Security coverage is falling behind the way attackers behave

Cybercriminals keep tweaking their procedures, trying out new techniques, and shifting tactics across campaigns. Coverage that worked yesterday may miss how those behaviors appear today.

Encryption remained part of many operations, though extortion relied more heavily on data theft, identity compromise, and business disruption. Groups such as Medusa, Qilin, and Interlock adopted double and triple extortion workflows, targeting backups, cloud assets, and identity systems to increase pressure.

Smaller teams moved faster. These groups adopted multi-platform tooling, cloud abuse, and living-off-the-land techniques to reduce infrastructure overhead. The research shows ransomware activity driven by procedures rather than malware families, making behavioral coverage central to defense.

Coverage gaps appear at the behavior layer

One theme that runs through the findings is the presence of defensive gaps at the procedure level. Many organizations track techniques and tools, while execution details that signal intent receive less attention. The research connects observed procedures directly to detection and prevention controls, showing where coverage holds and where it breaks down.

This approach centers on verification through observed activity. Mapping controls to attacker behavior shows whether alerts trigger during live intrusions or only during testing. The data shows controls failing to activate when attackers alter execution steps, even when the underlying technique remains the same.

“Strength will be measured by the adversary behaviors you can stop, and that starts with how attackers operate and the exact techniques they use,” said Tidal Cyber CEO Rick Gordon.

#Sinisa Markovic
