Intel Node

From the field to the report and back again: How incident responders can use the Year in Review

Published 2026-04-09

The Year in Review distills Talos IR's observations into structured intelligence, but defenders should also be feeding this report back into their own preparation cycles. Here's how.

Every year, Cisco Talos publishes Year in Review, a comprehensive look at the previous year's threat landscape. It is drawn from an enormous volume of telemetry, such as endpoint detections, network traffic, email data, and boots-on-the-ground Cisco Talos Incident Response (Talos IR) engagements.

As incident responders, we see threats mid-detonation in the wreckage of an Active Directory environment, or in the lateral movement artifacts left behind by an affiliate who got in using nothing more than a valid account. The Year in Review distills those raw observations into structured intelligence, but that intelligence loop works both ways. The same report that our IR casework feeds into is the report that defenders should be feeding back into their own preparation cycles.

IR casework shapes the Year in Review, the Year in Review shapes your readiness

When Talos IR closes out an engagement with customers, the tactics, techniques, and procedures (TTPs) we observe through forensic work and analysis are catalogued, aggregated, and analyzed alongside broader Cisco telemetry.

When we track the emergence of a new exploit like React2Shell redefining attacker speed, or when we see Qilin rise to dominate the ransomware landscape while a few legacy groups maintain rare, sustained momentum, those shifts in the adversary ecosystem become the intelligence that informs what we are on the lookout for during the next investigation. When we observe patterns of behavior, they may form trend lines that span multiple years and reveal how the landscape is evolving.

For defenders, this means the Year in Review is not a theoretical document. It is a distillation of what actually happened to organizations we respond to, investigated by the people who were in the room when things broke down. Here are some suggestions on how to operationalize these findings.

Turning findings into tabletop scenarios

One of the most immediate and practical applications of Year in Review is raw material for tabletop exercises. The report hands you the adversary playbook.

For example, the 2024 Year in Review highlighted that identity-based attacks accounted for 60% of all Talos IR cases, with Active Directory being the focal point in 44% of those incidents.
