Insight

CERT-W Report 2025: Analysis of a year of incident response and the evolving threats

Published October 7, 2025

  • Cybersecurity

Key lessons from 2025

  • Financial gain remains the primary motivation, with ransomware being the most common, but espionage is on the rise.
  • Phishing regains the top spot as the main entry point for cybercriminals.
  • Exploitation of vulnerable web services and remote access also remains a major entry vector.
  • AI, SaaS, and open-source packages expand the attack surface.

Cyber crises in 2025: Insights, trends, and action levers

In 2025, Wavestone’s Incident Response team was once again engaged in over twenty major crises, affecting organizations of various sizes and sectors. This report aims to highlight the key trends observed, illustrate the most striking scenarios, and shed light on the challenges organizations will face in the coming months.

Indeed, organizations must now be able to monitor an increasingly heterogeneous perimeter (SaaS, partners, open source) against ever-faster attackers. The fastest attack observed by our team lasted less than a day and a half from initial access to data exfiltration. 

The report therefore has a dual objective: to provide a realistic overview of attacks observed in the field and to analyze cyber threat trends to offer concrete action levers to strengthen information system resilience.


Discover the CERT-Wavestone 2025 Report

pdf · 1039KO

Download the report

Motivations: financial gain dominates, espionage on the rise

Analysis of the incidents we managed reveals a variety of motivations, but two dominant dynamics:

  • Financial gain (65%): through ransomware (half of these attacks), business email compromise fraud, and resale of stolen data. Profit remains the primary driver for cybercriminals.
  • Strategic data exploitation through espionage campaigns (17%, +7pts vs. 2024): several cases illustrate a growing interest in business-critical data itself (e.g. dark web publication following SQL injection, full JIRA database leak, or suspected intellectual property theft via a partner).

Other cases involve unclear or secondary motivations, but these two trends remain the most structurally significant.

Phishing: back as the leading entry point into information systems

The attacks analyzed highlight the main entry vectors used by cybercriminals:

  • Phishing: with 38% of incidents originating from phishing campaigns, phishing is the most common entry point. It enabled the compromise of both standard users and privileged accounts (administrators, VIPs, service providers). Its resurgence (up from 20% in 2024) is also due to attackers’ creativity in reinventing this technique. Notably, we observed cases of vishing, where phishing is conducted over the phone, making identity verification much more complex.
  • Exposed remote access: around five incidents were linked to vulnerable RDP or VPN services, compromised via brute force or opportunistic intrusions.
  • Technical vulnerabilities: present in one out of five incidents, vulnerability exploitation remains a major entry point. Two significant cases in 2025 – CVE exploitation and SQL injection – led to data exfiltration from the targeted systems.

These findings align with global trends: phishing is the top intrusion vector in 2025, ahead of vulnerability exploitation and remote access (VPN, RDP).

Key takeaways from our incident response engagements

Incident analysis also confirms four underlying trends already identified in 2024 and still relevant in 2025:

  • Backups are systematically targeted: in 90% of ransomware cases, backups were deleted or encrypted to prevent recovery and increase pressure to pay the ransom.
  • Business data compromise remains a central objective: observed in 71% of attacks, whether for espionage or extortion purposes.
  • Organizations’ vigilance and responsiveness are under pressure: the average time between intrusion and impact is just 1.5 days, reinforcing the need to reduce detection and response times through automation and AI.
  • Partners and subsidiaries remain prime targets: 56% of attacks on large enterprises occurred via their subsidiaries or partners.

Conclusion

The year 2025 confirms that cyberattacks are primarily opportunistic, fast-moving, and in some cases amplified by AI. Financial motivations dominate, backups and business data are systematically targeted, and SaaS environments or third-party providers are becoming critical entry points.

In response, organizations must not only strengthen traditional defenses – relying on automation and AI to accelerate detection and response – but also broaden their vigilance to include SaaS platforms and external partners.



Authors

  • Gérôme Billois

    Partner – France, Paris

    Wavestone

  • Quentin Perceval

    Senior Manager – France, Paris

    Wavestone

  • Alexis Coupechoux

    Manager

    Wavestone

  • Hadrien Plassard

    Consultant

    Wavestone