Press release
Feb
19

Over 1500% Increase in New, Unique Malware Highlights Growing Security Complexity, according to WatchGuard Biannual Threat Report

MSPs must shift from reactive security to proactive threat intelligence and unified protection

SEATTLE – February 19, 2026 – WatchGuard® Technologies, a global leader in unified cybersecurity for managed service providers (MSPs), today released the findings of its latest Internet Security Report, revealing a sharp acceleration in evasive and encrypted threats that demand a more proactive and unified security approach from MSPs.

Based on anonymized, aggregated threat intelligence from WatchGuard’s network security, endpoint, and DNS filtering products, the biannual report shows that attackers are increasing both the volume and sophistication of malware, exposing the limitations of reactive, signature-based defenses still common across customer environments.

In 2025, new malware increased every quarter, culminating in a 1,548% spike from Q3 to Q4 alone. At the same time, 23% of detected malware evaded traditional signature-based detection, effectively qualifying as zero-day threats and reinforcing the need for behavioral, AI-driven protection.

Key Findings Highlight Gaps in Traditional Security Models

The report reveals several trends with direct implications for MSPs:

  • Evasive malware is surging: With over 15 times more never-before-seen malware on the endpoint, threat actors are prioritizing new and obfuscated exploits designed to bypass static detection methods.
  • Encrypted delivery is now the norm: 96% of blocked malware was delivered over TLS, creating major visibility gaps for organizations that do not perform HTTPS inspection.
  • Endpoint techniques are evolving: Malicious scripts have been slowly dropping over the past year, as Windows binaries and living-off-the-land (LotL) tools have become the primary infection vectors, leveraging trusted processes to avoid detection.
  • Network threats remain persistent: While network-based exploits declined in H2 2025, the majority of detections continue to target long-standing vulnerabilities, particularly in modern web applications, reinforcing the need for layered network defenses such as intrusion prevention systems (IPS).

Attackers Refine Delivery and Monetization

The research also shows attackers improving how they deliver and profit from malware. During the second half of 2025, WatchGuard observed phishing campaigns that used malicious PowerShell scripts to stage Malware-as-a-Service tools, including remote access trojans, while deliberately evading automated file analysis.

Although overall ransomware activity declined 68.42% year over year, public extortion payments reached record levels, indicating a shift toward fewer, higher-value attacks. Cryptomining activity remains a popular, low-friction monetization method for attackers once access is established.

What This Means for MSPs

“Today’s threat landscape has outgrown point solutions and reactive security models,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “For MSPs, the business risk is especially high. Client breaches increase support costs, damage trust, and create a clear competitive disadvantage. The MSPs that will succeed in 2026 and beyond are those that can clearly demonstrate proactive threat intelligence and unified protection across their customers’ environments.”

The findings reinforce the need for modern defense strategies that combine advanced endpoint protection, detection, and response (EPDR), AI-driven threat detection, and continuous monitoring. As attacks become more persistent and complex, MSPs are increasingly positioned to differentiate by delivering 24/7 managed detection and response services that reduce risk while creating long-term customer value.

For a more in-depth view of WatchGuard’s research, download the complete Biannual Internet Security Report.

About WatchGuard Technologies, Inc.

WatchGuard Technologies is a global leader in unified cybersecurity, built specifically for managed service providers (MSPs). For more than 30 years, WatchGuard has defined how MSPs deliver security at scale, continually innovating to stay ahead of every major shift in the threat landscape.

WatchGuard’s AI-powered Unified Security Platform® delivers network, endpoint, and identity protection aligned with a zero trust approach in a single, integrated platform, enabling MSPs to reduce operational complexity, improve security outcomes, and grow their businesses more efficiently.

Trusted by more than 25,000 MSPs protecting more than 1.5 million customers around the world, WatchGuard enables partners to deliver consistent, measurable security outcomes for customers worldwide.

Learn more at WatchGuard.com/br, follow our profile on LinkedIn, or visit the WatchGuard Cybersecurity Hub for real-time threat information.

WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are the property of their respective owners.