“The threat landscape is evolving” is one of those vendor-marketing phrases that says everything and nothing. It’s true the way “the weather is changing” is true. The actual question is which changes matter, which are vendor narratives optimized to sell the next product, and which require real shifts in how organizations defend themselves. Anyone making security decisions needs a framework for telling those apart.
Most threat-landscape claims fall into one of three buckets, and most security budgets get spent in the wrong one.
Real shifts deserve real responses
Some changes genuinely require new defenses. The shift from on-premises infrastructure to cloud and SaaS broke perimeter-based security models. Identity became the new perimeter, and organizations that didn’t move to identity-centric controls left obvious holes. The rise of supply-chain attacks like SolarWinds shifted attention from your own code to your dependencies. The maturation of ransomware-as-a-service made the economics of attack accessible to less skilled adversaries, which changed who you needed to defend against.
These are structural changes that warrant strategic responses. Identity governance, software bill of materials, third-party risk programs, and ransomware-specific incident response are reasonable investments because they map to durable changes in how attacks work, not the fashion of any given quarter.
Most “novel” threats are old ones rebranded
Vendors thrive on novelty. Every quarter brings a new threat actor name, a new attack technique acronym, a new category of product to address it. Strip the marketing away and most “novel” threats are variations on social engineering, credential theft, lateral movement, and exfiltration. The TTPs evolve at the margin. The fundamentals are remarkably stable across decades.
That stability matters because it means the controls that worked five years ago mostly still work. MFA, least privilege, network segmentation, patching, logging, and backups would prevent the majority of incidents that make headlines. Organizations chasing the latest acronym while skipping these fundamentals are buying paint for a house with no foundation.
The signal worth tracking
A few changes are worth watching closely. AI-assisted phishing has dramatically lowered the cost of producing convincing social engineering at scale, which means user training that depended on grammatical errors and tonal weirdness is increasingly obsolete. Living-off-the-land techniques, where attackers use legitimate admin tools rather than custom malware, are harder for traditional endpoint detection to catch.
Cloud misconfiguration remains a persistent leading cause of breaches because the configuration surface is huge and changes constantly. Identity-based attacks, including OAuth abuse and consent phishing, exploit the trust model of modern SaaS rather than any specific software vulnerability.
These deserve attention not because they’re new but because they’re persistent and the existing toolkit is partially mismatched.
The takeaway
The threat landscape does change, and treating it as static is foolish. But the change is mostly continuous and mostly at the margins. Most security spending should still go toward the unsexy fundamentals: identity, patching, logging, segmentation, backups, and incident response. The novel threats matter, but they matter less than the well-understood ones that organizations keep failing to address. Don’t let the marketing budget rearrange your priorities for you.