2025 Year In Review: 5 Stand-Out Themes

12–29–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, December 29, 2025, and as we close out the year 2025, it’s time to look back with 5 reflections on the past year’s worth of Intentional Briefs.

  1. Third-Party Risk Became Existential

    The year opened with a stolen BeyondTrust API key giving Chinese state-backed attackers access to Treasury workstations, and closed with Mixpanel exposing data from SoundCloud, OpenAI, and PornHub. In between, the hits kept coming: PowerSchool's breach of 62 million student records returned in May when attackers began extorting individual school districts despite the ransom having been paid. Oracle suffered back-to-back breaches while actively denying the first one. Insight Partners confirmed that LP and portfolio company data had been stolen. Salesloft's Drift OAuth tokens were stolen after attackers got into the company's GitHub, giving them legitimate-looking access to downstream customer data. The question posed in week two of the year - "When does this become our breach?" - proved to be the defining frame for the year. OWASP validated the trend by adding Software Supply Chain Failures to the 2025 Top 10, and Verizon's DBIR reported that third parties are now involved in 30% of all breaches. The lesson that emerged: you can outsource capability, but you can't outsource responsibility. That means knowing which vendors hold your most sensitive data, building response playbooks for their incidents, enforcing contractual security obligations, and maintaining your own logs and your own key rotation capability - because your vendors won't do it for you.

  2. You're On Your Own

    Federal cyber support didn't just erode in 2025 - it retreated. CISA faced cuts of half its staff and 40% of contractors. CVE funding nearly died, saved by an 11-month extension on the day it was set to expire. The MS-ISAC and Election ISAC lost their funding. Regional CISA leaders departed. Chris Krebs was targeted by executive order and left SentinelOne to fight back. Cyber Command was ordered to stand down from Russia planning, and State Department officials stopped naming Russia as a threat. The information-sharing law known as CISA 2015 faced expiration. An executive order pushed resilience responsibility to states already struggling with budget cuts. As one industry voice put it: "Without the federal government's ecosystem of infrastructure protection, we're essentially on our own." The message to defenders evolved through the year from "plan accordingly" to "the window is closing" to, finally, "it's up to us." What this means practically: the cavalry isn't coming. Build your own threat intelligence subscriptions, your own patching velocity, your own incident response capability. The basics matter more now precisely because the institutional support behind them has withdrawn.

  3. They're Logging In, Not Breaking In

    The attack surface shifted decisively toward humans and identity in 2025. Scattered Spider became the threat actor of the year - not through technical sophistication, but through relentless social engineering. They hit UK retailers in May (M&S staff sleeping on floors, communicating via WhatsApp as systems stayed down), pivoted to US insurers in June, then airlines in July. Four suspects were arrested in the UK, all aged 17 to 20, matching the profile of young, Western attackers. But Scattered Spider was just the most visible example of a broader pattern. The Clorox lawsuit revealed full transcripts of help desk calls in which attackers had credentials and MFA reset without any identity verification - a $380 million lesson in procedure failures. Coinbase discovered that overseas outsourced support staff had been bribed for access. North Korean operatives landed remote jobs at US tech companies, routing their connections through domestic laptop farms. A Trenchant executive sold zero-day exploits to a Russian broker while leading the internal investigation and firing an innocent colleague. Twin brothers previously convicted of hacking were rehired as government contractors and wiped 96 databases. The Verizon DBIR confirmed that 60% of breaches still involve human interaction, and that 84% of SaaS incidents bypassed MFA entirely. The defenders' response: harden help desk verification procedures, test them through social engineering exercises, deploy phishing-resistant MFA for privileged accounts, and recognize that your people are now the primary attack surface.

  4. AI: Signal vs. Noise

    The AI conversation in cybersecurity was loud in 2025, but the signal was often buried in noise. The year opened with DeepSeek's release forcing an urgent rebaselining - not because of AI-powered attacks, but because employees were already experimenting with tools that security teams couldn't see or control. That Shadow AI risk proved to be the real story. Bugcrowd reported that 93% of organizations using AI tools had introduced new attack vectors. Zscaler faced scrutiny for using "three trillion customer logs per week" to train its models. Researchers discovered phishing emails containing prompt injections aimed at AI-based email filters - attackers now exploiting both humans and defensive tools with the same message. Browser-based AI agents from OpenAI (ChatGPT Atlas) and Perplexity (Comet) launched and were immediately found vulnerable to prompt injection, spoofed sidebars, and OAuth token theft. The hype peaked in November when Anthropic disclosed a Chinese espionage campaign that used Claude - but the details revealed that the operation still required significant human expertise, kept humans in the loop, suffered from hallucinations, and had a low success rate against its 30+ targets. An Ars Technica analysis of "AI-generated malware" found samples that were easy to detect, used known methods, and required no new defenses. The real takeaway: AI is accelerating attacker workflows and lowering barriers to entry, but it's not yet producing novel capabilities. Meanwhile, the bigger risk remains your own people using AI without guardrails, building security debt you can't see. Build paved paths, get visibility through enterprise AI tools or CASB solutions, and treat AI agents like the insider threats they functionally are.

  5. Resilience Through Fundamentals

    Every theme this year pointed back to the same conclusion: the basics matter more, not less, as complexity increases and institutions retreat. Asset inventory remained the foundational control - you can't patch what you don't know about, and CISA's September emergency directive (ED 25-03) on the Cisco ASA and Firepower vulnerabilities became a real-time tutorial in why that matters. Patching velocity became critical as researchers reported that over half of CISA KEV vulnerabilities were being weaponized within 48 hours. MFA remained essential but insufficient - the 84% bypass rate in SaaS breaches meant layered defenses couldn't be optional. The BBC ran a story claiming a "weak password" sank a 158-year-old company; the real lesson was that if one credential compromise can destroy your business, you haven't built enough resilience. Defense in depth and diversity of defense emerged as the strategic frame: deter where possible, detect early, disrupt before too much damage is done. The goal isn't eliminating all threats - that's impossible. The goal is making your organization a hard target when attackers are optimizing for efficiency. This means validated backups, tested playbooks, practiced tabletop exercises, help desk procedures that actually get followed, and logging sufficient to threat hunt when a vendor discloses a breach. None of it is glamorous. All of it is necessary. And as federal support withdrew and third-party breaches mounted and attackers logged in instead of breaking in, fundamentals stopped being checklist items and became strategic positioning. Control your controllables - because increasingly, that's all you've got.
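As an added worked example (not code from Intentional Cybersecurity or CISA), here is a small Python check that ties the asset-inventory and patching-velocity points together: it joins the CISA Known Exploited Vulnerabilities feed against an asset inventory and scores every match against the KEV due date. The field names follow the real KEV JSON feed, but the three feed entries, the placeholder CVE IDs and vendor names, and the inventory rows are constructed sample data, and the unpatched "fw-acq-07" row stands in for the acquired device nobody inventoried.

```python
"""Match CISA KEV entries against an asset inventory and measure patch velocity.

Added example, not code from Intentional Cybersecurity or CISA. The feed field
names (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse) follow the real CISA KEV JSON feed, but every entry
and every asset below is constructed sample data with placeholder vendors and
placeholder CVE IDs; nothing here describes a real vulnerability.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of the live feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_FEED_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "AcmeNet", "product": "Edge Gateway",
     "dateAdded": "2025-09-25", "dueDate": "2025-09-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Globex", "product": "Ticketing Portal",
     "dateAdded": "2025-10-01", "dueDate": "2025-10-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Initech", "product": "Print Server",
     "dateAdded": "2025-10-05", "dueDate": "2025-10-26", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset inventory: what the org believes it owns, plus patch dates per CVE.
INVENTORY_JSON = """
[
  {"hostname": "fw-hq-01",    "vendorProject": "AcmeNet", "product": "Edge Gateway",
   "patched_cves": {"CVE-0000-0001": "2025-09-26"}},
  {"hostname": "fw-acq-07",   "vendorProject": "AcmeNet", "product": "Edge Gateway",
   "patched_cves": {}},
  {"hostname": "web-help-02", "vendorProject": "Globex",  "product": "Ticketing Portal",
   "patched_cves": {"CVE-0000-0002": "2025-10-30"}}
]
"""


@dataclass(frozen=True)
class Finding:
    hostname: str
    cve_id: str
    due: date
    patched: date | None
    ransomware: bool

    def days_overdue(self, today: date) -> int:
        """Days past the KEV due date, measured at patch time, or at today if still unpatched."""
        end = self.patched or today
        return (end - self.due).days

    def status(self, today: date) -> str:
        if self.patched is None:
            return "OVERDUE" if today > self.due else "OPEN"
        return "LATE" if self.patched > self.due else "ON_TIME"


def match_kev(kev_json: str, inventory_json: str) -> list[Finding]:
    """Join KEV entries to inventory rows on (vendorProject, product), case-insensitively."""
    kev = json.loads(kev_json)["vulnerabilities"]
    inventory = json.loads(inventory_json)
    by_product: dict[tuple[str, str], list[dict]] = {}
    for entry in kev:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        by_product.setdefault(key, []).append(entry)

    findings: list[Finding] = []
    for asset in inventory:
        key = (asset["vendorProject"].lower(), asset["product"].lower())
        for entry in by_product.get(key, []):
            patched_on = asset.get("patched_cves", {}).get(entry["cveID"])
            findings.append(Finding(
                hostname=asset["hostname"],
                cve_id=entry["cveID"],
                due=date.fromisoformat(entry["dueDate"]),
                patched=date.fromisoformat(patched_on) if patched_on else None,
                ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
            ))
    # Worst first: unpatched, then ransomware-linked, then earliest due date.
    findings.sort(key=lambda f: (f.patched is not None, not f.ransomware, f.due))
    return findings


def summarize(findings: list[Finding], today: date) -> dict[str, int]:
    """Counts per status plus the worst slip: the numbers for a monthly velocity chart."""
    summary = {"ON_TIME": 0, "LATE": 0, "OPEN": 0, "OVERDUE": 0, "max_days_overdue": 0}
    for f in findings:
        summary[f.status(today)] += 1
        summary["max_days_overdue"] = max(summary["max_days_overdue"], f.days_overdue(today))
    return summary


def kev_report(kev_json: str, inventory_json: str, today_iso: str) -> dict[str, int]:
    """Convenience wrapper: same summary, with the reporting date as an ISO string."""
    return summarize(match_kev(kev_json, inventory_json), date.fromisoformat(today_iso))


if __name__ == "__main__":
    today = date(2025, 12, 29)
    for f in match_kev(KEV_FEED_JSON, INVENTORY_JSON):
        tag = " (ransomware)" if f.ransomware else ""
        print(f"{f.status(today):8} {f.hostname:12} {f.cve_id} due {f.due}{tag} "
              f"{f.days_overdue(today):+d}d")
    print(kev_report(KEV_FEED_JSON, INVENTORY_JSON, "2025-12-29"))
```

Swap KEV_FEED_JSON for the live feed and INVENTORY_JSON for a CMDB export, and "max_days_overdue" becomes the patch-velocity figure to track month over month. Note what the join cannot do: a device that never made it into the inventory never produces a finding, which is exactly the gap the paragraph above warns about, so the inventory has to be right before the velocity number means anything.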

We’ll cover some predictions next week as we enter 2026.

Fundraising

From a fundraising perspective in 2025, I’d flag the theme as “The Money Kept Moving.” Despite a year defined by uncertainty (federal retreat, geopolitical tension, tariff wars, government shutdowns, a cold IPO market, etc.), private equity fundraising defied the gloom. The numbers tell the story: roughly $200 billion committed in Q1, another $196 billion in Q2, a dip to $161 billion in Q3, then a roaring $242 billion in Q4 to close the year just shy of $600 billion in total commitments.

Secondaries dominated the landscape, with Ardian, EQT, ICG, and Apollo all raising multi-billion dollar funds to buy stakes from LPs seeking liquidity. The IPO window stayed mostly closed - Klarna delayed, Figma's 250% first-day pop collapsed within weeks - pushing more activity into continuation vehicles and GP-led transactions. By year end, the industry was sitting on an estimated $2.1 trillion in dry powder.

The commentary turned darker even as the capital flowed. Brookfield's CEO suggested there should be "4,000 less" PE firms. Apollo's president warned that "many PE funds that are out there have raised their most recent fund and don't realize it's their last fund." The Wall Street Journal declared a fundraising slump even as Q4 posted the biggest quarter of the year. Fortune reported that US GDP growth in the first half of 2025 was almost entirely driven by AI - without it, growth would have been 0.1%. Both things were true: massive capital deployment and existential questions about sustainability.

For cybersecurity, the implications cut both ways. That dry powder means continued M&A activity, which means integration risk, inherited vulnerabilities, and the kind of tech stack chaos that let Akira ransomware exploit SonicWall devices that acquiring companies didn't even know existed. It also means continued investment in security companies and, perhaps, growing recognition that cyber risk is portfolio risk. The wheel doesn't stop, and neither do the threats that come with it.

A reminder as we come to the close of the year that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.

We’ll see you next week for another edition of the Intentional Brief.
