Cyberattacks targeting operational technology (OT) environments rose sharply in 2025, according to new research from Forescout, highlighting growing risks to critical infrastructure as attackers adapt to cloud services, AI platforms and increasingly distributed attack infrastructure.
Forescout’s 2025 Threat Roundup Report, produced by its research arm Vedere Labs, analysed more than 900 million cyberattacks observed globally between January and December 2025. The findings paint a picture of a threat landscape that is not only more aggressive, but also more agile, with adversaries shifting tactics, infrastructure and targets at unprecedented speed.
One of the most striking findings is an 84% increase in attacks using OT protocols, led by Modbus, Ethernet/IP and BACnet. These protocols are widely used across industrial control systems, building management systems and manufacturing environments, reinforcing concerns that cybercriminals and state-aligned actors are increasingly probing the digital foundations of critical services.
Attacks go global and harder to trace
The report shows cyberattacks are becoming more geographically dispersed. Malicious activity was traced to 214 countries and territories, with threat actors increasingly using infrastructure registered across a broader range of locations.
While China, Russia and Iran remained the most common sources of attacks, the top ten originating countries accounted for just 61% of malicious traffic, down 22% year-on-year. This dispersion makes attribution more difficult and reflects the growing use of cloud services and rapidly changing network infrastructure.
The United States was the most targeted country in 2025, followed by India and Germany. Although the number of cybercriminal and state-sponsored groups was broadly similar, cybercriminals were responsible for nearly six times more incidents, underlining the scale of financially motivated activity.
Cloud services increasingly abused
Cloud platforms are playing a growing role in modern attacks. Abuse of Amazon and Google infrastructure alone accounted for more than 15% of observed attacks, up from 11% in 2024.
Threat actors are also cycling through Autonomous Systems at speed, partly in response to law enforcement takedowns. Several of the most abused Autonomous Systems in 2024 disappeared entirely from the rankings in 2025, replaced by previously obscure providers, a sign of how quickly attackers can retool their infrastructure.
Web applications were once again the most targeted service type, accounting for 61% of attacks, followed by remote management protocols. The continued focus on externally exposed services reinforces the importance of attack surface management and continuous monitoring.
IT, IoT and OT all under pressure
Beyond OT environments, attacks against IoT devices rose from 16% to 19%, with IP cameras and network video recorders remaining popular targets. Exploits targeting network infrastructure devices accounted for 19% of all observed exploitation activity, reflecting ongoing weaknesses in routers, firewalls and edge devices.
Vulnerability exploitation also increased significantly. During 2025, 242 vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalogue, a 30% rise year-on-year, while Vedere Labs recorded a 213% increase in vulnerabilities in its own KEV list.
Crucially, 71% of exploited vulnerabilities were not included in CISA’s KEV catalogue, suggesting attackers are increasingly moving beyond well-publicised flaws and targeting gaps that many organisations may not prioritise.
AI platforms enter the crosshairs
The report also highlights early warning signs around AI security. Langflow, an open-source low-code AI development platform, emerged as one of the most exploited new vulnerabilities, indicating that the tooling underpinning AI adoption is already attracting attacker attention.
As organisations rush to deploy AI-driven workflows, these findings underscore the need to secure development pipelines and supporting infrastructure, not just the AI models themselves.
Reconnaissance takes centre stage
According to Forescout, attacker behaviour is shifting decisively towards deeper reconnaissance. Discovery activity now accounts for 91% of post-exploitation actions, up from just 25% in 2023.
This change suggests attackers are spending more time understanding compromised environments, mapping networks and identifying high-value targets before taking destructive action.
For defenders, this creates both a challenge and an opportunity. “This shift gives organisations a larger window to detect compromise before more damaging actions occur,” the report noted, provided they have the visibility to spot lateral movement and unusual discovery behaviour.
What defenders should do next
Forescout argues that traditional perimeter-focused security models are no longer sufficient. Instead, organisations need holistic visibility across IT, IoT and OT, combined with network segmentation, East–West traffic monitoring and rapid containment capabilities.
As Barry Mainz, CEO of Forescout, put it: “Deeper visibility, enhanced risk assessment, and proactive controls are non-negotiables for today’s defenders.”
With critical infrastructure increasingly in the firing line, the 2025 Threat Roundup makes clear that securing interconnected environments and detecting attackers early will be one of the defining cybersecurity challenges of 2026.
