RESTON, Va., Dec. 8, 2025 /PRNewswire/ -- Tidal Cyber, the category owner of Threat-Led Defense, today announced the release of the 1st Annual Threat-Led Defense Report, the only industry report built entirely on real adversary behavior, revealing the top techniques adversaries use.

Tidal Cyber's Industry-First Threat-Led Defense Report, Powered by Unmatched Adversary Behavioral Intelligence

Leveraging tens of thousands of real technique and procedure observations collected directly through the Tidal Cyber platform and its exclusive Procedures Library, the report delivers the deepest behavioral view of modern adversaries available today. Powered by NARC, Tidal Cyber's AI engine that reads unstructured threat intelligence and extracts procedure-level detail, the report exposes the techniques that are surging, the procedures adversaries repeatedly use across campaigns, and how tradecraft evolved from 2023 to 2025.

"This report represents a turning point for defenders," said Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber. "For the first time, security teams can see adversary behavior at the same level of depth and fidelity we use internally to research and model threats. No one else in the market offers this level of procedural intelligence and that's what makes this report possible."

Unlike traditional CTI reporting, which often catalogs threats without showing defenders what to do about them, the Threat-Led Defense Report maps all adversary behaviors directly to defensive controls via MITRE ATT&CK, ATLAS, D3FEND, and other key frameworks. This provides security leaders with a clear, defensible understanding of which protections are strong, weak, or missing entirely, and which improvements will create the highest business value.

"Intelligence only becomes valuable when it becomes actionable," Scott added. "By extracting and structuring adversary procedures, we make it possible for defenders to align their controls with exactly how attackers operate, not how we think they operate."

The report challenges the industry's longstanding reliance on static scans, patch counts, and exposure models that fail to reflect real attacker behavior. Instead, it delivers a behavioral-first view of risk grounded in what adversaries actually do and how they perform inside victim environments.

Key findings highlight:

The top techniques with the highest procedure recurrence across ransomware, espionage, and financially motivated campaigns.

Behavioral shifts in leading groups such as Medusa, Qilin, and Interlock, including new entry vectors, stealth mechanisms, and extortion workflows.

How attackers reuse specific procedures across sectors, enabling earlier trending and higher-confidence detection engineering.

Where defenses most commonly break down and what organizations must prioritize to reduce residual risk.

"Strength will be measured by the adversary behaviors you can stop, and that starts with how attackers operate and the exact techniques they use," said Tidal Cyber CEO Rick Gordon. "This report gives CISOs, detection engineers, and threat hunters the behavioral clarity they've been missing and a defensible path to defensive resilience."

The Tidal Cyber 2025 Threat-Led Defense Report sets a new standard for Threat-Led Defense, offering a data-driven picture of operational behavior rooted in attacker action. As organizations face mounting pressure to demonstrate resilience, Tidal Cyber provides the only real threat-led defense platform capable of revealing the threats that matter most, mapping defenses to adversary behavior, and operationalizing intelligence at the procedure level.

The report is available today at www.tidalcyber.com.

Tidal Cyber enables organizations to implement Threat-Led Defense by aligning security programs to real adversary behavior. Through NARC, the industry-leading Procedures Library, Coverage Maps, Confidence Scores, and a comprehensive ATT&CK-aligned platform, Tidal Cyber empowers defenders to understand and reduce residual risk based on how attackers truly operate.

