According to Infosecurity Magazine, 2025 was dominated by cybersecurity incidents and shifts, starting with Microsoft, SentinelOne, and Palo Alto Networks all pulling out of MITRE’s ATT&CK Evaluations by mid-year, citing concerns the tests had become too complex and promotional. In May, NIST introduced a new Likely Exploited Vulnerabilities (LEV) metric to help prioritize patching. A criminal proxy network, based largely in Turkey, infected thousands of IoT devices to enable anonymous attacks, while a group called Belsen Group leaked data from about 15,000 FortiGate firewalls via a dark web dump, data traced back to a 2022 zero-day. Researchers also confirmed that “quishing,” or QR code phishing, is on the rise to bypass email filters, and a potential npm supply chain disaster involving a crypto-clipper was averted in just hours after a developer account takeover. In AI security, Grok-4 was jailbroken just two days after launch using a combined “Echo Chamber” and “Crescendo” attack, and experts warned of a new “slopsquatting” risk where AI-hallucinated packages could be poisoned.
The Testing Trust Crisis
Here’s the thing: when the biggest names in enterprise security bail on a major, public evaluation, it’s a huge red flag. Microsoft, SentinelOne, and Palo Alto leaving the MITRE ATT&CK Evaluations isn’t just about a “tough test.” It signals a fundamental breakdown in what these benchmarks are for. Are they genuine, warts-and-all security assessments, or are they just another marketing channel? The vendors clearly think it’s the latter now. MITRE’s CTO admitting the 2025 test was “overly demanding” and promising to bring back a vendor forum is a step, but the damage to credibility is done. This creates a vacuum. If not MITRE, then who? Enterprises are left with less transparent data to make billion-dollar security spending decisions. That’s not a good trend for anyone, except maybe the vendors’ marketing departments.
The Persistence of “Dumb” Threats
Look, for all the talk of AI and hyper-advanced attacks, 2025 proved that the oldest problems are the hardest to solve. A massive proxy botnet built on unpatched, end-of-life IoT devices? That’s not a sophisticated hack. That’s just taking advantage of our collective neglect. The same goes for the FortiGate firewall leaks from a 2022 vulnerability and the surge in QR code phishing. These aren’t cutting-edge exploits. They’re attacks that work because patching is hard, device lifecycles are long, and users will scan a random code. It’s a brutal reminder that foundational security hygiene—asset management, patch management, user training—is still the ballgame. The fancy AI attacks make headlines, but the baseline vulnerabilities pay the bills for criminals.
AI’s Double-Edged Sword
Wow, did the AI security risks crystallize this year. We saw the offensive and defensive sides collide. The Grok-4 jailbreak in 48 hours using a combo of existing techniques shows these models are fragile. Attackers are methodically stress-testing safety guardrails, and they’re finding cracks. On the other side, the warning about “slopsquatting” is terrifying for developers. Your AI coding assistant hallucinates a package name, you trust it, and boom—you’ve just imported malware because a threat actor was squatting on that made-up name. It automates the supply chain attack. The fact that OWASP had to release a guide for securing agentic AI applications tells you how fast this is moving. We’re building autonomous, tool-using systems that can be manipulated to automate attacks, and the security playbook is being written in real time. It’s a wild west phase, and it’s moving at LLM speed.
Response Speed and New Metrics
It wasn’t all doom and gloom, though. The npm community’s rapid response to the crypto-clipper attack was a masterclass in crisis management. Taking down all malicious packages in hours? That’s the open-source ecosystem working at its best. It shows that while the attack surface is growing, our ability to coordinate and respond can be incredibly agile. Similarly, NIST’s new LEV metric is a quiet but important evolution. Moving from “this vulnerability *could* be exploited” (CVSS) to “this vulnerability *is likely being* exploited” (EPSS) to “this vulnerability *was probably* exploited” (LEV) gives SOC teams a much sharper triage tool. In an era of alert fatigue, better prioritization isn’t just nice—it’s the only way to survive. The lesson from 2025 seems to be that the threats are evolving in complexity and scale, but our tools and communities are scrambling to keep up, with some notable wins and some serious institutional stumbles along the way.
