The Anatomy of a Cyber World Global Report 2026 from Kaspersky Security Services outlines a global view of MDR and IR activity, with the CIS accounting for 34.7 percent of customers, the Middle East for 20.1 percent, and Europe for 18.6 percent. In 2025, the MDR infrastructure processed an average of 15,000 telemetry events per host per day, generating about 400,000 security alerts, of which 39,000 were investigated after filtering out false positives.
Incident statistics show government (18.5%) and industrial (16.6%) sectors as the most targeted for IR, while the IT sector saw growth in IR requests and rose to third place, ahead of financial organisations. The report notes that high-severity incidents have decreased since 2021, largely driven by APT attacks and red teaming, while attacks exploiting Microsoft products and vulnerabilities remain common.
Initial attack vectors are dominated by exploitation of public-facing applications, valid accounts and trusted relationships, which together account for more than 80% of attacks in 2025. The document also highlights widely used LOLBins and legitimate tools observed in high-severity incidents, such as powershell.exe, Mimikatz and PowerShell.