High‑Severity Cyber Incidents Hit Six‑Year Low as Early Detection Improves, Kaspersky Report Finds

Kaspersky

The proportion of high‑severity cyber incidents has declined steadily over the past few years, reaching its lowest level in six years in 2025, according to Kaspersky’s latest global threat analysis. The findings, published in the Anatomy of a Cyber World: Global Report by Kaspersky Security Services, highlight significant progress in early threat detection and response.

The report shows that high‑severity incidents accounted for just 3.8% of all detected cases in 2025, down sharply from 14.3% in 2021, marking a consistent downward trend. High‑severity incidents are defined as attacks involving direct human action that cause substantial impact to an organization’s IT infrastructure. Kaspersky attributes the decline largely to faster detection and remediation by its Managed Detection and Response (MDR) experts, which prevents attacks from escalating beyond medium severity.

In absolute terms, the number of high‑severity incidents detected by Kaspersky MDR fell by 19% in 2025 compared to 2024, underscoring improvements in both security visibility and customer readiness. The data suggests that many attack attempts are now being identified earlier in the kill chain, reducing their operational and financial impact.

“The steady decline in high‑severity incidents shows that proactive, human‑led security operations can stop sophisticated attacks before they cause serious damage.”

Sergey Soldatov, Head of Security Operations, Kaspersky

A deeper analysis of incident root causes provides insight into the evolving threat landscape. Human‑driven attacks remained the leading cause, accounting for around 23% of high‑severity incidents. Although slightly lower than in 2024, these attacks were detected in nearly 21% of customer environments, demonstrating that skilled adversaries continue to find ways to bypass automated defenses.

Interestingly, confirmed cyber exercises, such as Red Teaming activities, also made up more than 23% of reported incidents. While these activities are validated as testing, they are often reported by customers as real incidents before classification.

Social engineering attacks ranked third, responsible for over 15% of high‑severity cases and affecting nearly 18% of organizations. These incidents are classified as high severity when they succeed and require manual remediation, often exposing gaps in employee awareness. Security policy violations accounted for just under 14%, typically involving suspicious actions by legitimate accounts, such as data exfiltration.

Malware‑related incidents represented less than 12%, while traces of past attacks or advanced persistent threats (APTs) appeared in over 7% of cases. Vulnerability detection accounted for fewer than 5% of incidents.

Kaspersky emphasizes that the findings demonstrate the importance of hybrid security operations, combining human expertise with automated solutions like Extended Detection and Response (XDR) and SOC consulting services. This integrated approach enables organizations to detect threats earlier, respond faster and significantly reduce the likelihood of major cyber breaches.
