Red Canary, now part of Zscaler, has released its midyear update to the annual Threat Detection Report, shedding light on the cybersecurity threats it detected in the first half of 2025. The report underscores the rapid rise in identity threats and the complex landscape of cloud-based techniques, shaped by the growing adoption of identity security, generative AI, and improved detection coverage.
The report states that as organisations adopt cloud-based identity services, they must adapt their cybersecurity strategies to acknowledge both overt threats and subtle, perilous activities that could lead to significant breaches.
"Security teams are evolving their endpoint-focused strategies to approaches that recognise more nuanced risks across dispersed environments," said Keith McCammon, Co-founder of Red Canary. "Unlike endpoint, where most of the data and context required for threat detection and response stems from a single source, identity and cloud threat detection requires visibility and correlation across disparate systems, coupled with a platform and team capable of performing timely investigations."
Cloud Account Activity: An alarming 500% rise in detections related to Cloud Accounts was noted, attributed partly to expanded identity detection coverage and the deployment of AI agents. These tools help identify unusual login patterns and suspicious behaviours, such as logins from unfamiliar devices, IPs, and VPNs, improving the detection of risky behaviour.
Cloud Risk Techniques: Two newly identified cloud techniques, Data from Cloud Storage and Disable or Modify Cloud Firewall, now appear among the top 10 detected techniques. They represent not only explicit threats but also risky behaviours that foreshadow potential breaches. The underlying problems are insecure configurations of AWS S3 storage buckets and open ingress ports, which adversaries, and sometimes unwitting employees, exploit.
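The two detection themes above, unfamiliar sign-ins against a per-user baseline and risky cloud configuration changes (world-open ingress rules and public bucket policies), can be illustrated with a small detector. The code below is an added example and is not Red Canary's code or part of the report; the event schema, field names, the anonymizer IP range and the sample events are all constructed for illustration (the two action names follow AWS CloudTrail event naming, but the record layout is simplified).

```python
# Added example, not Red Canary's code: a minimal detector over constructed
# cloud audit events covering two of the report's themes:
#   1. sign-ins from an IP or device not previously seen for that user, or
#      from a known VPN/anonymizer range (Cloud Accounts)
#   2. risky configuration changes: security-group ingress opened to the
#      whole Internet, and S3 bucket policies granting public access
#      (Disable or Modify Cloud Firewall / Data from Cloud Storage)
# The event schema and all sample values are assumptions for illustration.
import ipaddress
from collections import defaultdict

# Constructed sample events in a simplified, vendor-neutral schema.
EVENTS = [
    {"type": "signin", "user": "alice", "ip": "203.0.113.10", "device": "alice-laptop"},
    {"type": "signin", "user": "alice", "ip": "203.0.113.10", "device": "alice-laptop"},
    {"type": "signin", "user": "alice", "ip": "198.51.100.77", "device": "unknown-android"},
    {"type": "signin", "user": "bob", "ip": "203.0.113.22", "device": "bob-desktop"},
    {"type": "config", "user": "bob", "action": "AuthorizeSecurityGroupIngress",
     "cidr": "0.0.0.0/0", "port": 22},
    {"type": "config", "user": "bob", "action": "AuthorizeSecurityGroupIngress",
     "cidr": "10.0.0.0/8", "port": 443},
    {"type": "config", "user": "alice", "action": "PutBucketPolicy",
     "bucket": "finance-exports", "principal": "*", "effect": "Allow"},
]

# Constructed placeholder for a feed of known VPN/anonymizer egress ranges.
ANONYMIZER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def detect_unfamiliar_signins(events):
    """Flag sign-ins whose IP or device is new for the user, or comes from a VPN range.

    The baseline is learned from the stream itself: a user's first sign-in only
    seeds the baseline, later sign-ins are compared against everything seen so far.
    """
    baseline = defaultdict(set)  # user -> set of (ip, device) pairs seen
    alerts = []
    for e in events:
        if e["type"] != "signin":
            continue
        user, pair = e["user"], (e["ip"], e["device"])
        reasons = []
        if baseline[user] and pair not in baseline[user]:
            if e["ip"] not in {ip for ip, _ in baseline[user]}:
                reasons.append("new ip")
            if e["device"] not in {dev for _, dev in baseline[user]}:
                reasons.append("new device")
        ip = ipaddress.ip_address(e["ip"])
        if any(ip in net for net in ANONYMIZER_RANGES):
            reasons.append("vpn/anonymizer range")
        if reasons:
            alerts.append({"user": user, "ip": e["ip"], "reasons": reasons})
        baseline[user].add(pair)
    return alerts


def detect_risky_config_changes(events):
    """Flag ingress rules open to 0.0.0.0/0 and bucket policies allowing Principal '*'."""
    alerts = []
    for e in events:
        if e["type"] != "config":
            continue
        if e["action"] == "AuthorizeSecurityGroupIngress":
            # A /0 prefix means the rule is reachable from the entire Internet.
            if ipaddress.ip_network(e["cidr"]).prefixlen == 0:
                alerts.append({"user": e["user"],
                               "finding": f"ingress open to world on port {e['port']}"})
        elif e["action"] == "PutBucketPolicy":
            if e["principal"] == "*" and e["effect"] == "Allow":
                alerts.append({"user": e["user"],
                               "finding": f"bucket {e['bucket']} granted public access"})
    return alerts


if __name__ == "__main__":
    for alert in detect_unfamiliar_signins(EVENTS) + detect_risky_config_changes(EVENTS):
        print(alert)
```

On the constructed events this raises one sign-in alert (alice from a new IP and device inside the placeholder VPN range) and two configuration alerts (port 22 open to the world, and the finance-exports bucket made public); the 10.0.0.0/8 rule is internal and is left alone. In practice the baseline would be persisted across runs rather than rebuilt from each batch.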
Phishing Challenges: Analysis of user-reported phishing emails showed that only 16% posed actual threats. Despite that low fraction, phishing remains a significant attack channel. Adversarial tactics have become more refined over time, even using tools such as Google Translate to craft evasive phishing emails that bypass traditional security controls.
Scarlet Goldfinch's Adaptation: This persistent threat now relies on fake CAPTCHA lures as its delivery vector, moving away from its former reliance on fake browser updates. The shift underlines the adaptability of these actors in applying modern social engineering tactics to outsmart current defences.
As threats evolve, it is crucial for companies to:
By deploying these strategies together, organisations can substantially strengthen their cybersecurity posture and reduce both the likelihood and the impact of the most recent adversarial techniques.
Methodology: Red Canary's midyear report is based on confirmed threats drawn from the extensive telemetry collected from customer endpoints, networks, and cloud infrastructure during the first half of 2025.