WatchGuard: 1548% more new malware in one quarter, attacks becoming increasingly complex

Published by
WINMAG Pro Editorial Team
Mon, 02 March 2026, 08:30

The report is based on anonymized and aggregated threat data from network, endpoint, and DNS security solutions from WatchGuard. The figures show that attackers are accelerating and refining their methods. As a result, organizations that primarily rely on reactive security are increasingly at risk.

Some notable conclusions from the report:

1. New malware and zero-days are increasing sharply

Throughout 2025, the number of new malware variants increased each quarter, with an exceptionally strong increase between the third and fourth quarters. At the same time, nearly a quarter of all detected malware qualifies as zero-day, because traditional detection does not recognize these threats.

Attackers are also increasingly packing and obfuscating their malicious code to evade detection. On endpoints, WatchGuard found more than fifteen times as much previously unseen malware as in earlier periods.

2. Encrypted traffic hinders visibility

Additionally, the report shows that 96% of the blocked malware was delivered via TLS. Attackers exploit encrypted connections to hide their activities within regular web traffic. Organizations that do not implement HTTPS inspection therefore miss crucial signals.

Although the number of network exploits decreased in the second half of 2025, the majority of attacks still target known vulnerabilities in modern web applications. Layered network security, including intrusion prevention, remains essential.

3. Attackers are targeting money more effectively

Cybercriminals are also adapting their revenue models. In the second half of 2025, WatchGuard observed phishing campaigns that used malicious PowerShell scripts to set up Malware-as-a-Service tools, including remote access trojans. Attackers deliberately evade automated file analysis.

Although the total number of ransomware incidents decreased by 68.42 percent year-on-year, publicly disclosed ransom payments reached a record level. This indicates a shift towards fewer, but financially heavier attacks. Additionally, cryptomining remains a popular way to generate revenue once attackers have gained access.

Implications for MSPs

According to Corey Nachreiner, Chief Security Officer at WatchGuard Technologies, this development calls for a different approach. "The current threat landscape has become too complex for standalone security solutions and reacting only when things go wrong. The risk for MSPs is significant. A security incident at a client results in higher costs, damages trust, and weakens their competitive position. The MSPs that are successful in 2026 and beyond will demonstrate that they actively detect threats and protect their clients with one cohesive security approach across the entire IT environment."

WatchGuard advises managed service providers to choose a single security platform that monitors network traffic, protects endpoints, and secures identities. They must inspect encrypted traffic, flag anomalous behavior immediately, and automatically block threats. Only in this way can they reduce the likelihood of incidents, limit damage to clients, and maintain control over their own support costs.

Full report available

The full Internet Security Report for the second half of 2025 is available on WatchGuard's website.
