WEBINAR RECAP: The Biggest Threat Shifts of 2025 (So Far)

The Biggest Threat Shifts of 2025

What security leaders need to know from the Critical Start H1 2025 CTI Report 

The first half of 2025 brought major changes in how, when, and where attackers operate. If your threat models haven’t been updated yet, well, there’s no time like the present. 

In this webinar, Critical Start Field CISO Tommy King gives a fast overview of the most urgent findings from the H1 2025 Cyber Threat Intelligence (CTI) Report, based on thousands of real-world threats investigated by our Cyber Research Unit (CRU). From the rise of credential abuse to ransomware consolidation, King connects the dots between shifting adversary behaviors and what your team can do to stay ahead. 

Don’t have time to watch the full webinar? Here’s what you need to know. 


1. The Old Playbooks Are Out. Threat Actors Are Playing a New Game 

Adversaries are getting smarter, faster, and bolder. Instead of breaking through your defenses, they walk in through the front door with stolen credentials, and they do it when you least expect it. 

  • Valid Accounts (MITRE ATT&CK T1078) is now the top initial access technique, surpassing phishing (T1566) for the first time.
  • Credential-based attacks increased 31% over the previous six months, driven by MFA fatigue (repeated push prompts until a worn-down user approves one) and credentials exposed in breaches and sold on dark-web marketplaces.
  • Attacks peak midweek: Tuesday and Wednesday mornings (around 15:00 UTC, late morning on the US East Coast) show the highest volume. Threat actors time their activity for maximum disruption, and a valid-account login during the business day blends in with legitimate traffic better than ever. 
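The MFA-fatigue pattern named above is detectable from identity-provider logs alone. The following is an added example, not code from the report or the webinar: it parses a constructed log of MFA push events (the line format, field names, window and threshold are all assumptions) and flags a user who receives a burst of prompts in a short window, marking separately the case where a prompt is finally approved. That approved-after-burst case is the valid-account access the report describes, and it maps to ATT&CK T1621 (Multi-Factor Authentication Request Generation).

```python
"""Flag MFA push-fatigue bursts in identity-provider logs.

Added example for this recap; it is not code from Critical Start or the CRU.
The log format (timestamp user event result), field names and thresholds are
assumptions, and the sample lines below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: alice is push-bombed and finally approves a prompt,
# bob is a normal login, carol denies once and approves ten minutes later
# (two prompts far apart, not a burst).
SAMPLE_LOG = """\
2025-04-08T14:58:01Z alice mfa_push denied
2025-04-08T14:58:40Z alice mfa_push denied
2025-04-08T14:59:12Z alice mfa_push denied
2025-04-08T14:59:50Z alice mfa_push denied
2025-04-08T15:00:31Z alice mfa_push denied
2025-04-08T15:01:05Z alice mfa_push approved
2025-04-08T15:01:07Z alice login success
2025-04-08T15:03:00Z bob mfa_push approved
2025-04-08T15:03:02Z bob login success
2025-04-08T15:10:00Z carol mfa_push denied
2025-04-08T15:20:00Z carol mfa_push approved
"""

WINDOW = timedelta(minutes=5)  # assumed: per-user look-back window
THRESHOLD = 4                  # assumed: pushes inside WINDOW that count as a burst


def parse_log(text):
    """Parse 'ISO-8601Z user event result' lines into sorted (ts, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, user, event, result = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, user, event, result))
    return sorted(events)


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for users whose MFA pushes reach `threshold` inside
    any `window`. `compromised` is set when a push is approved while the burst
    is still inside the window: a valid password plus a worn-down user is the
    'front door' access the report describes."""
    recent = defaultdict(deque)  # user -> timestamps of pushes inside the window
    alerts = {}
    for ts, user, event, result in events:
        if event != "mfa_push":
            continue
        pushes = recent[user]
        pushes.append(ts)
        while ts - pushes[0] > window:  # slide the window forward
            pushes.popleft()
        if len(pushes) < threshold:
            continue
        alert = alerts.setdefault(user, {
            "user": user, "first_push": pushes[0], "last_push": ts,
            "pushes": 0, "compromised": False,
        })
        alert["last_push"] = ts
        alert["pushes"] = max(alert["pushes"], len(pushes))
        if result == "approved":
            alert["compromised"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).values():
        status = "APPROVED AFTER BURST" if alert["compromised"] else "denied so far"
        print(f"{alert['user']}: {alert['pushes']} pushes "
              f"{alert['first_push']:%H:%M:%S}-{alert['last_push']:%H:%M:%S} UTC, {status}")
```

Running the block prints one line per flagged user; in the constructed sample only alice trips the rule, with six prompts in about three minutes and an approval at the end. Tune WINDOW and THRESHOLD to your identity provider's normal prompt rate, and treat an approval after a burst as an incident rather than a warning, because at that point the attacker holds a working session.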


2. Ransomware Is Evolving and Consolidating 

Ransomware hasn’t slowed down; it’s just getting more efficient. 

  • Five ransomware groups account for 43% of all incidents, showing clear signs of consolidation.
  • Many of these operators are pivoting to data theft and extortion without deploying encryption. Dropping the noisy encryption phase removes the signal that many detections and containment playbooks key on, so detection is harder and containment trickier.
  • Advanced tooling and AI-assisted automation help them move faster; the mean time from initial access to lateral movement is shrinking. 


3. The Financial Sector Is Now the Top Target 

For the first time, Banking and Finance has overtaken Manufacturing as the most frequently targeted industry in our dataset. But this shift doesn’t mean other industries are safe. 

  • Threats are diversifying across sectors, with attackers adapting their TTPs (Tactics, Techniques, and Procedures) based on what works.
  • Operational resilience matters more than ever. If your SOC doesn’t have visibility into how attackers gain access, move laterally, and exfiltrate data, you’re already behind. 


4. Emerging Techniques Are Exploiting the Gaps 

It’s not just about stealing credentials anymore. Threat actors are expanding their toolkits. 

  • We’re seeing increased abuse of open-source package registries, malicious Office macros, and collaboration platforms (e.g., Slack, Teams, Discord) used as delivery channels.
  • Stockpiling of encrypted data (harvest now, decrypt later) is also on the rise, suggesting attackers are planning for a future in which a quantum computer can break the public-key cryptography that protects today’s traffic. 

King notes: “The combination of stealthy access, operational timing, and creative delivery mechanisms is making it harder for traditional detection approaches to keep up.” 


What You Can Do Now 

King emphasizes that security teams need to move faster and work smarter. Here’s what he recommends: 

  • Reevaluate your coverage with MITRE ATT&CK as your guide. Understand where detection gaps exist and close them.
  • Prioritize asset visibility. You can’t defend what you can’t see.
  • Invest in MDR (managed detection and response) that goes beyond alerting. Your MDR provider should help you understand root causes, mitigate exposures, and adapt response actions as threats evolve. 
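The first recommendation, reevaluating coverage against MITRE ATT&CK, is more useful when gaps are ranked by how often you actually see each technique rather than by raw rule count. The block below is an added example, not Critical Start or CRU tooling: it takes a constructed inventory of detection rules with Sigma-style `attack.tNNNN` tags and a constructed table of technique frequencies from your own incidents (both data sets are made up; the tag format and the choice to count a sub-technique tag as coverage of its parent are assumptions), then reports a frequency-weighted coverage figure and the gaps that matter most. T1078 is placed first to mirror the report’s Valid Accounts finding; the counts themselves are illustrative.

```python
"""Rank MITRE ATT&CK detection gaps by how often each technique shows up in
your own incidents.

Added example for this recap; it is not Critical Start or CRU tooling. The
rule set, the technique counts and the Sigma-style `attack.tNNNN` tag format
are assumptions, and both data sets below are constructed for illustration.
"""
import re

# Constructed: technique IDs and how many of your incidents involved each over
# the last six months. The numbers are made up; only the ordering of T1078
# (Valid Accounts) at the top mirrors the report.
OBSERVED = {
    "T1078": 140,  # Valid Accounts
    "T1566": 95,   # Phishing
    "T1021": 60,   # Remote Services (lateral movement)
    "T1621": 40,   # Multi-Factor Authentication Request Generation (MFA fatigue)
    "T1567": 35,   # Exfiltration Over Web Service
    "T1486": 30,   # Data Encrypted for Impact
    "T1195": 12,   # Supply Chain Compromise (package abuse)
}

# Constructed: a detection rule inventory with Sigma-style ATT&CK tags.
RULES = [
    {"title": "Office macro spawns shell", "enabled": True,
     "tags": ["attack.initial_access", "attack.t1566.001", "attack.t1204.002"]},
    {"title": "Mass file rename with ransom note", "enabled": True,
     "tags": ["attack.impact", "attack.t1486"]},
    {"title": "RDP logon from workstation subnet", "enabled": False,
     "tags": ["attack.lateral_movement", "attack.t1021.001"]},
    {"title": "Login from two countries within an hour", "enabled": True,
     "tags": ["attack.t1078"]},
]

TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4})(?:\.\d{3})?$")


def techniques_in(rule):
    """Parent technique IDs a rule is tagged with. A sub-technique tag such as
    t1566.001 is counted as coverage of its parent T1566 (an assumption)."""
    found = set()
    for tag in rule["tags"]:
        m = TECHNIQUE_TAG.match(tag)
        if m:
            found.add(m.group(1).upper())
    return found


def coverage_status(observed, rules):
    """Map each observed technique to 'covered' (an enabled rule matches),
    'disabled' (only disabled rules match) or 'uncovered'."""
    enabled, disabled = set(), set()
    for rule in rules:
        (enabled if rule["enabled"] else disabled).update(techniques_in(rule))
    status = {}
    for tid in observed:
        if tid in enabled:
            status[tid] = "covered"
        elif tid in disabled:
            status[tid] = "disabled"
        else:
            status[tid] = "uncovered"
    return status


def ranked_gaps(observed, rules):
    """Gaps (disabled or uncovered) as (technique, incident_count, status),
    most frequently seen first."""
    status = coverage_status(observed, rules)
    gaps = [(tid, observed[tid], s) for tid, s in status.items() if s != "covered"]
    return sorted(gaps, key=lambda g: -g[1])


def weighted_coverage(observed, rules):
    """Share of observed incidents that hit a technique with an enabled rule.
    A plain rules-per-technique count would hide that the largest gap here
    (a disabled lateral-movement rule) is also one of the most frequent."""
    status = coverage_status(observed, rules)
    total = sum(observed.values())
    covered = sum(n for tid, n in observed.items() if status[tid] == "covered")
    return covered / total if total else 0.0


if __name__ == "__main__":
    print(f"weighted coverage: {weighted_coverage(OBSERVED, RULES):.0%}")
    for tid, count, status in ranked_gaps(OBSERVED, RULES):
        print(f"{tid}  seen in {count:>3} incidents  {status}")
```

With the constructed data the weighted coverage comes out at about 64%, and the top-ranked gap is a rule that exists but is switched off, which is the kind of finding a rule count alone never surfaces. Replace OBSERVED with technique counts from your own incident records and RULES with an export of your SIEM or EDR rule inventory; the rest of the logic does not change.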


Get the Full Report and Stay Ahead 

If you want the full data, trends, and recommendations, all backed by CRU threat analysis, download the H1 2025 Cyber Threat Intelligence Report now. 




Cyber Threat Intelligence Team
