attack.
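Broken object-level authorization is worth seeing in code, because the vulnerable and the hardened handler produce identical access-log entries for a legitimate read; only the denial path makes the abuse visible. The following is an added illustration, not code from the article or from OWASP: a framework-free, in-memory invoice lookup in plain Python so it runs offline. The invoice data, user names, and the enumeration threshold are constructed.

```python
"""Broken object-level authorization (BOLA): vulnerable vs hardened (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two tenants, each owning one invoice.
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120.00},
    "inv-1002": {"owner": "bob", "amount": 980.00},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request after authentication."""
    user: str            # identity from the validated session, never from the URL
    invoice_id: str      # object id supplied by the client


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


AUDIT_LOG: list = []  # constructed sink; a real service would emit structured logs


def get_invoice_vulnerable(req: Request) -> Response:
    """Authenticates the caller but never checks that the object belongs to them.

    Any signed-in user can walk the id space and read other tenants' invoices,
    and in the access log that traffic looks exactly like legitimate reads.
    """
    inv = INVOICES.get(req.invoice_id)
    if inv is None:
        return Response(404)
    return Response(200, inv)


def get_invoice_hardened(req: Request) -> Response:
    """Enforces object-level authorization and records denials as a signal.

    Ownership is checked against the session identity. A miss returns 404
    rather than 403 so the existence of other tenants' ids is not confirmed,
    and the denial is logged so probing across ids becomes detectable.
    """
    inv = INVOICES.get(req.invoice_id)
    if inv is None or inv["owner"] != req.user:
        AUDIT_LOG.append({"event": "object_authz_denied",
                          "user": req.user, "object": req.invoice_id})
        return Response(404)
    return Response(200, inv)


def denied_objects_per_user(log: list) -> dict:
    """Detection helper: count distinct denied object ids per user.

    One denial is noise; one user collecting denials across many ids is
    enumeration and deserves an alert (threshold left to the caller).
    """
    seen: dict = {}
    for rec in log:
        if rec["event"] == "object_authz_denied":
            seen.setdefault(rec["user"], set()).add(rec["object"])
    return {user: len(objs) for user, objs in seen.items()}


if __name__ == "__main__":
    probe = Request(user="bob", invoice_id="inv-1001")
    print("vulnerable:", get_invoice_vulnerable(probe).status)  # Bob reads Alice's invoice
    print("hardened:  ", get_invoice_hardened(probe).status)    # denied and logged
    print(denied_objects_per_user(AUDIT_LOG))
```

The point of the audit record is the one the paragraph makes: a quiet API misuse only becomes visible when the authorization decision itself is logged and counted, not when the request is.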

Edge infrastructure is even worse because it often lives in the blind spot between networking and security ownership. It is critical, internet-facing, patch-sensitive, and sometimes lightly monitored. CISA’s 2025 advisory on Ivanti Cloud Service Appliances warned that threat actors had chained vulnerabilities to gain initial access. CrowdStrike’s reporting says internet-exposed network appliances were frequently targeted because endpoint visibility is limited there. Verizon’s edge-device data shows the operational side of the same problem: teams are patching, but not fast enough, and not fully enough, to close the gap before exploitation lands.

DDoS also deserves a place in this discussion because it still pressures web and infrastructure teams in ways that traditional security writeups sometimes understate. Cloudflare saw 20.5 million DDoS attacks in Q1 2025 alone and 47.1 million across 2025, with hyper-volumetric attacks climbing sharply. Those numbers matter not only because of uptime risk, but because short, automated, high-volume attacks leave little room for human reaction. Cloudflare notes that many attacks are over in minutes or seconds, well before manual response can meaningfully help. On the public internet, “hard to detect” does not always mean invisible. Sometimes it means detectable, but too fast and too distributed to triage by hand.

Cloud infrastructure gives attackers cover

Cloud made many organizations faster, but it also changed where power sits. The most dangerous permissions now often belong not to a human sitting at a keyboard, but to service accounts, workload identities, CI/CD pipelines, OAuth grants, secrets managers, storage buckets, browser tokens, and federation links. Those are efficient for the business. They are also perfect places for an attacker who wants reach without noise.

Microsoft says adversaries are pivoting toward workload identities because those identities often hold elevated privileges with weaker controls than human accounts. Its report also notes an 87% increase in destructive campaigns aimed at Azure customer environments and warns that more than 40% of ransomware attacks now involve hybrid components. Google’s Threat Horizons H2 2025 report frames the same environment from the cloud side: credential compromise and misconfiguration remain the primary entry points, recovery mechanisms are being targeted, developer ecosystems are under pressure, and actors are improving both evasion and persistence techniques. When the cloud control plane is the target, the intrusion may not involve obvious “malware execution” at all. It may look like resource creation, permission changes, token use, file synchronization, or administrative automation.

Google’s H2 2025 cloud data is especially useful because it breaks down initial access. Weak or absent credentials accounted for 47.1% of incidents in the first half of 2025, misconfigurations 29.4%, and API or UI compromise 11.8%. Remote code execution persisted as well. Those numbers cut through a lot of marketing noise. Cloud compromise is still driven by ordinary control failures at scale: weak identities, excessive permissions, exposed interfaces, stale secrets, and bad configuration hygiene. Sophisticated attackers do not avoid simple weaknesses. They chain them.

Mandiant’s casework shows what that looks like on the ground. In 2024 cloud compromises, email phishing and stolen credentials dominated, but the objectives quickly moved beyond access. Data theft showed up in nearly two-thirds of cloud compromises, while financially motivated activity also remained strong. Mandiant also documented actors using stolen credentials and cookies to hijack cloud environments for illicit cryptocurrency mining. That kind of abuse matters because it proves a broader point: the cloud is not only a hosting destination for attackers; it is an operating environment for them. They can live there, monetize there, and pivot from there.

Supply chain risk sharpens the danger. Google’s H2 2025 report highlights browser extension supply chain threats, compromised OAuth tokens, and malicious code injection through automated CI/CD pipelines. Microsoft’s report warns that both physical and digital supply chains amplify attack surface and let one compromise ripple outward. Verizon’s DBIR says third-party involvement in breaches doubled to 30%. In plain English, your environment no longer ends where your own infrastructure diagram ends. It includes the identities, libraries, extensions, vendors, and hosted services that already sit inside your workflows.

Detection breaks down where telemetry is weakest

Security teams often say they need “more visibility.” The harder truth is that they need the right visibility in the right places with the ability to connect it fast enough to matter. Logs alone do not solve this. Plenty of organizations collect huge amounts of telemetry and still fail to see the intrusion until someone else points it out.

Mandiant’s 2025 report gives the clearest data point. It could not determine the initial infection vector for 34% of 2024 intrusions, and it explicitly says that level suggests deficiencies in enterprise logging and detection capabilities. The same report found that 57% of organizations first learned of a compromise from an external source, with 14% of detections coming from adversary notifications such as ransom notes. That is not a tooling failure alone. It is a systems problem. Telemetry is incomplete, ownership is fragmented, and critical logs often sit in identity platforms, cloud consoles, SaaS services, network appliances, developer systems, or third-party infrastructure that are not analyzed together.

Look closely at where current attacks operate and the reason becomes obvious. A browser session token is stolen from a user machine. The attacker signs into a SaaS tenant from a residential proxy. They grant a malicious app broad permissions through a consent screen that looks normal. They use that app to read mail, reset access, or reach cloud resources. They stage exfiltration through approved synchronization tools or legitimate cloud storage. At no point do they need a noisy binary on disk. Microsoft says attackers are conducting end-to-end attacks in cloud environments as legitimate users or resources. Google notes that threat actors are misusing trusted cloud services to deliver decoy files and exploiting compromised OAuth tokens in build processes. Each step is visible somewhere. Very few teams see all of it as one story.

Detection also fails because the defender’s mental model is still too endpoint-centric. That was sensible when Windows hosts and internal networks were the main battleground. NIST’s zero trust model moved away from that years ago, insisting that security follow users, devices, and resources rather than trust a network location. NIST’s 2025 incident response revision makes a similar point in governance language: incident response must be integrated across risk management, not isolated as a late-stage technical exercise. You do not detect a cloud identity attack by waiting for the endpoint to scream. You detect it by correlating identity changes, session anomalies, privilege shifts, API behavior, developer actions, and data movement.
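The chain sketched two paragraphs up (unusual sign-in, broad consent grant, mail access by the new app, bulk data movement) is visible in four different log sources and invisible in each of them alone. The following is an added example of the correlation step, not code from the article or any vendor product: it groups events per user, opens a window at the first anomalous sign-in, and reports the user only when enough distinct stages land inside that window. The events, field names, scope markers, window length, and stage threshold are all constructed assumptions; map them onto whatever your identity, SaaS, and cloud logs actually emit.

```python
"""Correlating identity, SaaS and cloud telemetry into one intrusion story (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(hours=2)               # assumption: the chain completes inside two hours
MIN_STAGES = 3                            # assumption: three linked stages make an incident
BROAD_SCOPE_MARKERS = (".All", "Mail.")   # assumption: what counts as a broad grant

# Constructed sample events from three different log sources.
EVENTS = [
    {"ts": "2025-06-01T08:02:11Z", "source": "identity", "type": "signin",
     "user": "alice@example.test", "ip": "203.0.113.45", "known_location": False},
    {"ts": "2025-06-01T08:09:40Z", "source": "identity", "type": "consent_grant",
     "user": "alice@example.test", "app": "Mail Sync Helper (constructed)",
     "scopes": ["Mail.Read", "Files.ReadWrite.All"]},
    {"ts": "2025-06-01T08:15:02Z", "source": "saas", "type": "mail_read",
     "user": "alice@example.test", "actor_app": "Mail Sync Helper (constructed)"},
    {"ts": "2025-06-01T09:01:30Z", "source": "cloud", "type": "download",
     "user": "alice@example.test", "bytes": 2_500_000_000},
    # Bob: an ordinary day, known location, mail read through the usual client.
    {"ts": "2025-06-01T08:30:00Z", "source": "identity", "type": "signin",
     "user": "bob@example.test", "ip": "198.51.100.7", "known_location": True},
    {"ts": "2025-06-01T08:31:00Z", "source": "saas", "type": "mail_read",
     "user": "bob@example.test", "actor_app": "Outlook (constructed)"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def stage_of(ev: dict, consented_apps: set) -> Optional[str]:
    """Map one raw event to a stage name, or None if it is unremarkable on its own."""
    t = ev["type"]
    if t == "signin" and not ev.get("known_location", True):
        return "anomalous_signin"
    if t == "consent_grant" and any(m in s for s in ev["scopes"] for m in BROAD_SCOPE_MARKERS):
        consented_apps.add(ev["app"])          # remember which app got broad access
        return "broad_consent"
    if t == "mail_read" and ev.get("actor_app") in consented_apps:
        return "app_mail_access"               # mail read by the newly consented app
    if t == "download" and ev.get("bytes", 0) >= 1_000_000_000:   # assumption: 1 GB
        return "bulk_download"
    return None


def correlate(events: List[dict]) -> Dict[str, List[str]]:
    """Return {user: [stages]} for users whose events chain into an incident.

    Events are grouped per user and ordered by time. A window opens at the first
    anomalous sign-in; later stages inside the window attach to it. Only chains
    that reach MIN_STAGES distinct stages are reported.
    """
    by_user: Dict[str, List[dict]] = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    incidents: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        consented: set = set()
        window_start = None
        stages: List[str] = []
        for ev in evs:
            stage = stage_of(ev, consented)
            if stage == "anomalous_signin" and window_start is None:
                window_start = parse_ts(ev["ts"])
            if (stage and window_start is not None
                    and parse_ts(ev["ts"]) - window_start <= WINDOW
                    and stage not in stages):
                stages.append(stage)
        if len(stages) >= MIN_STAGES:
            incidents[user] = stages
    return incidents


if __name__ == "__main__":
    for user, chain in correlate(EVENTS).items():
        print(user, "->", " > ".join(chain))
```

Bob’s sign-in and mail read never score because neither event is remarkable alone; Alice’s four events each came from a different system and only the join across them tells the story.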

Another reason attacks feel “harder to detect” is that many of them are genuinely faster. CrowdStrike’s 48-minute average breakout time already compresses the response window. Some operations are even faster or more automated. Cloudflare’s DDoS reports show that many network and HTTP attacks end within minutes, and even record-breaking floods can last around 35 seconds. By the time a human analyst opens the alert, the offensive action may already be over, the attacker may have switched infrastructure, or the meaningful trace may have moved elsewhere in the stack. The defender still sees something. They just see it too late and too locally.

Speed, scale, and third-party pressure stretch defenders thin

Sophistication is not only about stealthy code or clever tradecraft. It is also about economics. Attackers are operating with better supply chains, cleaner division of labor, and faster reuse of successful methods. Stolen credentials are sold. Access brokers specialize. Social engineering crews feed infrastructure abuse crews. Cloud abuse tools are packaged and reused. Adversaries do not need to invent everything from scratch if they can buy or borrow the piece they need.

That economy makes attacks both more professional and harder to predict. Microsoft warns about the growth of commercial intrusion markets and the demand for low-detection exploits. CrowdStrike points to access broker growth and broader use of generative AI in phishing, impersonation, and malicious network activity. IBM’s 2026 index reports 300,000 AI chatbot credentials observed for sale on the dark web. Even where AI does not create a brand-new class of attack, it clearly helps with scale, speed, translation, imitation, and message quality. The human scam and the technical intrusion are increasingly part of the same assembly line.

Europe’s threat picture shows a similar convergence. ENISA’s 2025 landscape reviewed 4,875 incidents across the period from July 1, 2024 to June 30, 2025 and says threat groups are reusing tools and techniques, introducing new attack models, exploiting vulnerabilities, and collaborating against the EU’s digital infrastructure. That language matters because it captures a shift defenders feel every day: campaigns are mixed. A single case can contain credential theft, web exploitation, DDoS pressure, data theft, third-party exposure, and extortion logic. Security teams like neat incident categories. Attackers do not work that way anymore.

Third-party dependence makes the problem even more severe. Verizon says third-party involvement in breaches doubled from 15% to 30%. Secrets leaked in code repositories took a median of 94 days to remediate in one area of its research. Google highlights supply-chain compromise in developer ecosystems. Microsoft warns that a single successful compromise can ripple through physical and digital supply chains. Once your business depends on external identity providers, CI services, browser extensions, API partners, cloud hosts, and managed platforms, an attack can be “your incident” long before it touches your own server fleet directly.

This is also why the distinction between web attack and infrastructure attack is fading. A web application now sits on APIs, edge services, identity layers, storage, message queues, SaaS dependencies, cloud networking, and developer pipelines. Hit the right identity or supply-chain node, and the attacker reaches the application without attacking the application in the old sense. Hit the right edge device, and they bypass traditional endpoint visibility. Hit the right admin workflow, and they become the operator. The path to the target is wider than the target itself.

The defensive model has to change

None of this means defense is impossible. It means the model has to match the attack surface that actually exists. If attackers blend in, defenders need controls that make normal-looking abuse stand out anyway. That starts with identity, not because identity is trendy, but because it now governs access to almost everything else. Microsoft’s numbers on MFA are stark: modern MFA reduces the risk of identity compromise by more than 99%. CISA’s hybrid identity guidance pushes agencies toward cloud-based passwordless approaches. That is the right direction because password spraying, brute force, token theft, and help desk impersonation lose value when phishing-resistant authentication becomes the default rather than the exception.

Next comes privilege discipline. Service accounts, workload identities, browser extensions, OAuth applications, and automation pipelines need the same scrutiny security teams once reserved for domain admins. Microsoft warns that workload identities often carry elevated privileges with weak controls. Google’s H2 2025 report stresses the need to protect non-human identities in build processes and to separate developer account access from signing authority. That is not glamorous work. It is the kind of work that keeps a stolen token or misused consent grant from turning into a tenant-wide disaster.

Patch management also needs a more realistic priority model. Verizon’s edge-device findings and IBM’s public-facing software numbers make it clear that “patch everything eventually” is too slow for internet exposure. Teams should track active exploitation, not only CVSS scores, and that is why CISA’s Known Exploited Vulnerabilities Catalog matters. The catalog is not perfect and it is not exhaustive, but it is one of the cleanest public signals of what is already being used in the wild. For web and infrastructure teams, edge devices, VPNs, reverse proxies, internet-facing appliances, and identity-related systems should sit near the very top of remediation queues.
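The priority model the paragraph argues for can be stated as a small ranking function. The following is an added example, not a CISA tool or code from the article: it joins a scanner-style asset inventory against a KEV-shaped feed and sorts the queue by exploitation reality and internet exposure first, CVSS last. The KEV entries are constructed with placeholder ids (CVE-0000-0000N) and only their field names follow the JSON feed CISA publishes for the catalog; the asset inventory, role list, and tier rules are my own assumptions.

```python
"""Exploitation-aware remediation queue for internet-facing assets (added example)."""
from datetime import date

# Constructed KEV-style entries: placeholder ids, not real vulnerabilities.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "dateAdded": "2025-05-20", "dueDate": "2025-06-10",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "dateAdded": "2025-05-28", "dueDate": "2025-06-18",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory: role, exposure, and the unpatched CVEs a scanner reported.
ASSETS = [
    {"name": "vpn-gw-01", "role": "vpn", "internet_facing": True,
     "cves": [{"id": "CVE-0000-00001", "cvss": 7.2}]},
    {"name": "app-proxy-02", "role": "reverse_proxy", "internet_facing": True,
     "cves": [{"id": "CVE-0000-00003", "cvss": 9.8}]},
    {"name": "build-runner-07", "role": "ci", "internet_facing": False,
     "cves": [{"id": "CVE-0000-00002", "cvss": 6.5}]},
    {"name": "wiki-01", "role": "internal_web", "internet_facing": False,
     "cves": [{"id": "CVE-0000-00004", "cvss": 8.1}]},
]

# Assumption: roles that count as edge or identity infrastructure.
EDGE_ROLES = {"vpn", "reverse_proxy", "firewall", "identity", "appliance"}


def kev_index(feed: dict) -> dict:
    """Index the feed by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def tier_of(asset: dict, cve: dict, kev: dict):
    """Assign a tier (1 = most urgent) from exploitation evidence and exposure."""
    listed = cve["id"] in kev
    exposed = asset["internet_facing"]
    edge = asset["role"] in EDGE_ROLES
    if listed and exposed and edge:
        return 1, "KEV-listed on internet-facing edge or identity system"
    if listed and exposed:
        return 2, "KEV-listed on internet-facing system"
    if listed:
        return 3, "KEV-listed, internal"
    if exposed and cve["cvss"] >= 9.0:
        return 4, "critical CVSS, internet-facing, no known exploitation yet"
    if exposed:
        return 5, "internet-facing, no known exploitation"
    return 6, "internal, no known exploitation"


def remediation_queue(assets: list, feed: dict, today: date) -> list:
    """Flatten assets x CVEs into rows and sort them into a work queue."""
    kev = kev_index(feed)
    rows = []
    for asset in assets:
        for cve in asset["cves"]:
            tier, reason = tier_of(asset, cve, kev)
            entry = kev.get(cve["id"])
            rows.append({
                "asset": asset["name"], "cve": cve["id"], "tier": tier, "reason": reason,
                "kev_due": entry["dueDate"] if entry else None,
                "overdue": bool(entry) and date.fromisoformat(entry["dueDate"]) < today,
                "ransomware": bool(entry) and entry["knownRansomwareCampaignUse"] == "Known",
                "cvss": cve["cvss"],
            })
    # Tier first; within a tier, overdue KEV due dates, then ransomware use, then CVSS.
    rows.sort(key=lambda r: (r["tier"], not r["overdue"], not r["ransomware"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for row in remediation_queue(ASSETS, KEV_FEED, date(2025, 6, 15)):
        print(f'P{row["tier"]} {row["asset"]:16} {row["cve"]}  {row["reason"]}')
```

Note what the ordering does with the CVSS 9.8 finding on the proxy: it still lands below the KEV-listed issue on an internal build runner, because a flaw already being exploited in the wild is a stronger signal than a high score nobody has weaponized yet. Whether that trade-off is right for a given team is a policy decision; the point is that the rule is explicit instead of living in a spreadsheet sorted by score.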

Detection engineering also has to move away from isolated products and toward correlation across identity, cloud, network, endpoint, SaaS, and developer activity. NIST’s 2025 incident-response guidance says incident response belongs inside broader cyber risk management. That sounds bureaucratic until you translate it into operations: log what matters, keep it long enough to investigate, normalize the data, and make sure the identity team, cloud team, application team, and SOC are not all staring at different fragments of the same attack. Mandiant’s “unknown vector” and “externally detected” numbers are what happens when that integration does not exist.

Then there is architecture. NIST’s zero trust publication remains one of the most useful framing documents because it shifts security toward resources instead of locations. That aligns perfectly with the way current intrusions work. A user on the corporate LAN is not inherently trustworthy. A workload inside the cloud account is not inherently trustworthy. A session from an approved device is not inherently trustworthy forever. Access should be continuously evaluated using identity, device state, policy, behavior, and least privilege. Zero trust is not a product name. It is a refusal to grant silent trust just because something looks internal.

Finally, the software and platform side needs more responsibility at the design layer. CISA’s Secure by Design guidance argues that security needs to be built into products and default configurations rather than pushed onto customers after deployment. That matters because defenders cannot keep carrying all the weight while vendors ship weak defaults, excessive permissions, bad logging, or brittle update paths. Better telemetry, safer defaults, stronger identity design, and easier patching are not just nice features. They directly affect whether a real attack looks detectable at all.

A harder internet still does not mean a hopeless one

The phrase “attacks are more sophisticated” is often used lazily. In this case, it is accurate, but not for the reason people usually mean. The real sophistication is not just in malware design or zero-day research. It is in how well attackers exploit the shape of modern computing itself. They know work is remote, identity is federated, infrastructure is hybrid, applications are API-driven, cloud permissions are messy, and third parties sit everywhere. So they stop looking obviously malicious and start looking useful, authorized, or routine.

That is why these attacks are harder to detect. Defenders are not simply missing more alerts. They are trying to recognize abuse inside the same systems the business depends on to function. A password spray can look like failed sign-ins until it becomes a real session. A malicious OAuth grant can look like user consent. A compromised service account can look like automation. A short DDoS flood can end before a human even opens the case. An edge-device exploit can hand the attacker a foothold in a place with poor telemetry. The line between normal and malicious is now thin, technical, and constantly shifting.

The response is not panic. It is clarity. Build around identity. Watch the cloud control plane. Treat APIs as first-class assets. Patch internet-facing infrastructure by exploitation reality, not by spreadsheet comfort. Correlate telemetry across silos. Remove silent trust from users, workloads, and third parties. And push vendors toward safer defaults. Teams that do that will still face serious attacks. They will at least be defending the internet they actually have, not the one they used to have.

FAQ

What makes modern web attacks harder to detect than older attacks?

Modern attacks often use valid credentials, trusted apps, approved cloud workflows, and built-in administrative tools instead of obvious malware. That lets them blend into normal activity and avoid many traditional alerts.

Are malware-free attacks really that common now?

Yes. CrowdStrike reported that 79% of attacks used to gain initial access in its 2025 global report were malware-free, and Microsoft described a broader shift toward “logging in” through stolen credentials and legitimate platform abuse.

Why is identity now such a major attack surface?

Identity controls access to email, SaaS, cloud services, VPNs, and internal resources. A stolen account, session token, app consent, or workload identity can give attackers broad reach without the noise of traditional malware.

Why do APIs and edge devices keep showing up in serious incidents?

APIs often expose authorization and authentication weaknesses that sit inside normal traffic, while edge devices and VPN gateways are internet-facing, high-value, and frequently under-monitored. Verizon, IBM, CrowdStrike, and CISA all point to those areas as recurring entry points.

What do cloud attacks look like when they are not using obvious malware?

They often look like credential reuse, token theft, malicious app consent, privilege changes, pipeline abuse, resource creation, or quiet data movement between trusted services. Google and Microsoft both describe cloud attacks in terms of identity compromise, misconfiguration, and control-plane abuse.

Why do so many organizations still learn about breaches from outside sources?

Because visibility is still fragmented. Mandiant found that 57% of organizations first learned of a 2024 compromise from an external source, and it could not determine the initial infection vector in 34% of cases. That points to gaps in logging, correlation, and detection coverage.

What is the most useful defensive shift for most organizations right now?

Move security away from old perimeter assumptions and toward identity-centric, resource-centric control. That includes phishing-resistant MFA, tighter control of workload identities, better telemetry across cloud and SaaS, aggressive remediation of exploited internet-facing assets, and a zero-trust mindset.

Author:
Jan Bielik
CEO & Founder of Webiano Digital & Marketing Agency

This article is an original analysis supported by the sources cited below.

Microsoft Digital Defense Report 2025 – Safeguarding Trust in the AI Era
Microsoft’s flagship 2025 threat report, used here for current evidence on identity abuse, initial access trends, workload identities, cloud attacks, and MFA impact.

M-Trends 2025: Data, insights, and recommendations from the frontlines
Google Cloud’s summary of Mandiant incident-response findings, used for dwell time, initial infection vectors, and cloud compromise patterns.

M-Trends 2025 Report
The full Mandiant report, used for detailed figures on unknown intrusion vectors, external detection, stolen credentials, and cloud intrusion methods.

Cloud threat horizons report H2 2025
Google Cloud’s cloud-threat report, used for cloud initial access data, persistence and evasion trends, and supply-chain risk in developer ecosystems.

2025 Data Breach Investigations Report
Verizon’s annual breach report, used for patterns in web attacks, third-party compromise, vulnerability exploitation, and ransomware prevalence.

2025 DBIR Executive Summary
The executive summary version of the DBIR, used for the exact figures on edge-device exploitation, remediation lag, and third-party involvement.

CrowdStrike 2025 Global Threat Report: Beware the Enterprising Adversary
CrowdStrike’s editorial summary of its 2025 threat report, used for malware-free intrusion, breakout time, vishing growth, and cloud intrusion trends.

CrowdStrike Releases 2025 Global Threat Report: Cyber Threats Reach New Highs
CrowdStrike’s official release with concise statistics on malware-free attacks, valid-account abuse, initial-access vulnerabilities, and adversary speed.

CrowdStrike 2025 Threat Hunting Report Executive Summary
Used for the 2025 view on hands-on-keyboard intrusions, cloud intrusion growth, and the tempo of current adversary operations.

X-Force Threat Intelligence Index 2026
IBM’s latest official threat index, used for current figures on public-facing software exploitation and the exploitability of disclosed vulnerabilities.

Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare’s 2025 Q1 DDoS Threat Report
Cloudflare’s Q1 2025 report, used for current DDoS volume, attack duration, automation, and pressure on internet infrastructure.

2025 Q4 DDoS threat report: A record-setting 31.4 Tbps attack caps a year of massive DDoS assaults
Cloudflare’s year-end DDoS report, used for 2025 attack totals, hyper-volumetric growth, and the scale of infrastructure-level assault traffic.

OWASP Top 10 API Security Risks – 2023
OWASP’s API security guidance, used to ground the article’s discussion of API authorization and authentication weaknesses.

OWASP API Security Project
The main OWASP API project page, used for the broader framing of API risk categories and governance issues.

SP 800-61 Rev. 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile
NIST’s current incident-response guidance, used for the article’s argument that detection and response must be integrated into wider cyber risk management.

SP 800-207, Zero Trust Architecture
NIST’s zero trust publication, used for the architectural shift away from perimeter-based trust toward users, assets, and resources.

ENISA Threat Landscape 2025
ENISA’s official 2025 threat landscape, used for the European view of converging threat activity, reuse of techniques, and incident scale.

Combatting Cyber Threat Actors Perpetrating Living Off the Land Intrusions
NSA’s public statement on living-off-the-land activity, used for the explanation of why trusted-tool abuse remains so hard to detect.

Known Exploited Vulnerabilities Catalog
CISA’s actively exploited vulnerability catalog, used as a practical reference point for remediation priority.

Hybrid Identity Solutions Guidance
CISA guidance used for the article’s discussion of cloud-based and passwordless identity direction.

Securing Core Cloud Identity Infrastructure: Addressing Advanced Threats through Public-Private Collaboration
CISA’s cloud identity note, used to support the article’s focus on identity infrastructure as a strategic target.

Secure by Design
CISA’s secure-by-design guidance, used for the closing argument that product vendors must reduce customer exposure through safer defaults and better product security.

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Appliances for Initial Access
CISA’s advisory on real-world appliance exploitation, used as a concrete example of edge-device compromise as an initial access path.