Sysdig: A new arms race on the evolving battlefield of cloud security
Real-time cloud security company Sysdig has released its 2025 Cloud-Native Security & Usage Report.
The company’s annual user analysis provides what it says are insights into real-world cloud security and usage trends, highlighting significant enterprise security progress while identifying key areas that demand attention.
The report suggests that organisations across North America; Europe, the Middle East and Africa; and the Asia-Pacific and Japan are making some defined strides in identity and vulnerability management, artificial intelligence (AI) security and threat detection and response.
However, as businesses scale their AI adoption and cloud footprints, the growing risk and complexity of machine identities, container image bloat and attacker automation introduce new hurdles for enterprise security.
“It has been fascinating to watch cloud security evolve since we started reporting on usage eight years ago. When we first looked at container lifespans in 2019, half lasted at least five minutes – today, 60% live for one minute or less,” said Loris Degioanni, Sysdig founder and CTO. “Given the short life span paired with how quickly attackers can move across cloud environments, I am encouraged to see defenders actively detecting and responding to threats in less than 10 minutes.”
Sysdig says that workloads using AI and machine learning packages grew by 500% over the last year, with the percentage of generative AI packages in use more than doubling. Despite this rapid adoption, public exposure decreased by 38%, signalling a commitment to secure AI implementations.
The suggestion here is that mature security teams are detecting threats in under five seconds and initiating response actions within 3.5 minutes on average.
Cloud attack window
This, thankfully, outpaces the 10-minute cloud attack window that has historically given adversaries the upper hand. The company says that achieving the 555 cloud detection and response benchmark isn’t just possible, it’s essential.
“Cybersecurity has long been an arms race between threat actors and defenders, but the battlefield is evolving,” said Crystal Morin, Sysdig cybersecurity strategist. “Organisations have made tremendous progress and the fact that mature security teams can now respond to threats within minutes is a game-changer. But with machine identities multiplying and cloud environments evolving in real time, automation and rapid response have never been more mission-critical. The data in this report makes me optimistic about the future of cyber defence.”
Morin and team say that organisations are prioritising real risk by reducing in-use vulnerabilities: in-use vulnerabilities have declined to less than 6%, reflecting a 64% improvement in vulnerability management over the past two years. This shift illustrates that organisations are refining their approach to fixing what matters most – vulnerabilities actively running in production workloads – and more effectively strengthening their overall security posture.
Among the other trends noted, organisations are using open source tools such as Kubernetes, Prometheus and Falco (a Sysdig-originated technology that has now passed one year as a CNCF graduated project) to defend cloud infrastructure.
Machine identities outnumber humans
With 40,000 times more machine identities than human identities, the attack surface has expanded dramatically. Machine identities are also 7.5 times riskier, a dangerous liability given that nearly 40% of breaches start with credential exploitation.
The company also says the majority of containers live for one minute or less, but attackers don’t need that long: for the first time, 60% of containers now live for 60 seconds or less. While ephemeral workloads enhance application agility, cloud adversaries automate their reconnaissance to instantly identify and exploit weaknesses. Real-time detection and response are more essential than ever.
Degioanni and team say that container images are increasingly bloated and that this is creating undue security risk: the size of container images has quintupled, introducing unnecessary security risks and operational inefficiencies. Larger images increase the attack surface and make deployments more expensive, emphasising the need for more efficient containers.
Attackers, meanwhile, are also using open source capabilities: while open source security tools have become foundational for organisations of all sizes, cybercriminals continue to rely on open source malware and weaponise open source software, a trend first documented in Sysdig’s 2024 Global Threat Year-in-Review.