You don’t have to squint too hard to see the shift. Cybercrime today looks like a business.
According to CrowdStrike’s 2025 Global Threat Report, adversaries now operate with a level of coordination that mirrors enterprise behavior.
They have goals. They iterate. They optimize.
And they’re doing it faster than many of the organizations they target.
For technology leaders, this means the traditional framing of attackers as chaotic or opportunistic no longer holds. Today’s adversaries behave more like startups, agile and focused, and they’re targeting the very foundations of enterprise IT: identity, cloud access, and trust-based infrastructure.
Speed and Focus Are the New Weapons
In 2024, the average breakout time, the gap between initial compromise and lateral movement, dropped to 48 minutes.
In some cases, it was as fast as 51 seconds.
Take CURLY SPIDER, for example. This group runs orchestrated campaigns that can begin with a phone call and end with long-term access, all in a matter of minutes. The speed at which these attacks unfold means that detection and response need to shift from forensic to real-time.

The Business of Social Engineering
Social engineering has matured into a well-defined access strategy.
The second half of 2024 saw a 442% increase in voice phishing (vishing). These campaigns combine spam, impersonation, insider recruitment, and support-desk exploitation.
Their goal is to bypass controls through the weakest link: people.
Adversaries now impersonate internal staff during help desk interactions to bypass MFA, reset credentials, and quietly register their own devices for persistent access. Many of these calls happen outside business hours, when oversight is lower and urgency is harder to question.
These scripted operations run with consistency, targeting enterprise workflows that haven’t yet adapted.
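The sequence described above (a help-desk credential or MFA reset, followed shortly by a new device registered on the same account, often outside business hours) can be correlated in identity audit logs. The following is an added example, not taken from the report or the original article; the event field names, the 30-minute window, and the business-hours range are assumptions, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample identity audit events (hypothetical field names and values).
EVENTS = [
    {"ts": "2025-03-04T02:11:00", "user": "j.doe", "action": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-03-04T02:14:00", "user": "j.doe", "action": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2025-03-04T02:19:00", "user": "j.doe", "action": "device_registered", "actor": "j.doe"},
    {"ts": "2025-03-04T10:05:00", "user": "a.lee", "action": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-03-04T15:40:00", "user": "a.lee", "action": "device_registered", "actor": "a.lee"},
    {"ts": "2025-03-04T11:00:00", "user": "m.roy", "action": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2025-03-04T11:10:00", "user": "m.roy", "action": "device_registered", "actor": "m.roy"},
]

RESET_ACTIONS = {"password_reset", "mfa_reset"}
WINDOW = timedelta(minutes=30)   # assumed correlation window
BUSINESS_HOURS = range(8, 18)    # assumed 08:00-17:59 local time, Monday to Friday

def off_hours(t):
    """True on weekends or outside the assumed business hours."""
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS

def find_reset_then_enroll(events):
    """Alert when a help-desk reset is followed by a device registration
    for the same user within WINDOW; off-hours resets raise the severity."""
    alerts = []
    resets_by_user = {}  # user -> [(time, action), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["action"] in RESET_ACTIONS and ev["actor"] == "helpdesk":
            resets_by_user.setdefault(user, []).append((t, ev["action"]))
        elif ev["action"] == "device_registered":
            hits = [(rt, a) for rt, a in resets_by_user.get(user, []) if t - rt <= WINDOW]
            if hits:
                first = hits[0][0]
                alerts.append({
                    "user": user,
                    "resets": sorted({a for _, a in hits}),
                    "minutes_from_first_reset": int((t - first).total_seconds() // 60),
                    "severity": "high" if off_hours(first) else "medium",
                })
    return alerts

if __name__ == "__main__":
    for alert in find_reset_then_enroll(EVENTS):
        print(alert)
```

A reset with no registration inside the window (the a.lee events) produces no alert, which keeps routine password resets from flooding the queue.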
AI, Deepfakes, and the New Normal
Generative AI has made it easier for attackers to scale deception.
In 2024, deepfake-enabled fraud resulted in multi-million-dollar losses. North Korean operators used fake LinkedIn profiles to secure jobs at Western tech firms, jobs that came with credentialed access and remote infrastructure control.
Meanwhile, phishing emails crafted by large language models had a 54% click-through rate, outperforming human-written versions.
The bottom line is that AI gives attackers scale.
And that means highly personalized, convincing attacks are no longer niche.
Identity and Cloud: The Enterprise’s Weakest Strongholds
Valid credentials were used in 35% of cloud intrusions last year.
Attackers target SaaS apps, cloud control planes, and identity systems with precision, often using credentials harvested via info-stealers or phishing kits. Groups like SCATTERED SPIDER routinely exploit access to Microsoft 365 and other platforms to search for configuration files, credential stores, and escalation paths.
The growing use of trust relationships and federated identity across enterprise environments is creating blind spots, ones adversaries are actively seeking out.
For technology leaders, identity has become the most reliable access vector attackers can exploit. It now requires the same level of investment and oversight as infrastructure or network security.
Key priorities include:
- Access segmentation
- Continuous credential hygiene
- Real-time auditing of user behavior and device trust

A Shift Toward Operational Resilience
Many enterprises are still playing defense using yesterday’s game plan.
Here’s what needs to shift:
- Identity-first security: MFA is table stakes. Think beyond it and focus on credential integrity, lateral movement detection, and trusted device policies.
- Cloud as core infrastructure: SaaS platforms and cloud control planes deserve the same security posture as data centers.
- Speed to detect and respond: If your tools can’t respond in real time, your risk exposure is growing.
- Business alignment: Map security risk to operational impact. Attackers already have a business model; your defense needs one, too.
The Wrap
Enterprising adversaries have moved past experimentation and into execution. They’re patient when they need to be, fast when it matters, and increasingly aligned to the structure and scale of the organizations they target.
They know what they’re after.
They know how enterprise systems work.
And they know where visibility drops off.
This is where tech leaders have to respond with equal clarity. Not by adding more alerts or doubling down on legacy controls, but by reshaping the environment those attackers count on: fragmented access, delayed detection, over-trusted systems, and under-resourced human oversight.
Resilience begins by accepting that attackers already understand your environment, and then building the capability to stay operational when they show up.
The threat has scaled. So must the response.