
The latest analysis of the global threat landscape from Forescout shows attacks using OT protocols surged by 84 percent last year, while exploits against IoT devices increased from 16 percent to 19 percent, with IP cameras and network video recorders the most frequent targets.
Overall, the report shows that cyberattacks became more globally distributed and increasingly cloud-enabled in 2025. Threat actors focused more on exploiting rapidly shifting infrastructure, OT protocols, vulnerable web apps, and emerging AI platforms while increasingly targeting critical industries including healthcare, manufacturing, government, energy, and financial services.
“The 2025 Threat Roundup shows how quickly threat actors are adapting to new technology trends — abusing cloud services and fast-cycling Autonomous Systems, and even components in popular AI development stacks like Langflow,” says Barry Mainz, Forescout CEO. “To combat these threats in 2026, organizations must monitor East-West traffic and prioritize threat containment to stop attackers from moving laterally across environments. Deeper visibility, enhanced risk assessment, and proactive controls are non-negotiables for today’s defenders.”
Cybersecurity continues to be a global issue: last year, attacks originated from 214 different countries and territories, with most threat actors originating from China, Russia, and Iran. Attackers are using IP addresses registered in a wider array of countries, and the top 10 countries accounted for 61 percent of malicious traffic observed, down 22 percent compared to 2024.
The United States was the most targeted country, followed by India and Germany. Compared to 2024, India and Germany swapped places on the list, but remained in the top three most targeted countries.
The abuse of Amazon and Google infrastructure was responsible for more than 15 percent of attacks observed in 2025, up from 11 percent in 2024. Network infrastructure used for malicious activity, including Autonomous Systems, shifted rapidly, partly due to intense law enforcement disruption. Two of the top 10 most exploited Autonomous Systems from 2024 dropped off the list entirely in 2025, while three new entries had not previously ranked in the top 500.
Web applications remain the most attacked service type at 61 percent, up from 41 percent in 2024, followed by remote management protocols at 15 percent.
“Threat actors are devoting far more effort to reconnaissance, with discovery activity now accounting for 91 percent of post-exploitation actions,” says Daniel dos Santos, vice president of Research at Forescout. “That’s up from just 25 percent in 2023 — a dramatic increase that shows attackers are spending more time interacting with breached systems to understand what’s inside or to identify other targets within the network. This shift gives defenders a larger window to detect compromise before more damaging actions — such as exfiltration, deletion or encryption — can occur. Holistic visibility, early detection of discovery behaviors, and network segmentation across IT, IoT, and OT environments are critical to prevent lateral movements and stop modern attacks.”
You can read more and get the full report on the Forescout blog.

