This time of year, everywhere you look, security guys like me are sharing our hot takes for the year ahead. However, reflecting on the past year is equally important. I like to see how my previous predictions held up and how things actually played out.
When it comes to retrospectives, it’s pretty easy to just cobble together the tidbits that will validate your point. However, it’s important to me to look at last year’s predictions with a more critical eye and find concrete evidence as to whether the predictions were resilient. That’s why we’re here today—to score my 2025 predictions and look ahead at what’s coming.
Original prediction: In 10 years, we’ll likely look back on this season as a defining period. As global tensions escalate and cyber makes itself obvious as a theater of modern warfare, the operating assumptions of cyber defenders will change. The true value of solutions and strategies developed during a period of relative “peace” will be challenged.
Accuracy: Validated ✅
2025 was definitely a busy year for nation-vs.-nation cyber activity. When I originally wrote this prediction, my thinking was that this year was going to feature more overt conversation around the uptick in attacker activity compared to whispers in back rooms.
This shift from covert to overt cyber conflict discourse happened exactly as predicted. Here are a few examples:
Original prediction: Ground-up cyber resilience initiatives like secure by design and secure by default (SBD) will gain traction with product vendors, especially as the increase in malicious activity pressures vendors to deliver clear evidence of good cyber hygiene to their customers.
Accuracy: Partially validated ✅
This one was mixed—and super interesting. Let’s start with what went right. One major win was the significant progress we saw in the EU/UK. The passage of the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA) has accelerated the policy and accountability-driven spread of SBD principles. The CRA entered into force December 10, 2024, requiring products to be SBD (applies from December 2027), with fines up to €15 million or 2.5% of global revenue. DORA became applicable in January 2025. Furthermore, the Cyber Solidarity Act entered into force February 4, 2025, and the NIS2 Directive became effective October 2024. A late but quite spectacular entrant was Portugal, which amended Article 8.o-A to include exemptions for good-faith security research. These regulatory frameworks materialized as predicted.
Another win was in the private sector. The prediction that market solutions will fill gaps was correct. There has been a strong push in private market innovation toward tooling that makes SBD more accessible to developers (not just enforced or verified by security teams) by taking advantage of AI and CI/CD contexts and facilitating an actual “shifting left” of secure by design and secure by default. We’re seeing this in startups like Corrodor.dev, StackHawk, and Manifest, many of which were founded by ex-CISA employees, validating the ecosystem shift. These players are all doing interesting things in terms of using AI and modern development trends to solve SBD challenges.
Now let’s look at what didn’t materialize. My general observation is that the U.S. government-led efforts around SBD slowed dramatically due to a mixture of significant overall policy shifts, as well as changes in the role and ranks of CISA, which has traditionally been responsible for this. These factors slowed the momentum of top-down encouragement and the evangelism of SBD.
The other problem that slowed the momentum of SBD is the lack of enforcement of the “tangible progress” component of the SBD pledge. I’ve been skeptical of the effectiveness of the pledge itself because there is a troubling accountability gap. The pledge was voluntary and had no enforcement component. Only 4% of vendors that signed it actually showed progress after 12 months.
In situations like these, security is essentially reduced to a marketing tool. CISOs pushed their way to the front of the line to sign the pledge, built trust, and made a big deal about their participation. However, the actual accountability around what happened next trailed off.
Because of this, we’re seeing a slew of vulnerabilities and breaches, indicating that vendors aren’t necessarily getting the memo when it comes to implementation. Vendors aren’t getting their “SBD house in order,” and end-user frustration is growing. There is a massive gap in vendors’ ability to provide decent evidence that improvements to product security are actually being made.
Original prediction: As nation-state threat actors continue to build and maintain their Operational Relay Boxes (ORBs) and as the IAB business model continues to proliferate, targeting of hardware in the form of IoT and edge-access devices will increase pressure on vendors of these products to fix vulnerabilities quickly and avoid their introduction in the first place.
IoT, hardware, and edge-device targeting definitely exploded in 2025. It feels like every week another internet-connected camera is discovered running botnet malware.
This can be seen in the discovery of LapDogs and Flax Typhoon. Discovering multiple ORB networks, like LapDogs with over 1,000 nodes and Flax Typhoon with a staggering 200,000+ compromised devices, highlights how adversaries have moved beyond mere experimental capabilities to fully industrialized cyber warfare operations. The sophistication of campaigns, such as Salt Typhoon’s breach into telecommunications, underscores this shift. This infrastructure-as-a-service model for nation-state actors, combined with the proliferation of the IAB marketplace—showing a 118% growth in VPN access sales—suggests that we in the cybersecurity community are not just facing isolated threats. Instead, we’re up against mature, scalable attack ecosystems that will persist and evolve throughout the decade.
Although pressure on vendors has anecdotally intensified, this hasn’t resulted in meaningful action. This is likely due to the sheer amount of effort involved in writing and testing patches for hardware systems, as well as the logistics involved in applying those available patches.
Organizations need to treat their systems as though they’re actively targeted 24/7. It gets proven time and time again that there is always another bug. With enough time, attention, and resources, there will always be another vulnerability found. This obviously extends beyond IoT and hardware but is especially true for legacy hardware.
Teams need to continue to look for vulnerabilities, keep up with patching, and understand what is urgent in their environments. Beyond that, think about what the bad guys are doing. Presume an attack has already happened and work backward from there. If you can approach security from both perspectives, I’d say you’re in a pretty good spot.
If you’re interested in learning more, I recommend checking out the data on the rise of hardware and IoT vulnerabilities in Inside the Mind of a CISO.
Overall, I’d say I’m pretty happy with my predictions from 2025. The threat predictions were accurate, but the market and policy response predictions were more of a mixed bag. This reflects the complexity of driving organizational change at scale.
Stay tuned; tomorrow we’ll be posting another blog on our 2026 security predictions.