Stolen Credentials Surge as More Cybercriminals are Logging In vs. Breaking In

Underground marketplace listings for stolen credentials surged 72 percent.


Ontinue recently released their latest Threat Intelligence Report, and the findings paint a troubling picture: 

  • Ransomware attacks continue to surge.
  • Threat actors are beginning to leverage generative AI to accelerate malware development.
  • Growing risks from supply chain compromises.
  • Identity-based attacks, including password spraying and AiTM phishing, are now the leading entry points for cloud environment intrusions.
  • Underground marketplace listings for stolen credentials surged 72%.
  • Researchers have identified the first clear coding patterns—such as verbose explanatory comments and iterative prompting markers—indicating that threat actors are leveraging Generative AI to develop malicious tools.
  • Infrastructure-scale threats reached new heights as DDoS campaigns peaked at a staggering 31.4 Tbps.  

The defining lesson of the report is that attackers exploit trust - trust in identities, integrations, automation and development ecosystems. They move quickly, leverage legitimate authentication flows, and monetize access at scale. Traditional perimeter defenses and reactive incident response models are no longer sufficient in isolation. 

These issues continue to escalate the importance of threat detection and response, with key industry stakeholders offering the following guidance.

Mark McClain, CEO at SailPoint: "Identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape has rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security. 

"There is now a clear need for real-time, intelligent, and dynamic identity security, built to govern and secure not just 'who,' or in the case of AI agents, 'what,' has access to the enterprise, but what data they can access and what they are able to do once inside.

"To combat today’s new era of threats, driven by the force multiplier of AI, we need to embrace a new approach of adaptive identity. Modern identity tools need to be able to discern between regular user activity and abnormal activity, and grant— or deny— access accordingly. 

"Every access decision is driven by who or what the identity is, the context of the data they touch, and the security signals surrounding them. By unifying identity, security, and data contexts, businesses can make real-time decisions to mitigate risk without disrupting operations."

Morey Haber, Chief Security Advisor at BeyondTrust: "Cybersecurity has always been a forward-looking discipline. The future of cybersecurity isn’t just about defending data, it’s about anticipating how digital and physical worlds will continue to collide. The organizations that will thrive are those that treat identity as the new perimeter and innovation as their strongest defense."

Shane Barney, CISO at Keeper Security: "As the Ontinue report notes, identity has become the attacker’s skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy. 

"When identity controls are fragmented or overly permissive, attackers don’t need novel exploits. They just need access that looks routine. Identity now defines the enterprise perimeter. When every identity is governed with least privilege and continuously validated, a stolen credential becomes a contained event instead of an enterprise-wide incident."

Nathaniel Jones, VP of Security & AI Strategy, Field CISO at Darktrace: "Ransomware groups are evolving their tactics beyond phishing to include interactions with IT teams to elicit information to improve access, SaaS-based attacks, and even studying file-transfer technology for rapid exploitation and double extortion methods. For IT administrators and practitioners, it is vital to prioritize your vulnerability management program and establish possible attack paths across your estate to prevent unauthorized access.

"This includes applying best practices across the business and wider IT teams.

"The growth of RaaS marketplaces places greater opportunity on the side of threat actors who no longer must extract ransom payments to see profit, as they are able to use subscription models to return revenue for their ransomware development and deployment. 

"We have also seen ransomware tactics move away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods. Rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.

"These trends make it clear that attackers now have a more widely accessible toolbox that reduces their barriers, leaving more organizations vulnerable to attack."

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd: "Criminals have established a scalable business model, and we expect to see ransomware attack volume continue growing. We also need to keep in mind that there will be a gap in reported incidents versus total ransomware incidents.

"To me, the retraction of average ransom payouts speaks to increasing control effectiveness (smaller scopes of impact), improvements in incident response (disruption), and better negotiation. 

"Sadly, we humans often need to feel pain to prioritize corrective investments. I think we’d all like to see more data back from the cyber insurance market on which control investments have the greatest impact - and discounts for effective control milestones."
