51% of companies use a cybersecurity exposure score or risk-based index.

70% of CIOs expect new AI audit or explainability requirements within the next 12 months.

The services industry recorded a 118% year-on-year increase in ransomware attack volume in 2025.

The healthcare sector accounted for 22% of all disclosed ransomware attacks in 2025.

Approximately 86% of ransomware attacks are never publicly reported.

The Qilin ransomware group claimed 1,115 victims in 2025, making it the most active ransomware group across disclosed and undisclosed attacks.

The Play ransomware group accounted for 5% of disclosed ransomware attacks in 2025.

N-day vulnerabilities represent over 80% of all Known Exploited Vulnerabilities (KEVs) tracked over the past four years.

In 2025, 37 N-day vulnerabilities and 52 zero-day vulnerabilities specifically targeted security and perimeter software.

87% of CIOs say AI agents are already embedded in critical operations.

The education sector saw ransomware attacks decrease by approximately 12% year-on-year in 2025.

The United States accounted for 58% of all recorded disclosed ransomware attacks in 2025.

85% of CIOs expect their compensation to be directly tied to measurable AI outcomes.

Security professionals are 5.5 times more likely to believe defenders will use AI as effectively as, or more effectively than, threat actors over the next 24 months.

Fifty-two new ransomware groups emerged in 2025, a 9% increase compared to 2024.

Average Time to Exploit (TTE) declines year-by-year: 745 days in 2020, 518 days in 2021, 405 days in 2022, 296 days in 2023, 115 days in 2024, and 44 days in 2025.

Virtualization/sandbox evasion is the 4th most prevalent attacker technique.

29% of CIOs say they have repeatedly been asked to justify AI outcomes they could not fully explain.

A total of 130 different ransomware groups carried out attacks in 2025.

57% of CIOs believe their company’s survival could be at stake if the AI market contracts or an AI bubble bursts.