Welcome to the Red Canary Threat Detection Report

Featured Content

EXECUTIVE SUMMARY

93,000 threats evaded your defenses – None of them got past us. Download the report.

On-demand Webinar

Detection Series Webinar

Join us for a technical examination of initial access tradecraft and learn related detection strategies

Office Hours

Subscribe for actionable insights to strengthen your defense and grow your cybersecurity skills.

Explore our new Field Guide

Our new Field Guide to Color Bird Threats showcases the Red Canary-named activity clusters our Intelligence team is tracking

MEET THE COLOR BIRDS

Raspberry Robin

Tangerine Turkey

Where Next

EXPLORE

Trends

Red Canary performed an analysis of emerging and significant trends that we’ve encountered in confirmed threats, intelligence reporting, and elsewhere over the past year.

TOP 10

Threats

We’ve analyzed the most prevalent threats occurring in our customer environments.

TOP 10

Techniques

We’ve analyzed the most common techniques occurring in our customer environments.

Getting Started

We are pleased to present Red Canary’s 2024 Threat Detection Report. Our sixth annual retrospective, this report is based on in-depth analysis of nearly 60,000 threats detected across our 1,000+ customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications over the past year.

This report provides you with a comprehensive view of this threat landscape, including new twists on existing adversary techniques, and the trends that our team has observed as adversaries continue to organize, commoditize, and ratchet up their cybercrime operations.

As the technology that we rely on to conduct business continues to evolve, so do the threats that we face. Here are some of our key findings:

Everyone is migrating to the cloud, including bad guys: Cloud Accounts was the fourth most prevalent ATT&CK technique we detected this year, increasing 16-fold in detection volume and affecting three times as many customers as last year.
Despite a spate of new CVEs, humans remained the primary vulnerability that adversaries took advantage of in 2023. Adversaries used compromised identities to access cloud service APIs, execute payroll fraud with email forwarding rules, launch ransomware attacks, and more.
While both defenders and cybercriminals have discovered use cases for generative artificial intelligence (GenAI), we see defenders as having the edge.
Container technology is omnipresent, and it’s as important as ever to secure your Linux systems to prevent adversaries from escaping to host systems.
Mac threats are no myth–this year we saw more stealer activity on macOS environments than ever, along with instances of reflective code loading and AppleScript abuse.
Often dismissed, malvertising threats delivered payloads far more serious than adware, as exemplified by the Red Canary-named Charcoal Stork, our most prevalent threat of the year, and related malware ChromeLoader and SmashJacker.
Our new industry analysis showcases how adversaries reliably leverage the same small set of 10-20 techniques against organizations, regardless of their sector or industry.

We also check back on the timeless threats and techniques that are prevalent year-after-year, explore emerging ones that are worth keeping an eye on, and introduce two new free tools that security teams can start using immediately.

Use this report to:

Explore the most prevalent and impactful threats, techniques, and trends that we’ve observed.
Note how adversaries are evolving their tradecraft as organizations continue their shift to cloud-based identity, infrastructure, and applications.
Learn how to emulate, mitigate, and detect specific threats and techniques.
Shape and inform your readiness, detection, and response to critical threats.

behind the data

Methodology

The Threat Detection Report sets itself apart from other annual reports with its unique data and insights derived from a combination of expansive detection coverage and expert, human-led investigation and confirmation of threats. The data that powers Red Canary and this report are not mere software signals—this data set is the result of hundreds of thousands of expert investigations across millions of protected systems. Each of the nearly 60,000 threats that we responded to have one thing in common: These threats weren’t prevented by our customers’ expansive security controls—they are the product of a breadth and depth of analytics that we use to detect the threats that would otherwise go undetected.

Behind the data

Methodology

Acknowledgments

Thanks to the dozens of security experts, writers, editors, designers, developers, and project managers who invested countless hours to produce this report. And a huge thanks to the MITRE ATT&CK® team, whose framework has helped the community take a giant leap forward in understanding and tracking adversary behaviors. Also a huge thanks to all the Canaries—past and present—who have worked on past Threat Detection Reports over the last six years. The Threat Detection Report is iterative, and parts of the 2024 report are derived from previous years. This report wouldn’t be possible without all of you!

Dive into the report

Trends

Top Threats

Top Techniques

2025 THREAT DETECTION REPORT

Featured Content

Explore our new Field Guide

Where Next

Getting Started

This report provides you with a comprehensive view of this threat landscape, including new twists on existing adversary techniques, and the trends that our team has observed as adversaries continue to organize, commoditize, and ratchet up their cybercrime operations.

As the technology that we rely on to conduct business continues to evolve, so do the threats that we face. Here are some of our key findings:

Everyone is migrating to the cloud, including bad guys: Cloud Accounts was the fourth most prevalent ATT&CK technique we detected this year, increasing 16-fold in detection volume and affecting three times as many customers as last year.

Despite a spate of new CVEs, humans remained the primary vulnerability that adversaries took advantage of in 2023. Adversaries used compromised identities to access cloud service APIs, execute payroll fraud with email forwarding rules, launch ransomware attacks, and more.

While both defenders and cybercriminals have discovered use cases for generative artificial intelligence (GenAI), we see defenders as having the edge.

Container technology is omnipresent, and it’s as important as ever to secure your Linux systems to prevent adversaries from escaping to host systems.

Mac threats are no myth–this year we saw more stealer activity on macOS environments than ever, along with instances of reflective code loading and AppleScript abuse.

Often dismissed, malvertising threats delivered payloads far more serious than adware, as exemplified by the Red Canary-named Charcoal Stork, our most prevalent threat of the year, and related malware ChromeLoader and SmashJacker.

Our new industry analysis showcases how adversaries reliably leverage the same small set of 10-20 techniques against organizations, regardless of their sector or industry.

We also check back on the timeless threats and techniques that are prevalent year-after-year, explore emerging ones that are worth keeping an eye on, and introduce two new free tools that security teams can start using immediately.

Use this report to:

Explore the most prevalent and impactful threats, techniques, and trends that we’ve observed.

Note how adversaries are evolving their tradecraft as organizations continue their shift to cloud-based identity, infrastructure, and applications.

Learn how to emulate, mitigate, and detect specific threats and techniques.

Shape and inform your readiness, detection, and response to critical threats.

behind the data

Methodology

Behind the data

Methodology

Acknowledgments

Dive into the report

Security gaps? We got you.

Sign up for our newsletter

Identity is the new perimeter

Identity is the new perimeter