Between January and December 2025, threat actors launched 1,186 distinct attack campaigns targeting organisations worldwide. They deployed 147,000 malicious domains, distributed nearly 58,000 malware files, and exploited 549 separate vulnerabilities.
The numbers emerged Tuesday from HPE’s inaugural threat research report, released as security professionals gathered at RSA Conference 2026 in San Francisco. What the figures reveal, according to the company’s newly formed Threat Labs unit, is less about volume than structure—cybercrime has industrialised.
Government organisations absorbed the heaviest bombardment. Some 274 campaigns targeted federal, state, and municipal bodies throughout the year. Financial institutions faced 211 campaigns. Technology companies dealt with 179. Defence contractors, manufacturers, telecommunications providers, healthcare systems, and universities all appeared repeatedly in the data.
“In the Wild reflects the reality organisations face every day,” said Mounir Hahad, Head of HPE Threat Labs. “Our research is grounded in real-world threat activity, not theoretical tests in controlled lab scenarios. It captures how attackers behave in active campaigns, how they adapt, and where they are finding success. These first-hand observations and insights help sharpen detection, strengthen defences, and give customers a clearer view of the threats most likely to impact their data, infrastructure, and operations. That means stronger security, faster response, and greater resilience in the face of increasingly organised and persistent attacks.”
The shift isn’t just tactical—it’s organisational.
Threat actors now operate with hierarchical command structures resembling Fortune 500 companies. Specialised teams handle distinct phases of attacks. Some groups automated entire workflows, using Telegram channels to exfiltrate stolen data in real time, creating what researchers described as assembly-line efficiency. Others conducted market research on VPN vulnerabilities before launching intrusion campaigns, optimising target selection based on return on investment.
Generative AI accelerated several operations. Attackers produced synthetic voices for vishing campaigns—voice-based phishing that mimicked executives during urgent requests. Deepfake videos appeared in targeted impersonation fraud schemes. One extortion operation analysed virtual private network weaknesses across multiple vendors before concentrating resources on the most vulnerable implementations.
The professionalization creates a paradox. Attacks become more predictable in execution, following repeatable patterns and reusing infrastructure. Yet they’re harder to disrupt. Dismantling one malicious domain or taking down a command server rarely stops the broader campaign—attackers simply pivot to backup infrastructure already provisioned.
HPE’s research draws from Juniper Advanced Threat Prevention Cloud customer telemetry and a global network of honeypots, including TCP, SSH, and SMB variants distributed across multiple continents. The analysis covers every day of 2025, capturing live threat activity rather than simulated scenarios.
For defenders, the industrialisation of cybercrime demands corresponding sophistication.
Patching remains fundamental. VPNs, SharePoint instances, and edge devices represented the most frequently exploited entry points throughout the year. Organisations that delayed updates to these systems appeared repeatedly in successful breach attempts. The 549 exploited vulnerabilities weren’t exotic zero-days—many were known weaknesses with available patches that hadn’t been applied.
Zero trust architectures limited lateral movement once attackers breached perimeters. Continuous verification of users and devices before granting access reduced the blast radius when initial defences failed. Secure access service edge (SASE) approaches unified networking and security functions, surfacing attack patterns earlier by correlating data across previously siloed systems.
Visibility extended beyond corporate networks mattered. Home offices, third-party applications, and supply chain partners all provided entry vectors. Attackers understood the modern enterprise perimeter dissolved years ago—defences needed to follow suit.
“HPE Threat Labs was created to bridge the gap between cutting-edge research and real-world security outcomes,” said David Hughes, SVP & GM, SASE and Security for Networking, HPE. “The In the Wild report shows that today’s attackers operate with the discipline, scale, and efficiency of global enterprises, and defending against them requires the same level of strategy, integration, and operational rigour. By translating threat intelligence into our products, HPE Threat Labs is helping organisations reduce risk, limit disruption, and protect the systems their businesses depend on.”
The newly formed HPE Threat Labs unit combines security research talent from HPE and Juniper Networks, pooling threat intelligence to inform product development. The consolidation follows HPE’s acquisition of Juniper, completed earlier this year, and represents an attempt to convert raw threat data into actionable defences embedded directly in networking and security products.
At RSA Conference this week, where HPE occupies booth 1255 in Moscone Center’s South Hall, the company is demonstrating how threat intelligence feeds into its SASE and zero trust network access offerings. The timing isn’t coincidental—releasing a major threat report during the industry’s largest annual gathering ensures maximum visibility among the CISOs and security leaders who make purchasing decisions.
What the report doesn’t capture is equally telling. HPE hasn’t disclosed specific victim organisations, breach costs, or attacker success rates—metrics that would reveal the true effectiveness of these industrial-scale campaigns. The focus remains on observable tactics and infrastructure rather than business impact or attribution to specific threat groups.
The 274 government-focused campaigns suggest persistent interest in national infrastructure and sensitive data. Whether those represent nation-state espionage, ransomware operations seeking municipal payouts, or a combination remains unclear from the published findings. Financial and technology sectors attracted attention for obvious reasons—money and intellectual property respectively—but the targeting appears opportunistic rather than coordinated across threat actors.
Defence manufacturers, telecommunications providers, and healthcare systems each faced dozens of campaigns throughout 2025. The breadth reinforces that no vertical escapes attention. Attackers follow data, money, and strategic advantage wherever those assets reside.
For organisations reviewing their security posture after reading the report, the message centres on coordination over tooling. Sharing threat intelligence across teams and industries, applying available patches promptly, implementing zero trust principles, and extending visibility beyond traditional perimeters all require process changes more than budget increases.
Whether that resonates with security leaders facing budget constraints and competing priorities will become clear in the months ahead. The report arrives as many organisations reassess cybersecurity spending following a year of aggressive attacks. HPE is betting that demonstrating the industrial scale of modern threats will justify corresponding investment in defences.
The full report is available now, timed for maximum exposure at RSA Conference. By Thursday, thousands of conference attendees will have encountered the findings, either at HPE’s booth or through media coverage. Whether the data changes behaviour or simply confirms what security professionals already suspected remains the open question.