Toast with Talos: Inside Cisco’s Cyber Threat Intelligence
Posted: Thursday, Jun 18
Chaahat Baghla has a Bachelor of Cybersecurity from Macquarie University. With a deep passion for reading, writing, and asking the questions that matter, Chaahat is known for her confident voice and thoughtful curiosity. Chaahat brings her public speaking skills and genuine interest in people’s stories to her new role as the host of the KBI.Media original series, Destination Cyber, as well as her work as a Staff Writer with KBI.Media.


There’s something disarmingly civilised about being invited to breakfast to discuss the collapse of civilised infrastructure. But that’s precisely the mood at a recent media briefing with Cisco Talos, the threat intelligence division quietly standing between organisations and the adversaries trying to dismantle them.

The format was simple: coffee, food, and a candid walkthrough of Talos’s 2025 Year in Review with the people who wrote it. What followed was one of the more grounding conversations I’ve had in cybersecurity journalism.

The Invisible Layer

Most Cisco customers, as Carl Solder, CTO for Cisco Australia and New Zealand, was quick to point out, have no idea Talos exists. They buy the firewall. They configure the policies. They go about their day. What they don’t see is the intelligence layer underneath.

“You can have the best firewalls in the world,” Solder told me, “but if they don’t know the attack vectors, they’re useless.”

Talos sits as exactly that layer, absorbing telemetry from across Cisco’s vast sensor network, analysing emerging threats, and feeding that intelligence back into the products. It’s the difference between a locked door and a locked door that knows someone is already in the building. And as Solder noted, most Cisco consumers aren’t aware of the work happening behind the scenes.

Manufacturing: The Sitting Duck

One of the more striking findings from the 2025 Year in Review is the manufacturing sector’s continued dominance as the most-targeted industry. The question put to Matthew Olney, Director of Talos Threat Intelligence and Interdiction, was: why?

His answer was blunt: outdated and end-of-life systems, for which patches simply no longer exist.

The report backs this up with hard numbers. Nearly 40% of the top-targeted vulnerabilities in 2025 directly impacted end-of-life devices, systems that organisations can no longer patch because the vendor has stopped supporting them. And it’s not just about legacy software sitting forgotten in a server room. The report notes that manufacturing environments operate hybrid IT and OT systems, carry lower cybersecurity budgets compared to sectors like finance, and have a very low tolerance for downtime, which means taking systems offline to update them isn’t always a viable option.

The result is a sector that consistently presents as the most targeted in ransomware data leak site posts, a finding Talos tracked across three consecutive years.

Solder added the strategic dimension: organisations in this position need to fundamentally rethink their risk appetite. The question is no longer just “are we secure?” but “have we honestly assessed what we’re willing to expose, and what the consequences are?”

What Talos IR found in 2025 reinforces a theme that runs through the entire report: identity is the new perimeter. Ransomware operators, for instance, were observed relying heavily on the exploitation of identity-based weaknesses: using social engineering for initial access, leveraging valid accounts throughout the attack cycle, and using built-in remote management tools that require user credentials for lateral movement. Phishing was involved in 40% of Talos IR cases observed across the year.

The Shrinking Window

The most sobering part of the conversation touched on AI, specifically on a theme that has become impossible to ignore: speed.

The 2025 report is already a document about velocity. React2Shell, the most targeted vulnerability of the year, was only disclosed in December, yet it reached the top of the list because adversaries weaponised it almost immediately upon disclosure. The ToolShell vulnerabilities affecting Microsoft SharePoint, all disclosed mid-2025, climbed into the top five most targeted CVEs of the year within months. As the report puts it, newly disclosed vulnerabilities in widely deployed software can generate significant, organisation-wide impact long before typical patch cycles catch up.

The discussion at the briefing went further. Today, a capable AI model might take around ten hours to discover a previously unknown vulnerability. That window is closing. The conversation in the room was frank: by the end of this year, or whenever the next generation of models matures, that timeline could compress to under a minute.

The implications are significant. The current model of cybersecurity depends on a workable gap between discovery, disclosure, and patching. Defenders need time to respond. If AI closes that gap to near-zero, the entire patch window, the breathing room that allows organisations to catch up, could collapse.

This isn’t a theoretical future. It’s a trajectory Talos is already tracking.

AI: Neither Ally nor Enemy

Perhaps the most quotable framing of the morning came in how the Talos team characterised AI’s role in security. Not as a weapon. Not as a shield. But as a bidirectional challenge.

AI security, in their framing, runs in two directions simultaneously: protecting the world from AI agents, and protecting AI agents from the world.

That duality captures something important that gets lost in the usual breathless AI coverage. The 2025 report describes AI as a dual-edged sword, lowering the barrier to entry for novice attackers through tools like AI-generated phishing sites, while simultaneously raising the ceiling for advanced threat actors through capabilities like deepfake technology used to secure employment at target organisations.

At the same time, AI systems themselves, the agents organisations are now deploying for automation, operations, and decision-making, are becoming attack surfaces. The report specifically flags new AI-specific risks that organisations are now forced to defend against: context poisoning, prompt injection, and the emerging class of AI-enabled malware observed in the first months of 2026.

The security perimeter has expanded to include the intelligence itself.

For Talos, tracking all of this and feeding that intelligence back into the products is the work. For most of their customers, it’s invisible.

That invisibility, it turns out, is the point.

The Cisco Talos 2025 Year in Review is available at blog.talosintelligence.com.
