Forecast 2025: Offensive Security

Date: Jan 24, 2025
Author: Fabian Mittermair

2024 brought some exciting developments in IT security: from the CRA coming into force to the CrowdStrike incident in summer. Now we are in 2025 and the question arises: What’s next? Of course, it’s impossible to answer this question completely - but our Practice Heads have dared to take a look into the crystal ball and give an outlook on what might be coming in the cybersecurity world in 2025.

Today in our interview: Fabian Mittermair, COO & Head of the Offensive Security team

The year 2024 may be over, but let’s take a brief look back. In your opinion, what were the biggest challenges for companies from the perspective of cyber security?

Fabian Mittermair: From my point of view, the year 2024 was characterized by new regulations such as NIS2, DORA, or the EU’s Cyber Resilience Act. They are intended to strengthen the resilience of European companies against cyber attacks – but they required extensive adjustments to a company’s IT and processes. Many companies therefore had to fundamentally rethink their IT infrastructure and internal processes – a challenge that at the same time opened up new opportunities for more modern and effective security strategies.

Meanwhile, cyberattacks became significantly more sophisticated and targeted in 2024. Technological advances and geopolitical tensions drove the professionalization of cybercrime. Critical infrastructure and supply chains were particularly affected, once again underscoring the importance of holistic and proactive security concepts.

Another trend was the increasing use of artificial intelligence (AI), which was used both by cybercriminals and in defense. This development shows how dynamic and demanding the threat environment has become.

2024 has made it clear how important cybersecurity is. Those who actively address the challenges can not only minimize risks, but also gain a competitive advantage.

We are at the beginning of 2025 - which cyber threats do you see as particularly dangerous or relevant for 2025?

Fabian Mittermair: In 2025, the development of AI will be advancing rapidly. Declining costs and sophisticated models are opening up new possibilities for use – for defenders and attackers alike. Cybercriminals will use AI to detect vulnerabilities, create deepfakes or build AI-optimized malware. But the defense is also upgrading: AI recognizes attack patterns, closes security gaps and automates defense measures – faster than we could ever do manually. It remains crucial that we use the technology to our advantage and do not leave the playing field to the attackers.

The geopolitical tensions of recent years will continue to accompany us. When the warfare on the ground subsides, the battle moves online – where no ceasefire agreement applies. We must prepare for highly complex attacks reminiscent of spy thrillers, often with state support. And yes, we probably won’t find out about all the attacks. Critical infrastructure will be in the crosshairs, and distinguishing between criminal and state actors will become increasingly difficult.

2025 will be a challenging year – but it will also bring opportunities. Companies that act proactively, for example by conducting penetration tests or attack simulations, can close security gaps in a targeted manner and optimally set up their defenses. Those who have the courage to resolutely implement security strategies now will not only stay one step ahead of attackers, but will also turn cybersecurity into a real strength – as a basis for stability, trust and sustainable success.

How will the regulatory landscape in the area of cyber security change in the course of this year?

Fabian Mittermair: 2025 will be a decisive year for Austria: a new NIS law will implement EU regulations such as NIS2, DORA and the Cyber Resilience Act in a concrete way. Companies are faced with the challenge of not only planning strategies, but also implementing them effectively. This requires investments in technology, processes and strong partnerships.

A key aspect here is the obligation to proactively identify vulnerabilities – for example, through penetration tests or attack simulations. These measures are coming more into focus as a result of the new regulations, as they not only uncover security gaps but also help to demonstrate compliance with the requirements.

For organizations that have not yet conducted penetration tests, 2025 will be a year of learning. Realistic attack scenarios offer a completely new perspective on their own security situation and enable targeted improvements. At the same time, companies that already use classic penetration tests can use new approaches such as Red Team Assessments to uncover previously hidden vulnerabilities in processes and structures.

The new regulatory requirements make it clear: in 2025, cybersecurity must be approached proactively. Companies that seize this opportunity will not only improve their defenses, but also create a strong foundation for trust and sustainable success.

What role will artificial intelligence (AI) play in cyber security in 2025 – both as a tool for defense and as a threat?

Fabian Mittermair: The development of AI will continue to advance rapidly in 2025. Declining costs and sophisticated models are opening up new possibilities for use – for defenders and attackers alike.

Cybercriminals will use AI to identify vulnerabilities faster and more precisely, to efficiently analyze large amounts of data, and to derive potential targets for attacks. One potential threat is the development of complex, AI-generated malware that could bypass attack detection technologies. Even if this technology is still in its infancy in 2025, the first approaches could become visible. Overall, AI will accelerate and professionalize attacks – especially in the preparation phase, for example in the analysis of target systems or the adaptation of attack techniques.

On the defense side, AI is already well developed and accessible to many organizations in the form of various security software products. AI detects attack patterns early, optimizes configurations, and initiates automated countermeasures – often in real time and faster than humans could.

One major advantage of the technology lies in the increase in efficiency. AI significantly accelerates simple tasks such as creating scripts or modifying configuration files. This allows teams without extensive expertise in all areas to increase their productivity. This scalability is crucial to compensate for the shortage of security professionals.

Despite all the advantages, it is important to have a realistic assessment of the technology’s level of maturity. AI will not replace human personnel, but rather serve as a lever to increase the effectiveness of teams. By boldly investing in AI while also understanding its limitations, companies will optimize their defenses and not leave the playing field to attackers.

Which developments in cyber security have surprised you the most in the last few years, and what do you expect for 2025?

Fabian Mittermair: I have been genuinely surprised by the speed at which AI technology has developed. Just two years ago, I would not have expected that AI could be used so quickly and meaningfully for both attacks and defenses in cybersecurity. I was particularly surprised by how quickly companies have embraced corresponding products – despite potential challenges such as data protection or cloud computing. This momentum was unexpected, but in my view quite positive.

Equally surprising is the growing number of application scenarios for generative AI. I think that in the next few years we can expect to see many developments that could fundamentally change the way we interact with computers. Who knows whether we will soon still be using mice and keyboards or whether voice and gesture control will replace them. Such changes will also fundamentally influence the approach of attackers.

I look forward to seeing what innovations await us in 2025. I’m excited to observe and follow these developments – my popcorn is ready for any potential surprises (laughs).

What would you advise companies to do to be well prepared for the year 2025?

Fabian Mittermair: Firstly, the further development of your own personnel remains crucial. Education, training and knowledge building are important not only for IT and security teams, but for all employees in the company. Cybersecurity is always teamwork – and every employee plays an important role.

Secondly, companies should prepare for an emergency. This means establishing measures and processes in case of a successful cyber attack. Incident response, business continuity and the ability to quickly detect and contain attacks are crucial.

Thirdly, regular testing is essential. Penetration tests and attack simulations help to uncover vulnerabilities in the organization. However, it is even more important to derive measures from these findings and implement them consistently. The goal must be robust cyber resilience that is broadly based.

In conclusion, I advise companies to be bold and to push ahead with the sensible use of AI. Those who use AI efficiently not only secure advantages in cyber security, but also in their overall business operations. Those who miss out on this technological change could fall behind in the medium term.

What do you wish for in 2025 from the perspective of your area of expertise?

Fabian Mittermair: I see a clear trend towards more complex attack simulations such as initial compromise assessments or red team assessments. While traditional penetration tests and application audits remain important, the focus will increasingly be on holistic approaches. Organizations are no longer attacked in isolation by hacking a web server – attackers look for the weakest point, and this is often found in internal processes or directly in personnel.

Identifying such vulnerabilities will be crucial to building truly effective cyber defense. I also find the “assumed breach” approach particularly important. This involves simulating attacks within a network (Red Team), while the defenders (Blue Team) have to detect and mitigate them. Because an attack can be successful at any time – the defense must then be able to minimize the damage, initiate countermeasures and quickly kick the attacker(s) off the network.

I expect projects of this kind to increase in the coming years. They are not only exciting and challenging, but also an excellent opportunity to train our customers’ security teams and make their security strategies fit for the future.