CrowdStrike 2025 Threat Hunting Report
- Katarzyna Celińska
- Aug 28
- 2 min read
The CrowdStrike Annual Threat Hunting Report is one of the most critical intelligence documents for security experts, detailing adversary behavior, sector targeting, and intrusion tactics.
This year’s findings leave no doubt: attackers are accelerating, adapting, and expanding into every possible attack surface — from endpoints and identity to cloud workloads and supply chain partners.
Adversaries are weaponizing speed to overwhelm defenders. The median breakout time—the time from initial compromise to lateral movement—is now 62 minutes, down from 79 minutes in 2024.
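Breakout time is a metric defenders can compute from their own telemetry, not only read in a report. The Python below is an added example, not code from the report or this post: it takes a constructed event stream (hosts, timestamps and initial-access / lateral-movement events are all made up here), derives the per-host breakout time, the median across hosts, and which intrusions moved faster than an assumed response target set to the post's 62-minute median.

```python
"""Breakout time from a constructed endpoint event stream (added example)."""
from datetime import datetime
from statistics import median

# Constructed sample events, not data from the report:
# (ISO timestamp, host, event kind, free-text detail).
EVENTS = [
    ("2025-06-01T09:00:00", "ws-017", "initial_access", "phishing payload executed"),
    ("2025-06-01T09:41:00", "ws-017", "lateral_movement", "remote service exec to srv-db-02"),
    ("2025-06-02T13:10:00", "ws-042", "initial_access", "valid-account logon from new network"),
    ("2025-06-02T13:30:00", "ws-042", "discovery", "net group enumeration"),
    ("2025-06-02T14:32:00", "ws-042", "lateral_movement", "wmi exec to srv-fs-01"),
    ("2025-06-03T08:00:00", "ws-099", "initial_access", "macro document opened"),
    # ws-099 has no lateral movement yet, so it has no breakout time.
]


def _ts(s):
    return datetime.fromisoformat(s)


def breakout_times(events):
    """Minutes from the first initial_access on a host to the first
    lateral_movement seen from that host afterwards. Hosts that never
    reach lateral movement are omitted."""
    first_access = {}
    breakout = {}
    for ts, host, kind, _detail in sorted(events, key=lambda e: e[0]):
        t = _ts(ts)
        if kind == "initial_access":
            first_access.setdefault(host, t)
        elif kind == "lateral_movement" and host in first_access and host not in breakout:
            breakout[host] = (t - first_access[host]).total_seconds() / 60.0
    return breakout


def median_breakout(events):
    """Median breakout time across hosts, or None if no host broke out."""
    times = breakout_times(events)
    return median(times.values()) if times else None


def faster_than(events, minutes):
    """Hosts whose breakout time beat the given response target (minutes)."""
    return sorted(h for h, m in breakout_times(events).items() if m < minutes)


if __name__ == "__main__":
    # Assumed response target: the 62-minute median quoted in the post.
    TARGET_MINUTES = 62
    for host, mins in breakout_times(EVENTS).items():
        print(f"{host}: breakout {mins:.0f} min")
    print("median:", median_breakout(EVENTS))
    print("faster than target:", faster_than(EVENTS, TARGET_MINUTES))
```

The useful comparison is your own median detection-plus-containment time against this distribution: any intrusion in the "faster than target" set is one where lateral movement had already happened before a response bound to the target could have landed.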
Findings:
- 71% of all interactive intrusions involved valid account abuse.
- 34% leveraged command and scripting interpreters for control.
- 51% involved defense evasion: disabling security tools or tampering with logs.
- 36% targeted cloud environments.
- 21% involved supply chain compromise.
- 68% of identity-based intrusions bypassed MFA, often via session token theft.
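Session token theft sidesteps MFA because the stolen cookie or token is presented after the MFA step has already succeeded, so the check a defender can still make is whether a session is later used from somewhere it was not issued. The Python below is an added example, not code from the report or this post; the session log, user names, IPs and user agents are constructed, and the rule (alert when the IP or user agent differs from the one seen at MFA completion, or when a token is used with no MFA event on record) is a simplified heuristic, not CrowdStrike's detection logic.

```python
"""Flag sessions used from a different origin than at MFA completion (added example)."""
from collections import namedtuple

Event = namedtuple("Event", "ts kind session user ip ua")

# Constructed session log, not real telemetry. 'mfa_ok' marks the point at which
# MFA succeeded and a session token was issued; 'use' is a request bearing that token.
EVENTS = [
    Event("2025-06-01T08:00:00", "mfa_ok", "S1", "alice", "203.0.113.10", "Chrome/126 Windows"),
    Event("2025-06-01T08:30:00", "use",    "S1", "alice", "203.0.113.10", "Chrome/126 Windows"),
    Event("2025-06-01T09:00:00", "mfa_ok", "S2", "bob",   "192.0.2.5",    "Firefox/127 macOS"),
    Event("2025-06-01T09:20:00", "use",    "S2", "bob",   "192.0.2.5",    "Firefox/127 macOS"),
    Event("2025-06-01T10:00:00", "use",    "S3", "carol", "192.0.2.9",    "Edge/126 Windows"),
    # The S1 token replayed from a different address and client two hours later.
    Event("2025-06-01T11:05:00", "use",    "S1", "alice", "198.51.100.77", "python-requests/2.32"),
]


def detect_token_replay(events):
    """Return (session, reason) alerts in time order.

    Heuristic: a token should only be seen from the IP and user agent that
    were present when MFA completed. A token with no MFA completion on
    record is itself worth a look (theft from another tenant, or a logging gap)."""
    issued = {}   # session id -> the mfa_ok event that issued it
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "mfa_ok":
            issued[e.session] = e
            continue
        origin = issued.get(e.session)
        if origin is None:
            alerts.append((e.session, f"user {e.user}: token used with no MFA completion on record"))
            continue
        reasons = []
        if e.ip != origin.ip:
            reasons.append(f"ip {origin.ip}->{e.ip}")
        if e.ua != origin.ua:
            reasons.append(f"ua '{origin.ua}'->'{e.ua}'")
        if reasons:
            alerts.append((e.session, f"user {e.user}: " + "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for session, reason in detect_token_replay(EVENTS):
        print(session, reason)
```

An IP change alone produces noise from mobile and VPN users, so in practice the IP condition is usually relaxed to a change of ASN or country and combined with the user-agent change; the rule above is the detection side only. Binding tokens to the issuing device and shortening their lifetime reduce what a stolen token is worth in the first place.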

Intrusion Trends by Adversary
- eCrime groups: 73% of intrusions; pursue rapid monetization via ransomware, data theft, and financial fraud.
- Nation-state actors: 26% of tracked intrusions; favor long-term, surgical campaigns aimed at intelligence collection and strategic disruption.
The 2025 data paints a clear picture: speed and identity are the two biggest force multipliers for adversaries today. Defenders must detect and act faster than ever before.

Cloud environments have become a primary battleground, with threat actors rapidly developing skills in exploiting workloads, control planes, and identity systems. We are also seeing AI leveraged across multiple domains, from reconnaissance and phishing content generation to automated vulnerability scanning, lateral movement scripting, and payload obfuscation.

Attack complexity is increasing, combining endpoint exploitation, identity compromise, and cloud intrusion in the same campaign. Vishing is a prime example of this evolution, merging human manipulation with credential abuse to bypass traditional defenses. While eCrime remains the dominant motivator, the strategic intent of state-sponsored actors is becoming more visible and impactful.

Across the board, adversaries are adapting their tactics in real time to counter our defenses, demanding that defenders become as agile and innovative as the attackers they face.
This post is an introduction to the Report. In upcoming posts, I will break down individual sections of the report in detail, including adversary naming logic, front-line statistics, sector-by-sector analysis, and the top MITRE ATT&CK techniques observed this year.
🔗 Full Report
Author: Sebastian Burgemejster

