
What 2025 Taught Us About Cybersecurity in High-Risk Industries

  • Writer: Sekurno
  • 10 hours ago

Cybersecurity no longer sits quietly in the background for high-risk industries. Over the past year, it has increasingly shaped trust, partnerships, and whether organisations can move forward with confidence.


What stood out most in 2025 wasn’t the emergence of new classes of vulnerabilities. It was the gradual failure of assumptions that many teams were still relying on. Systems evolved, platforms scaled, and data sensitivity increased, while security models often stayed largely the same.


Much of our work this year took place inside live environments at critical moments. Audits, commercial partnerships, regulatory reviews, and funding discussions were already underway. The issues we encountered weren’t abstract trends or theoretical risks. They were concrete weaknesses discovered when the margin for error was already narrow.


Across biotech, AI, and other data-driven sectors, the same patterns surfaced again and again. Different companies, different stacks, similar failure points.


The observations below reflect what we repeatedly saw in practice throughout 2025.



What We Kept Seeing in 2025

Credential exposure remains the most reliable way in

Leaked API keys, CI/CD credentials, and forgotten test accounts were still the most common entry points we observed. In most cases, this wasn’t about attacker sophistication. It was basic hygiene quietly eroding as systems evolved.


Unmanaged assets quietly expanded the attack surface

Across many environments, teams no longer had a complete view of what was internet-exposed. Legacy services, temporary research infrastructure, forgotten subdomains, and proof-of-concept deployments frequently sat outside any formal asset inventory. These “unknown” assets often lacked monitoring, patching, or ownership, making them easy targets before any exploit sophistication was required.


Cloud misconfigurations continue to amplify risk quickly

Over-permissive IAM roles, exposed storage, and weak service-to-service authentication appeared frequently, particularly in fast-moving research, AI, and data platforms. Small missteps compounded into material exposure.


Compliance helps, but it doesn’t equal security

Frameworks such as ISO 27001, SOC 2, HIPAA, MDR, and IVDR provided useful structure. Several teams we worked with were technically “compliant” while still one leaked credential away from a material incident. Teams that paired compliance with real testing had a far clearer view of what could actually go wrong.


GenAI adoption outpaced most security programs

Many teams shipped AI capabilities before fully mapping data exposure paths, access controls, or model interaction risks. These gaps didn’t always surface immediately, but they are becoming harder to ignore.



What We Published This Year

This year, we focused less on volume and more on documenting the patterns we were repeatedly seeing across high-risk environments.


Original research on biotech security posture

We published the Biotech Cybersecurity Report 2025, based on an analysis of 50 biotech platforms. The report highlights recurring weaknesses, including insecure APIs, leaked credentials, outdated services, and cloud misconfigurations, and shows how small, systemic gaps compound into serious risk.


Incident analysis with broader implications

Our deep dive into the 23andMe breach examined how credential abuse and architectural assumptions combined to produce large-scale exposure, and why similar conditions still exist across much of the genomics ecosystem.


Technical and regulatory guidance grounded in real-world security

We also published detailed analysis on cloud and AI security, penetration testing in biotech environments, and practical guidance mapping HIPAA, ISO 27001, MDR, IVDR, and FDA cybersecurity expectations to real attack paths, not just audit checklists.


This work includes hands-on compliance self-assessment checklists and supporting tools designed to help teams evaluate real security posture beyond documentation and communicate that work clearly to partners, customers, and stakeholders.



Client Highlights

This year, we worked with biotech, healthtech, and AI-driven teams at points where security outcomes directly influenced audits, partnerships, and commercial decisions.


Across engagements, the work consistently centred on one question: Where does theoretical security break down under real-world conditions?


In practice, that meant:


  • Tracing concrete attack paths across cloud infrastructure, APIs, and identity systems

  • Validating whether “secure by design” assumptions still held as systems evolved

  • Expanding testing as platforms scaled and data sensitivity increased


In more than one engagement, the most material risk wasn’t a zero-day or advanced exploit. It was a credential no one realised was still valid, an integration quietly bypassing intended controls, or a cloud permission that had expanded without visibility.


The teams that made the most progress treated security as a continuous engineering and risk discipline, not a milestone to clear for an audit or deal.



A New Step in How Clients Demonstrate Security

We introduced Sekurno Client Attestation Badges after repeatedly seeing teams struggle to communicate real security work to partners who were tired of generic claims and checkbox language.

Each badge links to a hosted attestation page that records completed security work, its scope, and its validity period following a Sekurno-led security engagement.


These badges make security verifiable in conversations where trust, partnerships, or regulatory scrutiny matter.


We’ve already seen this used in practice by teams such as Kaunt, OASYS NOW, and Zeno. If you’re interested in requesting an attestation badge following a completed engagement, you can contact us.


Looking Ahead

Heading into 2026, a few shifts are becoming clearer:

  • Scrutiny is moving beyond certifications toward evidence of real-world security

  • Continuous exposure monitoring is becoming more relevant than point-in-time reviews

  • GenAI security is increasingly a leadership- and board-level concern


For organisations handling sensitive data, expectations are likely to keep rising, often quietly and without much warning.



A Question to Close the Year

We’d genuinely value your perspective:


What security assumption did you hold at the start of 2025 that you’re less confident about now?

You’re welcome to share your thoughts in the discussion on LinkedIn. Thank you to our clients, partners, and readers for the trust and thoughtful collaboration this year. We look forward to continuing the work in 2026.
