Our 2025 Threat Detection Report is chock full of operational insights, with actionable guidance on every page. But what should you tackle first? Red Canary intelligence analysts Tony Lambert and Stef Rand sat down to discuss five key takeaways from the report for practitioners who are in the trenches of their organization’s environment. Watch their conversation below, and scroll down for action items you can implement right away.
1. Take stock of what tools are allowed in your environment
“Know your environment” is somewhat of a mantra in this industry, but it’s worth repeating in the context of remote monitoring and management (RMM) tools such as NetSupport Manager, the seventh most prevalent threat Red Canary observed last year. While many help desks use certain RMM tools for legitimate reasons, we’ve seen adversaries abuse products like ScreenConnect and TeamViewer for malicious activity, including ransomware attacks.
2. Consider the cloud, but don’t forget your endpoints
While cloud attacks are certainly increasing, some of the most serious incidents Red Canary thwarted last year occurred on individual unmonitored endpoints. Endpoint detection and response (EDR) remains a crucial component to achieving defense in depth.
3. Enable MFA to prevent valid credential abuse
Thanks to the continued commoditization of stealer malware, it has never been easier for adversaries to get their hands on a set of valid credentials. After debuting in the top 10 list of MITRE ATT&CK techniques we observed last year, Cloud Accounts takes the top spot in this year’s report. Multi-factor authentication is by far the most effective measure to prevent adversaries from logging into your environment directly.
4. Set group policies to prevent malicious scripts from executing
Three of our top 10 threats drop malicious scripts upon execution: SocGholish, Scarlet Goldfinch, and Gootloader. Luckily, Windows offers a relatively simple mitigation technique for this tactic: Defenders can change the default so that JavaScript files open in Notepad or another editor rather than immediately executing them. Read our blog on how to implement this control via Group Policy Objects (GPO).
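The control described above, as an added example that is not code from the report or from the linked Red Canary blog: it re-points the Windows Script Host file types (.js and .jse) to Notepad on a single machine so that a double-click shows the script source instead of executing it. It assumes a Windows host, an elevated PowerShell session, and that Notepad is an acceptable viewer; in a domain, the same key and value pairs are what you would push through a GPO registry preference item rather than running a script on each endpoint.

```powershell
# Added example, not from the Red Canary report: re-point WSH script types to Notepad.
# Assumes Windows, elevated PowerShell, and Notepad as the chosen viewer.

# REG_EXPAND_SZ so %SystemRoot% expands at launch time, matching the original value type.
$viewer = '"%SystemRoot%\System32\notepad.exe" "%1"'

# ProgIDs under HKLM:\SOFTWARE\Classes (merged into HKCR) that WScript.exe handles by default.
$progIds = @('JSFile', 'JSEFile')

foreach ($progId in $progIds) {
    $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (-not (Test-Path $key)) {
        Write-Warning "$key not found; skipping"
        continue
    }
    $current = (Get-ItemProperty -Path $key -Name '(default)').'(default)'
    if ($current -like '*wscript.exe*' -or $current -like '*cscript.exe*') {
        Write-Host "$progId currently opens with: $current"
        Set-ItemProperty -Path $key -Name '(default)' -Value $viewer -Type ExpandString
        Write-Host "$progId now opens with: $viewer"
    } else {
        Write-Host "$progId is not handled by Windows Script Host ($current); leaving as-is"
    }
}

# Verification pass: each ProgID should now resolve to notepad.exe.
foreach ($progId in $progIds) {
    $key   = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    $value = (Get-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        ProgId      = $progId
        OpenCommand = $value
        Hardened    = ($value -like '*notepad.exe*')
    }
}
```

Users who must run .js files on purpose can still do so explicitly through cscript.exe or wscript.exe; the change only removes the double-click path the droppers rely on.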
5. Educate users to spot browser threats
Toward the end of last year, we saw fake CAPTCHA lures that ultimately tricked users into running malicious scripts, a technique our team refers to as “paste and run.” We also saw threats that masquerade as fake updates–like SocGholish and Scarlet Goldfinch–retain their effectiveness. We strongly encourage increasing user education and awareness around browser-based threats. For paste and run specifically, emphasize that any pop-up window or prompt—whether it’s a CAPTCHA or a “fix” of some kind—that asks users to press the Windows button + R or + X (the keyboard shortcut for the Windows Run dialog), followed by pressing CTRL + V (to paste the unknowingly copied PowerShell command) is almost certainly malicious.