Ransomware and infostealer threats continue to evolve faster than most organizations can respond. While traditional defenses, including backup and recovery strategies, remain critical, Picus Security’s Blue Report 2025 demonstrates that today’s most damaging attacks increasingly focus on credential theft, data exfiltration, and lateral movement rather than encryption alone. By quietly exploiting weak credentials and bypassing traditional controls, attackers achieve their objectives while remaining largely undetected.
The Blue Report 2025, which draws on over 160 million real-world attack simulations, validates concerns first highlighted in the Red Report 2025. Together, the two reports reveal a growing gap between adversary tactics and the defenses organizations have in place. Modern attacks are leveraging old-school stealth, persistence, and credential abuse to bypass controls, highlighting a critical need for Continuous Threat Exposure Management (CTEM) and Adversarial Exposure Validation (AEV) to continuously test defenses against real-world threats.
What Is the Blue Report?
Unlike reports that focus solely on threat trends or surveys, the Blue Report evaluates the actual effectiveness of security controls in real-world conditions. Conducted across industries, regions, and attack surfaces, it measures prevention and detection performance against MITRE ATT&CK techniques, ransomware families, infostealer behaviors, and newly disclosed vulnerabilities.
By providing an evidence-based view of how defenses perform, the Blue Report helps security teams prioritize high-risk exposures, strengthen resilience, and adopt CTEM strategies underpinned by AEV. The data-driven insights go beyond theory, showing exactly where security measures succeed and where they silently fail.
Key Findings: Credential Theft and Data Exfiltration
The 2025 findings reveal troubling trends. Password cracking succeeded in 46% of tested environments, nearly doubling from 25% in 2024. Meanwhile, attacks leveraging Valid Accounts (T1078) achieved a 98% success rate, underscoring how easily attackers exploit stolen or weak credentials to bypass security controls.
Data exfiltration prevention, already a concern in previous years, dropped to just 3%, despite the rising prevalence of infostealer malware and double-extortion ransomware campaigns. These gaps illustrate a critical point: even when organizations have invested in backups and detection, attackers can leverage stealth, persistence, and credential abuse to achieve their objectives without triggering alerts.
Infostealers have evolved from opportunistic malware scraping browser credentials to persistent, targeted tools used in sophisticated campaigns. By remaining quiet and blending into normal activity, they evade detection while exfiltrating sensitive data over extended periods. The Blue Report demonstrates that most organizations are underprepared for this reality, with limited outbound monitoring, insufficient DLP enforcement, and weak behavioral analytics.
Ransomware Without Encryption
Traditional ransomware defenses, such as robust backup and recovery strategies, are no longer sufficient on their own. Ransomware operators have shifted toward encryptionless extortion, stealing data and threatening public exposure rather than encrypting files. Variants like BlackByte (26% prevention rate), BabLock (34%), and Maori (41%) continue to bypass controls, not because recovery plans are lacking but because upstream tactics like credential abuse and lateral movement are not being effectively prevented.
Even if backed-up data can be restored, the damage from leaked information or compromised accounts has already occurred. This reality reinforces the need to focus on upstream prevention and detection, before data leaves the network and credentials are misused.
Prioritizing the Threats That Matter
In a world of competing priorities and finite resources, knowing what to address first is critical. The Blue Report 2025 helps organizations cut through the noise by revealing the real-world effectiveness of security controls, identifying which gaps represent the greatest operational risk, and providing context by sector, region, and attack technique.
By adopting CTEM strategies and operationalizing AEV, security teams can validate their controls, understand their actual exposure, and act decisively on the most critical threats. Whether improving data exfiltration defenses, stopping credential abuse, or tuning detection rules, these practices enable organizations to align resources with the exposures that truly matter.
Take Action: See Where You Stand
The Blue Report 2025 makes one thing clear: relying on assumptions, static controls, or outdated detection logic is no longer enough. Infostealers are thriving, ransomware is stealthier, and data exfiltration is often undetected.
With Adversarial Exposure Validation, organizations can go beyond dashboards and alerts to test defenses against real-world attacks, identify critical gaps, and strengthen their security posture proactively. Download the Blue Report 2025 today to explore the latest findings, understand your exposure, and learn how CTEM and AEV can help your organization stay ahead of emerging threats.