Oasis Security 2025 Predictions
Danny Brickman, CEO and Co-Founder, Oasis Security
Prediction #1: Compliance Requirements Will Drive Non-Human Identity Management in Highly-Regulated Industries
While every organization requires a solution to manage and secure its non-human identities (NHIs), in highly-regulated industries, the need for a dedicated NHI management solution is paramount. Financial institutions, for example, have access to vast amounts of sensitive data, and as such are highly regulated and frequently audited.
Payment Card Industry Data Security Standard (PCI DSS) 4.0 is rapidly approaching, and the revised guidelines place significant emphasis on managing NHIs, particularly system and application accounts with elevated privileges. With this, financial institutions will face increased scrutiny from auditors regarding the robustness of their NHI management practices. PCI DSS 4.0 requirements such as Requirement 7 (restricting access based on business needs and least privilege) and Requirement 8.6 (managing accounts with interactive login capabilities) highlight the need for comprehensive strategies to manage NHIs effectively.
As NHIs proliferate, financial institutions risk security breaches and regulatory penalties if they fail to adopt a robust strategy for NHI management. Organizations must begin addressing these challenges now, especially with mandatory PCI DSS 4.0 compliance coming in 2025, to ensure they meet evolving compliance standards and enhance their security posture.
Prediction #2: AI Adoption Will Lead to More Non-Human Identity Risk
AI adoption is creating new challenges when it comes to non-human identity management and security. A growing trend, termed “LLMJacking,” involves threat actors targeting machine identities with access to Large Language Models (LLMs), and either abusing this access themselves, or selling it to third parties. This threat will escalate in the year ahead, amplifying the need for robust non-human identity security measures.
Prediction #3: In 2025, Cybersecurity Personnel Will Need A Hybrid Skill Set
The cybersecurity field will increasingly demand professionals who combine technical expertise with a strong understanding of business objectives. As the threat landscape grows more complex, organizations will prioritize candidates with a hybrid skill set—deep cybersecurity knowledge paired with expertise in risk management and regulatory compliance. This shift will be driven by the need for cybersecurity to be seamlessly integrated into broader enterprise strategies, shifting away from a siloed approach to one that aligns directly with overall business goals.
YouMail 2025 Predictions
Alex Quilici, CEO, YouMail
Prediction #1: Personalized Extortion Scams Will Become a Growing Threat
The rise of personalized extortion scams, where cybercriminals research their victims using publicly available information, will redefine social engineering attacks. These schemes will use family names, relationships, or past events to create tailored threats, such as claims of unpaid debts or fabricated legal issues, pressuring victims into immediate payment via cryptocurrency. As cybercriminals adopt increasingly sophisticated techniques to exploit personal data, individuals and organizations must strengthen digital hygiene and educate themselves on recognizing and responding to these high-pressure, emotionally charged scams.
Prediction #2: Holiday Shopping Scams Will Reach New Levels of Sophistication
Cybercriminals will increasingly exploit the holiday shopping frenzy with highly targeted scams such as fake package delivery notifications, fraudulent order confirmations, and phishing texts claiming missed deliveries. These attacks will leverage advanced personalization tactics, using data from past breaches to craft convincing messages that reference real orders, family members, or known shopping habits. Consumers can expect a surge in fake text messages mimicking major retailers, creating a heightened need for vigilance and education on identifying these threats.
Prediction #3: Package Delivery Scams Will Dominate the Festive Season
Package delivery scams will become one of the most prevalent holiday threats, capitalizing on the surge of online shopping during the festive season. Cybercriminals will flood consumers with fake notifications about undelivered packages, tracking updates, and shipping delays, using trusted brands like UPS, FedEx, and USPS to lure victims into clicking malicious links. These scams will not only target financial information but also aim to harvest personal data for future attacks, highlighting the need for heightened consumer awareness and robust security practices during peak shopping periods.
Bugcrowd 2025 Predictions
Casey Ellis, Founder and Advisor, Bugcrowd
Prediction #1: Peacetime cyber vs. wartime cyber
In 10 years, we’ll likely look back on this season as a defining period. As global tensions continue to escalate and cyber makes itself obvious as a theater of modern warfare, the operating assumptions of cyber defenders will need to change. The true value of solutions and strategies developed during a period of relative “peace” will be challenged.
Prediction #2: Nation-state actors diversify and continue to get more aggressive
As global alliances continue to evolve, generative AI and technique-sharing accelerate time-to-effectiveness, and the “spectrum of attribution” broadens, attribution will become more of a challenge. Attackers, aware of this phenomenon, will be emboldened and the trend towards effectiveness over stealth that we’ve seen globally over the past 5 years will accelerate. I’m interested in the role of grass-roots Civil Cyber Offense activities, such as the IT Cyber Army.
Prediction #3: Hardware and IoT back in the spotlight
As nation-state threat actors continue to build and maintain their Operational Relay Boxes (ORBs) and as the IAB business model continues to proliferate, targeting of hardware in the form of IoT and edge-access devices will increase pressure on vendors of these products to fix vulnerabilities quickly, and to avoid their introduction in the first place.
Prediction #4: AI security and safety begins to hit its stride
As the hype dies down and the real-world use cases of generative AI start to form, I expect the overall field of AI security and safety to mature significantly in 2025, addressing AI as a target, tool, and threat.
Prediction #5: Secure by Design, Secure by Default
Ground-up cyber resilience initiatives like Secure by Design and Secure by Default will gain traction with product vendors, especially as the increase in malicious activity causes pressure from vendors to deliver clear evidence of good cyber-hygiene to their customers.
Prediction #6: The wisdom of the crowd
The intelligence of the global hacker community will continue to bridge the gap between defenders, their attack surface, and the creativity and persistence of the adversary. This will manifest in increased adoption of vulnerability disclosure programs, a return to the practical return-focused value of public and private bug bounty programs, and the expansion of community-driven threat intelligence and disruption.
Dave Gerry, CEO, Bugcrowd
Prediction #1: Vendor consolidation will increase
In 2025, security vendor consolidation will accelerate in earnest. The operational inefficiencies that come with a fragmented security stack are hurting under-resourced security teams. Consolidating vendors reduces complexity and improves risk posture overall.
Prediction #2: The importance of supply chain security
Supply chain security will rise in prioritization and prominence in the upcoming year. The security ecosystem is only as strong as its weakest link, and vulnerabilities within the supply chain can create huge ripple effects across the business.
Prediction #3: Lack of resources for qualified security talent
Small and mid-size businesses will continue to experience limitations on hiring qualified security talent due to lack of resources. I predict these teams will turn towards crowdsourcing security talent for offensive testing in order to fill these gaps in a scalable way.
Prediction #4: CISO and CTO partnership will grow in closeness and importance in 2025
Increased CISO involvement in AI safety and security—CISOs will own AI safety and security strategies in 2025. With the widespread adoption of AI systems, CISOs will be expected to defend and secure this new attack surface. CISOs must ensure that AI models are mapped out and mitigated properly.
Julian Brownlow Davies, VP, Advanced Services, Bugcrowd
Prediction #1: Proliferation of deepfake technologies powered social engineering attacks
Criminals will harness advanced deepfake technology to create highly convincing fake audio and video messages from trusted individuals or organizations. These deepfakes will be used in spear-phishing campaigns and fraud schemes, making it increasingly difficult for individuals and businesses to distinguish genuine communications from malicious ones. This will lead to a surge in investment in deepfake detection technologies and stricter verification protocols.
Prediction #2: Quantum computing begins to threaten current encryption standards
Advances in quantum computing will reach a point where they start to pose a legitimate threat to traditional encryption methods. While not yet powerful enough to break all encryption, these developments will accelerate efforts to adopt quantum-resistant cryptographic algorithms. Governments and large enterprises will begin transitioning to new encryption standards to future-proof their data security.
Prediction #3: Integration of crowdsourced security into SDLC
Companies will utilize platforms like Bugcrowd to perform continuous penetration testing and vulnerability assessments during development and after deployment. This shift will help in early detection of flaws, reducing the cost and impact of security issues, and promoting a proactive security culture.
Prediction #4: Integration of AI with human expertise in pentesting approaches
While AI will handle routine and large-scale vulnerability scanning, human expertise will remain crucial for interpreting results and identifying nuanced or context-specific security issues. A collaborative approach will emerge where AI handles the heavy lifting of data analysis, and human pentesters focus on strategic thinking and creative attack vectors. This synergy will enhance the overall effectiveness of penetration testing efforts.
Prediction #5: Rise of continuous red team as a service offerings
As organizations look to continuous exposure management, ongoing or continual simulated attacks become increasingly important to provide real-time feedback to organizations on the evolving threat actor TTPs that they are vulnerable to.
Nick McKenzie, Chief Information and Security Officer, Bugcrowd
Prediction #1: AI security liability and accountability will be in question
Organizations will continue to focus on securing all forms of AI against security vulnerabilities, bias, and data privacy issues. However, as organizations evolve, develop, and roll out agentic AI inline with core business processes (meaning that AI can make and act on its own informed business decisions autonomously), we’ll see more liability and accountability events publicly surface when ‘bad AI’ calls are made.
Prediction #2: Perimeter connectivity devices will be an exploited hotspot
2024 was all about vulnerabilities and exploits on numerous perimeter (edge) connectivity devices. We will see this continue into 2025 as a vector, compounded further by multinational government/agency backed broadcasts and directives on their use.
Prediction #3: Third party risk management (TPRM) processes need to be more robust
Threat actors (and hacks) will still continue to focus entry vectors via supply chain avenues. Security and third party assurance teams in turn will be more under the pump to show improvements and increased vigilance in ongoing assurance testing methods in order to get deeper insights into supply chain “health.” With suppliers also now leveraging AI, TPRM processes themselves will require a whole new uplift to assess this area more deeply. This will be crucial for organizations to keep up with supply chain attacks.
Prediction #4: Investment budgets will decrease in “security mature” organizations for generic cyber asks
New security investment uplift budgets will start tapering off from previous years for pure-play control or capability asks. Accountability spotlights will shine brighter on CISOs, with ROI expectations to do more with what you have and to consolidate security product sets. For any new investment requests, justification now needs to be strongly tied to compliance, business revenue, or customer enablement objectives.