Cloud defenders are gaining ground as the cloud landscape comes into focus, with 92% of organizations operating without risky human users
Sysdig, the leader in real-time cloud security, released its “2025 Cloud-Native Security and Usage Report.” The company’s annual user analysis provides in-depth insights into real-world cloud security and usage trends, highlighting significant enterprise security progress while identifying key areas that demand urgent attention.
The report reveals that organizations of every size and industry across North America; Europe, the Middle East, and Africa; and the Asia-Pacific and Japan are making measurable strides in identity and vulnerability management, artificial intelligence (AI) security, and threat detection and response. However, as businesses scale AI adoption and cloud footprints, the growing risk and complexity of machine identities, container image bloat, and attacker automation introduce new hurdles for enterprise security.
“It has been fascinating to watch cloud security evolve since we started reporting on usage eight years ago. When we first looked at container life spans in 2019, half lasted at least five minutes – today, 60% live for one minute or less,” said Loris Degioanni, Sysdig Founder and CTO. “Given the short life span paired with how quickly attackers can move across cloud environments, I am encouraged to see defenders actively detecting and responding to threats in less than 10 minutes.”
Security Progress: Cloud Defenders are Gaining Ground
- AI adoption is on the rise, and security is a clear priority: Workloads using AI and machine learning packages grew by 500% over the last year, with the percentage of generative AI packages in use more than doubling. Despite this rapid adoption, public exposure decreased by 38%, signaling a strong commitment to secure AI implementations.
- Cloud threat detection and response is faster than ever: Mature security teams are detecting threats in under 5 seconds and initiating response actions within 3.5 minutes on average – outpacing the 10-minute cloud attack window that has historically given adversaries the upper hand. Achieving the 555 Cloud Detection and Response Benchmark isn’t just possible, it’s essential.
- Organizations are prioritizing real risk by reducing in-use vulnerabilities: In-use vulnerabilities have declined to less than 6%, reflecting a 64% improvement in vulnerability management over the past two years. This shift shows that organizations are refining their approach to fixing what matters most – vulnerabilities actively running in production workloads – and more effectively strengthening their overall security posture.
- Open source security has become the enterprise standard: Organizations across the globe are using open source tools, such as Kubernetes, Prometheus, and Falco – which is used by more than 60% of the Fortune 500 – to defend their cloud infrastructure, evidence of quickly growing trust in open source security standards.
Opportunities for the Year Ahead
- Machine identities vastly outnumber humans – and they’re more vulnerable: With 40,000 times more machine identities than human identities, the attack surface has expanded dramatically. Machine identities are also 7.5 times more risky, a dangerous liability given that nearly 40% of breaches start with credential exploitation.
- The majority of containers live for one minute or less, but attackers don’t need that long: For the first time, 60% of containers now live for 60 seconds or less. While ephemeral workloads enhance application agility, cloud adversaries automate their reconnaissance to instantly identify and exploit weaknesses. Real-time detection and response is more essential than ever.
- Container images are increasingly bloated, and that’s creating undue security risk: The size of container images has quintupled, introducing unnecessary security risks and operational inefficiencies. Larger images increase the attack surface and make deployments more expensive, emphasizing the need for more efficient containers.
- Attackers, too, leverage open source capabilities: While open source security tools have become foundational for organizations of all sizes, cybercriminals continue to rely on open source malware and weaponize open source software, a trend first documented in Sysdig’s “2024 Global Threat Year-in-Review.”
“Cybersecurity has long been an arms race between threat actors and defenders, but the battlefield is evolving,” said Crystal Morin, Sysdig Cybersecurity Strategist. “Organizations have made tremendous progress, and the fact that mature security teams can now respond to threats within minutes is a game-changer. But with machine identities multiplying and cloud environments evolving in real time, automation and rapid response have never been more mission-critical. The data in this report makes me optimistic about the future of cyberdefense.”