Now that we are well into 2025, cloud attacks are evolving faster than ever and artificial intelligence (AI) is both a weapon and a shield. As AI rapidly changes how enterprises innovate, security teams are now tasked with a triple burden:
- Secure AI embedded in every part of the business.
- Use AI to defend faster and smarter.
- Fight AI-powered threats that execute in minutes—or seconds.
Security is no longer about balancing speed and safety. In today’s cloud-native world, real-time, context-aware defense is a baseline expectation, not a competitive edge. The recent Sysdig Cloud Defense Report 2025 breaks down this tectonic shift. Below, we unpack its key insights for security practitioners aiming to stay ahead of an accelerating threat landscape.
AI: The Double-Edged Sword of Cloud Security
AI is transforming the security paradigm. It’s both empowering defenders while creating entirely new attack surfaces.
AI for Security: Fighting Fire with Fire
Attackers are automating faster. In campaigns like CRYSTALRAY, adversaries chain together open-source tools to perform reconnaissance, lateral movement, and credential harvesting. These attacks show a level of coordination and speed that would be impossible without automation. Security teams are responding in kind.
Tools like Sysdig Sage™, a fully integrated AI cloud security analyst, are driving mean time to respond down by 76%. More than half of Sysdig customers now use Sysdig Sage, with the software and business services sectors leading adoption.
Key ways security teams are leveraging AI include:
- Contextual enrichment: AI quickly correlates related events and aggregates data that makes alerts understandable.
- Summarization and deduplication: AI links alerts to previous incidents and helps focus on what’s relevant.
- Workflow automation: AI handles repetitive tasks like ticket creation, vulnerability analysis, and escalation logic.
- Decision acceleration: By acting as a tier-one analyst, AI allows human defenders to move faster and make informed decisions.
The lesson is simple: in a cloud world where attacks happen at machine speed, defense must be equally agile.
Security for AI: Protecting the New Digital Crown Jewels
But here’s the flip side: AI itself is now a prime target that needs to be protected. The Sysdig Threat Research Team has been identifying and reporting more attacks against LLMs and other AI tools since mid-2024. Sysdig observed a 500% surge in cloud workloads containing AI/ML packages in 2024, indicating massive adoption. However, a recent 25% decline suggests teams are buckling down on security and improving governance.
Recommendations to secure AI systems include securing APIs by authenticating and restricting access to public endpoints, hardening configurations by disabling open defaults like unauthenticated admin panels, enforcing least privilege to control root access and limit elevated permissions, monitoring for shadow AI through workload audits for unauthorized models and packages, and implementing data guardrails to filter prompts and outputs for sensitive information. The bottom line: AI requires the same level of rigor and protection as any other business-critical system, especially as it becomes deeply embedded across both customer-facing and back-end operations.
Runtime Security: No Longer Optional, But Foundational
Prevention may reign supreme, but in today’s cloud-native, ephemeral world, runtime visibility is your best shot at catching in motion that slips through the cracks.
The Case for Real-Time Threat Detection
Runtime detection isn’t just a defensive layer—it’s a strategic necessity in today’s cloud-native environments. With 60% of containers living for one minute or less and CI/CD pipelines emerging as high-value targets due to misconfigurations and insecure defaults, the window to detect and respond is incredibly narrow. Cloud attacks now unfold in 10 minutes or less, prompting the creation of the 555 Cloud Detection and Response Benchmark: a framework that guides security teams to detect threats in 5 seconds, investigate in 5 minutes, and respond within the next 5 minutes.
Why Runtime Context Matters
Traditional vulnerability scans bury teams under noise. But less than 6% of high and critical vulnerabilities are active in production. That means the rest are distractions.
Runtime insights help security teams:
- Prioritize real risks: Focus remediation on vulnerabilities loaded into memory.
- Reduce noise: Cut vulnerability lists by up to 99%.
- Collaborate better: Provide developers with clear, contextual remediation steps.
The CI/CD Pipeline: A Growing Target
CI/CD workflows sit at the heart of modern DevOps, enabling rapid, automated delivery. But in 2025, they’ve also emerged as an attractive and increasingly exploited attack surface. From repository compromises to misconfigured automation, attackers are finding creative ways to infiltrate build systems—often before code even reaches production.
Several high-impact vulnerabilities uncovered this year reveal just how exposed the CI/CD pipeline can be. These incidents serve as a wake-up call: your build system is part of your attack surface—and without real-time visibility, you might not spot an attack until it’s too late.
Tools like Falco and Falco Actions are helping defenders stay one step ahead by detecting threats as they execute, not after the damage is done.
Open Source: The Heart of Modern Security Innovation
Security has always been about community. Attackers share tools, and defenders must too. Open source tools now power much of the modern cloud defense strategy.
Falco has evolved from a basic intrusion detection system (IDS) into a powerful real-time detection engine, now supporting eBPF for deeper visibility into cloud-native environments, all with the support of the open source community. It integrates with tools like Falco Actions, Falcosidekick, and Falco Talon to provide broader control, automation, and workflow customization. This makes Falco especially valuable in regulated sectors such as finance, health care, and government, where self-hosted deployments and custom detection rules are critical for compliance and control.
The EU Data Act and the Rise of Sovereign Security
With regulations like the EU Data Act taking effect in September 2025, organizations are required to control and localize their data. Open source plays a critical role in meeting these requirements by enabling self-hosted deployments, offering transparent codebases for audit and compliance, and fostering community-driven innovation that supports trust and flexibility.
