A few security predictions for 2025

It's that time of year again... Here are a few trends that I see making their presence felt in 2025. These are a work in progress, and I might expand on a few of them:

  1. Peacetime cyber vs. wartime cyber: 10 years from now, we'll likely look back on this season as a defining period. As global tensions continue to escalate and cyber makes itself obvious as a theater of modern warfare, the operating assumptions of cyber defenders will need to change. The true value of solutions and strategies developed during a period of relative "peace" will be challenged.
  2. Nation-state actors diversify and continue to get more aggressive: As global alliances continue to evolve, generative AI and technique-sharing accelerate time-to-effectiveness, and the "spectrum of attribution" broadens, attribution will become more of a challenge. Attackers, aware of this phenomenon, will be emboldened, and the trend towards effectiveness over stealth that we've seen globally over the past 5 years will accelerate. In particular, I'm interested in the role of grass-roots Civil Cyber Offense activities, such as the IT Cyber Army.
  3. Hardware and IoT back in the spotlight: As nation-state threat actors continue to build and maintain their Operational Relay Boxes (ORBs) and as the initial access broker (IAB) business model continues to proliferate, targeting of hardware in the form of IoT and edge-access devices will increase pressure on vendors of these products to fix vulnerabilities quickly and to avoid introducing them in the first place.
  4. "AI as a target" - Security and safety begin to hit their stride: As the hype dies down and the real-world use cases of generative AI start to form, I expect the overall field of AI security and safety to mature significantly in 2025, addressing AI as a target, tool, and threat.
  5. "AI as a tool" for offense and attack: 2024 has seen significant progress in agentic AI attack tooling, including the use of LLMs for discovery of 0-days and for driving the "grunt-work" aspects of network and application offense. I'd expect to see non-commercial open-source tooling make big strides in 2025, including in ways that enable malicious attackers.
  6. "AI as a threat" - New attack surface goes brrrrr: One of the main practical use cases that has sprung from the generative AI revolution is a radically lowered barrier to rapid prototyping and development. This, combined with the solopreneur phenomenon and the use of these tools within corporate innovation labs, is cranking out net-new code onto the Internet far more quickly than it can be secured, including anti-patterns repeated by copy-pasting from sources like Stack Overflow.
  7. Secure by Design, Secure by Default: Ground-up cyber resilience initiatives like Secure by Design and Secure by Default will gain traction with product vendors, especially as the increase in malicious activity puts pressure on vendors to deliver clear evidence of good cyber-hygiene to their customers.
  8. The wisdom of the crowd: The intelligence of the global hacker community will continue to bridge the gap between defenders, their attack surface, and the creativity and persistence of the adversary. This will manifest in increased adoption of vulnerability disclosure programs, a return to the practical return-focussed value of public and private bug bounty programs, and the expansion of community-driven threat intelligence and disruption.