HPE Threat Report: Cybercrime ‘Industrialization’ Driving Faster, More Coordinated Attacks

New research finds automation, AI, and repeatable infrastructure enabling adversaries to scale campaigns and outpace enterprise defenses.
March 17, 2026

Key Highlights

  • Cybercriminal operations now mirror enterprise structures, with defined hierarchies, roles, and scalable infrastructure, targeting critical sectors like government, finance, and technology.
  • Threat actors are utilizing automation and AI to streamline attacks, including real-time data exfiltration, synthetic voice generation, and deepfake videos for social engineering.
  • Defense strategies should focus on breaking organizational silos, patching vulnerabilities, expanding zero-trust models, and enhancing detection with AI-driven analytics.
  • HPE Threat Labs combines resources from HPE and Juniper Networks to provide broader threat intelligence, aiming to improve detection and response capabilities.

HOUSTON — Hewlett Packard Enterprise (HPE) is sounding the alarm on a rapidly evolving threat landscape, where cybercriminal operations increasingly mirror the structure, efficiency, and scale of modern enterprises.

In its inaugural In the Wild threat report, released this week, HPE details how attackers are leveraging automation, artificial intelligence, and long-standing vulnerabilities to execute high-volume campaigns across global industries—often faster than defenders can respond.

Drawing on analysis of 1,186 active threat campaigns observed throughout 2025, the report paints a picture of an adversary ecosystem defined by industrialization, precision targeting, and operational maturity.

Cybercrime Operations Take on Enterprise-Like Scale

According to HPE Threat Labs, today’s threat actors are no longer loosely organized groups but highly coordinated operations with defined hierarchies, specialized roles, and scalable infrastructure.

Government entities were the most targeted sector, accounting for 274 campaigns, followed by finance (211) and technology (179). Additional sectors under sustained pressure include defense, manufacturing, telecommunications, healthcare, and education—underscoring attackers’ focus on critical infrastructure and high-value data environments.

Across the reporting period, researchers observed:

  • More than 147,000 malicious domains deployed

  • Nearly 58,000 malware samples identified

  • Active exploitation of 549 vulnerabilities

This level of operational repeatability allows adversaries to sustain campaigns even when portions of their infrastructure are disrupted, making mitigation more complex for defenders.

“In the Wild reflects the reality organizations face every day,” said Mounir Hahad, head of HPE Threat Labs, HPE. “Our research is grounded in real-world threat activity, not theoretical tests in controlled lab scenarios. It captures how attackers behave in active campaigns, how they adapt, and where they are finding success. These first-hand observations and insights help you detect threats more quickly, strengthen your defenses, and get a clearer view of the threats most likely to impact your data, infrastructure, and operations. That means stronger security, faster response, and greater resilience in the face of increasingly organized and persistent attacks.”

Automation and AI Accelerate Threat Velocity

A key finding of the report is the growing use of automation and AI to streamline and accelerate attack execution.

Threat actors are increasingly adopting “assembly line” workflows—sometimes orchestrated through platforms like Telegram—to automate data exfiltration and operational coordination in real time. At the same time, generative AI is being used to create synthetic voices and deepfake videos for social engineering campaigns, including executive impersonation and video-based phishing.

 

In one case highlighted by researchers, an extortion group conducted targeted analysis of VPN vulnerabilities to optimize intrusion strategies—demonstrating a shift toward data-driven attack planning.

These techniques enable adversaries to scale outreach, refine targeting, and maximize financial returns by focusing on sectors tied to economic value and national stability.

Visibility and Coordination Emerge as Defensive Priorities

While the threat landscape continues to grow more complex, the report emphasizes that effective defense is less about deploying additional tools and more about improving integration, visibility, and response coordination.

Key recommendations include:

  • Breaking down organizational silos to share threat intelligence across teams and ecosystems

  • Prioritizing patching of commonly exploited entry points, such as VPNs and edge devices

  • Expanding zero-trust architectures to limit lateral movement and enforce continuous authentication

  • Enhancing detection and response through AI-driven analytics and deception technologies

  • Extending security controls beyond the enterprise perimeter to include third-party and supply chain environments

Collectively, these measures can help organizations reduce dwell time, improve detection fidelity, and respond more effectively to coordinated attacks.

HPE Expands Threat Intelligence Capabilities

The report also marks the formal introduction of HPE Threat Labs, which unites threat intelligence resources from HPE and Juniper Networks to create a broader, more actionable dataset for identifying and tracking global threats.

By integrating this intelligence directly into its security portfolio, HPE aims to shorten the gap between threat detection and mitigation.

“Today’s attackers operate with the discipline and efficiency of global enterprises,” said David Hughes, SVP and GM of SASE and Security for Networking at HPE. “Defending against them requires the same level of operational rigor and integration.”

Industry Implications

The findings reinforce a broader industry shift: cyber risk is no longer a discrete IT issue but a business-critical function tied directly to operational resilience and digital trust.

As adversaries continue to professionalize and scale their operations, organizations that fail to modernize their security architectures, particularly around visibility, intelligence sharing, and response orchestration, risk falling further behind.

The In the Wild report is aimed at CISOs and security leaders seeking a clearer understanding of how modern attackers operate—and how to counter them in an increasingly industrialized threat environment.

The HPE Threat Labs 2026 In the Wild Threat Report is available now and is intended for CISOs, security leaders, and IT decision-makers seeking to understand how modern attackers operate and how to stop them. Explore the HPE showcase at RSA Conference 2026, March 23–26, at booth #1255 in South Hall, Moscone Center.

 
 