Modern cyberattacks rarely begin with a dramatic breach. More often, they start with a stolen identity, a trusted account, or a simple human mistake.
Bogdan Botezatu from Bitdefender explores how the cyber threat landscape has fundamentally changed and why many organizations are still defending against yesterday's risks. From identity-first attacks and operational resilience to vulnerability disclosure and intelligence-driven product innovation, he shares what it takes to build security strategies that are designed for today's realities, not yesterday's assumptions.
Cyber risk has changed from being mostly a technical problem to being a business continuity, legal, reputational, and operational risk. The most damaging attacks today are not always the most technically advanced. Many start with stolen credentials, exposed infrastructure, vulnerable software, compromised third parties, or an employee being manipulated into doing something that looks routine.
The main shift is speed and scale. Attackers industrialized the process by using automation, malware-as-a-service, initial access brokers, AI-assisted social engineering, and highly specialized criminal supply chains. A company may be targeted by a ransomware group, but the intrusion may have started weeks earlier with an infostealer infection on a contractor’s laptop or credentials bought on an underground market.
Are businesses keeping pace? Some are, but many are still treating cybersecurity as a procurement exercise. Buying tools is not the same thing as reducing risk. The organizations that are keeping pace are the ones that connect security to business impact, measure exposure continuously, and assume that prevention, detection, response, and recovery all matter. The ones falling behind are still trying to solve current threats with annual audits, static policies, and a SOC team drowning in alerts.
The biggest blocker is not always the technology, but fragmentation. Many organizations have too many tools, too little integration, unclear ownership, and no operational discipline around the basics. They collect alerts but do not always convert them into decisions. They buy detection but do not improve response. They deploy controls but leave exceptions everywhere until the exceptions become the policy.
There is also a gap between executive intent and operational reality. The board may understand that cyber risk matters, but the security team still has to fight for patching windows, asset visibility, identity hygiene, endpoint coverage, and user education.
Real resilience comes from reducing complexity, knowing what assets and identities exist, enforcing least privilege, testing response plans, and making security part of everyday operations. Technology matters, but without process, accountability, and measurable outcomes, it becomes expensive furniture.
One of the most important patterns is the growing role of identity as the entry point. Attackers increasingly prefer to log in rather than break in. Infostealers, phishing kits, session cookie theft, MFA fatigue, and compromised business accounts are all part of the same trend: valid credentials are becoming one of the most valuable assets in the criminal economy.
We are also seeing more blending between cybercrime categories that used to be treated separately. Scam operations, malware distribution, fake advertising, compromised social media accounts, malicious browser extensions, and ransomware access markets are increasingly connected. A consumer infected with an infostealer can become the first step in a corporate compromise. A fake ad campaign can become a credential harvesting operation. A compromised account can be reused for scams, malware, or business email compromise (BEC).
Another area that deserves attention is the abuse of legitimate tools and services. Attackers use trusted platforms, remote management tools, cloud infrastructure, collaboration apps, and built-in operating system utilities because this helps them hide in normal activity. Security leaders need to stop thinking only in terms of malware and start paying closer attention to behavior, identity, command chains, and business context.
The useful conversation is not “we saw a new threat, let’s add a new feature.” The useful conversation is “what does this threat tell us about where customers are exposed, where controls fail, and where attackers are getting leverage?”
Threat research gives us the adversary view: how attacks actually work, what infrastructure they use, how they adapt, and where they make money. Vulnerability disclosure shows us where technology and process break down before criminals weaponize it at scale. Market intelligence adds the customer reality: budget constraints, skills shortages, compliance pressure, operational friction, and the fact that not every organization has a large security team.
Product innovation happens when those three views meet. The goal is to turn intelligence into protection that is practical: fewer blind spots, better prevention, stronger detection, faster investigation, clearer prioritization, and controls that customers can actually deploy without breaking the business. The best security products do not just know what attackers are doing. They help customers act on that knowledge before the incident becomes a headline.
Research discoveries are not just published for awareness. They feed directly into protection. When researchers uncover a campaign, they identify infrastructure, tools, malware behaviors, command-and-control patterns, exploitation methods, victimology, and attacker tradecraft. That intelligence can become detections, blocking rules, behavioral models, indicators of compromise, hardening recommendations, and product improvements.
This is especially important because attackers reuse ideas even when they change tools. A specific domain or file hash may disappear quickly, but the behavior often persists. The real value is learning how the adversary operates, not just naming the campaign.
For customers, this means research becomes earlier detection, better prevention, and more relevant response guidance. It also helps product teams understand where protections need to evolve: endpoint hardening, identity protection, cloud detection, scam prevention, vulnerability prioritization, or managed detection and response. Good research should make the customer harder to compromise.
Expectations are rising, and that is a good thing. Customers, regulators, researchers, and partners increasingly expect vulnerability disclosure to be clear, timely, and actionable. The old approach of minimizing details or treating disclosure as a public relations inconvenience has never brought any real value. Trust depends on transparency, especially when vulnerable technology is embedded across supply chains.
Responsible disclosure is also becoming more operational. It is not enough to assign an identifier and publish a note. Organizations need to explain impact, affected versions, mitigations, timelines, and practical remediation steps. They also need mature relationships with researchers, because researchers are often the first people to find problems that would otherwise remain unaddressed.
At the same time, disclosure has to be handled carefully. Too little information leaves defenders exposed. Too much operational detail too early can help attackers. The industry needs balance: coordinated timelines, accurate technical information, and a bias toward helping defenders act quickly.
Cybercriminals are brutally pragmatic. They test constantly, abandon what does not work, reuse what does, and optimize for outcomes. They do not care about organizational charts, legacy processes, or whether a technique is fashionable. If phishing works, they use phishing. If stolen credentials work better, they buy credentials. If fake ads produce victims, they scale fake ads. It is ugly, but it is efficient.
Organizations should borrow that operational mindset. Test assumptions continuously. Measure what actually reduces risk. Kill controls that exist only for theater. Fix the paths attackers actually use, not just the ones that look good in a strategy deck.
The most useful habit is fast feedback. Criminal groups learn from every failed campaign and every successful compromise. Defenders need the same discipline: run exercises, review incidents honestly, tune controls, close gaps, and adapt faster. Cybersecurity is not won through perfect plans, but through iteration, evidence, and the willingness to fix boring problems before attackers turn them into expensive ones.
Bogdan leads Bitdefender's threat research and reporting unit, hunting and documenting nation-state operations, cyber-espionage campaigns, and advanced malware. With 18 years at Bitdefender, he is a recognized authority on emerging attack techniques and frequently speaks at major industry conferences including Black Hat and DEFCON.
Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumer, enterprise, and government environments, Bitdefender is one of the industry’s most trusted experts for eliminating threats, protecting privacy, digital identity, and data, and enabling cyber resilience.
With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioral analytics, and artificial intelligence, and its technology is licensed by more than 180 of the world’s most recognized technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world.
Learn more at bitdefender.com