Talos IR trends - Cisco Talos Blog

Each quarter, Cisco Talos Incident Response recaps the malware families and attacker tactics they observed most in the wild. Find out what your organizations can learn so you don’t end up in the same position.

April 22, 2026 06:00
IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist
Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top vertical for initial access since Q2 2025.
Aliza Johnson Talos IR trends CTIR trends

January 29, 2026 06:00
IR Trends Q4 2025: Exploitation remains dominant, phishing campaign targets Native American tribal organizations
A drop in exploitation and ransomware, but a spike in phishing and credential abuse, show why timely patching and robust MFA matter more than ever.
Dave Liebenberg

October 23, 2025 06:00
IR Trends Q3 2025: ToolShell attacks dominate, highlighting criticality of segmentation and rapid response
Cisco Talos Incident Response observed a surge in attacks exploiting public-facing applications — mainly via ToolShell targeting SharePoint — for initial access, with post-exploitation phishing and evolving ransomware tactics also persisting this quarter.
Lexi DiScola

July 31, 2025 06:00
IR Trends Q2 2025: Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy
Phishing remained the top initial access method in Q2 2025, while ransomware incidents see the emergence of new Qilin tactics.

April 28, 2025 06:00
IR Trends Q1 2025: Phishing soars as identity-based attacks persist
This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.
Cisco Talos Incident Response

January 30, 2025 06:00
Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike
This new report from Cisco Talos Incident Response explores how threat actors increasingly deployed web shells against vulnerable web applications, and exploited vulnerable or unpatched public-facing applications to gain initial access.

October 24, 2024 06:00
Talos IR trends Q3 2024: Identity-based operations loom large
Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance - read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions.
Caitlin Huey

July 25, 2024 06:00
IR Trends: Ransomware on the rise, while technology becomes most targeted sector
Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row.
Nicole Hoffman

April 25, 2024 08:00
Talos IR trends: BEC attacks surge, while weaknesses in MFA persist
Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.

January 24, 2024 08:00
IR Q4 2023 trends: Significant increase in ransomware activity found in engagements, while education remains one of the most-targeted sectors
Talos IR observed operations involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time this quarter.

October 24, 2023 08:00
Attacks on web applications spike in third quarter, new Talos IR data shows
We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements.

July 26, 2023 08:00
Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent.

April 26, 2023 08:00
Quarterly Report: Incident Response Trends in Q1 2023
In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter.

January 26, 2023 04:00
Quarterly Report: Incident Response Trends in Q4 2022
Ransomware continued to be a top threat Cisco Talos Incident Response (Talos IR) responded to this quarter, with appearances from both previously seen and newly observed ransomware families.
ransomware

October 25, 2022 08:00
Quarterly Report: Incident Response Trends in Q3 2022
A lack of MFA remains one of the biggest impediments to enterprise security.

July 26, 2022 10:03
Quarterly Report: Incident Response Trends in Q2 2022
For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomwa

May 10, 2022 10:00
Talos Incident Response added to German BSI Advanced Persistent Threat response list
Cisco Talos Incident Response is now listed as an approved vendor on the Bundesamt für Sicherheit in der Informationstechnik (BSI) Advanced Persistent Threat (APT) response service providers list [https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Themen/Dienst
Jonathan Munshaw Headlines

April 26, 2022 09:11
Quarterly Report: Incident Response trends in Q1 2022
Ransomware continues as the top threat, while a novel increase in APT activity emerges
Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-revie
Caitlin Huey, Cisco Talos