High-severity incidents at a minimum: Kaspersky experts reveal a steady decline over the years

25 March 2026

According to the ‘Anatomy of a Cyber World: Global Report by Kaspersky Security Services’, there has been a noticeable decline in the percentage of high-severity incidents over the past few years. While 2021 recorded the highest proportion at 14.3%, 2025 experienced the lowest in six years at just 3.8%. This trend indicates that many attack attempts were quickly detected and effectively mitigated by Kaspersky MDR experts, preventing their severity from escalating beyond medium levels.

High-severity incidents are defined as attacks involving direct human involvement that result in a significant impact on the customer's IT infrastructure. In 2025, the number of such incidents detected by Kaspersky MDR decreased by 19% compared to 2024, highlighting improvements in early detection capabilities and more effective remediation efforts among Kaspersky MDR clients.

A detailed analysis of the root causes of these incidents in 2025 reveals the following insights:

Human-driven attacks accounted for approximately 23% of high-severity incidents. Although this represents a slight decrease from 2024, they continue to be the primary cause of serious breaches. Kaspersky detected such attacks in nearly 21% of customers, demonstrating that motivated adversaries persist in bypassing automated defenses. Despite advancements in automated detection tools, these highly skilled attackers still find ways to evade security measures.

Confirmed cyber exercises like Red Teaming made up over 23% of incidents. When activity is verified as part of security testing, it’s often classified as infrastructure false positives. However, customers frequently request that these activities be reported as incidents in order to monitor MDR efficiency.

Social engineering ranked third, responsible for over 15% of high-severity attacks and affecting nearly 18% of organizations. These are classified as high-severity when successful and not automatically remediated, often leading to security awareness recommendations.

Malware incidents represented less than 12%, while artifacts from past human-driven attacks, or APT traces, were found in over 7% of cases. Vulnerability detection, though not a core focus for Kaspersky MDR, was reported in fewer than 5% of incidents.

"The decline in high-severity incidents highlights the critical importance of adopting a proactive cybersecurity strategy. Human-led solutions such as Managed Detection and Response (MDR) and Incident Response remain essential in combating sophisticated, human-driven threats. To further enhance the effectiveness and efficiency of in-house security teams, organizations should incorporate advanced, automated solutions like Extended Detection and Response (XDR), which provide improved visibility and enable faster responses. Additionally, leveraging SOC consulting services can assist in building a robust Security Operations Center from the ground up or optimizing an existing one for maximum performance. An integrated approach to hybrid security operations empowers organizations to detect threats early, contain them swiftly, and ultimately prevent severe breaches from occurring," comments Sergey Soldatov, Head of Security Operations at Kaspersky.

To counter human-driven attacks, Kaspersky experts recommend the following:

· Augment your existing security controls with human-led detection and global threat intelligence through solutions like Kaspersky Managed Detection and Response (MDR), an expert-led service offering 24/7 monitoring, detection, investigation and rapid response to sophisticated cyberattacks.

· Receive comprehensive and detailed analysis of security incidents with Kaspersky Incident Response. This service covers the entire investigation and response process, including initial containment, evidence collection, identification of the primary attack vector and development of an effective mitigation plan.

· Align your internal processes and technologies with today’s evolving threat landscape through Kaspersky SOC Consulting. This service helps you build an in-house SOC from scratch, assess the maturity of an existing SOC or enhance specific capabilities such as detection and response procedures.

· Use centralized and automated solutions such as Kaspersky Next XDR Expert to enable comprehensive protection of all your assets. By aggregating and correlating data from multiple sources in one place and using machine-learning technologies, this solution provides effective threat detection and fast automated response.

To learn more about attacker tactics and techniques, the characteristics of detected incidents and their distribution across regions and industry sectors, read the full report.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
