I Need IT Support Now
Managed IT Houston Cybersecurity
Shane

CrowdStrike 2025 Global Threat Report: What West Houston Businesses Need to Know

51 Seconds to Breach: The New Reality of Cyber Defense

Threat Report
Attackers Now Break Out of the First Machine in 51 Seconds. And 79% of Their Attacks Use No Malware at All.

The CrowdStrike 2025 Global Threat Report calls it the "enterprising adversary." Here are the numbers that matter - and what to do about them.

TL;DR
The CrowdStrike 2025 Global Threat Report describes an "enterprising adversary" running attacks with business-like speed and efficiency. In 2024, the average breakout time - how fast an attacker moves from the first machine to the next - fell to 48 minutes, with a fastest recorded time of just 51 seconds. Malware-free attacks hit 79% of detections (up from 40% in 2019), making them hard to catch with old tools. Vishing (voice phishing) jumped 442% between the first and second half of the year, and China-nexus activity rose 150% overall. Attackers now favor identity - stolen logins, help-desk scams, and AI-generated phishing that gets clicked far more often. The response: phishing-resistant MFA, cross-domain detection, cloud security, and adversary-aware patching.

CrowdStrike's 2025 report shows adversaries operating like businesses - faster, stealthier, and increasingly focused on stolen identities rather than malware.

The theme of the year is the "enterprising adversary": attackers who run efficient, repeatable operations and reach for the fastest path in. That path is more and more about people and credentials, not malicious files. For a business, the practical message is that speed and identity are now the battleground - and defenses built for yesterday's malware will miss most of what is happening.

The number to sit with: 51 seconds. That is the fastest time an attacker took to move from the machine they compromised to the next one. Detection and response now has to work in minutes, not days.

The Headline Numbers

Four figures that capture how the game changed in 2024.

Faster breakouts, malware-free attacks, a vishing explosion, and a surge in China-nexus activity define the year.

CROWDSTRIKE 2025: THE YEAR IN 4 NUMBERS 51 sec fastest breakout time recorded 79% malware-free attacks +442% vishing H1 to H2 2024 +150% China-nexus activity
Selected 2024 findings from the CrowdStrike 2025 Global Threat Report.

Underneath those headlines: initial-access attacks made up 52% of the vulnerabilities CrowdStrike observed, access-broker advertisements rose 50% year over year, and interactive intrusions - hands-on-keyboard attacks - climbed 35%. The technology sector was the most targeted for the seventh year running.

How Attacks Accelerated

The clearest story is in the year-over-year change.

Nearly every metric moved in the attacker's favor - faster, quieter, and more identity-driven than before.

MetricBefore2024
Average breakout time62 minutes (2023)48 minutes (fastest 51 seconds)
Malware-free attacks40% of detections (2019)79% of detections
Vishing (voice phishing)Baseline+442% from H1 to H2
China-nexus intrusionsBaseline+150% overall (some sectors +200-300%)
AI vs human phishing click-through12% (human-written)54% (AI-generated)

How key attack metrics shifted, per the CrowdStrike 2025 Global Threat Report.

Identity is the connective tissue. Valid account abuse drove 35% of cloud-related incidents, and attackers leaned on vishing, access brokers, and trusted-relationship abuse to get in without tripping malware detection. That is why the report's top recommendation is to secure the entire identity ecosystem - not just the endpoint.

The Social-Engineering Business

Attackers added a human voice - and AI - to their toolkit.

Vishing and help-desk scams surged, and generative AI made the lures dramatically more effective.

Chart of vishing intrusions detected by CrowdStrike per month in 2024
Vishing intrusions detected per month, 2024 - Source: CrowdStrike 2025 Global Threat Report.

In a typical campaign, an attacker calls an employee posing as IT support, talks them into installing a remote-support tool or malicious payload, then uses that access to spread and steal data. CrowdStrike tracked eCrime groups like CURLY SPIDER, CHATTY SPIDER, and PLUMP SPIDER running exactly these plays. A close cousin is help-desk social engineering, where attackers call an organization's own help desk, impersonate an employee, and get a password or MFA reset - often after hours, to buy more undetected time.

  • AI-written phishing works far better. LLM-generated messages saw a 54% click-through rate versus 12% for human-written ones.
  • Deepfakes enable fraud. Cloned voices and video have been used in business-email-compromise and wire-fraud schemes.
  • Fake personas at scale. Adversaries used AI to build convincing fake LinkedIn profiles and run disinformation networks.

Could You Detect an Attacker in 51 Seconds?

CinchOps runs 24/7 detection and response and phishing-resistant identity controls built for the speed and stealth this report describes. See where your gaps are.

Talk to CinchOps
100% Free

Free Cybersecurity Assessment

Are your defenses built for malware or for identity-driven attacks? Get a FREE assessment of your MFA, detection speed, and cloud security.

Get Your Free Assessment

The old model was "find the malware." This report is telling you the malware often is not there - 79% of the time. Attackers log in with stolen identities and move in under a minute. The defense has to shift with them: protect identity first, and detect in real time, because you no longer have hours.
Shane Stevens, CEO, CinchOps - LinkedIn

Defense Built for the Enterprising Adversary

CinchOps delivers 24/7 detection and response, phishing-resistant MFA, cloud security, and adversary-aware patching to counter exactly these tactics - as part of everyday cybersecurity and managed IT.

Explore CinchOps cybersecurity →

How CinchOps Helps Secure Your Business

CinchOps is a Katy, Texas managed IT services provider serving businesses across the Houston metro, aligning defenses to the CrowdStrike report's own recommendations.

  • 24/7 detection and response. Real-time monitoring that works inside the critical breakout-time window.
  • Identity security. Phishing-resistant MFA and continuous monitoring for stolen-credential and help-desk attacks.
  • Cloud security. Protecting SaaS and cloud identities, where valid-account abuse now drives many incidents.
  • Vulnerability management. Adversary-centric patching that prioritizes the flaws attackers actually exploit for initial access.
  • Awareness training. Preparing your team for vishing and AI-crafted social engineering.

The adversaries are getting more enterprising - your defense should too. Contact CinchOps to build a security posture that keeps pace.

Frequently Asked Questions

What is breakout time, and why does 51 seconds matter?

Breakout time is how long it takes an attacker to move from the first machine they compromise to another system on the network. In 2024 the average fell to 48 minutes, and the fastest was 51 seconds - meaning defenders may have under a minute to detect and respond before an attacker spreads.

What are malware-free attacks?

Malware-free attacks use no malicious file - attackers log in with stolen credentials and use legitimate tools and hands-on-keyboard activity instead. They reached 79% of detections in 2024 (up from 40% in 2019), which makes them hard to catch with traditional antivirus that looks for known malware.

Why did vishing increase so much in 2024?

Voice phishing rose 442% from the first to second half of 2024 because it works: attackers call employees posing as IT support to trick them into granting access. Generative AI has made these and other social-engineering lures more convincing, with AI-written phishing clicked far more often than human-written messages.

What is the "enterprising adversary"?

It is CrowdStrike's term for attackers who operate like efficient businesses - running repeatable, scalable operations, buying access from brokers, and favoring the fastest, stealthiest path in (usually stolen identities) over slower malware-based methods.

How should a business respond to these threats?

The report recommends securing the whole identity ecosystem with phishing-resistant MFA, eliminating cross-domain visibility gaps with XDR and modern SIEM, defending the cloud as core infrastructure, prioritizing patches with an adversary-centric view, and knowing which adversaries target you. A managed security partner can deliver these together.

Discover More

Sources

Take Your IT to the Next Level!

Book A Consultation for a Free Managed IT Quote

281-269-6506