
A brief review of the Sysdig Cloud Defense Report 2025
Security leaders, practitioners, and enthusiasts are looking to keep up with an ever-changing cloud security landscape. So, over the last few weeks, we pored over data from the first half of 2025. Now, we’re sharing what we’ve learned.
It likely comes as no surprise that much of what was gathered involved artificial intelligence (AI). AI is hard to avoid today, especially with the rate at which organizations are adopting and implementing it. We gathered data on the integration of AI into cloud infrastructure, how AI is being secured, and what both AI-powered threats and threats against AI infrastructure look like. Did you know that AI and innovation are built on open source technologies? Or that the only way to identify modern cloud threats is with runtime visibility?
It’s 2025, and security teams are facing AI-powered transformations on every front. AI is a part of the problem and the solution, and it’s inseparable from the future of cloud security. And now it’s your turn: Take a moment, and dig right into a few of the defining details from the Sysdig Cloud Defense Report 2025.
AI is both a tool and a target
In the first half of this year, we continued to see steady adoption of Sysdig Sage™, the first fully integrated AI cloud security analyst, by organizations that serve a variety of business sectors. It’s a clear sign that AI innovation knows no bounds. On average, using AI for investigations is also helping security teams drive down their mean time to respond by 76%.
The number of AI and machine learning (ML) packages running in workloads also indicates maturing AI adoption, including the discovery and removal of shadow AI. However, misconfigurations — such as an inadvertently publicly exposed AI tool that the Sysdig Threat Research Team (TRT) found in June — are allowing attackers to deploy malware.
The full report contains recommendations on how to best utilize AI in your security processes and how to properly secure AI used across your organization.
Runtime is the baseline
Many of the threats and vulnerabilities identified so far in 2025 require runtime visibility for detection. Runtime security provides real-time alerting, enabling security teams to stop an attack before the damage is done, and it is no longer optional. Attackers understand our infrastructure, and they move quickly. With the use of AI and automated tools, cloud attacks happen in 10 minutes or less. The report details a few of the most significant threats of 2025 and how to defend against them using the power of runtime and the open source community.
Open source is the past, present, and future of security
Today’s defenders learned their craft and sharpened their skills through the transparency offered by free and open tools, research, and detections. Luckily for them, open source continues to be an anchor for modern security innovation.
We’ve continued to see the community’s trust in Falco, the CNCF’s open source runtime threat detection engine, with nearly 10 million new downloads since the beginning of the year. From data sovereignty compliance to real-time detection within CI/CD workflows, open source allows security teams the flexibility they need as they grow to enterprise scale.
And 2025 is still unfolding
Based on the security trends and the threat landscape we’ve seen so far this year, there are a few things we expect to happen before the end of the year. We believe both industry-specific and CI/CD targeting will persist. We also expect teams to increasingly build developer-friendly prioritization workflows, and that we will see AI evolve from a tool to a partner.
With AI on both the offensive and defensive ends of attacks, ephemeral infrastructure complicating visibility, and open source everywhere, the right way forward is with a fast, transparent, and collaborative defense.
Check out the full Sysdig Cloud Defense Report 2025 for all the data, recommendations, and our predictions for the second half of the year and beyond.