Blog
/
/
November 3, 2024

AI and Cybersecurity: Predictions for 2025

Discover the role of AI in shaping cybersecurity predictions for 2025 and how organizations can prepare for emerging threats.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
The Darktrace Community
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
Nov 2024

Introduction: AI cybersecurity predictions for 2025

Each year, Darktrace's AI and cybersecurity experts reflect on the events of the past 12 months and predict the trends we expect to shape the cybersecurity landscape in the year ahead. In 2024, we predicted that the global elections, fast-moving AI innovations, and increasingly cloud-based IT environments would be key factors shaping the cyber threat landscape.

Looking ahead to 2025, we expect the total addressable market of cybercrime to expand as attackers add more tactics to their toolkits. Threat actors will continue to take advantage of the volatile geopolitical environment and cybersecurity challenges will increasingly move to new frontiers like space. When it comes to AI, we anticipate the innovation in AI agents in 2024 to pave the way for the rise of multi-agent systems in 2025, creating new challenges and opportunities for cybersecurity professionals and attackers alike.

Here are ten trends to watch for in 2025:

1. The overall Total Addressable Market (TAM) of cybercrime gets bigger

Cybercrime is a global business, and an increasingly lucrative one, scaling through the adoption of AI and cybercrime-as-a-service. Annual revenue from cybercrime is already estimated to be over $8 trillion, which we’ve found is almost 5x greater than the revenue of the Magnificent Seven stocks. There are a few key factors driving this growth.

The ongoing growth of devices and systems means that existing malware families will continue to be successful. As of October 2024, it’s estimated that more than 5.52 billion people (~67%) have access to the internet and sources estimate 18.8 billion connected devices will be online by the end of 2024. The increasing adoption of AI is poised to drive even more interconnected systems as well as new data centers and infrastructure globally.

At the same time, more sophisticated capabilities are available for low-level attackers – we’ve already seen the trickle-down economic benefits of living off the land, edge infrastructure exploitation, and identity-focused exploitation. The availability of Ransomware-as-a-Service (RaaS) and Malware-as-a-Service (MaaS) make more advanced tactics the norm. The subscription income that these groups can generate enables more adversarial innovation, so attacks are getting faster and more effective with even bigger financial ramifications.

While there has also been an increasing trend in the last year of improved cross-border law enforcement, the efficacy of these efforts remains to be seen as cybercriminal gangs are also getting more resilient and professionalized. They are building better back-up systems and infrastructure as well as more multi-national networks and supply chains.

2. Security teams need to prepare for the rise of AI agents and multi-agent systems

Throughout 2024, we’ve seen major announcements about advancements in AI agents from the likes of OpenAI, Microsoft, Salesforce, and more. In 2025, we’ll see increasing innovation in and adoption of AI agents as well as the emergence of multi-agent systems (or “agent swarms”), where groups of autonomous agents work together to tackle complex tasks.

The rise of AI agents and multi-agent systems will introduce new challenges in cybersecurity, including new attack vectors and vulnerabilities. Security teams need to think about how to protect these systems to prevent data poisoning, prompt injection, or social engineering attacks.

One benefit of multi-agent systems is that agents can autonomously communicate, collaborate, and interact. However without clear and distinct boundaries and explicit permissions, this can also pose a major data privacy risk and avenue for manipulation. These issues cannot be addressed by traditional application testing alone. We must ensure these systems are secure by design, where robust protective mechanisms and data guardrails are built into the foundations.

3. Threat actors will be the earliest adopters of AI agents and multi-agent systems

We’ve already seen how quickly threat actors have been able to adopt generative AI for tasks like email phishing and reconnaissance. The next frontier for threat actors will be AI agents and multi-agent systems that are specialized in autonomous tasks like surveillance, initial access brokering, privilege escalation, vulnerability exploitation, data summarization for smart exfiltration, and more. Because they have no concern for safe, secure, accurate, and responsible use, adversaries will adopt these systems faster than cyber defenders.

We could also start to see use cases emerge for multi-agent systems in cyber defense – with potential for early use cases in incident response, application testing, and vulnerability discovery. On the whole, security teams will be slower to adopt these systems than adversaries because of the need to put in place proper security guardrails and build trust over time.

4. There is heightened supply chain risk for Large Language Models (LLMs)

Training LLMs requires a lot of data, and many experts have warned that world is running out of quality data for that training. As a result, there will be an increasing reliance on synthetic data, which can introduce new issues of accuracy and efficacy. Moreover, data supply chain risks will be an Achilles heel for organizations, with the potential interjection of vulnerabilities through the data and machine learning providers that they rely on. Poisoning one data set could have huge trickle-down impacts across many different systems. Data security will be paramount in 2025.

5. The race to identify software vulnerabilities intensifies

The time it takes for threat actors to exploit newly published CVEs is getting shorter, giving defenders an even smaller window to apply patches and remediations. A 2024 report from Cloudflare found that threat actors quickly weaponized proof of concept exploits in attacks as quickly as 22 minutes after the exploits were made public.

At the same time, 2024 also saw the first reports from researchers across academia and the tech industry using AI for vulnerability discovery in real-world code. With threat actors getting faster at exploiting vulnerabilities, defenders will need to use AI to identify vulnerabilities in their software stack and to help identify and prioritize remediations and patches.

6. Insider threat risks will force organizations to evolve zero trust strategies

In 2025, an increasingly volatile geopolitical situation and the intensity of the AI race will make insider threats an even bigger risk for businesses, forcing organizations to expand zero-trust strategies. The traditional zero-trust model provides protection from external threats to an organization’s network by requiring continuous verification of the devices and users attempting to access critical business systems, services, and information from multiple sources. However, as we have seen in the more recent Jack Teixeira case, malicious insiders can still do significant damage to an organization within their approved and authenticated boundary.

To circumvent the remaining security gaps in a zero-trust architecture and mitigate increasing risk of insider threats, organizations will need to integrate a behavioral understanding dimension to their zero-trust approaches. The zero-trust best practice of “never trust, always verify” needs to evolve to become “never trust, always verify, and continuously monitor.”

7. Identity remains an expensive problem for businesses

2024 saw some of the biggest and costliest attacks – all because the attacker had access to compromised credentials. Essentially, they had the key to the front door. Businesses still struggle with identity and access management (IAM), and it’s getting more complex now that we’re in the middle of a massive Software-as-a-Service (SaaS) migration driven by increasing rates of AI and cloud use across businesses.

This challenge is going to be exacerbated in 2025 by a few global and business factors. First, there is an increasing push for digital identities, such as the rollout of the EU Digital Identity Framework that is underway, which could introduce additional attack vectors. As they scale, businesses are turning more and more to centralized identity and access solutions with decentralized infrastructure and relying on SaaS and application-native security.

8. Increasing vulnerabilities at the edge

During the COVID-19 pandemic, many organizations had to stand-up remote access solutions quickly – in a matter of days or weeks – without the high level of due diligence that they require to be fully secured. In 2025, we expect to see continued fall-out as these quickly spun-up solutions start to present genuine vulnerability to businesses. We’ve already seen this start to play out in 2024 with the mass-exploitation of internet-edge devices like firewalls and VPN gateway products.

By July 2024, Darktrace’s threat research team observed that the most widely exploited edge infrastructure devices were those related to Ivanti Connect Secure, JetBrains TeamCity, FortiClient Enterprise Management Server, and Palo Alto Networks PAN-OS. Across the industry, we’ve already seen many zero days and vulnerabilities exploiting these internet-connected devices, which provide inroads into the network and store/cache credentials and passwords of other users that are highly valuable for threat actors.

9. Hacking Operational Technology (OT) gets easier

Hacking OT is notoriously complex – causing damage requires an intimate knowledge of the specific systems being targeted and historically was the reserve of nation states. But as OT has become more reliant and integrated with IT systems, attackers have stumbled on ways to cause disruption without having to rely on the sophisticated attack-craft normally associated with nation-state groups. That’s why some of the most disruptive attacks of the last year have come from hacktivist and financially-motivated criminal gangs – such as the hijacking of internet-exposed Programmable Logic Controllers (PLCs) by anti-Israel hacking groups and ransomware attacks resulting in the cancellation of hospital operations.  

In 2025, we expect to see an increase in cyber-physical disruption caused by threat groups motivated by political ideology or financial gain, bringing the OT threat landscape closer in complexity and scale to that of the IT landscape. The sectors most at risk are those with a strong reliance on IoT sensors, including healthcare, transportation, and manufacturing sectors.

10. Securing space infrastructure and systems becomes a critical imperative

The global space industry is growing at an incredibly fast pace, and 2025 is on track to be another record-breaking year for spaceflight with major missions and test flights planned by NASA, ESA, CNSA as well as the expected launch of the first commercial space station from Vast and programs from Blue Origin, Amazon and more. Research from Analysis Mason suggests that 38,000 additional satellites will be built and launched by 2033 and the global space industry revenue will reach $1.7 trillion by 2032. Space has also been identified as a focus area for the incoming US administration.

In 2025, we expect to see new levels of tension emerge as private and public infrastructure increasingly intersect in space, shining a light on the lack of agreed upon cyber norms and the increasing challenge of protecting complex and remote space systems against modern cyber threats.  Historically focused on securing earth-bound networks and environments, the space industry will face challenges as post-orbit threats rise, with satellites moving up the target list.

The EU’s NIS2 Directive now recognizes the space sector as an essential entity that is subject to its most strict cybersecurity requirements. Will other jurisdictions follow suit? We expect global debates about cyber vulnerabilities in space to come to the forefront as we become more reliant on space-based technology.

Conclusion: Preparing for the future

Whatever 2025 brings, Darktrace is committed to providing robust cybersecurity leadership and solutions to enterprises around the world. Our team of subject matter experts will continue to monitor emerging threat trends, advising both our customers and our product development teams.

And for day-to-day security, our multi-layered AI cybersecurity platform can protect against all types of threats, whether they are known, unknown, entirely novel, or powered by AI. It accomplishes this by learning what is normal for your unique organization, therefore identifying unusual and suspicious behavior at machine speed, regardless of existing rules and signatures. In this way, organizations with Darktrace can be ready for any developments in the cybersecurity threat landscape that the new year may bring.

Discover more about Darktrace's predictions on the AI and cybersecurity landscape for 2025 by watching the full recorded webinar here.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
The Darktrace Community

More in this series

No items found.

Blog

/

/

July 16, 2025

Introducing the AI Maturity Model for Cybersecurity

Default blog imageDefault blog image

AI adoption in cybersecurity: Beyond the hype

Security operations today face a paradox. On one hand, artificial intelligence (AI) promises sweeping transformation from automating routine tasks to augmenting threat detection and response. On the other hand, security leaders are under immense pressure to separate meaningful innovation from vendor hype.

To help CISOs and security teams navigate this landscape, we’ve developed the most in-depth and actionable AI Maturity Model in the industry. Built in collaboration with AI and cybersecurity experts, this framework provides a structured path to understanding, measuring, and advancing AI adoption across the security lifecycle.

Overview of AI maturity levels in cybersecurity

Why a maturity model? And why now?

In our conversations and research with security leaders, a recurring theme has emerged:

There’s no shortage of AI solutions, but there is a shortage of clarity and understanding of AI uses cases.

In fact, Gartner estimates that “by 2027, over 40% of Agentic AI projects will be canceled due to escalating costs, unclear business value, or inadequate risk controls. Teams are experimenting, but many aren’t seeing meaningful outcomes. The need for a standardized way to evaluate progress and make informed investments has never been greater.

That’s why we created the AI Security Maturity Model, a strategic framework that:

  • Defines five clear levels of AI maturity, from manual processes (L0) to full AI Delegation (L4)
  • Delineating the outcomes derived between Agentic GenAI and Specialized AI Agent Systems
  • Applies across core functions such as risk management, threat detection, alert triage, and incident response
  • Links AI maturity to real-world outcomes like reduced risk, improved efficiency, and scalable operations

[related-resource]

How is maturity assessed in this model?

The AI Maturity Model for Cybersecurity is grounded in operational insights from nearly 10,000 global deployments of Darktrace's Self-Learning AI and Cyber AI Analyst. Rather than relying on abstract theory or vendor benchmarks, the model reflects what security teams are actually doing, where AI is being adopted, how it's being used, and what outcomes it’s delivering.

This real-world foundation allows the model to offer a practical, experience-based view of AI maturity. It helps teams assess their current state and identify realistic next steps based on how organizations like theirs are evolving.

Why Darktrace?

AI has been central to Darktrace’s mission since its inception in 2013, not just as a feature, but the foundation. With over a decade of experience building and deploying AI in real-world security environments, we’ve learned where it works, where it doesn’t, and how to get the most value from it. This model reflects that insight, helping security leaders find the right path forward for their people, processes, and tools

Security teams today are asking big, important questions:

  • What should we actually use AI for?
  • How are other teams using it — and what’s working?
  • What are vendors offering, and what’s just hype?
  • Will AI ever replace people in the SOC?

These questions are valid, and they’re not always easy to answer. That’s why we created this model: to help security leaders move past buzzwords and build a clear, realistic plan for applying AI across the SOC.

The structure: From experimentation to autonomy

The model outlines five levels of maturity :

L0 – Manual Operations: Processes are mostly manual with limited automation of some tasks.

L1 – Automation Rules: Manually maintained or externally-sourced automation rules and logic are used wherever possible.

L2 – AI Assistance: AI assists research but is not trusted to make good decisions. This includes GenAI agents requiring manual oversight for errors.

L3 – AI Collaboration: Specialized cybersecurity AI agent systems  with business technology context are trusted with specific tasks and decisions. GenAI has limited uses where errors are acceptable.

L4 – AI Delegation: Specialized AI agent systems with far wider business operations and impact context perform most cybersecurity tasks and decisions independently, with only high-level oversight needed.

Each level reflects a shift, not only in technology, but in people and processes. As AI matures, analysts evolve from executors to strategic overseers.

Strategic benefits for security leaders

The maturity model isn’t just about technology adoption it’s about aligning AI investments with measurable operational outcomes. Here’s what it enables:

SOC fatigue is real, and AI can help

Most teams still struggle with alert volume, investigation delays, and reactive processes. AI adoption is inconsistent and often siloed. When integrated well, AI can make a meaningful difference in making security teams more effective

GenAI is error prone, requiring strong human oversight

While there is a lot of hype around GenAI agentic systems, teams will need to account for inaccuracy and hallucination in Agentic GenAI systems.

AI’s real value lies in progression

The biggest gains don’t come from isolated use cases, but from integrating AI across the lifecycle, from preparation through detection to containment and recovery.

Trust and oversight are key initially but evolves in later levels

Early-stage adoption keeps humans fully in control. By L3 and L4, AI systems act independently within defined bounds, freeing humans for strategic oversight.

People’s roles shift meaningfully

As AI matures, analyst roles consolidate and elevate from labor intensive task execution to high-value decision-making, focusing on critical, high business impact activities, improving processes and AI governance.

Outcome, not hype, defines maturity

AI maturity isn’t about tech presence, it’s about measurable impact on risk reduction, response time, and operational resilience.

[related-resource]

Outcomes across the AI Security Maturity Model

The Security Organization experiences an evolution of cybersecurity outcomes as teams progress from manual operations to AI delegation. Each level represents a step-change in efficiency, accuracy, and strategic value.

L0 – Manual Operations

At this stage, analysts manually handle triage, investigation, patching, and reporting manually using basic, non-automated tools. The result is reactive, labor-intensive operations where most alerts go uninvestigated and risk management remains inconsistent.

L1 – Automation Rules

At this stage, analysts manage rule-based automation tools like SOAR and XDR, which offer some efficiency gains but still require constant tuning. Operations remain constrained by human bandwidth and predefined workflows.

L2 – AI Assistance

At this stage, AI assists with research, summarization, and triage, reducing analyst workload but requiring close oversight due to potential errors. Detection improves, but trust in autonomous decision-making remains limited.

L3 – AI Collaboration

At this stage, AI performs full investigations and recommends actions, while analysts focus on high-risk decisions and refining detection strategies. Purpose-built agentic AI systems with business context are trusted with specific tasks, improving precision and prioritization.

L4 – AI Delegation

At this stage, Specialized AI Agent Systems performs most security tasks independently at machine speed, while human teams provide high-level strategic oversight. This means the highest time and effort commitment activities by the human security team is focused on proactive activities while AI handles routine cybersecurity tasks

Specialized AI Agent Systems operate with deep business context including impact context to drive fast, effective decisions.

Join the webinar

Get a look at the minds shaping this model by joining our upcoming webinar using this link. We’ll walk through real use cases, share lessons learned from the field, and show how security teams are navigating the path to operational AI safely, strategically, and successfully.

Continue reading
About the author

Blog

/

/

July 16, 2025

Forensics or Fauxrensics: Five Core Capabilities for Cloud Forensics and Incident Response

Default blog imageDefault blog image

The speed and scale at which new cloud resources can be spun up has resulted in uncontrolled deployments, misconfigurations, and security risks. It has had security teams racing to secure their business’ rapid migration from traditional on-premises environments to the cloud.

While many organizations have successfully extended their prevention and detection capabilities to the cloud, they are now experiencing another major gap: forensics and incident response.

Once something bad has been identified, understanding its true scope and impact is nearly impossible at times. The proliferation of cloud resources across a multitude of cloud providers, and the addition of container and serverless capabilities all add to the complexities. It’s clear that organizations need a better way to manage cloud incident response.

Security teams are looking to move past their homegrown solutions and open-source tools to incorporate real cloud forensics capabilities. However, with the increased buzz around cloud forensics, it can be challenging to decipher what is real cloud forensics, and what is “fauxrensics.”

This blog covers the five core capabilities that security teams should consider when evaluating a cloud forensics and incident response solution.

[related-resource]

1. Depth of data

There have been many conversations among the security community about whether cloud forensics is just log analysis. The reality, however, is that cloud forensics necessitates access to a robust dataset that extends far beyond traditional log data sources.

While logs provide valuable insights, a forensics investigation demands a deeper understanding derived from multiple data sources, including disk, network, and memory, within the cloud infrastructure. Full disk analysis complements log analysis, offering crucial context for identifying the root cause and scope of an incident.

For instance, when investigating an incident involving a Kubernetes cluster running on an EC2 instance, access to bash history can provide insights into the commands executed by attackers on the affected instance, which would not be available through cloud logs alone.

Having all of the evidence in one place is also a capability that can significantly streamline investigations, unifying your evidence be it disk images, memory captures or cloud logs, into a single timeline allowing security teams to reconstruct an attacks origin, path and impact far more easily. Multi–cloud environments also require platforms that can support aggregating data from many providers and services into one place. Doing this enables more holistic investigations and reduces security blind spots.

There is also the importance of collecting data from ephemeral resources in modern cloud and containerized environments. Critical evidence can be lost in seconds as resources are constantly spinning up and down, so having the ability to capture this data before its gone can be a huge advantage to security teams, rather than having to figure out what happened after the affected service is long gone.

darktrace / cloud, cado, cloud logs, ost, and memory information. value of cloud combined analysis

2. Chain of custody

Chain of custody is extremely critical in the context of legal proceedings and is an essential component of forensics and incident response. However, chain of custody in the cloud can be extremely complex with the number of people who have access and the rise of multi-cloud environments.

In the cloud, maintaining a reliable chain of custody becomes even more complex than it already is, due to having to account for multiple access points, service providers and third parties. Having automated evidence tracking is a must. It means that all actions are logged, from collection to storage to access. Automation also minimizes the chance of human error, reducing the risk of mistakes or gaps in evidence handling, especially in high pressure fast moving investigations.

The ability to preserve unaltered copies of forensic evidence in a secure manner is required to ensure integrity throughout an investigation. It is not just a technical concern, its a legal one, ensuring that your evidence handling is documented and time stamped allows it to stand up to court or regulatory review.

Real cloud forensics platforms should autonomously handle chain of custody in the background, recording and safeguarding evidence without human intervention.

3. Automated collection and isolation

When malicious activity is detected, the speed at which security teams can determine root cause and scope is essential to reducing Mean Time to Response (MTTR).

Automated forensic data collection and system isolation ensures that evidence is collected and compromised resources are isolated at the first sign of malicious activity. This can often be before an attacker has had the change to move latterly or cover their tracks. This enables security teams to prevent potential damage and spread while a deeper-dive forensics investigation takes place. This method also ensures critical incident evidence residing in ephemeral environments is preserved in the event it is needed for an investigation. This evidence may only exist for minutes, leaving no time for a human analyst to capture it.

Cloud forensics and incident response platforms should offer the ability to natively integrate with incident detection and alerting systems and/or built-in product automation rules to trigger evidence capture and resource isolation.

4. Ease of use

Security teams shouldn’t require deep cloud or incident response knowledge to perform forensic investigations of cloud resources. They already have enough on their plates.

While traditional forensics tools and approaches have made investigation and response extremely tedious and complex, modern forensics platforms prioritize usability at their core, and leverage automation to drastically simplify the end-to-end incident response process, even when an incident spans multiple Cloud Service Providers (CSPs).

Useability is a core requirement for any modern forensics platform. Security teams should not need to have indepth knowledge of every system and resource in a given estate. Workflows, automation and guidance should make it possible for an analyst to investigate whatever resource they need to.

Unifying the workflow across multiple clouds can also save security teams a huge amount of time and resources. Investigations can often span multiple CSP’s. A good security platform should provide a single place to search, correlate and analyze evidence across all environments.

Offering features such as cross cloud support, data enrichment, a single timeline view, saved search, and faceted search can help advanced analysts achieve greater efficiency, and novice analysts are able to participate in more complex investigations.

5. Incident preparedness

Incident response shouldn't just be reactive. Modern security teams need to regularly test their ability to acquire new evidence, triage assets and respond to threats across both new and existing resources, ensuring readiness even in the rapidly changing environments of the cloud.  Having the ability to continuously assess your incident response and forensics workflows enables you to rapidly improve your processes and identify and mitigate any gaps identified that could prevent the organization from being able to effectively respond to potential threats.

Real forensics platforms deliver features that enable security teams to prepare extensively and understand their shortcomings before they are in the heat of an incident. For example, cloud forensics platforms can provide the ability to:

  • Run readiness checks and see readiness trends over time
  • Identify and mitigate issues that could prevent rapid investigation and response
  • Ensure the correct logging, management agents, and other cloud-native tools are appropriately configured and operational
  • Ensure that data gathered during an investigation can be decrypted
  • Verify that permissions are aligned with best practices and are capable of supporting incident response efforts

Cloud forensics with Darktrace

Darktrace delivers a proactive approach to cyber resilience in a single cybersecurity platform, including cloud coverage. Darktrace / CLOUD is a real time Cloud Detection and Response (CDR) solution built with advanced AI to make cloud security accessible to all security teams and SOCs. By using multiple machine learning techniques, Darktrace brings unprecedented visibility, threat detection, investigation, and incident response to hybrid and multi-cloud environments.

Darktrace’s cloud offerings have been bolstered with the acquisition of Cado Security Ltd., which enables security teams to gain immediate access to forensic-level data in multi-cloud, container, serverless, SaaS, and on-premises environments.

[related-resource]

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI