Cyber Security in 2025: Predictions vs. Reality
Earlier this year, our Security Account Director, Thomas Naylor, shared a set of bold cyber security predictions for 2025. Some broke new ground, others extended established trends, all grounded in his front-line experience supporting Australian organisations across sectors.
Now, as 2025 draws to a close, we’ve revisited each prediction to see what accelerated, what stalled, and what’s still emerging.
If you missed it, you can read the original forecast here.
-
1. AI-driven cyber security gains ground
Original forecast: AI would accelerate security operations, particularly via SOAR (Security Orchestration, Automation, and Response) and AI copilots.
What happened: AI didn’t just make headway – it redrew the map. Nearly all enterprises explored AI in some form, with 91% planning to implement AI-driven tools globally, and 86% in Australia. Agentic AI is now assisting SOC analysts with triaging alerts, enriching data, and enabling natural-language queries about threats.
The ACSC supported this shift, issuing updated SIEM and SOAR guidelines in May 2025. Adoption surged among large enterprises, but many SMBs faced barriers around budget, skills, and implementation complexity.
Industry insight: AI enhanced detection and response times, but also raised governance questions, particularly around explainability and automation reliance.
Verdict: ✅ Confirmed - AI-assisted security became reality in 2025. Organisations with AI-augmented SOCs are seeing faster detection and response, though adoption remains uneven across the board.

-
2. Supply chain security takes the spotlight
Original forecast: Organisations would strengthen third-party risk controls using SBOMs and continuous assessments.
What happened: The ACSC identified third-party risk management as one of four "big moves" for 2025, flagging vendors and MSPs as key weak points in many breaches.
We saw increased scrutiny of MSPs and embedded vendors. Security questionnaires got tougher, contracts included new clauses, and access monitoring stepped up. But enforcement and real-time monitoring remain inconsistent, especially among mid-market organisations.
Industry insight: Whilst awareness surged and businesses were forced to implement controls/frameworks demanded by third parties, operational maturity lagged. Vendor risk remains one of the hardest areas to standardise.
Verdict: ⚠️ Emerging - Third-party risk is now widely acknowledged and on executive agendas. Policies and frameworks are in place (and regulators increasingly insist on them), but many businesses are still figuring out how to operationalise supply chain security at scale.
-
3. IoT, OT, and IoMT security gets real
Original forecast: IoT/OT/IoMT would shift from afterthought to security priority.
What happened: A global botnet campaign known as KV-botnet hijacked over 260,000 smart devices, including routers, video recorders, and IoT gadgets, with a significant number of compromised devices in Australia. The ACSC identified this operation as a major threat in 2025 and urged organisations to isolate OT systems and strengthen recovery planning.
Organisations in manufacturing, healthcare, and logistics turned to discovery and segmentation tools from vendors like Nozomi Networks, Dull, Dragos, and Armis. Yet legacy systems and visibility gaps remain widespread.
Industry insight: Momentum is growing, but visibility into IoT remains shallow. Many devices are still unpatched, unmanaged, or misclassified across business networks.
Verdict: ⚠️ Emerging - IoT/OT security is on the agenda, and major incidents (like huge IoT botnets) proved the risk is real. New tools are emerging to identify and address these devices, but in 2025, many connected devices remained unmonitored and unpatched on corporate networks.

-
4. Threat intelligence moves upstream
Original forecast: Organisations would proactively adopt Threat Intelligence (TI) feeds and dark web monitoring.
What happened: The ACSC reported that 37% of significant incidents were first detected via its proactive notifications. Threat intel usage increased, supported by ACSC alerts (up 83%) and a rise in CTIS platform membership.
We saw an uptick in clients investing in Threat Intelligence platforms, as more organisations monitor the dark web for leaked credentials. Still, without mature internal processes or analysts, many teams struggled to translate feeds into action.
Industry insight: External threat intel proved valuable, but effectiveness varied. Actionable use depended on team maturity and the ability to integrate intelligence into operations.
Verdict: ⚠️ Emerging - Threat intelligence is increasingly valued, and early adopters are integrating intel feeds and dark web monitoring into their SOC workflows. For example, government-industry info sharing led to dozens of attacks being foiled in Australia. But outside of large enterprises, many teams are still learning how to translate intel into action.
-
5. Identity-based attacks expose weak links
Original forecast: Identity would continue as the primary attack vector, fuelled by credential theft and MFA fatigue.
What happened: Identity-based attacks dominated the year. 42% of major incidents involved compromised credentials. Business Email Compromise (BEC) remained Australia’s most common attack type, with adversary-in-the-middle kits bypassing MFA in 75% of cases.
In response, organisations across sectors accelerated Zero Trust rollouts, PAM initiatives, and vendor identity governance projects.
This financial year, organisations have been investing heavily in IAM capabilities such as Least Privilege, Privileged Access Management (PAM), Identity Security Posture Management (ISPM) and Identity Threat Detection & Response (ITDR).
Industry insight: Identity sprawl, session hijacking and credential reuse continued to offer attackers easy initial access. The shift toward identity-first defence gained ground but remains uneven across sectors.
Verdict: ✅ Confirmed - Identity proved to be the front door for most attacks. Attackers exploited passwords and session cookies at alarming rates, while forward-leaning organisations invested heavily in identity-centric security (from MFA and PAM to third-party identity governance).

-
6. Exploits are getting faster
Original forecast: Exploits would hit within days of public disclosure.
What happened: The average time-to-exploit fell to five days or less.
Citrix NetScaler and MOVEit flaws were attacked within hours of patch publication. APT40, a known state-sponsored actor, was actively exploiting newly published CVEs within 48 hours.
In 2025, even lower-skilled attackers (“script kiddies”) began leveraging publicly available AI tools to speed up exploitation, from generating basic malware variants to scripting proof-of-concept exploits faster than ever. This trend contributed to a surge in opportunistic attacks targeting unpatched systems.
Organisations with automated patching and strong asset visibility fared better. Others faced breaches, disruption, or emergency remediation as they scrambled to close gaps.
Industry insight: Time-to-patch must now match time-to-exploit. Detection is no longer enough; response must be near real-time. AI is now supercharging both sides of the equation.
Verdict: ✅ Confirmed - The exploitation timeline in 2025 was brutally short. On average, attackers now start exploiting a new flaw within ~5 days, and in some cases within 24 hours. Rapid patching and proactive threat hunting for known exploits are no longer best practice – they’re essential.
-
7. Passwordless authentication stalls
Original forecast: Passkeys and biometrics would go mainstream, replacing passwords.
What happened: Only 43% of users globally reported using passwordless as their default login by the end of 2025.
Technical debt, legacy system compatibility, and UX concerns all slowed rollout. While some early adopters in finance and tech piloted passkey rollouts, many organisations instead focused on strengthening MFA, especially phishing-resistant options like authenticator apps or physical tokens.
Industry insight: Passwordless remains a strong direction, but shifting large organisations away from passwords will take time, standards alignment, and cultural change.
Verdict: ❌ Missed - The vision of a passwordless 2025 didn’t fully materialise. Passkeys and biometrics made headlines and got piloted in certain ecosystems, but in practice, the vast majority of organisations – in Australia and globally – still rely on passwords (often paired with MFA) as of 2025. The transition to passwordless is proving slower and more challenging than hoped.
2025 prediction outcomes at a glance
| Prediction | Verdict | What we saw in 2025 |
| --- | --- | --- |
| AI-Driven Cyber Security | ✅ Confirmed | AI copilots reshaped SOCs; uneven adoption |
| Supply Chain Security | ⚠️ Emerging | Vendor risk frameworks expanded, but aren’t yet mature |
| IoT/OT/IoMT Security | ⚠️ Emerging | Botnets, OT pivots, and segmentation gains |
| Threat Intelligence | ⚠️ Emerging | Threat intel sharing improved; actionability is still maturing |
| Identity-Based Attacks | ✅ Confirmed | Credential theft surged; MFA bypass tactics evolved |
| Exploit Speed | ✅ Confirmed | Exploits often hit within 5 days; automation is now essential |
| Passwordless Authentication | ❌ Missed | Passkeys are underused; culture and legacy hurdles slowed adoption |
Mostly right, always learning
Thomas’ 2025 scorecard? Six out of seven predictions held up.
But the real value in reviewing predictions isn’t about being right, it’s about sharpening how we interpret change and adapt our strategy. Reflecting on what accelerated, what stalled, and why helps us build more resilient responses for the future. Cyber threats move fast. So must strategy.
Keep an eye out for Thomas’s 2025 Cyber Security Year in Review, where he’ll also share his predictions for 2026.
Need help navigating what’s next? Contact us to see how we can support your business in 2026 and beyond. Our goal remains the same: to help you anticipate change, act with clarity, and stay secure in an unpredictable world.
Author
As a Content Marketing Specialist at The Missing Link, I turn technical insights into engaging stories that help businesses navigate the world of IT, cybersecurity, and automation. With a strong background in content strategy and digital marketing, I specialise in making complex topics accessible, relevant, and valuable to our audience. My passion for storytelling is driven by a belief that great content connects, educates, and inspires. When I’m not crafting compelling narratives, I’m exploring new cultures, diving into literature, or seeking out the next great culinary experience.