Beyond the smash-and-grab: Threat data shows attackers spending more time on ‘discovery’
The popular image of a cyberattack – a fast, noisy “smash-and-grab” operation – doesn’t match what Forescout’s Vedere Labs says it’s seeing in its latest threat data. In the company’s 2025 Threat Roundup, researchers argue that a growing share of intrusions look less like immediate disruption and more like quiet preparation: Attackers get in, then spend most of their time figuring out what’s worth targeting.
In a recent Cyber Focus podcast interview, Daniel dos Santos, vice president of research at Forescout, pointed to one finding he said stood out in their observations: More than 90% of post-breach activity they measured was classified as “discovery.” In practical terms, discovery can include scanning internal systems, mapping identities and permissions, and locating high-value assets – work that can set up everything from data theft to ransomware, depending on what the actor decides to do next.
Dos Santos framed the trend as part of a broader evolution in ransomware operations. The early playbook of “get in, encrypt, get out,” he argued, has increasingly given way to campaigns that spend more time inside networks, including efforts to identify leverage points for disruption or extortion.
One of the report’s sharper implications is a prioritization problem: Defenders may be over-weighting a single reference list when deciding what to patch. Vedere Labs says more than 70% of the vulnerabilities it observed being exploited were not in CISA’s Known Exploited Vulnerabilities catalog. Dos Santos did not cast that as a knock on KEV, but as a reminder that different datasets measure different things and that “exploitation” can be defined in ways that don’t line up cleanly across organizations.
The practical takeaway, he argued, is that teams should treat KEV as a baseline, not a ceiling. Organizations still need visibility into broader exploitation activity and then apply local context such as asset criticality, segmentation, compensating controls and operational constraints to decide what warrants immediate action.
The report also points to continued exposure in operational technology environments, where even basic internet-facing access can invite opportunistic probing. Cilluffo cited findings that OT protocol attacks surged in 2025, with Modbus leading activity. Dos Santos said the issue is not limited to high-end nation-state campaigns; tactics and tooling spread quickly, and less sophisticated actors can now discover and target exposed systems with minimal effort.
At the same time, attacker infrastructure is getting harder to filter by “where it came from.” The report finds that nearly 60% of observed attacks originated from ISP-managed networks – traffic that can be routed through compromised consumer devices such as home routers, cameras, doorbells and solar inverters. Dos Santos added that similar blurring happens when malicious activity is proxied through major cloud platforms, where it can look routine at first glance. For defenders, the consequence is straightforward: origin-based blocking is less reliable, and the best signals may come from behavior – especially early-stage discovery – rather than geography or “known bad” hosting.
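As an added illustration of the behavioral signal described above (example code written for this page, not Forescout's or the report's own tooling), the following Python flags internal sources whose east-west fan-out looks like host discovery, ignoring where the traffic "came from"; the internal address ranges, the five-minute window, the eight-host threshold and the flow records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]  # assumed "inside" ranges

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)))
    return flows

def find_discovery(flows, window=timedelta(minutes=5), min_hosts=8):
    """Flag internal sources that reach >= min_hosts distinct internal hosts within any sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if is_internal(src) and is_internal(dst):  # east-west only; where the source "came from" is not used
            by_src[src].append((ts, dst, dport))
    findings = {}
    for src, recs in by_src.items():
        recs.sort()  # by timestamp; tuples compare element-wise
        lo = 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > window:  # slide the window start forward
                lo += 1
            hosts = {dst for _, dst, _ in recs[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                findings[str(src)] = f"host sweep: {len(hosts)} internal hosts within {window}"
                break
    return findings

def constructed_sample():
    """Constructed flow records (not real telemetry): 10.0.5.23 sweeps SMB across a subnet; 10.0.5.40 is ordinary."""
    base = datetime(2025, 3, 1, 9, 0, 0)
    lines = []
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.5.23 10.0.8.{i + 1} 445")
        dst, port = (("10.0.8.100", 445), ("10.0.1.53", 53))[i % 2]  # file server and DNS only
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.5.40 {dst} {port}")
    lines.append(f"{base.isoformat()} 10.0.5.40 203.0.113.9 443")  # outbound flow, not east-west
    return "\n".join(lines)
```

Running `find_discovery(parse_flows(constructed_sample()))` reports only 10.0.5.23; the ordinary workstation and the outbound flow produce no finding.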
For more on this and other important cyber topics, check out the full catalog of Cyber Focus podcasts: https://mccraryinstitute.com/podcast/