The 12 Days of Christmas: 12 Security Lessons from 2025

As the year draws to a close, it’s a good moment to pause, reflect, and take stock.

2025 has been another busy year in security. New attack techniques, familiar weaknesses, and a growing gap between what organisations think they can see and what’s actually exposed.

In the spirit of the season, here are 12 security lessons from 2025, with one practical takeaway for each.

1. One attack surface is never just one
What looks like a single application almost always hides dozens of external dependencies.
If you only map what you built yourself, you are almost certainly missing what attackers see.

2. Two many tools doesn’t guarantee coverage
More tooling often means more noise, not better visibility.
It may be time for a tools audit to check whether your stack actually shows you what is exposed externally.

3. Three forgotten assets can undo months of hard work
Old domains, test environments, and legacy services remain prime entry points.
Regular asset discovery is one of the simplest ways to reduce real-world risk.

4. Four hours is too long to spot a real issue
Detection speed matters more than ever.
Ask how quickly you would notice a new exposed service or integration appearing today.

5. Five integrations you didn’t approve still exist
Shadow IT is no longer just an internal problem.
Third-party scripts and SaaS integrations should be treated as part of your attack surface.

6. Six-monthly scans no longer reflect reality
Environments change weekly, sometimes daily.
Security testing needs to match the pace of change, not audit calendars.

7. Seven compliance controls don’t equal security
Passing audits does not mean risk is under control.
Use compliance as a baseline, not as proof that threats are being managed.

8. Eight vulnerabilities matter more than eight thousand
Prioritisation consistently beats volume.
Focus first on exploitable, exposed issues rather than raw vulnerability counts.

9. Nine out of ten breaches still start externally
The perimeter has not disappeared; it has expanded.
External visibility remains one of the highest-leverage areas for improvement.

10. Ten alerts are worse than one clear signal
Alert fatigue continues to slow teams down.
Clear context about what changed and why matters more than another notification.

11. Eleven teams now share responsibility for security
Security is no longer owned by a single function.
Shared visibility helps technical and non-technical teams make better decisions.

12. Twelve months of change means constant adaptation
Attackers adapt quickly, and so must defenders.
Security programmes that evolve continuously outperform those that rely on static controls.

As we head into the festive break, we want to say a genuine thank you to our customers, partners, and the wider security community. Your feedback and challenges continue to shape how we think and what we build.

We’ll be back in the new year with exciting updates and a continued focus on helping organisations understand and reduce the risks that matter most.

Until then, we wish you a well-earned Christmas break and a secure start to the year ahead.

— The AppCheck Team


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).