Arming the Defenders: A SOTI Report for Those Who Protect the Enterprise
Hats off to the defenders. First-line cybersecurity defenders must simultaneously monitor emerging threats, master new defensive technologies, absorb constant research updates, and recognize old threats in new forms — all while maintaining 24/7 vigilance over an organization's digital assets. Fulfilling that mission requires a clear-eyed view of today’s rapidly evolving threat landscape, together with an understanding of the latest practices for countering those threats.
And the stakes are high: The half-life of a professional skill is estimated to be just five years — and it's even shorter for technical skills in cybersecurity. Without continuous learning, cybersecurity professionals can become less effective in as little as three months.
That’s what this year’s first State of the Internet (SOTI) report — Defenders’ Guide 2025 — is all about. The report deviates from our usual SOTI format by going beyond the trends to provide actionable insights from security experts who battle cyberthreats every day. The goal is simple: To arm you with the real-world strategies you need to safeguard your systems in today’s increasingly complex digital landscape.
This one is for the defenders
The content in this SOTI is unique, based on new, original Akamai research. The format is also fresh, reflecting a security-in-depth framework that focuses on three key areas: risk management, network architecture, and host security. Each section is packed with proactive measures to improve your threat readiness through a research-driven cybersecurity strategy.
You can download the full Defenders’ Guide 2025 now to get the deep dive. In the meantime, here are some highlights.
Risk management
Risk scoring methodology
The report outlines a new risk scoring methodology developed by Akamai researchers that was designed to quantify both internal and external risks. The methodology is the result of extensive analysis of endpoint exposure and other factors, and it addresses the challenges of risk register creation and quantification.
It calculates the likelihood of compromise for externally exposed assets and the probability of lateral movement across internal assets. The resulting security score is invaluable for planning mitigation strategies such as endpoint security and microsegmentation rules.
Metamorphosis of malware
The report also provides a fresh look at the metamorphosis of malware, including a detailed analysis of sophisticated botnet families such as NoaBot, FritzFrog, and RedTail. Our researchers identified common vulnerabilities and modern attack capabilities, from peer-to-peer architectures and fileless malware to cryptomining techniques used to generate cryptocurrency ransoms.
Based on this evidence, the report includes information on botnet detection tools and practical mitigation strategies, including network segmentation, comprehensive patch management, regular backups, and ongoing employee cybersecurity training.
Network architecture
VPN abuse
The report includes new research on VPN abuse, an especially hot topic given the recent increases in this activity. The report explores how VPN appliances have emerged as a key architectural vulnerability ripe for exploitation. A detailed analysis of how attackers crack open and abuse VPNs provides a clear understanding of the increasingly sophisticated techniques in play. Key vulnerabilities include:
Authentication bypasses
Remote code execution flaws
Extraction of configuration data
Default configurations and hard-coded encryption keys
The report examines mitigation strategies, including monitoring VPN configuration changes, limiting service account permissions, using dedicated identities for VPN authentication, and employing Zero Trust Network Access principles.
Cross-site scripting
Cross-site scripting (XSS) remains a major threat to web applications. This SOTI report examines this class of JavaScript injection attacks based on a detailed technical analysis of real-world XSS attacks in 2024. Our research identified sophisticated exploitation techniques, including remote resource injection, cookie stealing, website defacement, and session riding attacks. Although more than 98% of remote JavaScript references were legitimate, the remaining percentage represented a variety of attack vectors.
Our findings underscore the need for multilayered defensive measures — including vulnerability scanning, web application firewalls, and proper encoding of user-controlled parameters — to address increasingly sophisticated XSS attack techniques.
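The "proper encoding of user-controlled parameters" point above is the one most directly under a developer's control, so here is an added example of what it means in practice. This is illustrative code written for this post, not code from the Akamai report: a hypothetical search page renders a query parameter into HTML once without encoding and once through a small HTML encoder, and a checker function makes the difference observable. The sample parameter value is a constructed one that mimics the remote JavaScript references the research describes.

```javascript
// Added example (not from the Akamai report): output encoding of a
// user-controlled parameter before it is placed into an HTML text node.

// Encode the five characters that can change HTML structure or break out
// of a quoted attribute value. Apply this at the point of output, not at
// input, so the stored value stays intact and every sink is covered.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the user-controlled search term is concatenated
// straight into markup, so any tags it carries become part of the page.
function renderUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened pattern: same template, but the parameter is encoded first, so
// the browser displays the characters instead of interpreting them.
function renderSafe(term) {
  return `<p>Results for: ${encodeForHtml(term)}</p>`;
}

// Crude detector used only to make the difference testable: does the
// rendered markup contain any opening tag other than the template's own <p>?
function containsForeignTag(html) {
  return /<(?!\/?p>)[a-z]/i.test(html);
}

// Constructed sample input: a parameter value carrying a remote script
// reference, the kind of payload a reflected XSS attempt would supply.
// The host name is a placeholder, not a real domain.
const SAMPLE_TERM = '<script src="https://example.invalid/x.js"></script>';

// Stand-alone usage: show both renderings side by side.
console.log("unsafe:", renderUnsafe(SAMPLE_TERM));
console.log("safe:  ", renderSafe(SAMPLE_TERM));
console.log("foreign tag in unsafe output:", containsForeignTag(renderUnsafe(SAMPLE_TERM)));
console.log("foreign tag in safe output:  ", containsForeignTag(renderSafe(SAMPLE_TERM)));
```

Run it with Node and the unsafe rendering contains a live `<script>` element while the safe one contains only the literal text. The encoder shown is correct for an HTML text node or a quoted attribute value; a parameter that lands inside a JavaScript block, a URL, or a CSS value needs the encoding rules of that context instead, which is why the report pairs encoding with scanning and a web application firewall rather than relying on any single layer.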
Host security
Kubernetes
While container platforms like Kubernetes offer tremendous flexibility, they also present novel security challenges. Our researchers took a close look at Kubernetes and found no fewer than six Common Vulnerabilities and Exposures (CVEs) that allow for command injection attacks that could lead to complete takeover of the Kubernetes cluster. The research team also identified a design flaw in the git-sync sidecar project that can allow for sensitive data exfiltration or persistent execution.
To mitigate these threats, the report recommends implementing comprehensive security policies, including Pod Security Policies, network policies, and runtime security measures. Additional mitigation strategies involve role-based access control, threat hunting techniques, and using tools like Open Policy Agent for policy-based actions. Our research underscores the importance of regular patching and maintaining vigilance against emerging threats in Kubernetes environments.
Equipping the defenders
Based on cutting-edge research from hundreds of Akamai cybersecurity experts, the SOTI Defenders’ Guide 2025 report provides an in-depth view of current cyberthreats, together with actionable steps to safeguard systems from today’s fire hose of attacks by combining proactive steps with improved reactive response.
The comedian W.C. Fields once quipped, “I don't have to attend every argument I'm invited to.” Likewise, taking a security-in-depth approach that encompasses risk management, network architecture, and host security can allow today’s defenders to choose not to participate in “arguments” with the proliferating horde of threat actors.
Learn more
This is a SOTI report unlike any other. Download Defenders’ Guide 2025 now and get the full story.