Analysis of suspected phishing emails revealed that only 16% were genuinely malicious.

Roughly 5 times as many identity-related detections were observed in the first half of this year compared to all of 2024.

Two new cloud-related techniques - Data from Cloud Storage and Disable or Modify Cloud Firewall - have entered Red Canary's top 10 techniques for the first time.

Malicious Copy Paste (T1204.004) did not make the top 10 technique list.

9% of threat actor updates in H1 2025 were attributed to hacktivists.

76% of breaches in H1 2025 stemmed from hacking or IT incidents.

There were 3,649 documented ransomware attacks in H1 2025.

Ransomware attacks grew in frequency to 608 per month, or roughly 20 per day.

Zero-day exploits increased 46% in H1 2025.

Modbus accounted for 57% of OT protocol traffic in Forescout honeypots in H1 2025.

The U.S. was the top ransomware target, accounting for 53% of all ransomware incidents, in H1 2025.

24% of breaches IN h1 2025 were on email systems.

47% of newly exploited vulnerabilities were originally published before 2025.

Zero-day exploitation increased 46% in H1 2025.

Published vulnerabilities rose 15% in H1 2025.

45% of published vulnerabilities in H1 2025 were rated high or critical.

CVEs added to CISA KEV jumped 80% in H1 2025.

Nearly 30 million individuals were affected by breaches in H1 2025.

40% of threat actor updates in H1 2025 were attributed to state-sponsored groups.

Ransomware attacks are averaging 20 incidents per day.