
IBM X-Force 2025 Threat Intelligence Index - IBM



In partnership with Red Hat, we share insights about the changing threat landscape and how organizations can transform cyber defense into cyber resilience.

Key takeaways

Manufacturing is the #1-targeted industry, four years in a row. Manufacturing organizations continued to experience significant impacts from attacks, including extortion (29%) and data theft (24%), targeting financial assets and intellectual property. Defying the declining trend in malware, manufacturing had the highest number of ransomware cases in 2024, as attackers continue to exploit outdated legacy technology in this industry.

Asia-Pacific region sees a 13% increase in attacks. Asia-Pacific (APAC) experienced the largest share of incidents in 2024 (34%). This underscores APAC’s growing exposure to cyberthreats, likely due to its critical role in global supply chains and its position as a technology and manufacturing hub.

Threat actors add AI to their toolboxes. Our analysts have documented that threat actors are using AI to build web sites and incorporate deepfakes in phishing attacks. We have also observed threat actors applying gen AI to create phishing emails and write malicious code.

Number of infostealers delivered via phishing emails per week increases by 84%. Year-over-year, X-Force is seeing a rise in infostealers delivered via phishing emails and credential phishing. Both result in active credentials that may be used in follow-on, identity-based attacks. Phishing has emerged as a shadow infection vector for valid account compromises.
By clicking on links that seem legitimate, users can unknowingly open the door to infostealer malware that siphons sensitive data from victims. Because adversaries hide and deliver malware payloads more cleverly, it can take longer to detect ransomware and data breaches.

Identity-based attacks make up 30% of total intrusions. For the second year in a row, attackers adopted more stealthy and persistent attack methods, with nearly one in three attacks that X-Force observed using valid accounts. A surge in phishing emails distributing infostealer malware and credential phishing fuels this trend, which may be attributed to attackers leveraging AI to scale attacks.

Ransomware makes up 28% of malware cases. While ransomware made up the largest share of malware cases in 2024 at 28%, X-Force observed a decline in ransomware incidents overall. This is the third year that ransomware incidents have declined. This may be part of a larger decline in ransomware attacks due to businesses being more reluctant to pay ransoms and increased government actions against ransomware groups.

4 out of the top 10 vulnerabilities most mentioned on the dark web are linked to sophisticated threat actors. All top 10 vulnerabilities had publicly available exploit code or had been found being actively exploited in the wild, with 60% of these being actively exploited or having a publicly available exploit within a range from less than two weeks after disclosure down to zero day. This raises the risks for businesses as sophisticated threat actors, including nation-state actors, leverage dark web anonymity to acquire new tools and resources.

30% of attacks exploit public-facing applications. One in four attacks exploited vulnerabilities in common public-facing or internet-accessible applications. After gaining access, threat actors use active scanning techniques post-compromise to identify new vulnerabilities, gain additional access, and move laterally in compromised environments.
Most importantly, attackers seek to escalate privileges to gain access to core services. The longer a threat remains undetected, the greater the magnitude of risk. Long dwell times allow adversaries to mask their activity by “living off the land”—stealing data weeks or even months after an initial breach.

Introduction

This year, we’ve seen shape-shifting cyber adversaries gain more access, move across networks more easily, and create new outposts in relative obscurity. Equipped with advanced tools, threat actors are increasingly using compromised log-in credentials rather than brute-force hacking. The damage they inflict continues to grow as the global average cost of a data breach hit a record $4.88 million in 2024. What’s even more concerning is that data breaches are often only the start of larger and more coordinated campaigns. Threat actors openly trade exploits on the dark web to target critical infrastructure such as power grids, health networks, and industrial systems. Ransomware and infostealer operators exfiltrate millions of credentials from enterprises and extort victim organizations in multiple ways. And as businesses manage multiple cloud environments and accelerate AI adoption, attack surfaces expand and create new gaps in identity that attackers exploit to steal critical data.

Cybercriminals are increasingly adopting stealthy tactics, prioritizing data theft over encryption, and exploiting identities at scale. A surge in phishing emails delivering infostealer malware and credential phishing is fueling this trend—and may be attributed to attackers leveraging AI to scale distribution.

Generative AI is emerging as a new and growing addition to the toolbox of nation-state-backed threat actors, cybercriminals, hacktivists, and others. These adversaries are avid adopters, especially as they launch social engineering campaigns and high-tempo information operations.
AI and automated solutions can magnify the impact of infostealers, expedite the fabrication of credentials, and make it easier to amplify the speed and scale of intrusions at lower cost.

Ransomware comprises nearly one-third (28%) of malware incident response cases and 11% of security cases, representing a decline over the last several years. This likely reflects an evolution in defensive tactics, such as increased collaboration with law enforcement to take down the infrastructure of prominent botnets linked to ransomware attacks. While the evolved defensive tactics are encouraging, ransomware attacks are still a notable threat. In fact, analysis of dark web data reveals a 25% increase in ransomware activity year-over-year—painting a different picture. Adoption of a cross-platform approach to ransomware, supporting both Windows and Linux, also appears to be the norm among ransomware threat groups—expanding attack surfaces. Although ransomware is being overshadowed by other tactics, it remains a major threat vector. The most dangerous trend in ransomware is the use of multiple extortion tactics. These attacks return dividends many times over.

With the increased effectiveness of endpoint detection and response (EDR) solutions in detecting backdoor intrusion efforts via phishing, threat actors have shifted to using phishing as a shadow vector to deliver infostealer malware. In 2024, we observed an 84% increase in infostealers delivered via phishing. There was also a 12% year-over-year increase in infostealer credentials for sale on the dark web, suggesting increased usage.

Despite the magnitude of these challenges, we found that most organizations still don’t have a cyber crisis plan or playbooks for scenarios that require swift responses. Quick, decisive action is required to counteract the faster pace with which threat actors, increasingly aided by AI, can conduct attacks, exfiltrate data, and exploit vulnerabilities.
The intersection of AI and cyber risk

2023 was the “breakout year” for generative AI (or gen AI), and what we expected began to take shape—threat actors are using AI to build web sites and incorporate deepfakes in phishing attacks. X-Force found threat actors applying gen AI to create phishing emails and write malicious code. However, in terms of attackers building at-scale attacks targeting specific AI technologies, last year we predicted that once the technologies establish market dominance—when a single technology approaches 50% market share or when the market consolidates to three or fewer technologies—attackers will be incentivized to invest in attack toolkits targeting AI models and solutions. Are we there yet? Not quite, but adoption is growing. The percentage of companies integrating AI into at least one business function has dramatically increased to 72% in 2024, up from 55% in the previous year.

New technologies, such as gen AI, create new attack surfaces. Security researchers are sprinting to find and help fix vulnerabilities before attackers do. We expect vulnerabilities in AI frameworks to become more common over time, such as the remote code execution vulnerability X-Force found in a framework for building AI agents. Recently, an active attack campaign targeting a widely used open source AI framework was discovered, affecting education, cryptocurrency, biopharma, and other sectors. Weaknesses in AI technology translate into vulnerabilities for attackers to exploit. Another example of potential attack surfaces exposed in this new landscape is machine learning operations (MLOps) platforms. These are used by enterprises of all sizes to develop, train, deploy, and monitor large language models (LLMs) and other foundation models (FMs), as well as the gen AI applications built on these models. As adoption grows, attacks on AI infrastructure and tools will gain traction.
Organizations should prepare now for threats by securing the AI pipeline from the start, including underlying training data, models, and the broader infrastructure surrounding the models. Yet this doesn’t appear to be the current practice across many organizations, with only 24% of generative AI projects secured.

However, despite the evolving tools and different technologies attackers leverage—whether new gen AI tools or new AI infrastructure—the security fundamentals to thwart these attacks remain the same. Our research shows threat actors are using valid credentials to log in; exploiting unpatched vulnerabilities; and, to a slightly lesser extent, phishing their way in—with or without AI assistance. Organizations need to develop and run their own cybersecurity playbooks—seeking to identify exposures, assess risks, and mitigate incident impacts. But playbooks also need to account for who is responsible for specific actions, such as who secures a gen AI solution from a third-party provider.

Top initial access vectors

The top initial access vector observed in 2024 was a tie between exploitation of public-facing applications and use of valid account credentials, both representing 30% of X-Force incident response engagements. The abuse of valid account credentials is an area we highlighted last year after observing a dramatic rise, continuing the theme of “hackers don’t break in, they log in.” This continues to be a problem and an initial access vector that adversaries are quick to exploit.

Threat actors obtain valid credentials to use during attacks via a range of methods. Data from our dark web analysis and incident response engagements continue to point to infostealer malware as being prevalent across industries. Additionally, credentials are still purchased and sold in large quantities on dark web marketplaces.
While multifactor authentication (MFA) adoption has grown, we observed attackers selling adversary-in-the-middle (AITM) phishing kits and custom AITM attack services on the dark web to help bypass typical defensive measures. In 2024, X-Force specifically responded to cases involving this technique, globally and cross-industry. Widescale availability of credentials on the dark web, along with increased access to MFA codes and services to circumvent MFA, suggests a thriving access-as-a-service criminal market.

Phishing, whether through attachments or links, rounded out the top three compromises. The share of successful phishing compromises has declined steadily over the last several years, from 46% in 2022 to 29% in 2023 to just 25% of all incidents remediated by X-Force in 2024. Despite some cybercriminals investing in AI to carry out phishing attacks, this method continues to be less successful for compromising environments than exploiting vulnerabilities or using valid credentials. This is likely because enterprises continue to thwart phishing attempts—regardless of whether the phish used AI or not—by adopting and re-evaluating phishing mitigation techniques and strategies.

Figure: Top methods used by threat actors to gain access to victim environments. The figure describes access methods according to the MITRE ATT&CK framework for enterprise, a globally accessible knowledge base of adversary tactics drawn from real-world observations. Percentages are based on the number of X-Force incident response engagements.

Phishing as a shadow infection vector for valid account compromise

Compared to previous years, the volume of phishing emails distributing persistent backdoor malware has declined significantly. High-volume distributors of malware leading to ransomware attacks, including Emotet, TrickBot, IcedID, Qakbot, Gozi and Pikabot, have largely dropped off the radar.
Deploying persistent malware on an endpoint through an email is much more likely to be detected by EDR solutions, forcing threat actors to adapt their strategies and focus on identities. This manifested in an increase in the use of infostealers and a shift towards credential phishing. Infostealer bot frameworks enable attackers to design infostealer behaviors and create server-based management panels where infostealers send data. We observed 84% more infostealers delivered via phishing emails per week, on average, in 2024 versus 2023. Early data from 2025 suggests an even greater increase of 180% in weekly volume compared to 2023.

By using infostealers, threat actors can quickly exfiltrate credentials before detection, without keeping a persistent backdoor as an initial foothold. The most common infostealer malware distributed directly via phishing was AgentTesla, followed by FormBook, SnakeKeylogger, and PureLogs Stealer. Throughout 2024, we recorded a significant increase in volume, especially in the second half of the year. As of July 2024, the threat actor distributing Strela Stealer began using a new technique—dubbed attachment hijacking—to weaponize legitimate, previously stolen invoice-related emails to further spread Strela Stealer.

Figure: Top five infostealers seen on dark web forums. Analysis of dark web data reveals listings of infostealer advertisements increased 12% in 2024 over the previous year. The number one infostealer listing by a wide margin was Lumma, followed by RisePro, Vidar, Stealc and RedLine. Each listing can contain hundreds of credentials. Sources: IBM X-Force and Cybersixgill.

Another change we observed in 2024 was an increase in credential phishing. Malicious URLs redirect victims to fake login sites for popular applications and harvest credentials. Both credential phishing and infostealer logs result in active credentials for use in follow-on attacks.
For the second-stage attacks, the vector is the use of valid accounts, one of the most common initial access vectors during the last two years. However, it is almost impossible to trace back to the origin of the compromised credentials. It is likely that for many Valid Accounts incidents, the actual infection vector was a premeditated credential phishing or infostealer malware campaign, a fact that cannot be accurately reflected in the statistics of initial access vectors.

Although by the numbers it might seem like phishing risks are decreasing, it’s just become more challenging to determine where the risk originated. Valid credentials still must be sourced from somewhere. While it can be difficult to prove, most compromised credentials came from infostealers and credential harvesting campaigns, an increasing share of which comes in through phishing.

Infostealers, a persistent and growing threat

Infostealers are malicious software programs designed to steal valuable information. Attack vectors typically include phishing emails, malicious websites, or infected software downloads. Increasingly, infostealers are distributed through techniques such as SEO poisoning and Google Ads, drive-by attacks, and software supply chain compromises. Once installed, infostealers run in the background to take screenshots, capture keystrokes, access passwords, and compromise financial and personal information without user knowledge. They have also been frequently linked to more impactful attacks against enterprises by gaining access through stolen login credentials. Infostealers have long been a staple of the criminal marketplace, and many operate as a malware-as-a-service (MaaS) model.

Cloud-hosted phishing is on the rise

In one of our most significant findings, our research reveals that over the past year, threat actors have shifted to using cloud hosting services to facilitate mass phishing campaigns. These campaigns have increased significantly in volume.
The abuse of cloud hosting services often guarantees attackers a trusted URL, domain, and IP in their phishing campaigns—at least as long as the cloud hosting service fails to detect the abuse and act. For most providers, the sheer mass of abused accounts can be overwhelming. Adversaries require payloads to stay up only until victims click the link. Latin America (LATAM) is one of the most severely impacted regions for phishing campaigns. Throughout 2024, threat actors significantly ramped up the volume of LATAM-targeted campaigns abusing cloud hosting services.

These landscape changes make it much more difficult for defenders to prevent successful phishing attacks. Organizations cannot realistically block PDFs and URLs in emails because they are used everywhere across everyday operations. Furthermore, organizations cannot block legitimate cloud hosting services. The only way to help avoid this is to use time-sensitive threat intelligence to block URLs that are used maliciously for a short time frame, and to rely on layered defenses to reduce impact if users take the phishing email bait. This means using EDR to detect info-stealing malware and using passkeys and MFA to reduce the risk of credential harvesting campaigns. The LATAM region is especially targeted and should remain vigilant against phishing campaigns. The only effective way to counter the scale of these attacks will be through the use of AI tools and automation.

Figure: Incidence of spam and malware hosted on major public cloud environments. Number of observed spam email messages with links to a given cloud hosting provider. Threat actors seek to mask malicious activity by using popular cloud hosting services. The cloud hosting services secureserver.net (purple), publiccloud.com.br belonging to Locaweb Serviços de Internet (blue) and Microsoft Azure Blob Storage (white) have been abused heavily as a means to distribute credential phishing sites and banking trojan malware such as Grandoreiro, Mekotio and Guildma.
NOTE: The use of a specific cloud provider for hosting malicious content is not indicative of a security flaw in the platform but illustrates where attackers choose to stage malware. Often, attackers choose well-known and established providers as a way to fool victims by hiding nefarious activities amongst other legitimate workloads, making those activities harder to identify and isolate. Source: IBM X-Force.

What is cloud-hosted malware?

Cloud-hosted malware refers to malicious software, including worms, trojans, ransomware, or infostealers, that uses cloud services for hosting, distribution and/or command and control operations. Attackers use malware hosting services to house and distribute malware and support browser exploits and drive-by downloads to infiltrate vulnerable computers. Cloud-hosted malware attacks have proliferated because of increased reliance on cloud services, the inherent vulnerabilities of cloud estates, and the ease of distribution and persistence enabled by cloud infrastructure. Although cloud environments provide security features, they can be exploited when not properly configured, when vulnerabilities are not patched, or when policies are not updated.

PDFs and URLs are taking over malicious spam

In 2024, we observed a clear decrease in direct malware attachments such as ZIP archives or maldocs in phishing emails. Malicious ZIP and RAR attachments dropped by 70% and 45% respectively, with a similar drop observed for Excel and Word documents. Malware is increasingly distributed via malicious URLs, both directly in phishing emails and through PDF attachments. This may be a result of better malware scanners in email solutions, which have become more accurate at detecting malware but often cannot classify URLs, or URLs inside benign attachments, as malicious.
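To make the PDF obfuscation patterns this section describes concrete from the detection side, here is an added example (not code from the report or from IBM X-Force) of a small mail-gateway triage routine in Python. It pulls `/URI` link targets out of PDF object syntax even when the name is hex-escaped (`/#55#52#49`), the target is written as a hex string, or the annotation sits inside a FlateDecode-compressed stream, and it flags the encrypted case, which cannot be inspected without the password. The PDF fragment is constructed inline for the demonstration and is not a real sample; the function names (`triage`, `build_sample_pdf`) are the example's own.

```python
import re
import zlib

# Constructed link annotation that will be hidden inside a compressed stream.
_INFLATED_LINK = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
                  b"/URI (https://compressed.example.invalid/login) >> >>")


def build_sample_pdf() -> bytes:
    """Constructed PDF fragment (not a real sample) with three link annotations:
    a plain /URI, a hex-escaped name with a hex-string target, and one inside a
    FlateDecode stream. Enough structure for the scanner, not a valid file."""
    compressed = zlib.compress(_INFLATED_LINK)
    hex_target = b"https://hex.example.invalid/verify".hex().encode("ascii")
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://plain.example.invalid/doc) >> >> endobj\n",
        b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/#55#52#49 <" + hex_target + b"> >> >> endobj\n",
        b"3 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed),
        compressed,
        b"\nendstream\nendobj\n",
        b"trailer << /Root 4 0 R >>\n%%EOF\n",
    ])


# A PDF name token: "/" followed by regular characters (may contain #XX escapes).
_NAME = rb"/([^\s/\[\]<>(){}%]+)"
# Name followed by a string object: (literal) or <hex>; "<<" opens a dict, not a string.
_URI_RE = re.compile(_NAME + rb"\s*(?:\(((?:\\.|[^\\)])*)\)|<(?!<)([0-9A-Fa-f\s]*)>)")
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_HEX_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*#[0-9A-Fa-f]{2}")


def decode_name(raw: bytes) -> str:
    """Resolve #XX escapes in a name token, e.g. b'#55#52#49' -> 'URI'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def decode_string(raw: bytes, is_hex: bool) -> str:
    """Decode a string object body: <hex digits> or (literal with backslash escapes)."""
    if is_hex:
        digits = re.sub(rb"\s", b"", raw)
        if len(digits) % 2:          # PDF treats a missing final digit as 0
            digits += b"0"
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}
    return re.sub(rb"\\(.)", lambda m: simple.get(m.group(1), m.group(1)), raw).decode("latin-1")


def _object_syntax(data: bytes) -> bytes:
    """The file with raw (possibly binary) stream bodies blanked out."""
    return _STREAM_RE.sub(b"stream\nendstream", data)


def inflate_streams(data: bytes) -> list:
    """Return the decompressed bodies of every stream that zlib can inflate."""
    bodies = []
    for m in _STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue   # other filters (LZW, ASCIIHex, ...) are out of scope here
    return bodies


def extract_uris(data: bytes) -> list:
    """Collect /URI targets from the object syntax and from inflated streams."""
    uris = []
    for blob in [_object_syntax(data), *inflate_streams(data)]:
        for m in _URI_RE.finditer(blob):
            if decode_name(m.group(1)) != "URI":
                continue
            if m.group(2) is not None:
                uris.append(decode_string(m.group(2), is_hex=False))
            else:
                uris.append(decode_string(m.group(3), is_hex=True))
    return uris


def triage(data: bytes) -> dict:
    """Indicators a gateway can log: recovered URLs plus the hiding techniques used.
    An /Encrypt entry means the content cannot be inspected, so it is flagged."""
    syntax = _object_syntax(data)
    return {
        "uris": extract_uris(data),
        "hex_escaped_names": _HEX_NAME_RE.search(syntax) is not None,
        "compressed_streams": len(inflate_streams(data)),
        "encrypted": b"/Encrypt" in syntax,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Running it on the constructed fragment recovers all three URLs and reports the hex-escaped name and the compressed stream, which is the signal a gateway needs to route the attachment to URL reputation checks rather than passing it as "no attachment payload". A production scanner would additionally walk object streams, handle the other standard filters, and treat an `/Encrypt` hit as a reason to hold the message.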
Obfuscation is becoming an important tactic for threat actors, and PDF malware disguises malicious URLs by encrypting them, hiding them in compressed streams, or using hexadecimal representations, which can also hinder automated analysis by email security solutions. Of all PDFs, 42% used obfuscated URLs, 28% hid their URLs in PDF streams, and 7% were delivered in an encrypted form along with a password. In 2024, PDF files were also commonly used in LATAM-targeted phishing campaigns to deliver links leading to banking trojan malware.

Figure: PDFs rank as the top malicious attachment file type. PDFs are a common file format, with a complex structure that makes it easier for threat actors to hide malicious code. They are a popular choice for attackers to deliver malware via email and other means because many potential victims use PDFs frequently and aren’t suspicious of PDF attachments. Source: IBM X-Force.

Success of vulnerability exploitation

30% of the incidents X-Force responded to in 2024 involved the exploitation of public-facing applications. For many organizations, this is magnified by vulnerability patch management challenges. Furthermore, in 25% of these cases, we observed active scanning post-compromise—meaning attackers used vulnerability scanning tools to identify additional vulnerabilities, gain additional access, and move laterally in the compromised environment. Threat actors exploit known vulnerabilities in common applications and infrastructure services, and the attack vector is simply a matter of acting on this knowledge. Bots and automation tools acquired on the dark web can target an organization’s key infrastructure applications and services. Unfortunately for cyber defenders, there is no shortage of vulnerabilities to exploit. Since 1993, we have categorized over 300,000 unique vulnerabilities. Included are nearly 65,000 vulnerabilities with a publicly available exploit, many of which attackers have used to compromise environments.
In other words, nearly a quarter of all vulnerabilities have an associated weaponized exploit that can be leveraged by threat actors. Also of note, the number of vulnerabilities has increased rapidly over the past eight years, growing threefold. This could be attributed to many factors. Perhaps the most likely is a growing reliance on shared cloud infrastructure and services. Attacking common cloud infrastructure is a prized opportunity for threat actors to deploy malware at scale and expand their potential for disruption. This is another compelling reason why zero trust principles, such as network segmentation, are essential for cyberdefenders. By isolating workloads, we limit the potential blast radius of attacks.

Figure: Growth of vulnerabilities, weaponized exploits, and zero days. Number of observed vulnerabilities in the wild. The IBM X-Force Vulnerability Database is one of the oldest and largest vulnerability databases in the world. Source: IBM X-Force.

What are common vulnerabilities and exposures (CVEs), weaponized exploits, and zero days?

The CVE system provides a unique way to identify publicly known cybersecurity vulnerabilities and exposures occurring in software, hardware, and other digital systems. It allows organizations to track security issues effectively and share knowledge, enabling security teams to refer to the same vulnerability in a consistent manner, even across different systems. MITRE Corporation maintains a publicly listed catalog of CVEs, and the CVE list feeds the US National Vulnerability Database (NVD), which quickly enriches each CVE once it has been published. In addition to pooling intelligence about common vulnerabilities and threat vectors, organizations also benefit from sector- and industry-specific resources such as information sharing and analysis centers (ISACs).
Typically managed by non-profit organizations, ISACs help critical infrastructure operators protect facilities, employees, and customers from cyber and physical security threats. Weaponized exploits, often involving malicious payloads or malware, are attack tools used by threat actors to exploit vulnerabilities and target specific systems. A zero day vulnerability refers to a flaw in an operating system or software that leaves a system open to attack until the developer finds out and releases a fix.

Top impacts on victim organizations

In 2024, the top impact experienced by victim organizations was credential harvesting, occurring in 28% of incidents. Credentials are valuable because they open the door to additional access vectors and offer attackers additional options such as extortion, data theft and data leak. Often, attackers leverage stolen credentials to burrow inside a victim environment, making detection and remediation more difficult.

Data theft was the second most observed impact and was seen in 18% of incidents. In fact, credentials or data were stolen in nearly half of all cyberattacks, highlighting a growing challenge in securing both data and identities.

The theft of data is often, but not always, accompanied by a subsequent ransom demand. Extortion following a ransom demand occurred in 12% of cases, taking the fourth spot. Threat actors extort victims in many ways. Traditionally, ransomware has been used to encrypt systems and urge victims to pay for decryption keys. More recently, however, threat actors have extorted victims without using ransomware. In these cases, stolen data is often used to pressure victims into paying for retrieval.

Figure: Top impacts observed in incident response engagements in 2024. Incidents can have more than one impact observed. Source: IBM X-Force.
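The post-compromise active scanning described under "Success of vulnerability exploitation" above leaves a recognisable footprint in internal flow or firewall logs: one source suddenly touching many hosts on one port, or many ports on one host, inside a short window. As an added example (not code from the report or from IBM X-Force), the Python below runs a sliding-window fan-out detector over a constructed flow log. The log lines, addresses, thresholds and function names (`detect_scans`, `make_sample_log`) are the example's own choices; thresholds would be tuned per network segment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log() -> str:
    """Constructed flow log (not real data): 'timestamp src dst dport' per line.
    Two benign patterns and two scan patterns, all on RFC 1918 addresses."""
    base = datetime(2024, 6, 1, 10, 0, 0)
    lines = []

    def add(offset_s, src, dst, port):
        lines.append(f"{(base + timedelta(seconds=offset_s)).isoformat()} {src} {dst} {port}")

    for i in range(20):                       # steady file-server chatter: one host, one port
        add(30 * i, "10.0.5.99", "10.0.5.10", 445)
    for i in range(10):                       # ten hosts on port 80, but spread over 20 minutes
        add(120 * i, "10.0.5.77", f"10.0.6.{i + 1}", 80)
    for i in range(10):                       # horizontal sweep: port 22 across ten hosts in 20 s
        add(300 + 2 * i, "10.0.5.23", f"10.0.5.{11 + i}", 22)
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
        add(1200 + 3 * i, "10.0.5.40", "10.0.5.10", p)   # vertical probe of one host in 33 s
    return "\n".join(lines) + "\n"


def parse_flows(text: str) -> list:
    """Parse 'ISO-timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def detect_scans(flows: list, window_s: int = 60, threshold: int = 8) -> list:
    """Sliding-window fan-out detection per source address.

    horizontal: >= threshold distinct destination hosts on one port within window_s
    vertical:   >= threshold distinct destination ports on one host within window_s
    Each (source, kind, key) fires once; the alert records the count when it fired.
    """
    recent = defaultdict(deque)        # src -> deque of (ts, dst, port) inside the window
    fired = set()
    alerts = []
    for ts, src, dst, port in sorted(flows):
        q = recent[src]
        q.append((ts, dst, port))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                # evict flows that fell out of the window
        hosts_by_port = defaultdict(set)
        ports_by_host = defaultdict(set)
        for _, d, p in q:
            hosts_by_port[p].add(d)
            ports_by_host[d].add(p)
        for p, hosts in hosts_by_port.items():
            if len(hosts) >= threshold and (src, "horizontal", p) not in fired:
                fired.add((src, "horizontal", p))
                alerts.append({"src": src, "kind": "horizontal", "key": p,
                               "count": len(hosts), "first": q[0][0], "last": ts})
        for d, ports in ports_by_host.items():
            if len(ports) >= threshold and (src, "vertical", d) not in fired:
                fired.add((src, "vertical", d))
                alerts.append({"src": src, "kind": "vertical", "key": d,
                               "count": len(ports), "first": q[0][0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(parse_flows(make_sample_log())):
        print(f"{a['kind']:10} src={a['src']} key={a['key']} count={a['count']} "
              f"window={a['first'].time()}..{a['last'].time()}")
```

On the constructed log the detector raises exactly two alerts, for the sweep from 10.0.5.23 and the probe from 10.0.5.40, while the slow, spread-out source never accumulates enough distinct destinations inside one window. That is the trade-off to keep in mind: a shorter window or higher threshold suppresses noise from inventory and monitoring tools but also lets a patient scanner stay under the line, so pair the rule with an allow-list of known scanners rather than loosening it globally.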
The dark web and cybercrime-as-a-service marketplaces

The dark web is a cloistered area of the internet that can only be reached by using specialized software that allows users to visit websites anonymously. Although it can be used legitimately by journalists, whistleblowers, and researchers to communicate without being tracked, the dark web is also commonly used by criminals involved with drugs and arms trafficking, stolen data, and other illegal activities. This is the marketplace where threat actors buy and sell cybercrime-as-a-service (CaaS) software. Mimicking software-as-a-service business models, CaaS transforms hacking into a subscription service available to threat actors around the world. CaaS provides hacking tools for criminals to launch distributed denial of service (DDoS), phishing, malware, spyware, credential stuffing, and an ever-expanding range of other cybercrime attacks and activities.

Top actions on objectives

Actions on objectives are steps or activities taken to achieve a defined objective or goal. In a cybersecurity context, these measurable and actionable steps are part of a larger plan directly linked to threat actor objectives. According to X-Force incident response data, the deployment of malware was the most observed action on objectives, making up 42% of cases, just slightly less than the prior year. Of all the malware cases, 28% involved ransomware, followed by backdoors and webshells, at 20% and 13% respectively.

Figure: Top actions on objectives observed in 2024 compared to 2023. Incidents can have more than one observed action on objective. Source: IBM X-Force.

Figure: Distribution of types of malware cases as a percentage of total malware incidents. Source: IBM X-Force.

Proxy malware and obfuscation tactics

We have observed an increase in proxy malware, which is malware with the ability to operate as a SOCKS5 proxy and forward requests between a C2 server and target systems.
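Because the proxy malware described above relays traffic over plain SOCKS5, network defenders can recognise the handshake itself rather than the malware family. As an added example (not code from the report or from IBM X-Force), the Python below decodes the client greeting and the CONNECT request from captured TCP payloads, so a sensor can flag hosts that have no business acting as a proxy and record the destination being relayed. The message layouts follow RFC 1928; the captured segments are constructed for the demonstration, one SOCKS message per segment, and the function names (`inspect_flow`, `parse_request`) are the example's own.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
AUTH_METHODS = {0: "no-auth", 1: "gssapi", 2: "username/password"}


def parse_greeting(data: bytes):
    """Client greeting: VER=5, NMETHODS, then NMETHODS method bytes. None if malformed."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return {"methods": [AUTH_METHODS.get(m, f"0x{m:02x}") for m in data[2:]]}


def parse_request(data: bytes):
    """Client request: VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT (big-endian).
    Returns the command and destination, or None if the bytes are not a request."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 1:                                  # IPv4: 4 address bytes + 2 port bytes
        if len(data) != 10:
            return None
        dst = str(ipaddress.IPv4Address(bytes(data[4:8])))
        port_off = 8
    elif atyp == 3:                                # domain: 1 length byte + name + 2 port bytes
        name_len = data[4]
        if len(data) != 5 + name_len + 2:
            return None
        dst = data[5:5 + name_len].decode("ascii", errors="replace")
        port_off = 5 + name_len
    elif atyp == 4:                                # IPv6: 16 address bytes + 2 port bytes
        if len(data) != 22:
            return None
        dst = str(ipaddress.IPv6Address(bytes(data[4:20])))
        port_off = 20
    else:
        return None
    (port,) = struct.unpack("!H", data[port_off:port_off + 2])
    return {"cmd": COMMANDS.get(cmd, f"0x{cmd:02x}"), "dst": dst, "port": port}


def inspect_flow(segments: list) -> dict:
    """segments: [(direction, payload)] with direction 'c2s' or 's2c', one message each.
    A flow counts as SOCKS5 only when the first client message is a well-formed
    greeting; the second client message, if present, is decoded as the request."""
    client = [payload for direction, payload in segments if direction == "c2s"]
    if not client:
        return {"socks5": False}
    greeting = parse_greeting(client[0])
    if greeting is None:
        return {"socks5": False}
    request = parse_request(client[1]) if len(client) > 1 else None
    return {"socks5": True, "methods": greeting["methods"], "request": request}


# Constructed captures (not from the report): a SOCKS5 CONNECT to a domain name,
# and a TLS ClientHello prefix that must not be mistaken for SOCKS.
DOMAIN_FLOW = [
    ("c2s", bytes([5, 1, 0])),                                 # greeting: no-auth offered
    ("s2c", bytes([5, 0])),                                    # server selects no-auth
    ("c2s", bytes([5, 1, 0, 3, len(b"example.invalid")]) + b"example.invalid"
            + (443).to_bytes(2, "big")),                       # CONNECT example.invalid:443
    ("s2c", bytes([5, 0, 0, 1, 0, 0, 0, 0, 0, 0])),            # success, BND.ADDR 0.0.0.0:0
]
TLS_FLOW = [("c2s", bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]))]

if __name__ == "__main__":
    print(inspect_flow(DOMAIN_FLOW))
    print(inspect_flow(TLS_FLOW))
```

Two caveats for use on real traffic: a three-byte greeting on its own is a weak signal, which is why the decoder also demands a well-formed request before reporting a destination, and TCP captures frequently coalesce or split messages, so a production sensor reassembles the stream first. The useful alert is contextual: SOCKS5 CONNECT requests arriving at a workstation or a server whose role does not include proxying, especially when the relayed destinations are other internal hosts.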
Threat actors may install proxy malware to act as a backdoor to a target network, disguise network traffic, or act as part of a proxy service botnet. Threat actors’ ability to obfuscate—or operate in the shadows—is the real danger. Increasing use of obfuscation tactics is a consequence of threat actors’ desire to leverage widely available cloud infrastructure and services, and to complicate mitigation efforts by making workload inspection and validation activities more costly and expertise-intensive.

Malware payloads delivered via SEO poisoning and malvertising

A common infection vector used by threat actors is to hide malware within fake or trojanized installers of legitimate applications. Users are then tricked into downloading and running malicious installers via techniques such as phishing, SEO poisoning, and malvertising. SEO poisoning uses search algorithms to promote malicious web pages, and malvertising directs users to bogus websites where their data can be stolen. These tactics play a significant part in the chain of compromise by spoofing legitimate websites to obtain valid credentials, logging in instead of hacking in. We have also observed similar techniques from Latin America-based threat actor groups. Throughout 2024, X-Force observed the Byakugan infostealer being distributed to users throughout Latin America, specifically Brazil, with Portuguese-language phishing emails. The phishing emails encouraged users to download a fake Adobe Reader installer which would then install the Byakugan malware.

Geographic trends

Industry trends

Action guide

Threat management is the core of every successful cybersecurity program. Cyber risk and resilience practices go a long way towards improving security postures. For threats that do materialize, we need to evolve from ad hoc risk remediation and threat management to proactive, community-based measures such as threat intelligence sharing.
Working together increases awareness and accountability across supply chains and ecosystems and raises collective resilience across the operations lifecycle.

Limit your exposure across the threat environment.

Know what the bad guys know about you. Monitor the dark web to gather threat intelligence about your organization, employees, networks, and data, before threat actors do.

Keep your employees current on the most effective security practices. Educate your employees about the risks associated with phishing attacks and poor password hygiene, and regularly update your people about ways to protect themselves and your organization.

Enhance ecosystem-wide incident response planning. Work with stakeholders in your organization and with partners across your ecosystem to develop and regularly update incident response plans that address threats specific to your industry.

Embed and extend advanced security across all AI workloads and services.

Secure your AI development and deployment pipeline. Secure each stage of the AI pipeline, including the data used to train, test, and tune models; the AI models themselves; and the responsible use of AI models to support robust infrastructure security.

Extend AI governance and ethics accountability. Robust governance is essential for trustworthy AI. Work with partners to set clear guidelines for AI usage; regularly audit AI systems for fairness, bias, and drift; and help ensure that AI outputs align with broader organizational values and ethics.

Use security frameworks to instill trust in AI systems. Use standardized frameworks that offer structured approaches to securing AI systems. These cover essential aspects such as data privacy, model integrity, usage controls, and ongoing monitoring.

Protect credentials by reining in data and identity sprawl.

Implement robust data protection. Protect sensitive data wherever it resides, whether on-premises, in the cloud, or in hybrid environments.
To protect data in motion, use encryption, implement strong access controls, and monitor data transfers.

Consolidate identity solutions. Work toward eliminating disconnected data and identity silos. This involves weaving identity management systems together into a unified, holistic framework—often referred to as an "identity fabric" approach.

Turn the tables on adversaries with AI-powered, proactive threat detection. As threat actors step up their use of AI to develop and scale credential-based attacks, step up your own use of AI and machine learning to detect threats faster and respond to attacks more effectively.

Patch authentication gaps before attackers can sneak in.

Significantly expand MFA use. Prioritize MFA for all employees and partners accessing systems. This provides an extra layer of protection for applications and network services, even if passwords are compromised.

Modernize identity strategy. Along with expanded MFA usage, develop and implement a comprehensive, adaptive, and scalable identity strategy. Align the strategy to changing operational and security requirements and improve it through regular audits.

Reduce IT and IS complexity. Growing IT and IS complexity hinders the effective administration of secure identities and slows down the response to legitimate threats. To counteract complexity, invest in tools and technologies, such as identity fabrics, for simpler and more cohesive identity platforms.
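One defender-side check for the trojanized-installer chain described in the SEO poisoning and malvertising section (fake vendor installers reached via poisoned search results or ads), written here as an added example and not taken from the X-Force report: it scans constructed web-proxy log lines and flags installer downloads whose hostname carries a vendor brand name but whose registrable domain is outside that vendor's allowlist, noting whether the referrer was a search engine or ad network. The log format, the vendor allowlist and every domain in it are constructed for illustration.

```python
"""Flag installer downloads that fit the SEO-poisoning / malvertising pattern."""
import re
from typing import Optional
from urllib.parse import urlparse

# Vendor brand -> genuine registrable domains (constructed allowlist; extend as needed).
VENDOR_DOMAINS = {"adobe": {"adobe.com", "adobe.io"}, "chrome": {"google.com"}}
INSTALLER_EXT = re.compile(r"\.(exe|msi|dmg|pkg|zip)$", re.IGNORECASE)
SEARCH_OR_AD_REFERRERS = {"google.com", "bing.com", "duckduckgo.com", "doubleclick.net"}

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for this illustration."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_line(line: str) -> dict:
    """Constructed proxy log format: <timestamp> <src_ip> <url> <referrer>."""
    ts, src, url, ref = line.split()
    return {"ts": ts, "src": src, "url": url, "referrer": ref}

def classify(event: dict) -> Optional[str]:
    """Reason string if the download looks like a lookalike-vendor installer, else None."""
    url = urlparse(event["url"])
    if not INSTALLER_EXT.search(url.path):
        return None  # not an installer-type download
    host = url.hostname or ""
    reg = registrable_domain(host)
    for brand, genuine in VENDOR_DOMAINS.items():
        # Brand appears in the hostname but the registrable domain is not the vendor's.
        if brand in host and reg not in genuine:
            ref_dom = registrable_domain(urlparse(event["referrer"]).hostname or "")
            via = "search/ad referral" if ref_dom in SEARCH_OR_AD_REFERRERS else "direct"
            return f"{brand}-lookalike installer from {reg} ({via})"
    return None

def scan(lines):
    """Return (src_ip, url, reason) for each flagged line."""
    events = map(parse_line, lines)
    return [(e["src"], e["url"], r) for e in events if (r := classify(e))]

SAMPLE_LOG = [  # constructed lines, not real telemetry
    "2024-06-01T10:01:02Z 10.0.0.5 https://get.adobe.com/reader/Reader_Install.exe https://www.google.com/search?q=adobe+reader",
    "2024-06-01T10:03:10Z 10.0.0.7 https://adobe-reader-download.example/AdobeReaderSetup.exe https://www.google.com/search?q=adobe+reader",
    "2024-06-01T10:04:55Z 10.0.0.9 https://cdn.example.net/notes.pdf https://www.bing.com/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The genuine vendor download passes, the lookalike domain reached from a search result is flagged, and a non-installer download is ignored; in production, replace the naive two-label domain split with a public-suffix-list lookup.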