Obrela has released its Digital Universe Report 2025, revealing a significant shift in the global cyber threat landscape as attackers move away from high-volume attacks toward more targeted, stealth-driven techniques focused on identity, access and persistence.
Drawing on 17.1 petabytes of telemetry from over 523,000 endpoints, the report highlights a more mature threat environment where fewer alerts are generated, but more attacks are confirmed. Alert volumes decreased by 24% year on year, while confirmed cyberattacks increased by 21%, pointing to a significant improvement in detection accuracy and a higher concentration of actionable threats.
The findings show that attackers are changing how they operate. Rather than relying on widespread malware campaigns or overt disruption, adversaries are increasingly using credential abuse, privilege escalation and reconnaissance-led intrusion to gain and keep access. This means there is a shift from breaking into environments to blending into them and operating undetected.
“The data shows a clear change in how attacks are being executed,” said Dr George Papamargaritis, VP MSS of Obrela. “We are seeing fewer, but far more focused threats. Attackers are becoming more selective, using identity and access as their primary entry points and then moving quietly within environments. That makes detection more complex and puts greater emphasis on context and behavioural insight.”
The report also highlights a shift in sector targeting. Retail and eCommerce emerged as the most targeted industries in 2025, accounting for approximately 24% of attacks, driven by fraud, credential abuse and transaction-layer exploitation. Financial services is still a major target but no longer holds the top position.
Across many of the sectors, high-volume attack categories such as malware and broad reconnaissance have declined, replaced by more context-specific risks and access-based activity. This demonstrates that attackers are adapting to stronger baseline controls by focusing on business processes, identity systems and trusted access pathways.
Regionally, the data shows a global trend toward external probing and credential-focused attacks. Mature digital economies, including the United States, Northern Europe and parts of Asia, are seeing increased reconnaissance and authentication-layer targeting, while other regions continue to experience a broader mix of threats, including malware and internal governance risks.
At the same time, APT groups and financially motivated cybercriminals continue to evolve their tactics across regions. Rather than relying on high-volume campaigns, attackers are increasingly focused on maintaining low-profile access through credential harvesting, defence evasion and lateral movement within compromised environments.
The report concludes that cybersecurity is becoming more context-driven, requiring organisations to move beyond volume-based detection and adopt a more intelligence-led, risk-focused approach.
“The challenge is no longer just stopping attacks at the perimeter,” added Dr George Papamargaritis, VP MSS of Obrela. “It is understanding what is happening inside the environment and being able to detect subtle changes in behaviour. That is where modern detection and response need to focus.”
The Obrela Digital Universe Report 2025 is available now.
