Cyber Threat Update: What the HITRUST H2 2025 Analysis Means for Your Organization

Cyber threats continue to evolve at a rapid pace — and static security programs are struggling to keep up. The latest HITRUST CSF Threat & Mitigation Analysis for H2 2025 reinforces the importance of aligning your security and compliance program to real-world attack activity.

Key Highlights from H2 2025

Between July and December 2025, HITRUST analyzed:

  • 588,000+ threat indicators
  • 4,650 threat intelligence articles
  • 425 real-world breach reports
  • 46,000+ mappings to MITRE ATT&CK techniques

The results confirm that HITRUST’s e1, i1, and r2 assessments remain responsive to today’s most common and impactful attack methods.

The Most Common Attack Techniques

The top techniques observed during the period include:

  • Phishing (T1566): Still the dominant initial access vector, with AI-enabled spear phishing campaigns increasing in scale and sophistication.
  • Drive-By Compromise (T1189): Exploiting users through compromised or malicious websites.
  • Exploitation of Public-Facing Applications (T1190): Targeting internet-facing systems and web applications.
  • Exploitation of Remote Services (T1210): Leveraging unpatched remote access services for lateral movement.
  • Event-Triggered Execution (T1546): Establishing persistence through built-in system mechanisms.

Notably, the largest proportional growth was seen in:

  • External Remote Services (T1133)
  • Implant Internal Image (T1525)
  • Steal Web Session Cookie (T1539)

These trends continue to emphasize credential abuse, remote access exposure, and persistence as primary risk drivers.

What This Means for Your Organization

Based on the findings, organizations should prioritize:

  • Strengthening role-based security awareness training, particularly around phishing and AI-driven social engineering.
  • Maintaining disciplined vulnerability management and patching processes.
  • Deploying and actively monitoring anti-malware and endpoint detection tools.
  • Implementing strong network segmentation and IDS/IPS controls.
  • Enforcing multi-factor authentication (MFA) and privileged access governance.
  • Reducing attack surface through asset inventory management and protocol restrictions.

Why HITRUST’s Adaptive Model Matters

HITRUST’s Cyber Threat Adaptive (CTA) program continuously refines assessment requirements based on real-world intelligence and breach data.

Organizations certified under e1, i1, or r2 are not just meeting a static checklist — they are aligning their controls to active adversarial behavior.

This adaptive approach enhances assurance for customers, regulators, and stakeholders alike.

How Frazier & Deeter Can Help

At Frazier & Deeter, our team works alongside organizations to turn HITRUST certification into a strategic advantage — not just a compliance milestone.

We help clients:

  • Assess current readiness against evolving HITRUST requirements
  • Strengthen control environments to address emerging threat trends
  • Optimize remediation efforts for efficiency and impact
  • Align HITRUST with broader enterprise risk and governance strategies

If you are preparing for an upcoming e1, i1, or r2 assessment — or simply want to validate your current posture against today’s threat landscape — we welcome the opportunity to discuss how we can support your objectives.

Connect with our team to start the conversation.

Contributors

Kenny Yang, Director, Frazier & Deeter Advisory, LLC
