
Mid-Year Report: How AI Is Rewriting the Rules of Cybersecurity
This summer, we’re checking in on our TechArena predictions for 2025 to see how they are holding up.
Today, TechArena correspondent Will Torresan sat down with digital engineering leader and innovator Sean Grimaldi to discuss how his cybersecurity predictions for 2025 have performed.
Will: How is modern security architecture adapting to AI-generated threats and software-defined everything?
Enterprise security architecture is changing. Companies increasingly deploy artificial intelligence (AI)-driven detection systems, zero trust architecture (ZTA), and cloud-native security tools to address threats.
AI’s role in security operations has quickly grown. Organizations use platforms such as security orchestration, automation, and response (SOAR), endpoint detection and response (EDR), and extended detection and response (XDR) to find anomalies and automate initial responses.
Zero trust architecture is also gaining adoption, led by the U.S. federal government. ZTA assumes no inherent trust. It applies access controls and continuously validates users and devices. This model reduces breach risk and limits breach impact.
Multi-cloud security is becoming standard as organizations integrate security earlier in development via DevSecOps across more of their accounts. Firms like Chainguard are a part of this by improving software supply chain integrity and helping reduce risk by starting with a clean slate.
Will: You predicted a rise in attacks via internet-connected devices (IoT) and operational technology (OT) on critical infrastructure like healthcare and energy. Have we seen significant incidents this year that demonstrate that vulnerability? How are enterprises minimizing their risk with this expanded attack surface?
Cyberattacks against OT and IoT rose, confirming predictions that critical infrastructure — notably in healthcare, energy, and public utilities — would be targets in 2025. Incidents, from state-sponsored grid intrusions in the U.S. to ransomware affecting hospital equipment in Australia, show how malicious actors exploit OT system weaknesses.
- Chinese state-sponsored actors remained undetected for 300 days inside OT systems at Littleton Electric Light and Water Department in Massachusetts, U.S. They collected operational data, showing how deeply malicious actors can embed within U.S. grid infrastructure.
- A Honeywell report showed a 46% increase in ransomware attacks on industrial OT systems in the first quarter of 2025. This totaled 2,472 incidents globally.
- Malicious actors hit health care. In Australia, ransomware disrupted Compumedics sleep study devices across four hospitals. The malware spread through IoT medical equipment, stopping diagnostic procedures and exposing data of over 2,000 patients.
- Malicious actors successfully attacked consumer and public IoT infrastructure. The “Ballista” botnet exploited Hikvision IP camera weaknesses, turning thousands of devices across North America, Europe, and Japan into tools for distributed denial-of-service (DDoS) attacks. This highlights risks of poorly secured edge devices.
- Russia’s cyber operations against Ukraine intensified. Their actions target the convergence of information technology (IT), OT, and IoT systems within Ukraine’s energy, telecom, and military sectors. Attacks on supervisory control and data acquisition (SCADA) and industrial control systems (ICS) caused outages in infrastructure, satellite communications, drone fleets, and military command systems. This shows the scale and impact of OT-centric operations.
While some enterprises focus on gaining visibility and inventory of all connected IoT and OT devices using specialized platforms and implementing network segmentation to isolate IT, OT, and IoT networks to limit lateral movement for attackers, this segment remains unsecured and at high risk.
Will: You warned about increased cybersecurity compliance drawing resources away from actual security improvements. Has the wave of compliance directives continued, and how have organizations kept up with new or existing regulations?
Cybersecurity compliance needs expanded in 2025. This increased pressure on organizations to meet a growing set of rules across regions and sectors. The change includes new rules and more enforcement of existing frameworks.
In Europe, the Network and Information Systems 2 (NIS2) Directive extended obligations to more critical sectors. The European Union’s (EU) Digital Operational Resilience Act (DORA) standardized operational resilience requirements across the financial sector. The EU Artificial Intelligence (AI) Act began AI-specific rules, a regulatory innovation. The Cyber Resilience Act (CRA) adds to the EU’s framework, imposing lifecycle security obligations on manufacturers, importers, and distributors of products with digital elements.
India’s Digital Personal Data Protection (DPDP) adds non-EU global compliance challenges.
In the U.S., the Securities and Exchange Commission (SEC) began enforcing its cybersecurity disclosure rules, requiring rapid reporting of material cyber incidents. Government agencies also issued Zero Trust architecture rules, shaping security strategy for organizations that interact with the federal government. The industry expects 2025 Health Insurance Portability and Accountability Act (HIPAA) Security Rule updates to introduce changes in healthcare cybersecurity, even under a Republican government.
U.S. states added distinct digital security laws:
- Delaware Personal Data Privacy Act (often abbreviated similarly to India’s act)
- Iowa Act relating to Consumer Data Protection (Iowa CDPA)
- Maryland Online Data Privacy Act (MODPA)
- Minnesota Consumer Data Privacy Act (MNDPA)
- Nebraska Data Privacy Act (NDPA)
- New Hampshire Act relative to the Expectation of Privacy (NHPA)
- New Jersey Act Concerning Online Services, Consumers, and Personal Data (NJDPA)
- Oregon Consumer Data Privacy Act (OCDPA)
- Tennessee Information Protection Act (TIPA)
Organizations have often approached this by transferring compliance risks out. Some organizations increased budgets for compliance staff, but most outsourced parts of the function to managed security service providers (MSSPs), traditional consultants, and legal advisors to handle overlapping regulations.
Though these efforts help manage growing legal exposure and compliance obligations, they diverted time and resources. For many organizations, maintaining regulatory compliance is the focus of their cybersecurity teams.
Will: Looking at 2025’s security landscape, what AI-powered attacks or defenses have been the biggest surprises?
The 2025 security landscape shows significant developments in AI-powered defense. A key surprise is the blurring line between observability and security, driven by similar AI use. Both functions rely on collecting large amounts of telemetry data, including logs, metrics, traces, and events. AI enables security platforms to consume audits, logs, and global threat intelligence and contextualize it for an organization’s environment. This provides precise threat prediction and less “alert fatigue” for security teams. CrowdStrike’s Falcon XDR uses AI-driven behavioral analysis and cross-domain visibility to show attack paths. Darktrace’s “digital immune system” learns network behaviors to flag anomalies. This is a rich and interesting space that will shape the industry.
Agentic AI shows increasing maturity. These semi-autonomous AI systems execute operations with minimal human input. Their use has led to a reduction in mean time to detect (MTTD) and mean time to respond (MTTR). SentinelOne’s Singularity Extended Detection and Response (XDR) leads this effort with its autonomous response features that isolate devices and roll back systems in relatively straightforward ways.
AI trust, risk, and security management (AI TRiSM) is an emerging area (with the least memorable acronym ever) focused on securing AI systems themselves.
Will: With the escalating tariff conflicts and trade tensions we’ve seen throughout 2025, how has this geopolitical friction amplified or complicated the supply chain security risks you anticipated?
Geopolitical friction forces organizations to diversify supply chains. International tensions promote the development of parallel or segmented technology ecosystems. This creates complexity in managing multiple, potentially incompatible systems and security frameworks. It also hinders global threat intelligence sharing.
Nation-states interfere in each other’s supply chains. They use cyber capabilities as a statecraft tool, for example, disrupting global positioning systems (GPS). Additionally, governments impose export controls on advanced cybersecurity technologies. This can leave organizations in restricted regions vulnerable and complicate the deployment of consistent global security architectures.
Will: If you were writing predictions for 2026 right now, what would be your boldest prediction based on what you’ve observed in the first half of 2025?
Observability platforms might replace traditional security information and event management (SIEM) tools.
Cybersecurity faces a shift by 2026 as “security observability” platforms emerge, challenging traditional SIEM tools. Major observability vendors may absorb or replace security monitoring tools through acquisitions and expanded offerings.
The convergence of observability and security is accelerating. Organizations increasingly rely on platforms such as Datadog, Splunk, Dynatrace, Elastic, Sumo Logic, and New Relic. These platforms manage large volumes of operational data and are now also handling security observability. They use AI to apply security analytics to this data, reducing the need for separate security infrastructure.
This trend signals declining relevance for standalone SIEMs. It pressures security vendors, especially those lacking data and analytics capabilities, to adapt or consolidate. Security tools often operate in silos, with distinct teams and formats, despite analyzing overlapping data sets with observability platforms.
The lines between operational monitoring and threat detection are blurring. Observability platforms, originally for application performance and infrastructure health, now handle use cases traditionally served by security tools. These include threat detection and incident response.
Increased mergers and acquisitions are anticipated as observability vendors grow. They will acquire specialized security analytics firms or build security features natively.