In 2024, cybersecurity saw several significant developments—from new regulations such as NIS2, DORA and the Cyber Resilience Act to the global CrowdStrike incident during the summer. Now that we have entered 2025, the obvious question is: What’s next?
Of course, nobody can answer that question with certainty. Nevertheless, our Practice Heads have taken a look into the crystal ball to share their perspectives on what may shape the cybersecurity landscape in 2025.
Today we’re speaking with Fabian Mittermair, COO & Head of Offensive Security.
Although 2024 is behind us, let’s start with a quick look back. From your perspective, what were the biggest cybersecurity challenges for organizations?
Fabian Mittermair: From my perspective, 2024 was largely shaped by new regulations such as NIS2, DORA and the EU Cyber Resilience Act. Their goal is to strengthen the cyber resilience of European organizations, but they also require significant changes to IT environments and business processes. Many organizations therefore had to fundamentally rethink both their technical infrastructure and their internal workflows—a challenge that also created opportunities for more modern and effective security strategies.
At the same time, cyberattacks became significantly more sophisticated and targeted throughout 2024. Technological advances and geopolitical tensions accelerated the professionalization of cybercrime. Critical infrastructure and supply chains were particularly affected, once again highlighting the importance of holistic and proactive security strategies.
Another major trend was the growing use of Artificial Intelligence, both by cybercriminals and by defenders. This development demonstrates just how dynamic and demanding today’s threat landscape has become.
Ultimately, 2024 made one thing very clear: cybersecurity has become a business-critical discipline. Organizations that actively address these challenges can not only reduce risk, but also gain a competitive advantage.
We are now at the beginning of 2025. Which cyber threats do you expect to be particularly relevant this year?
Fabian Mittermair: AI will continue to evolve rapidly throughout 2025. Lower costs and increasingly capable models will create new opportunities—for both defenders and attackers.
Cybercriminals will increasingly leverage AI to discover vulnerabilities, generate convincing deepfakes and develop AI-enhanced malware. At the same time, defenders are also embracing AI. It enables earlier detection of attack patterns, helps identify vulnerabilities and automates defensive actions—often much faster than humans could.
The key is ensuring that we use this technology to our advantage instead of leaving the playing field to attackers.
Geopolitical tensions will also remain with us. Even when conflicts on the ground subside, the battlefield increasingly shifts into cyberspace—where there are no ceasefire agreements.
We should expect highly sophisticated attacks resembling intelligence operations, often with state sponsorship. And realistically, we will probably never hear about many of them.
Critical infrastructure will remain a primary target, while distinguishing between financially motivated cybercriminals and state-sponsored actors will become increasingly difficult.
2025 will be a year of both challenges and opportunities. Organizations that take a proactive approach—for example through penetration testing and realistic attack simulations—can identify vulnerabilities early and significantly strengthen their defenses.
Those willing to invest in cybersecurity today will not simply stay one step ahead of attackers—they will turn cybersecurity into a genuine competitive advantage built on stability, trust and long-term resilience.
How do you expect the regulatory landscape for cybersecurity to evolve during 2025?
Fabian Mittermair: For Austria, 2025 will be a pivotal year. A new national NIS law will translate European regulations such as NIS2, DORA and the Cyber Resilience Act into concrete legal requirements.
Organizations will therefore face the challenge of moving beyond planning and actually implementing their cybersecurity strategies. That requires investment—not only in technology, but also in processes and trusted partnerships.
One particularly important aspect is the obligation to proactively identify vulnerabilities—for example through penetration testing or attack simulations. These activities will become increasingly important under the new regulations because they not only uncover weaknesses but also provide evidence that organizations are meeting their security obligations.
For companies that have never conducted penetration tests before, 2025 will be a significant learning experience. Realistic attack scenarios provide an entirely new perspective on an organization’s security posture and reveal opportunities for targeted improvement.
Organizations that already perform traditional penetration tests can further expand their security maturity through approaches such as Red Team Assessments, uncovering weaknesses in processes and organizational structures that conventional testing often misses.
The message from the new regulations is clear: cybersecurity must become proactive.
Organizations that embrace this opportunity will strengthen both their defenses and the trust of customers, partners and regulators.
What role will Artificial Intelligence play in cybersecurity during 2025—both as a defensive tool and as a threat?
Fabian Mittermair: AI will continue to develop at remarkable speed throughout 2025. Lower costs and increasingly mature models will create entirely new possibilities—for defenders as well as attackers.
Cybercriminals will use AI to identify vulnerabilities more quickly and accurately, analyze vast amounts of data efficiently and derive valuable intelligence about potential targets. One potential future threat is AI-generated malware capable of bypassing traditional detection technologies. While this technology is still in its early stages, we may begin to see the first practical examples emerge during 2025.
Overall, AI will accelerate and professionalize cyberattacks—particularly during the preparation phase, where attackers analyze target environments and refine their attack techniques.
On the defensive side, AI is already considerably more mature and widely available through commercial cybersecurity solutions. It helps organizations detect attack patterns at an early stage, optimize security configurations and automatically initiate defensive actions—often in real time and significantly faster than human operators.
One of AI’s greatest strengths is increased efficiency. It dramatically accelerates routine tasks such as generating scripts or modifying configuration files. As a result, even teams without deep expertise in every technical domain can substantially increase their productivity. This scalability is particularly valuable given the ongoing shortage of cybersecurity professionals.
Despite these advantages, organizations should maintain realistic expectations regarding AI’s current maturity.
AI will not replace cybersecurity professionals. Instead, it will serve as a powerful force multiplier, enabling security teams to become significantly more effective.
Organizations that invest confidently in AI while remaining aware of its limitations will strengthen their defenses—and ensure that attackers do not gain the upper hand.
Looking back over the past few years, which developments in cybersecurity have surprised you the most, and what do you expect for 2025?
Fabian Mittermair: The pace at which AI technology has evolved has genuinely surprised me. Even two years ago, I wouldn’t have expected AI to become so useful so quickly for both offensive and defensive cybersecurity applications. What surprised me even more was how rapidly organizations adopted these technologies—despite concerns around data privacy and cloud computing. That level of momentum was unexpected, but in my view, it’s ultimately a positive development.
I’m equally fascinated by the growing number of use cases for generative AI. I believe we’ll continue to see innovations over the coming years that fundamentally change how we interact with computers. Who knows—perhaps keyboards and mice will eventually give way to voice or gesture control. Changes like these will inevitably influence how attackers operate as well.
As for 2025, I’m looking forward to seeing what new innovations emerge. I’m excited to watch these developments unfold—and yes, my popcorn is already waiting for the next surprise. (laughs)
What advice would you give organizations to help them prepare for 2025?
Fabian Mittermair: First, continue investing in your people. Education, training and continuous learning remain essential—not only for IT and security teams, but for every employee. Cybersecurity is always a team effort, and every individual plays an important role.
Second, prepare for the day when an attack succeeds. That means establishing clear processes and capabilities for Incident Response, Business Continuity and rapid detection and containment. Organizations should assume that successful attacks are possible and be prepared to respond accordingly.
Third, test your defenses regularly. Penetration tests and realistic attack simulations help uncover weaknesses throughout the organization. More importantly, however, organizations must act on the findings and consistently implement the recommended improvements. The ultimate goal should be building broad and resilient cyber resilience.
Finally, I encourage organizations to embrace AI with confidence. Companies that use AI effectively will gain advantages not only in cybersecurity, but across their entire business. Those who ignore this technological shift risk falling behind over the coming years.
From the perspective of Offensive Security, what do you hope to see in 2025?
Fabian Mittermair: I see a clear trend towards more sophisticated attack simulations, such as Initial Compromise Assessments and Red Team Assessments.
While traditional penetration testing and application security assessments will remain important, the focus is increasingly shifting towards holistic security assessments. Organizations are rarely compromised simply because someone hacked a web server. Real attackers look for the weakest point—and that often lies within internal processes or with people themselves.
Identifying these weaknesses will be essential for building truly effective cyber defenses.
I’m also a strong believer in the Assumed Breach approach. Here, attacks are simulated from inside the network, with the Red Team acting as the attacker while the Blue Team is responsible for detecting and containing the intrusion.
After all, organizations should always assume that an attacker may eventually succeed. The real challenge is whether defenders can detect the compromise quickly, limit the impact, initiate effective countermeasures and remove the attacker from the environment before significant damage occurs.
I expect demand for these types of projects to continue growing over the coming years. They’re not only technically exciting and challenging—they’re also one of the best ways to strengthen our customers’ security teams and prepare their cybersecurity strategies for the future.
