The year that speed changed cyber security
At a time when threat actors are operating at machine speed, understanding which essential systems are needed to keep the lights on can be the difference between business continuity and existential crisis
If last year proved anything in cyber security, it’s this: the battleground doesn’t just belong to those with the best tools or largest teams anymore. It belongs to those who can act faster than their adversaries.
2025 was a watershed year – not because attackers unveiled new zero-days or defenders fell behind – but because of one defining shift that quietly reshaped the entire landscape: speed.
Attackers didn’t become more intelligent. Defenders didn’t lose their skill. What changed was the tempo of operations. Intrusion, lateral movement, and exfiltration now happen at machine speed, outpacing human escalation chains designed for a slower era.
Organisations have spent years investing in detection fidelity and recovery strength. Now, the ones that win are those that excel in response velocity, making quality decisions with incomplete information before an attacker completes their playbook.
The new attack tempo
Early last year, a major Asia-Pacific logistics provider dealt with what appeared to be routine credential theft. Within an hour, the attacker had moved laterally across subsidiaries in three countries and begun exfiltrating sensitive shipment data, assisted by automated tooling and reused playbooks.
In another case, a financial services firm in Sydney saw ransomware encrypt critical systems less than 90 minutes after the initial intrusion point. Their endpoint detection and response (EDR) platform raised an alert within minutes, but the organisation’s escalation path required executive approval for major isolation actions. By the time that approval arrived, the attack had already propagated.
These examples aren’t anomalies. They’re indicators of the new norm. In 2025, reaction lag, not detection gaps, became the dominant vulnerability.
When certainty became a liability
Cyber security principles have traditionally treated certainty as sacred: verify before isolating, confirm before containing. That approach emerged from decades of risk management discipline, but 2025 showed how dangerous it has become when timelines collapse.
Enterprises that insisted on confirmation before containment often discovered their confidence too late. By the time an incident was “proven,” data had already been copied, encrypted, or destroyed, and recovery options were narrower and more expensive.
By contrast, the enterprises that fared best weren’t reckless. They were pre‑authorised. For example, a large healthcare network in New Zealand successfully contained a stealthy persistent threat last July because of a pre‑agreed “isolate first” methodology. Their security operations centre (SOC) had the authority to trigger segmented network lockdown the moment their correlation engine flagged simultaneous credential anomalies across critical systems.
They didn’t wait for certainty. They acted on the assumption that inaction was riskier. Later analysis showed that part of the triggering activity was benign, but leadership agreed the temporary disruption cost was trivial compared to the damage a successful compromise would have caused. The new resilience calculation: error is cheaper than hesitation.
The decision velocity gap
If 2024 was the year of tooling upgrades, then 2025 exposed a subtler gap: one not in technology but in decision architecture.
Security teams today can detect faster than ever. Machine‑learning‑based detection, cross‑layer correlation, and anomaly scoring have compressed identification times to minutes. Yet, organisational latency – the delay between alert and authorisation – remains measured in hours or days.
The gap has become one of the most exploitable dimensions in modern defence. Attackers have no board approvals, no compliance committees, no external auditors. They can act within seconds while defenders remain constrained by governance designed for safety over speed.
As many CISOs across Australia and New Zealand (ANZ) are discovering, the defender’s playbook still assumes time exists. In a growing number of breaches, the adversary finishes before the defender begins.
Bridging the decision gap requires an enterprise to understand its minimum viable business (MVB): the smallest version of the business that can still function and serve customers when an incident compromises systems and operations.
Rather than attempt to restore everything, everywhere, all at once, this approach focuses on essential services for revenue generation and regulatory requirements. It prioritises the minimum set of applications and data those services rely on, and the infrastructure required to run them safely, even during degraded conditions.
In a world where attacks complete in minutes but forensics take days, understanding MVB can be the difference between business continuity and existential crisis.
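The MVB idea above as a worked example: an added script, not the article's or Rubrik's code, that takes a constructed service inventory (all names assumed), treats services tagged revenue or regulatory as essential, and returns the minimum set of systems that must come back plus a restore order that brings dependencies up first.

```python
# Added example (not the article's or Rubrik's code): from a constructed
# service inventory, compute the MVB set and a dependency-first restore order.
from collections import deque

# Constructed inventory: service -> (tags, dependencies). All names assumed.
INVENTORY = {
    "customer-portal": ({"revenue"}, {"order-api", "auth", "cdn"}),
    "order-api": (set(), {"orders-db", "auth", "payments"}),
    "payments": ({"revenue"}, {"payments-db", "hsm"}),
    "regulatory-reporting": ({"regulatory"}, {"orders-db", "reporting-db"}),
    "auth": (set(), {"identity-db"}),
    "marketing-site": (set(), {"cdn", "cms"}),   # nice to have, not MVB
    "analytics": (set(), {"orders-db", "data-lake"}),
    "orders-db": (set(), set()), "payments-db": (set(), set()),
    "identity-db": (set(), set()), "reporting-db": (set(), set()),
    "hsm": (set(), set()), "cdn": (set(), set()),
    "cms": (set(), set()), "data-lake": (set(), set()),
}
ESSENTIAL_TAGS = {"revenue", "regulatory"}


def minimum_viable_set(inventory, essential_tags=ESSENTIAL_TAGS):
    """Every system an essential (revenue/regulatory) service transitively needs."""
    roots = [s for s, (tags, _) in inventory.items() if tags & essential_tags]
    needed, queue = set(roots), deque(roots)
    while queue:
        for dep in inventory[queue.popleft()][1]:
            if dep not in inventory:
                raise KeyError(f"unknown dependency {dep!r}")  # inventory drift
            if dep not in needed:
                needed.add(dep)
                queue.append(dep)
    return needed


def restore_order(inventory, needed):
    """Kahn's topological sort over `needed`: each system after its dependencies."""
    indeg = {s: len(inventory[s][1] & needed) for s in needed}
    dependants = {s: set() for s in needed}
    for s in needed:
        for dep in inventory[s][1] & needed:
            dependants[dep].add(s)
    ready, order = deque(sorted(s for s, d in indeg.items() if d == 0)), []
    while ready:
        order.append(s := ready.popleft())
        for d in sorted(dependants[s]):
            indeg[d] -= 1
            if indeg[d] == 0:
                ready.append(d)
    if len(order) != len(needed):
        raise ValueError("dependency cycle in inventory")  # cannot be restored as-is
    return order
```

Systems such as marketing-site and analytics fall outside the MVB and can wait; a cycle in the inventory is reported rather than silently producing a partial plan.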
Speed changed cyber last year. In 2026, those who understand their MVB – and can restore it fast – will be the ones that stay in business long enough to tell the story.
Niraj Naidu is head of engineering at Rubrik ANZ
