Cloud Threats Retrospective 2026: What AI Changed (and What It Didn’t)

Insights from public incidents, cloud telemetry, and investigations into how cloud risk evolved in 2025

In our latest Cloud Threats Retrospective, we analyzed publicly documented cloud incidents alongside cloud telemetry and hands-on investigations. The findings show that many of the risks driving attacker activity remained familiar, even as the environments and conditions around them changed.

Proven Cloud Risk Paths Still Matter

Across the cloud incidents analyzed in 2025, the majority of initial access stemmed from well-known weaknesses, including vulnerabilities, exposed secrets, and misconfigurations. These entry points were not novel, but they remained highly effective, accounting for roughly 80% of documented cloud intrusions.

What changed was not the existence of these risks, but the environments in which they appeared and the speed at which they could be exploited.

Systemic Weaknesses Drove Broader Impact

Several of the most consequential incidents of the year showed how systemic weaknesses can amplify impact far beyond a single environment. When attackers gained access through shared infrastructure, trusted integrations, or widely used components, a single weakness could cascade across many organizations.

These incidents reinforced an important shift: understanding cloud risk now requires looking beyond individual assets to the relationships and dependencies that connect them.

AI Expanded Where Familiar Risks Appear

AI did not appear to introduce an entirely new class of cloud risk in 2025, but it expanded the cloud attack surface in meaningful ways. New AI services, pipelines, identities, and data paths increased the number of places where familiar issues such as misconfigurations or exposed credentials could emerge, often closer to sensitive data and high-value workloads.

As AI adoption accelerated, many organizations found themselves managing new components faster than security practices could fully adapt.

AI Supported Existing Attacker Workflows

In incidents analyzed by Wiz Research, AI was most often observed supporting and accelerating existing attacker behaviors, such as reconnaissance, automation, and post-access activity. These capabilities reduced friction and effort in certain stages of an intrusion, but they largely built on techniques defenders already recognize.

What This Means for Cloud Security Teams

The takeaway from 2025 is not that everything stayed the same. Rather, familiar risks, when combined with scale, shared trust, and AI-driven environments, can lead to dramatic security outcomes.

Security teams that maintain visibility into exposure, identities, and how risk propagates across cloud, development, and AI systems are better positioned to detect and disrupt attacker activity before it escalates.
