If this year proved anything, it’s that breaches rarely break in loudly.
They spread quietly.
Across the incidents we’ve seen in 2025, the heavy damage didn’t come from the first compromise. It came from the movement that followed. The small hops between systems. The sideways shifts through identity gaps. The silent exploration of networks that nobody has looked at closely in years.
ENISA’s Threat Landscape 2025, published in October, backed this bluntly. Its incident review covering July 2024 to June 2025 showed internal propagation as one of the dominant behaviours behind major impact, especially in manufacturing, healthcare and public services. The entry point varied. The spread looked almost identical.

The pattern is clear by now.
Containment, not prevention, is deciding outcomes.
Why Agent-Based Segmentation Fell Behind This Year
Ten years ago you could assume most devices in your environment could run an agent. In 2025 that assumption is gone.
Hybrid work meant personal devices touched sensitive systems.
Cloud workloads changed by the hour.
OT environments rejected agents outright.
SaaS applications created whole pockets of activity no endpoint tool could see.
And contractor access spiked across every sector.
We saw too many organisations trying to segment an estate that had outgrown the model entirely.
The result: when a breach occurred, only part of the environment enforced the controls needed to slow it down. The rest behaved like open territory.
This isn’t about negligence.
It’s about tools designed for a world that no longer exists.
What Agentless Segmentation Achieved in Real Incidents
This year, the teams that controlled spread fastest had one thing in common.
Their segmentation didn’t depend on endpoint participation.
Agentless controls allowed them to enforce identity boundaries and network behaviour without waiting for device compatibility. They saw movement across the messy parts of the estate, not just the compliant zones.
When you run incident response in 2025, you notice the difference immediately.
The organisations using agentless segmentation didn’t just “reduce risk”.
They gave responders room to work.
Containment held long enough for decisions to be made with clarity instead of panic.
That is the operational value.
It isn’t theoretical.
It shows up directly in recovery times.
What “Legacy Segmentation” Actually Looked Like in 2025
Legacy segmentation wasn’t outdated hardware or old vendors.
It was segmentation that only existed as architecture.
Policies written years ago.
Rules that had drifted.
Zones created for diagrams, not behaviour.
This year we saw several incidents where internal movement bypassed “segmented” areas because the controls hadn’t been validated against the live estate for a long time.
Identity sprawl, forgotten service accounts and unmonitored network paths erased whatever the original design intended.
By contrast, the organisations that suffered the least internal damage had segmentation that was enforced continuously, not defined once.
2025 separated the theory from the function.
What Changed in the UK and Europe This Year
Across the UK and EU, the pressure to contain breaches grew for reasons that were bigger than compliance.
ENISA’s October 2025 report highlighted that internal propagation is now one of the most common accelerators of impact.
The NCSC’s 2025 annual review echoed the same theme, warning that too many organisations still underestimate post-compromise movement.
Several high-impact manufacturing incidents across the continent reinforced how quickly attackers could move between IT and OT when identity controls weren’t aligned.
These signals made one thing clear.
Segmentation is no longer a design aspiration.
It is a recovery necessity.
This shift didn’t come from frameworks.
It came from lived incidents.
Where Segmentation Held Up When It Mattered
Incident response exposes the truth of an organisation’s controls in ways a policy document never can.
The organisations that recovered best this year weren’t the ones with the neatest frameworks.
They were the ones with segmentation that held up under pressure.
This is what 2025 taught us.
Containment is no longer a security ambition.
It’s an operational requirement.
And going into 2026, the organisations that succeed will be the ones that build containment into the fabric of their estate, not the ones waiting for maturity to catch up.







