Evolving Cybersecurity Training and Incident Response for Modern Threats
Security leaders are increasingly recognizing that traditional approaches to cybersecurity training and incident response are insufficient in the face of rapidly evolving threats. According to the Cytactic 2025 State of Cyber Incident Response Management (CIRM) Report, 57% of significant cyber incidents involve attack scenarios that organizations have never rehearsed, highlighting a critical gap in preparedness. Many organizations focus their tabletop exercises on well-known threats such as ransomware, but the real challenge often comes from novel and unexpected attack vectors. Security experts argue that tabletop exercises are frequently either too specific or too grandiose, failing to address the nuanced and likely scenarios that teams are more apt to encounter. For example, some enterprises have gone to great lengths, such as purchasing burner phones for secure communications during exercises, only to discover practical issues during the simulation. Analysts and consultants point out that these exercises often lack realism and do not align with the actual risk and threat profiles of the organization. Meanwhile, a global survey by DarkTrace found that 74% of cybersecurity professionals view AI-powered threats as a major challenge, and 90% expect these threats to significantly impact their organizations within the next one to two years. The increasing use of AI-generated malware and autonomous reconnaissance by adversaries means that threats are evolving in real time, outpacing the static, compliance-driven training models many organizations still use. Legacy approaches, such as annual penetration tests and semi-annual tabletop exercises, are no longer adequate, as they provide limited visibility and fail to build lasting strategic capabilities. These outdated models also assume that adversaries are predictable, which is no longer the case in the current threat landscape. Experts advocate for a shift toward Continuous Threat Exposure Management (CTEM), a discipline that emphasizes ongoing, threat-informed practice rather than occasional, fragmented exercises. This approach requires organizations to move from reactive defense to operational resilience, fostering cross-functional collaboration and daily engagement with emerging threats. By making training exercises more relevant, realistic, and tailored to the organization's specific context, security teams can better align with business objectives and improve their ability to respond to unforeseen incidents. The consensus among industry leaders is that a transformation in both mindset and practice is essential to keep pace with the dynamic nature of cyber threats. Organizations that fail to adapt risk being unprepared for the next wave of sophisticated attacks, particularly those leveraging artificial intelligence and automation. Ultimately, the future of cybersecurity training lies in continuous, adaptive, and business-aligned preparation that mirrors the complexity and speed of modern adversaries.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Security experts call for more realistic, organization-specific resilience exercises
Experts cited in October 2025 coverage urged organizations to move beyond compliance-driven tabletop exercises and run more frequent, practical drills tailored to their own operations. Recommendations included testing crisis communications, contact-list accuracy, burner-phone access, and partner-related incident response under realistic conditions.
Cytactic report finds 57% of major incidents were not previously rehearsed
The 2025 Cytactic report concluded that 57% of significant cyber incidents involved attack scenarios cybersecurity teams had not prepared for in tabletop exercises. The finding highlighted a gap between common rehearsal scenarios and real-world attacks such as lateral movement, quiet data exfiltration, phishing, credential harvesting, drive-by compromises, and burst DDoS activity.
Cytactic surveys 480 U.S. cyber leaders for 2025 incident response report
Cytactic's 2025 State of Cyber Incident Response Management Report surveyed 480 senior U.S. cybersecurity leaders, including 165 CISOs, about preparedness for significant cyber incidents. The survey found that many organizations were not rehearsing the kinds of incidents they later faced.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Beyond Penetration Testing: 10 Cyber Resilience Exercises to Strengthen Your Security Posture
foresiet.com
Open sourceCISOs must rethink the tabletop, as 57% of incidents have never been rehearsed
csoonline.com
Open sourceRed, Blue, and Now AI: Rethinking Cybersecurity Training for the 2026 Threat Landscape
cyberscoop.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Incident Management Strategies and Workforce Training for Cybersecurity Leaders
Effective incident management is a critical component of operational security for organizations of all sizes, enabling them to respond to and recover from cybersecurity incidents with minimal disruption. Executive leaders, particularly those aligned with CISSP principles, are encouraged to view incident management not just as a technical necessity but as a strategic enabler that minimizes business disruption, limits financial and reputational losses, and ensures regulatory compliance. The incident management lifecycle encompasses preparation, detection and analysis, containment, eradication, and recovery, with a strong emphasis on readiness and continuous improvement. Preparation involves establishing and training an incident response team, developing integrated response plans, maintaining updated asset inventories, and pre-arranging contracts with digital forensics and legal experts. Early detection is facilitated by monitoring systems such as SIEM, IDS/IPS, and EDR, and relies on clear definitions of security incidents and tiered severity classifications. Impact assessments and stakeholder communications are key outputs of the detection and analysis phase. Containment and eradication require swift action to isolate affected systems and remove threats, while recovery focuses on restoring operations and learning from the incident to improve future responses. In parallel, workforce training is essential to ensure that staff are equipped to handle the most common cyber threats. Research from Cleveland State University demonstrates that even organizations with limited resources, such as SMBs, can benefit from a streamlined approach to the NICE Cybersecurity Workforce Framework. By focusing on the most prevalent threats—phishing, malware, ransomware, and web-based attacks—training can be made more practical and relevant. Scenario-based curricula, which simulate real-world attacks like ransomware delivered via EternalBlue or PBX hacking, help learners develop both technical and legal response skills. These exercises are supported by virtual machine labs and legal case studies, ensuring that participants understand both the technical and regulatory aspects of incident response. The research highlights that a focused, scenario-driven training approach can be effective for organizations of any size, providing a model for larger enterprises to enhance their own incident management capabilities. By integrating technical skills with legal and regulatory knowledge, organizations can build resilient teams capable of responding to evolving cyber threats. Continuous learning and adaptation are emphasized as key to maintaining security maturity and operational continuity. The combination of robust incident management processes and targeted workforce training forms the foundation of a resilient cybersecurity posture for modern enterprises. Executive leaders are advised to invest in both strategic planning and practical training to ensure comprehensive preparedness for cybersecurity incidents. The integration of legal, technical, and operational considerations is essential for effective incident response and long-term organizational resilience. Ultimately, organizations that prioritize both incident management and workforce development are better positioned to navigate the complexities of today’s threat landscape.
Mar 21, 2026
Evolving Cybersecurity Threats and Organizational Preparedness in 2025
Geopolitical instability, rapid technological advancement, and persistent skills shortages are fundamentally reshaping the cybersecurity landscape for organizations worldwide. According to a PwC report, 60% of executives now rank cyber risk investment among their top three strategic priorities, driven by concerns over political instability, trade disputes, and shifting alliances. Despite this heightened awareness, only about half of surveyed organizations feel very capable of withstanding cyberattacks on common vulnerabilities, and a mere 6% report preparedness across all vulnerabilities, highlighting significant exposure through legacy systems and complex supply chains. The financial impact of breaches remains severe, with over a quarter of respondents experiencing incidents costing at least $1 million in the past three years, disproportionately affecting large enterprises and technology-driven sectors. Spending on cybersecurity is increasing, with 78% of organizations expecting budget growth, yet only 24% are channeling more resources into proactive measures such as monitoring, testing, and training, indicating a continued reactive posture. The ENISA Threat Landscape 2025 report underscores the professionalization of cybercrime, the convergence of criminal and state-aligned actors, and the rise of hacktivist groups leveraging ransomware for both ideological and financial gain. Ransomware remains the most disruptive threat across the EU, with groups adopting decentralized operations, double- and triple-extortion tactics, and exploiting regulatory compliance fears to pressure victims. The proliferation of Ransomware-as-a-Service (RaaS), public leaks of builder tools, and the emergence of access brokers have lowered barriers to entry, fueling a diverse and persistent threat ecosystem. Weak authentication practices persist in many organizations, with passwords and SMS codes still dominant despite their vulnerability to phishing and credential theft. A significant portion of employees have never received cybersecurity training, and outdated policies further exacerbate risk, as personal and professional security habits often overlap, creating additional attack vectors. The adoption of stronger authentication methods, such as device-bound passkeys, remains limited, and resistance to multi-factor authentication is common due to perceived complexity. The use of AI in both attack and defense is accelerating, with AI-generated phishing campaigns and adaptive malware becoming more prevalent, while defenders also leverage AI for predictive threat detection. The overall picture is one of rising threat sophistication, uneven organizational preparedness, and a pressing need for sustained investment in proactive security measures, workforce training, and the adoption of advanced technologies to build resilience against an increasingly complex cyber threat landscape.
May 4, 2026
Trends and Strategies in Modern Cybersecurity Defense
Organizations are facing a rapidly evolving threat landscape, with attackers increasingly leveraging stealthy techniques such as living-off-the-land, supply chain compromises, and edge device exploitation to bypass hardened traditional defenses. Security leaders are responding by adopting exposure-first strategies, improving telemetry, and focusing on proactive measures to reduce attack surfaces. The importance of understanding and managing what is visible to attackers, including third-party and supply chain exposures, is emphasized as a critical step in slowing adversaries and building resilience. Additionally, the shift toward edge computing, cloud adoption, and the proliferation of IoT devices are driving the need for unified, adaptive security frameworks that can protect data and operations across diverse environments. Security operations centers (SOCs) are being urged to improve the quality of their data inputs and adopt holistic, triathlon-like training approaches to enhance readiness, consistency, and endurance in defense. Endpoint detection and response (EDR) is recognized as necessary but insufficient on its own, with proactive exposure management and comprehensive edge-to-cloud strategies becoming essential. The integration of AI, the need for strong evidence retention, and the importance of collaboration across the industry are highlighted as key factors in staying ahead of threat actors. These trends underscore the necessity for organizations to rethink their security architectures and operational practices to address both current and emerging cyber risks effectively.
Mar 21, 2026