
Methodology

We are pleased to present Red Canary’s 2026 Threat Detection Report.

Behind the data

The Threat Detection Report sets itself apart from other annual reports with its unique data and insights, derived from a combination of expansive detection coverage, diverse technological partnerships, and expert-led investigation and confirmation of threats. The data that power Red Canary and this report are not mere software signals: this data set is the result of hundreds of thousands of investigations across millions of protected systems and identities.

Each of the more than 110,000 threats that we responded to has one thing in common: it was not prevented by our customers' expansive security controls. This research is the result of the breadth and depth of analytics and analysis that we use to detect the threats that would otherwise go undetected.

Red Canary ingested 305 petabytes of security telemetry from 1,700 organizations’ endpoints, identities, cloud systems, and SaaS applications in 2025. We processed 329 billion records per day. Our detection engine generated 419 million investigative leads that our platform pared down to 8.5 million potentially malicious events. In the end, we detected 110,000 confirmed threats, 34,000 of which were higher-severity threats that might’ve represented a significant risk to our customers if we hadn’t detected them. Every one of these was scrutinized by detection engineers, intelligence analysts, researchers, threat hunters, and an ever-expanding suite of bespoke agentic AI tools.

The Threat Detection Report synthesizes the critical information we communicate to customers whenever we detect a threat, the research and detection engineering that underlies those detections, the intelligence we glean from analyzing them, and the expertise we deploy to help our customers respond to and mitigate the threats we detect.

What counts

Techniques

We map our custom detection analytics and the other security signals we use to detect threats to corresponding MITRE ATT&CK® techniques whenever possible. If the analytic or alert uncovers a realized or confirmed threat, we construct a timeline that includes detailed information about the activity we observed.

Because we know which ATT&CK techniques an analytic aims to detect, and we know which analytics led us to identify a realized threat, we are able to look at this data over time and determine technique prevalence, correlation, and much more.

Figure: Red Canary’s overall detection volume

Forever techniques

What we’ve learned over time is that a relatively small number of techniques play a role in a disproportionately large number of detections. It’s rare to see unexpected techniques in our top 10 or even 20 or 30, and when we do, it’s almost always because we’ve turned our focus to a new technological domain. For example, we’ve seen an increase in adversary abuse of cloud, identity, and SaaS-related techniques in recent years as we’ve invested in securing those technologies.

To that point, over the last five years, we’ve detected at least one of the 10 most prevalent techniques in 46 percent of all detections. Over the same time period, we detected at least one of the top 20 techniques in 63 percent of detections.

Figure: Detections over the years

Threats

This report also examines the threats that leverage these techniques and other tradecraft intending to harm organizations. While Red Canary broadly defines a threat as any suspicious or malicious activity that represents a risk to you or your organization, we also track specific threats by associating malicious and suspicious actions with clusters of activity, specific malware variants, legitimate tools being abused, and known threat actors.

We track and analyze these threats continually throughout the year, publishing Intelligence Insights, bulletins, and profiles, considering not just prevalence of a given threat, but also aspects such as velocity, impact, or the relative difficulty of mitigation or defense. The Threats section of this report highlights our analysis of common or impactful threats, which we rank by the number of customers they affect.

Trends

Since this report is a macroanalysis of detection data from organizations of every size and from every sector, it’s rightfully biased toward threats and techniques that most organizations are likely to face. And we believe most organizations should prioritize those threats and techniques first and foremost. However, organizations are exposed to a great deal of risk from threats that may not be prevalent enough across enough organizations to rank among our top threats and techniques. As such, we also include extensive analysis of security trends from the year that we think security teams ought to be prepared for.

What doesn’t count

Consistent with past years, we exclude low-severity detections associated with unwanted software, confirmed testing, false positives, and otherwise sanctioned activity from the data we use to compile the top techniques and threats listed in this report.
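To make the counting rules in the Techniques, Threats, and What doesn't count sections concrete, the following is an added example written for this page (not Red Canary's tooling, schema, or data). It applies the exclusion rule before any ranking, computes per-detection technique prevalence, measures "at least one of the top N techniques" coverage in the sense of the 46 and 63 percent figures above, and ranks named threats by the number of distinct customers affected. The detection records, field names, customer and threat names, and exclusion categories are constructed assumptions; the technique IDs are real ATT&CK identifiers used only as labels.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example of the report's counting rules. Field names, threat names,
# and exclusion categories are assumptions for this illustration, not Red
# Canary's schema or data.


@dataclass(frozen=True)
class Detection:
    detection_id: str
    customer: str
    severity: str                 # e.g. "high", "medium", "low"
    classification: str           # why the detection was published (see EXCLUDED)
    techniques: Tuple[str, ...]   # ATT&CK technique IDs the triggering analytics map to
    threat: Optional[str] = None  # named threat the activity was associated with, if any


# Classifications that do not count toward top techniques and threats:
# unwanted software, confirmed testing, false positives, and sanctioned activity.
EXCLUDED = {"unwanted", "testing", "false_positive", "sanctioned"}


def counted(detections: List[Detection]) -> List[Detection]:
    """Apply the 'what doesn't count' rule before any ranking."""
    return [d for d in detections if d.classification not in EXCLUDED]


def technique_prevalence(detections: List[Detection]) -> Tuple[List[Tuple[str, int, float]], int]:
    """Percent of counted detections in which each technique appears at least once.

    A technique is tallied once per detection even if several analytics mapped to
    it fired, so the result is per-detection prevalence, not analytic volume.
    Returns ([(technique, detections, percent), ...] sorted by prevalence, total).
    """
    dets = counted(detections)
    tally: Counter = Counter()
    for d in dets:
        for t in dict.fromkeys(d.techniques):  # dedupe within a detection, stable tie order
            tally[t] += 1
    n = len(dets)
    ranked = [(t, k, round(100 * k / n, 1)) for t, k in tally.most_common()]
    return ranked, n


def top_n_coverage(detections: List[Detection], top_n: int) -> float:
    """Percent of counted detections containing at least one of the top_n techniques."""
    ranked, n = technique_prevalence(detections)
    top = {t for t, _, _ in ranked[:top_n]}
    hits = sum(1 for d in counted(detections) if top.intersection(d.techniques))
    return round(100 * hits / n, 1)


def threat_ranking(detections: List[Detection]) -> List[Tuple[str, int]]:
    """Named threats ranked by the number of distinct customers affected."""
    customers = {}
    for d in counted(detections):
        if d.threat:
            customers.setdefault(d.threat, set()).add(d.customer)
    return sorted(((t, len(c)) for t, c in customers.items()), key=lambda x: (-x[1], x[0]))


# Constructed sample detections (fictional customers, threats, and records).
SAMPLE_DETECTIONS = [
    Detection("d1", "acme", "high", "malicious", ("T1059.001", "T1055"), "cluster-alpha"),
    Detection("d2", "acme", "medium", "suspicious", ("T1218",)),
    Detection("d3", "globex", "high", "malicious", ("T1059.001", "T1027", "T1105"), "cluster-alpha"),
    Detection("d4", "globex", "low", "unwanted", ("T1059.001",), "pup-beta"),       # excluded
    Detection("d5", "initech", "high", "malicious", ("T1003", "T1055"), "cluster-gamma"),
    Detection("d6", "initech", "low", "testing", ("T1003",)),                         # excluded
    Detection("d7", "umbrella", "medium", "suspicious", ("T1078",)),
    Detection("d8", "umbrella", "medium", "false_positive", ("T1218",)),              # excluded
    Detection("d9", "hooli", "high", "malicious", ("T1059.001",), "cluster-gamma"),
    Detection("d10", "umbrella", "high", "malicious", ("T1078", "T1003"), "cluster-gamma"),
]

if __name__ == "__main__":
    ranked, n = technique_prevalence(SAMPLE_DETECTIONS)
    print(f"{n} counted detections (of {len(SAMPLE_DETECTIONS)})")
    for technique, k, pct in ranked:
        print(f"  {technique:10} {k:2} detections  {pct:5.1f}%")
    for top_n in (1, 3):
        print(f"at least one top-{top_n} technique: {top_n_coverage(SAMPLE_DETECTIONS, top_n)}%")
    print("threats by customers affected:", threat_ranking(SAMPLE_DETECTIONS))
```

Two details matter when reproducing numbers like these against your own data: dedupe techniques within a detection before tallying, otherwise a detection on which several analytics for the same technique fired inflates that technique's prevalence, and apply the exclusions before ranking rather than after, since a prevalent unwanted-software technique can otherwise displace a genuine one from the top N.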

Limitations

Red Canary optimizes for detecting and responding rapidly to early-stage adversary activity. As a result, the techniques that rank highly skew heavily toward the initial access stage of an intrusion and the execution, privilege escalation, lateral movement, and defense evasion that rapidly follow it. This contrasts with incident response providers, for example, whose visibility tends toward the middle and later stages of an intrusion or a full-blown breach.

We often detect and action threats early, shielding organizations from the wide array of risks associated with breaches and incidents. As such, one of the great benefits of this report is that it acts as a playbook that organizations can follow to develop the ability to detect threats early and often, before adversaries are able to accomplish their objectives and cause harm.

Knowing the limitations of any methodology is important as you determine what threats your team should focus on. While we hope our list of top threats and detection opportunities helps you and your team prioritize, we recommend building your own threat model by comparing the top threats we share in our report with what other teams publish and what you observe in your own environment.
