
Disclaimer: All views presented here, in this newsletter, are my own.

Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.

M. Yousuf Faisal

Hi Friends,

Hope you are doing well.

Welcome to the Q4 2025 wrap-up. Q4 2025 has been a defining period for the cybersecurity industry, marked by record-shattering "mega-deals," a ruthless surge in manufacturing-targeted ransomware, and a regulatory landscape that is finally putting teeth behind its mandates.

Below are some key IT, OT, AI - Cybersecurity insights from Q4 2025 related to:

  • ✍️ Cybersecurity M&As, fundings, and Start-ups.

  • ‼️ Cyber Incidents, Ransomware Attacks & Data breaches.

  • 📘 Notable Updates - Guidance, Standards & Regulations!

  • 📘 Artificial Intelligence (AI), Guidance & Regulations.

  • ↪️ How the CISO’s role is evolving in Q4 2025.

  • ↪️ References used.

Hop on to the section that interests you most.

Why read this?

A lot has happened in Q4 2025. Consider this a condensed summary of some key events across the security industry.

If you're seeking insights on any of the above topics, I hope you'll find some valuable information that can shorten your search quest.

In case you missed previous quarterly updates for 2025 you can find them here:

Q3 2025 | Q2 2025 | and Q1 2025.


Ready? Let’s dig in.

Yours truly.

— Yousuf.



Securing Things Sentinel Report: Q4 2025 Edition

~ Your specialized brief on the shifting sands of IT, OT, and AI cyber security. ~

Q4 2025 closed a record‑setting year for cybersecurity:

  • M&A volume remained intense even as investors concentrated capital into fewer, larger AI‑centric security bets;

  • ransomware reached a new global peak with industrials and mid‑market manufacturing in the crosshairs; and

  • regulators moved from high‑level principles to operational guidance on both classical cybersecurity (NIS2, NIST SP 800‑172) and AI risk (EU AI Act milestones, NIST’s Cyber AI Profile, India’s AI Governance Guidelines, a new U.S. AI Executive Order).

For CISOs, 2025 was an inflection point:

The role expanded beyond cybersecurity into resilience, AI governance, and enterprise risk stewardship — yet surveys and commentary highlight rising burnout, personal liability concerns, and a need to reset governance so that accountability matches authority.

Cybersecurity Fundings, Start-ups and M&As

Funding Overview

According to Pinpoint Search Group's Q4 2025 Cybersecurity Vendor Transaction Report, a total of 127 cybersecurity funding and mergers & acquisitions (M&A) transactions were recorded, including 13 M&A events. A total of $4.6 billion was raised across the 112 funding rounds tracked.

Cybersecurity investments/fundings surged by 171% in Q4 2025 compared to Q4 2024 — a strong sign of market confidence and acceleration in innovation.

In Q4 2025, cybersecurity investment saw its second consecutive quarter of year-over-year growth, indicating a focus on early-stage innovation and platform consolidation.

Early-stage funding (Seed, Series A) represents 63% of all Q4 2025 funding rounds recorded. 112 funding rounds were tracked in Q4 2025, compared to 56 in Q4 2024.

Ten funding rounds of more than $100M were recorded in Q4 2025, accounting for 57% of all funding in the period.

In 2025 security vendors raised $13.97 Billion, a 47% increase over 2024.

M&A Activity & Strategic Movement

The "Platformization" era reached its zenith in Q4 2025, as strategic buyers spent billions to build all-in-one security suites.

The quarter’s 13 M&A events included some of the year’s most notable transactions:

  • Google's Historic Play: The DOJ cleared Google’s $32 billion acquisition of Wiz in November, the largest cybersecurity deal in history. This move positions Google Cloud to dominate the Cloud Native Application Protection Platform (CNAPP) market.

  • Identity is the New Perimeter: Palo Alto Networks closed its $25 billion acquisition of CyberArk, signaling that identity management is now a core strategic pillar for XDR platforms.

  • Palo Alto Networks acquired Chronosphere for $3.35B, gaining cloud-observability muscle to supercharge SecOps.

  • ServiceNow acquired Armis for $7.75B, moving deeper into the OT/IoT asset management space. Massive bet on asset intelligence across IT, OT, and medical devices — perfect for exposure management in hybrid environments.

  • ServiceNow also acquired Veza for $1B, a move in the identity space as well.

  • Veeam acquired Securiti AI for $1.725B; merging data backup with Data Security Posture Management (DSPM).

  • Francisco Partners acquired Jamf for $2.2B; Apple/enterprise device security consolidation.

  • Venture Rebound: Total cybersecurity funding for 2025 hit $13.97 billion, a 47% increase from 2024, with a heavy focus on "Agentic AI" security and autonomous SOC capabilities.

  • Also, in another major move, Netskope (SASE) filed for an IPO for an undisclosed amount. Here’s a deep dive into Netskope's past, present, and future as a public company, a great piece written by Cole Grolmus, Francis Odum & CJ Gustafson.

These deals highlight a drive towards consolidation in platforms, focusing on AI-driven risk scoring, observability, and vertical specialization. AI remains central in M&A and GTM discussions.

Market Insights

Despite rising total investment, security budgets remained under pressure.

An IANS Research survey shows cybersecurity budget growth rates at a five-year low, with median increases dropping to 4.5% in 2025. (eSecurity Planet).

The gap between slowing budget growth and rising total spend indicates a focus on fewer vendors, with CISOs prioritizing platform consolidation and ROI.

Global cybersecurity spending is projected to reach $213 billion in 2025, driven by compliance, insurance, and operational needs. (Security Boulevard).

A Tenable + ESG study shows security leaders are re-evaluating risk priorities and vendor strategies, emphasizing measurable controls and reducing tool overlap. (Security Boulevard).

Meanwhile, cybersecurity risk has surged to the top of the boardroom agenda with a global survey of business leaders ranking cyber risk as the #1 threat to their organization in 2025 (CySecurity News).

Here’s another interesting summary on Cybersecurity Market Review Q4 2025 by Altitude Cyber.

Source: Altitude Cyber - Cybersecurity Market Review Q4 2025

Deal volume: high activity, disciplined pacing

Solganick’s Q4 2025 M&A update reports 105 cybersecurity M&A transactions in the quarter, down slightly from 111 in Q3 2025 and 123 in Q4 2024, but still historically elevated.

The firm notes that October opened strong while November and December moderated, suggesting buyers began to prioritize integration and pricing discipline after a year of blockbuster deals.

Momentum Cyber’s 2025 year‑end report characterizes 2025 as a “record‑breaking” year with $102 billion in total cybersecurity deal value and eight transactions above the $1 billion mark, underscoring that the slight Q4 deceleration came off an exceptionally high base.

Platform consolidation and AI security as core theses

Across 2025, strategic buyers clustered around a few themes: identity, cloud and data security, and AI‑centric platforms.

A Windsor Drake M&A round‑up shows hyperscalers and large security vendors pursuing platform consolidation:

  • Google’s $32 billion acquisition of Wiz for cloud and AI security;

  • Palo Alto Networks’ $25 billion CyberArk acquisition plus deals for Protect AI and Talon;

  • CrowdStrike, SentinelOne, Zscaler, Check Point and F5 each adding AI‑driven detection, ASPM, MDR, and LLM protection capabilities.

Solganick’s Q4 deal list reinforces this pattern at the mid‑market.

For OT practitioners, ServiceNow–Armis and LevelBlue–Cybereason signal that major platforms are leaning into industrial visibility, EDR/XDR and telemetry across converged IT/OT estates, not just IT endpoints.

Venture funding: fewer bets, larger AI‑native rounds

Security Innovation Lab’s Q4 2025 roll‑up estimates $14 billion invested into “security‑relevant” startups globally in Q4 2025, spanning cybersecurity, identity, secure AI infrastructure, counter‑UAS, and defense‑adjacent systems.

The authors emphasize that late‑stage and growth rounds accounted for the largest share, with investors favouring companies already showing revenue or government traction, especially where AI‑native telemetry, detection at scale, or defense autonomy are central.

European data from Axeleo Capital’s Q4 2025 Cybersecurity Index shows a similar pattern: the region logged €443 million across 43 deals, more than doubling Q3’s €216 million and far exceeding the €176 million raised in Q4 2024, driven by a surge in late‑stage rounds such as Exein’s €100 million and Feedzai’s €70 million raises.

Early‑stage still dominates deal count (58 percent of transactions were pre‑seed or seed), but its share dropped from 64 percent in Q3, indicating a tilt toward scaling proven platforms rather than seeding many small experiments.

Pinpoint Search Group’s October 2025 snapshot adds color: 48 total transactions and $1.3 billion raised, a 115 percent increase over October 2024, with 65 percent of rounds at seed or Series A and several nine‑figure financings.

Notably, AI/LLM‑security, GRC, fraud detection, and identity providers (e.g., Skyld, Matters.AI, Polygraf AI, CyberCube) attracted meaningful early‑stage capital, showing how AI‑driven risk measurement, exposure management, and data protection became core funding themes by Q4.

Funding snapshot: Q4 VC hit $5B (highest quarterly since Q2 2022), pushing the full-year total to $16.5B across 868 deals. Capital concentrated in late-stage/growth rounds. AI-native startups captured 50.5% of global cyber VC deals.

Big cheques went to identity-for-AI-agents (Saviynt $700M), data security (Cyera), and OT/IoT platforms.

stiennon.substack.com | Momentum Cyber's Almanac - by Richard Stiennon

Strategic implications for CISOs and OT leaders

Platform consolidation around XDR, identity, and AI‑assisted operations means vendor ecosystems may shrink a bit while suite capabilities expand; this simplifies procurement but raises concentration and supply‑chain risk.

The capital shift toward AI‑native security and industrial telemetry startups suggests that future‑ready security architectures will lean heavily on high‑volume data ingestion, graph‑based risk modeling, and AI‑assisted detection spanning IT, OT, and physical domains.

Mega-deals defined the full year (Google/Wiz cloud security, Palo Alto/CyberArk identity, etc.), signaling a two-tier market: scaled platforms gobble capabilities while PE rolls up services.

What’s coming? What it means for you:

Buyers win scale; sellers with strong ARR, AI differentiation, or OT visibility command premium multiples (e.g., IAM at 16.4x, threat intel lower).

  • Expect more “platform + bolt-on” plays in 2026 — especially anything touching AI agents, cloud data, or converged IT/OT.

  • Action step: If you’re a start-up, double-down on measurable ROI and agentic-AI readiness. If you’re an enterprise buyer, map your roadmap to these consolidation waves before your vendors get acquired.

Beyond 2025, cybersecurity companies are expected to receive more funding than in recent years, especially those that are just starting out and have strong teams, as well as those that help save costs or use AI effectively.

Cyber Incidents, Ransomware Attacks & Data breaches

Q4 2025: ransomware’s "golden quarter"

Multiple threat‑intelligence sources characterize Q4 2025 as the most active and volatile quarter of the year for ransomware, with attackers exploiting end-of-year staffing gaps and holiday production pressures. Significant, high-profile cyber incidents, ransomware attacks and data breaches (double extortion, supply-chain amplification, and data-only leaks with no encryption needed) continued to rise throughout the quarter, with some major attacks and incidents causing business and supply-chain disruptions and underscoring the ongoing cybersecurity challenges faced by organizations across multiple industry sectors.

Victim profile: mid‑market, industrials, and public services

NordStellar’s breakdown shows small and mid‑sized businesses with 51–200 employees and $5–25 million in revenue as prime ransomware targets, especially in general manufacturing, machinery and electronics, and U.S. SMBs relying on third‑party IT providers.

NordStellar’s annual ransomware analysis reports 9,251 ransomware cases recorded on dark‑web leak sites in 2025, up 45 percent from 6,395 in 2024, with incident volume peaking in Q4; December alone saw 1,004 incidents, the highest monthly count in two years.

Cyble and NCC highlight that construction, professional services, manufacturing and IT services are consistently among the most attacked sectors, with industrials leading October’s sector‑wise counts.

Ransomware didn’t slow—it accelerated. Cyble’s Q4 2025 review tallies 2,018 claimed ransomware attacks in the quarter—roughly 673 per month — more than 30 percent above the average pace during the first nine months of 2025 and maintaining that elevated rate into January 2026.

cyble.com - Ransomware Groups Surge in Q4 2025 – Cyble Insights

December was especially brutal. GuidePoint Security called 2025 the most active year on record, with Q4 victim counts hitting multi-year highs.

NCC Group’s October 2025 Threat Pulse marks the start of this "golden quarter," noting a 41 percent month‑on‑month jump in October to 594 ransomware attacks, with Qilin responsible for 29 percent of activity and industrials the most targeted sector at 28 percent of cases.

Ransomware Peak: 2025 saw a very high number of recorded ransomware / digital-extortion incident cases globally, a 45% jump from 2024 (ZeroFox observed ~1,429 incidents in Q4, a slight increase from Q2).

The pattern: continuing double extortion and targeted disruption of operations. December alone set a two-year record with over 1,000 incidents in a single month.

Across these datasets, Qilin emerges as a leading ransomware‑as‑a‑service operator, with activity more than doubling between Q3 and Q4 and focusing heavily on industrial organizations, while groups such as Akira and a resurgent Cl0p remain highly active.

Healthcare, manufacturing, and retail remained prime targets. Verizon’s 2025 DBIR (reflecting broader 2025 trends) showed ransomware in 44% of analyzed breaches — a notable rise.

High‑impact incidents and supply‑chain exposures in Q4 2025

CSIS’ timeline of significant cyber incidents highlights several November 2025 events with systemic implications: a ShinyHunters‑linked intrusion where attackers abused Gainsight OAuth integrations to access data from over 200 Salesforce customers; a ransomware attack on OnSolve’s CodeRED emergency alert system that disrupted public warning capabilities across multiple U.S. states; and politically motivated DDoS campaigns by NoName057 against Belgian telecom, health, and defense websites.

Also in November, an unidentified threat actor breached the U.S. Congressional Budget Office, raising concerns over cyber‑enabled surveillance of legislative deliberations.

PKWARE’s 2025 breach round‑up notes incidents such as a ransomware‑driven breach at pharma company Inotiv and a major municipal ransomware attack that forced a U.S. city to declare a state of emergency and mobilize National Guard cyber units — illustrating how 2025 blurred the line between "IT incidents" and national‑security‑relevant events.

Cyber Management Alliance’s October 2025 incident summary adds a long tail of notable attacks, including a telecommunications SIM‑swap breach impacting Australian providers Dodo and iPrimus, and exploitation of a Fortra GoAnywhere MFT deserialization vulnerability (CVE‑2025‑10035) by Storm‑1175 to deploy Medusa ransomware — both emblematic of identity and file‑transfer supply‑chain weaknesses.

Supply Chain & Third-Party Fallouts:

  • Jaguar Land Rover: Suffered a £1.9 billion ($2.5 billion) disruption due to a Scattered Spider attack via third-party software, impacting UK GDP.

  • Salesforce-Gainsight Spree: A coordinated campaign by "Scattered Lapsus$ Hunters" breached over 200 companies, including high-profile firms like Cloudflare and Zscaler, via a third-party support application.

Tactics: AI‑assisted social engineering and commodity malware reuse

Air IT and other Q4 threat reports emphasize expanded use of AI to craft phishing emails, impersonate senior staff, and automate vulnerability scans, especially against public‑sector and partner ecosystems.

A coordinated phishing campaign against local US councils using AI‑generated supplier impersonation exploited partner ecosystems.

Gen’s Q4 2025 threat report points out that the quarter was less about entirely new malware families and more about the reuse and re‑tooling of proven infostealers and scripts, even as operations such as "Operation Endgame" disrupted infrastructure for crimeware like Rhadamanthys, VenomRAT and Elysium, leading to visible declines in some families’ activity.

These cases underscore how identity compromise, AI‑powered phishing, and hybrid cloud‑on‑prem ransomware paths are now standard attack patterns against infrastructure operators and engineering‑heavy enterprises.

Industrial Sector (Manufacturing / Aviation):

Manufacturing in the Crosshairs: The manufacturing sector remained the primary target, accounting for nearly 20% of all global cases. Attackers increasingly target industrial logistics to force quick payments during high-pressure shipping windows.

OT/ICS reality check: Kaspersky documented 161 publicly confirmed industrial incidents in Q4 2025.

Dragos reported material upticks in ransomware hitting manufacturing, transportation, and ICS engineering organizations — Qilin led the pack. Encryption of virtualization layers (VMware ESXi) continued to cause “Denial of View/Control” and multi-day outages.

There was major impact on Jaguar Land Rover, Volkswagen, Asahi, and Bridgestone production facilities.

Also notable was a ransomware incident at a major UK engineering firm that started on legacy on‑premise servers and spread into Azure, encrypting both cloud and on‑premise backups: a textbook hybrid IT/OT and cloud scenario.

Aviation: Heathrow Airport faced logistics and baggage-handling chaos in late November following a credential-theft breach: an attempted disruption via compromised privileged credentials for an internal employee portal, affecting logistics and scheduling.

Takeaways for IT/OT cyber programs

Q4 remained a high‑risk period for ransomware, especially for industrial manufacturing and supply‑chain operations; mid‑market organizations (that cannot tolerate prolonged downtime and may be tempted to pay) remain high‑impact targets.

OT and critical‑infrastructure defenders must plan for hybrid attack paths (legacy on‑prem to cloud and back) and emergency‑services dependencies (e.g., CodeRED), treating supplier SaaS integrations and MFT systems as high‑value assets with continuous assurance.

Key takeaway for IT/OT leaders: Ransomware is now primarily an extortion business. Backups alone aren’t enough; incident reports in aggregate underline the importance of exfiltration prevention, segmentation, backups, vendor risk management, OT/ICS protective controls, and rapid detection of lateral movement into OT.

The Q4 surge proves attackers are doubling down on volume while refining TTPs (valid credentials, IAB access, RDP/WinRM pivots).

Action step:

Run a Q1 2026 tabletop assuming a Qilin-style affiliate hits your OT-support VMs. Measure time-to-containment against the industry’s 42-day average (vs. 5 days for mature programs).

Updates - Guidance, Standards & Regulations!

Here are some of the updates on regulations and standards in the cybersecurity field from Q4 2025.

Compliance is moving from "best practice" to "statutory duty," with management now facing direct legal liability.

  • NIS2 Enforcement: Germany’s implementation law finally entered into force on December 6, 2025, bringing thousands of medium-sized entities under strict risk management and reporting duties.

  • China’s Strictest Cyber Law: Amendments to China’s Cybersecurity Law went into effect in late 2025, increasing fines to up to RMB 10 million for serious violations and targeting the entire supply chain of network products.

  • Digital Omnibus Package: The European Commission proposed a "Digital Omnibus" in November to simplify compliance across the AI Act, GDPR, and NIS2, notably proposing to delay high-risk AI obligations until 2027 to protect innovation.

  • DOD CMMC 2.0: The Department of Defense finalized the Cybersecurity Maturity Model Certification (CMMC) rules, making compliance a prerequisite for winning defense contracts.

NIS2: from legal text to operational playbooks

Although the NIS2 Directive’s legal obligations were finalized earlier, 2025—particularly the second half of the year—was when ENISA turned abstract requirements into actionable guidance.

On 26 June 2025, ENISA issued a 170‑page Technical Implementation Guidance on Cybersecurity Risk Management Measures to support the EU Implementing Regulation (EU) 2024/2690, detailing how digital infrastructure and ICT service providers can meet NIS2 requirements and what evidence to produce across 13 thematic areas (from overarching policies to cryptography and access control).

In parallel, ENISA published guidance mapping NIS2 obligations to the European Cybersecurity Skills Framework (ECSF) and to various EU and international standards, helping entities connect compliance tasks with specific role profiles and avoid duplicate efforts where existing certifications already cover similar controls.

For operators of essential and important entities—including energy, transport, health, and manufacturing—these documents effectively became operational playbooks in Q4 2025 as national transposition of NIS2 progressed and organizations prepared for audits and supervision.

NIST SP 800‑172r3: enhanced protection for high‑value systems

On 29 September 2025, NIST released draft revisions of SP 800‑172 and SP 800‑172A (version r3), adding enhanced security requirements and corresponding assessment procedures to support cyber‑resiliency objectives for systems processing controlled unclassified information (CUI).

These updates align with the source controls in SP 800‑53r5 and focus on protecting against advanced, persistent threats—making them particularly relevant to defense industrial base contractors and critical‑infrastructure operators running mixed IT/OT environments that interface with federal systems.

For CISOs, the SP 800‑172r3 drafts signal a tightening of expectations around resilience (segmentation, recovery, deception, and advanced monitoring) and the need to align procurement and architecture decisions with enhanced control baselines rather than relying solely on minimal NIST SP 800‑171 compliance.

Broader regulatory climate and enforcement signals

While not strictly confined to Q4, 2025 saw cumulative regulatory pressure: the EU moved toward full application of the AI Act and continued to push NIS2 transposition, while U.S. federal agencies maintained momentum on cybersecurity frameworks and sectoral rules.

The EU’s AI Act entered into force in August 2024 and will be fully applicable by August 2026, but some provisions already applied by 2025: prohibitions on certain AI practices and AI literacy obligations from February 2025, and governance rules and obligations for general‑purpose AI models from August 2025.

Even where explicit Q4 2025 enforcement actions are not yet widely reported, the combination of NIS2, the AI Act, and national supervisory initiatives effectively raised the bar for cyber and AI governance expectations across European critical sectors.

  • US: NIST dropped multiple December updates—SP 800-218r1 (SSDF 1.2 draft), revisions to the IR 8286 enterprise risk series, SCAP publications, and token/assertion protection guidance. CISA/FBI continued pushing “Secure by Design” with updated product-security bad practices.

  • Cybersecurity for EU Member States - The deadline for EU Member States to transpose the NIS2 Directive into national law was in October 2025, with many countries, including Germany and France, advancing their national laws in Q3.

  • The European Union Agency for Cybersecurity (ENISA) launched the EU Cybersecurity Reserve, a pool of pre-contracted incident response services for large-scale cyber incidents.

  • EU: Germany’s NIS2 implementation law entered into force on 6 Dec 2025. The Cyber Resilience Act (in force since Dec 2024) saw its first technical FAQs published on 3 Dec 2025. The “Digital Omnibus Package” (Nov 2025) bundles amendments to the AI Act, Data Act, and cybersecurity rules to cut red tape and focus on high-impact risks.

OT angle: Guidance increasingly links IT/OT convergence, supply-chain risk, and ransomware reporting.

What it means for you:

Compliance is no longer a checkbox sprint—it’s about evidence-based resilience. Document, test, and map your controls to these frameworks now. The Omnibus push signals Brussels wants faster innovation, not paperwork.

Action step: Update your 2026 compliance calendar with NIS2/Germany deadlines and NIST CSF 2.0 + AI Profile crosswalks.

Artificial Intelligence (AI) Guidance & Regulations

AI is transforming cybersecurity in Q4 2025 by driving new laws, increasing threat sophistication, and pushing organizations to adopt advanced AI defenses and governance.

The focus has shifted from "Co-pilots" to "Agents" — AI systems that act autonomously on behalf of humans.

  • Deepfake Threats: The Monetary Authority of Singapore (MAS) issued a critical warning to financial firms about deepfake impersonation of executives to bypass biometrics and authorize fraudulent transfers.

  • Agentic AI Security: Regulators, including the UK's DRCF, launched consultations on "Agentic AI," debating whether AI should be legally treated as a "tool" or an "agent" for liability purposes.

  • NIST AI Security Overlays: NIST released concept papers for securing AI systems, adapting existing frameworks specifically for generative and predictive AI risks.

  • General-Purpose AI (GPAI): In-scope providers in the EU must now comply with transparency and copyright standards, supported by the final General-Purpose AI Code of Practice published in late 2025.

AI wasn’t just a buzzword in Q4—it became a regulated cyber asset.

Global: G7 Cyber Expert Group statement on AI + cybersecurity in finance; FTC scrutiny of AI “companion” chatbots for kids; state-level AI bills (ownership of generated content, risk-management policies).

European Union

  • EU AI Act: GPAI obligations rolled forward; Digital Omnibus tweaks eased some burdens while keeping systemic-risk rules intact.

  • ENISA view on "cybersecurity for AI" - An ENISA Advisory Group opinion paper, published in 2025, consolidates the agency’s view of AI‑related cyber risk into three dimensions: cybersecurity for AI, AI to support cybersecurity, and malicious use of AI.

    The paper calls for practical technical guidelines and AI cybersecurity baselines, emphasizing secure‑by‑design, secure‑by‑default, and secure‑in‑operations principles for AI systems, with risk‑based evaluation processes and integration of AI analysis into broader threat and risk models.

United States

  • U.S. Executive Order on AI (11 December 2025, EO 2025‑12) – A broad national AI policy that seeks a “minimally burdensome” federal framework, pre-empts conflicting state AI laws via an AI Litigation Task Force, and directs agencies to clarify data‑privacy rules and encourage participation in NIST/OSTP initiatives.

  • NIST: Cyber AI Profile draft (NISTIR 8596) - Dec 2025

    The Cybersecurity Framework Profile for Artificial Intelligence (Cyber AI Profile) is the first major application of a NIST Cybersecurity Framework 2.0 overlay for AI systems, covering securing AI systems and models, using AI for cyber defense, and proactively thwarting AI-powered attacks. Companion AI data-security guidance (earlier 2025) got fresh traction, along with a press release framing it as a rethink of cybersecurity in the AI era.

Asia-Pacific

In Q4 2025, several Asia Pacific countries made significant strides in AI regulations and guidance, focusing on compliance, governance, and innovation.

  • China: Targeted "Web of Rules" Over Single Law
    Action: Scrapped plans for a comprehensive AI law in late 2025 in favour of more flexible, targeted regulations.


    New Rules: On 27 December 2025, the Cyberspace Administration of China (CAC) released draft rules for human-like interactive AI services (companion bots), mandating core socialist values and addiction prevention measures.


    Enforcement: Mandatory AI labelling rules under standard GB 45438-2025 took full effect in September 2025, with implementation guides rolling out through Q4.

  • Hong Kong - maintained its "soft law" approach, choosing to update voluntary frameworks and sector-specific circulars rather than passing a standalone AI law. The focus was on balancing rapid "AI Plus" industrial development with data privacy and security.

    • Digital Policy Office (DPO) - published a major revision to the Hong Kong Generative AI Technical and Application Guidelines in Dec 2025, introducing a four-tiered risk classification and now requiring mandatory conformity assessment and human oversight.

    • Privacy Commissioner for Personal Data (PCPD) - released Abuse of AI Deepfakes: Toolkit for Schools and Parents in Dec 2025 and followed up on its May 2025 compliance checks, urging 80% of HK organizations already using AI to adopt the Checklist on Guidelines for the Use of Generative AI by Employees.

    • Banking & Finance: “AI vs. AI” Strategies - In October 2025, HKMA highlighted the success of its GenAI Sandbox, where banks began trialling “AI vs. AI” tools to detect deepfakes and fraud. Also, a November circular reaffirmed that banks must maintain a “human-in-the-loop” for high-risk customer-facing AI decisions.

  • Singapore - Focus on Agentic AI and Safety
    Action: Conducted public consultation from October to December 2025 on Guidelines for Securing Agentic AI.

    Finance Update: The Monetary Authority of Singapore (MAS) launched a consultation in November 2025 for AI Risk Management Guidelines specifically for financial institutions.

    Safety: Established the AI Safety Institute (Singapore) in late 2025 to evaluate high-impact and generative models.

  • Australia: The "Regulatory U-Turn"
    Action: By December 2025, Australia effectively abandoned its previously proposed 10 mandatory guardrails for high-risk AI.


    Strategy: Reaffirmed a preference for using existing sector-specific laws (consumer, anti-discrimination) rather than a standalone AI Act.

  • South Korea: Moving to Enforcement
    Action: Released the draft Enforcement Decree for its AI Basic Act (Framework Act on AI) in late 2025.

    Timeline: The Act is set to take full effect on 22 January 2026.

    Details: Focuses on risk management for high-impact systems, transparency, and establishes a National AI Commission.

  • Vietnam: First Comprehensive AI Law
    Action: Promulgated the Law on Artificial Intelligence on 10 December 2025.

    Impact: Becomes the first Southeast Asian nation with a standalone AI regime, effective 1 March 2026.

    Details: Adopts a risk-based model requiring human oversight for generative AI, mandatory content labelling, and bans on specific high-risk applications.

  • India: Shift Toward Mandatory Rules
    Action: Introduced the AI Ethics and Accountability Bill in December 2025.

    Guidance: Released Voluntary AI Governance Guidelines in November 2025, focusing on a "techno-legal" approach.

    Mandates: Proposed amendments in October 2025 introduced broad labelling requirements for AI-generated content to combat deepfakes.

  • Pakistan: Implementation Stalls Post-Approval
    Status: The National AI Policy 2025 was approved by the Federal Cabinet in August 2025.

    Q4 2025 Update: Implementation progress slowed in late 2025 due to administrative delays and a lack of formal response from provincial governments.

    Key Provisions: The policy establishes an AI Regulatory Directorate (ARD) and mandates a "sandbox" approach for testing novel algorithms. It targets training 200,000 individuals annually and creating 3 million jobs by 2030.

  • Malaysia: Towards a 2026 Governance Framework
    Status: Currently operating under voluntary National Guidelines on AI Governance and Ethics (AIGE) launched in late 2024.

    Q4 2025 Update: The government initiated deep consultations through the National AI Office (NAIO) to transition these voluntary standards into a mandatory framework.

    Finance Update: Bank Negara Malaysia (BNM) closed its public consultation on AI in the financial sector in October 2025, which will inform upcoming 2026 regulations.

    Outlook: A full governance framework, including legislation and enforcement, is expected to roll out by March 2027.

  • Thailand: Consolidation of AI Laws
    Status: Actively drafting a unified AI Act that merges earlier innovation and regulation decrees.

    Q4 2025 Update: The Electronic Transactions Development Agency (ETDA) began consolidating public feedback into a final bill for Cabinet submission.

    Sectoral Guidance:

    • Finance: The Bank of Thailand issued mandatory risk management principles for financial institutions in September 2025.

    • Cybersecurity: The National Cyber Security Agency published its AI Security Guideline in October 2025, aligning with international ISO standards.

  • Philippines: Targeted Legislative Focus
    Status: Lacks a single "AI Act" but is processing several high-impact bills in the 19th Congress.

    Q4 2025 Update: Focused on "protective" legislation. House Bill No. 807 (Take It Down Act of 2025) gained traction in late 2025 to criminalize AI-generated deepfakes and non-consensual material.

    Guidance: The National Privacy Commission (NPC) released updated advisory guidelines in late 2024/early 2025 requiring "meaningful human intervention" for high-risk automated decisions.

For more comprehensive coverage, check out the following Global AI Regulations Roundups from Securiti:

The dual edge: AI supercharges defense (autonomous detection, threat intel) but introduces new attack surfaces (model poisoning, deepfakes, prompt injection).

What it means for you:

Treat AI systems as critical infrastructure. Secure the data supply chain, enforce model-level protections, and embed AI risk into your enterprise risk management (ERM) program.

Action step:

Pilot the NIST Cyber AI Profile against one high-value use case (e.g., AI-powered SOC or OT predictive maintenance).

How the CISO’s Role Evolved Heading into 2026

By Q4 2025, the Chief Information Security Officer (CISO) role is expanding to emphasize strategic communication, stakeholder management, and integrating security into business strategies, while maintaining traditional cybersecurity duties and fostering cyber resilience.

Evolving Responsibilities of the CISO in Q4 2025

The CISO role is no longer purely technical, and the CISO is no longer “the tech person who says no”; it is a governance and strategic business function. Boards and CEOs now see cyber risk as enterprise risk.

From Operator to Governor: CISOs are now expected to sit on specialized cybersecurity committees or have direct reporting lines to the Board to oversee "resilience dashboards".

Regulatory Literacy: A key requirement for Q4 2025 is "regulatory literacy"—the ability to navigate the overlap between DMA, DSA, GDPR, and AI Act without slowing down business operations.

Digital Sovereignty: CISOs are increasingly making "governance responses" to infrastructure choices. A prime example was the International Criminal Court (ICC) switching its email provider to a European solution to avoid the "digital colonialism" of extraterritorial legal reach.

Key shifts documented in 2025 reports (accelerating in Q4):

  • Strategic seat at the table: 47%+ report directly to CEO; monthly board updates common.

  • Resilience over pure prevention: Gartner’s framework moves from “prevent incidents” to “minimize harm” via detect-respond-recover-absorb loops.

  • Business + AI fluency required: CISOs now co-own AI adoption risk, third-party ecosystems, and revenue-impacting uptime.

  • Talent & upskilling mandate: Continuous simulation-based training trumps certifications; AI agents are changing both attacker and defender playbooks.

Transform Your CISO Role with Insights from Gartner® | Absolute Security Blog

Scope expansion beyond "just cybersecurity"

IANS Research and Artico Search’s State of the CISO 2025 report, based on responses from more than 830 CISOs and security leaders, finds that most CISOs’ roles now extend well beyond traditional cybersecurity into broader business, risk, and resilience responsibilities.

The study segments CISOs into Strategic (28%), Functional (50%) and Tactical (22%) archetypes, distinguished by levels of C‑suite and board access.

Strategic CISOs — those with strong influence in both spaces — earn significantly higher compensation than their peers, reflecting the premium on business‑aligned leadership.

Evanta / Gartner leadership surveys show cyber resilience has become the top functional priority for CISOs in 2025, surpassing long‑dominant domains such as IAM/zero trust and cloud security, and highlighting a shift from prevention‑only thinking to resilience and recovery.

These surveys also note renewed emphasis on security operations and data management/loss prevention, driven in large part by AI‑related data‑loss risks.

The RH‑ISAC 2025 CISO Benchmark Report quantifies this trend: a 26% rise in data‑management and loss‑prevention focus, 12% growth in CISOs reporting to business executives (from 7% in 2024 to 19% in 2025), and a 7% increase in CISOs reporting directly to CEOs and boards.

NIST CSF remains the dominant framework underpinning these programs, with adoption scores rising year over year.

Burnout, liability, and governance misalignment

At the same time, multiple 2025 studies and commentaries expose severe strain on cyber leadership.

Proofpoint’s Voice of the CISO 2025 report finds that 76% of CISOs expect a material cyberattack in the next 12 months while 58% admit their organizations are unprepared, and 63% report experiencing or witnessing burnout in the prior year; 65% say their organizations have taken steps to protect them from personal liability, but many still feel under‑resourced.

Nagomi’s 2025 CISO Pressure Index and BitSight’s burnout analysis echo these concerns, with findings that 60 percent of CISOs fear losing their jobs after a breach and roughly half of organizations report security and risk teams experiencing burnout.

Cyber Management Alliance and other practitioners have warned that this environment leads to "high accountability, low control" dynamics, particularly in highly regulated sectors.

A December 2025 article, The CISO at the Crossroads – From 2025 Fatigue to 2026 Resilience, frames the year as an inflection point: CISOs were "asked to control risk without the authority to shape the system creating that risk," resulting in chronic decision overload, tool sprawl (40–70 tools per environment), and continuous crisis response.

The piece argues that 2026 must rebalance governance so that executive ownership of risk is explicit and the CISO role centers on risk stewardship rather than acting as a catch‑all for every cyber problem.

Board communication and risk translation as core skills

Survey commentary from Evanta and others stresses that measuring and communicating risk to boards is now a fundamental CISO responsibility—in effect, CISOs are expected to translate technical exposure into business‑aligned risk narratives that non‑technical directors can act on.

The IANS / Artico study shows that Strategic CISOs (with the strongest C‑suite and board engagement) not only earn more but also exert outsized influence on security program maturity and budget alignment, reinforcing that "seat at the table" is not cosmetic but materially correlated with outcomes.

Implications for IT/OT and AI‑heavy organizations

  • From "protect everything" to risk‑based resilience: Q4 2025’s incident and ransomware data underscore that eliminating cyber risk is impossible; CISOs are increasingly framing their mandate as prioritizing critical assets, sustaining operations during attacks, and making explicit decisions about what risk to accept, transfer, or mitigate.

  • OT and AI governance converge: For industrial enterprises, CISOs are now expected to integrate OT safety, AI governance (e.g., NISTIR 8596, AI Act, national AI guidelines), and classical IT security into a single risk program that can be explained in board language.

  • Well‑being and governance are security controls: Given the documented burnout and liability pressures, organizations serious about resilience must treat security leadership health and clear lines of accountability as part of their control environment—on par with EDR deployment or backup testing.

What it means for you: If your CISO still lives under the CIO with a narrow technical mandate, you’re behind. The winning profile in 2026: business translator, risk quantifier, and resilience architect.

Action step for CISOs: Prepare one slide for your next board meeting that ties a top cyber risk to a revenue or OT-uptime KPI — and shows how you’re using AI to reduce it. For executives: Give your CISO budget and airtime to lead cross-functional resilience initiatives.

Conclusion - Closing Signal: 2026 Outlook

By the end of Q4 2025, the following meta‑trends were clear.

First, capital and consolidation continue to reshape the vendor landscape toward integrated, AI‑assisted security platforms spanning identity, XDR, and data protection, creating new efficiencies but also new forms of concentration risk CISOs must manage.

  • Mega-consolidation + AI-native innovation + regulatory pragmatism + relentless ransomware volume = a market that rewards speed, integration, and measurable resilience.

  • Organizations that thrive will treat cybersecurity as a business enabler, not a cost center.

Second, ransomware and large‑scale incidents are not abating; they are intensifying, particularly for industrials, mid‑market organizations, and public‑service providers, with AI‑supported social engineering and supply‑chain abuse now routine.

Third, regulators and standards bodies are moving from high‑level aspirations to detailed implementation guidance for both cybersecurity and AI, while the CISO role stretches into an enterprise‑risk, resilience, and AI‑governance function that must be supported by rebalanced accountability and investment in leadership health.

For IT/OT and AI‑driven organizations:

The strategic task entering 2026 is to turn these signals into an integrated agenda:

  • consolidate where it simplifies without locking into single points of failure,

  • harden identity and hybrid infrastructure against "golden quarter"‑style ransomware,

  • operationalize regulatory and standards guidance (NIS2/NIST/AI‑Act) into procurement and architecture, and

  • redesign CISO governance so that risk stewardship is shared at the top of the house rather than carried alone by security leadership.

Your move:

  1. Schedule a Q1 resilience tabletop (IT + OT + AI use cases).

  2. Review vendor roadmaps for AI-security and OT convergence.

  3. Map your 2026 budget to the NIST Cyber AI Profile and NIS2/CRA priorities.

Stay ahead. Stay secure.

Until next time—keep the lights on (and the attackers out).

Questions or topic requests for Q1 2026? Hit reply.

Some References & Further Reading

Some Source links above and further reading below.

Securing Things Academy: (coming soon)

IT & OT CySEAT (Cyber Security Education And Transformation) course is designed for IT and OT cybersecurity practitioners. Join the wait-list → here.

Ways in which I can help?

Whenever you are ready - I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a Security awareness program through our subscription based service.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for Links to above services and or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

Also, if you find this or previous newsletter edition(s) useful and know other people who would too, I'd really appreciate if you'd forward it to them. Thanks a ton.

Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

Follow Securing Things on LinkedIn | X/Twitter & YouTube.

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.
