Cyberbasics — Episode 1: threat landscape
This article is the first episode of the cyberbasics series, dedicated to the fundamentals of software security, aimed at developers who are not security specialists, startups, and SMEs.
The goal: build a solid, pragmatic security culture, free of unnecessary jargon. Share real-world lessons and concrete actions.

Objective: raising awareness
Let's be honest — one of the first challenges in software security is convincing people to get started. From the director who does not understand the issues, to the manager or product owner who cannot prioritise security tasks, to developers who do not see the point: getting people to care about cybersecurity is a constant battle.
The first step towards security is awareness — always. And for that, nothing beats a good overview of the threat landscape.
Busting the first myth: "we're too small to be targeted"
This belief is becoming less common as cyber incidents make headlines, but it remains one of the most dangerous assumptions in information security. The reports we will look at in this article consistently show that small organisations are not less targeted — they are simply less prepared, which makes them prime targets for cybercriminals.
The threat landscape
Every year, ANSSI (the French National Cybersecurity Agency) publishes its Panorama de la cybermenace 2025 and ENISA (the European Union Agency for Cybersecurity) publishes its Threat Landscape 2025. These reports document how attacks are evolving at national and European scale. The major trends of recent years point to several strong signals:
Ransomware remains the dominant threat
Ransomware attacks continue to grow and affect every sector. SMEs are particularly vulnerable: they have less capacity to respond and more often end up paying the ransom.
Supply chain attacks have become prime targets
Attackers are increasingly interested in the tools and libraries used by developers. Compromising an npm package, an open source repository, or a build tool can potentially reach thousands of downstream projects in a single blow.
Social engineering has become industrialised
Phishing, CEO fraud, and identity impersonation have not gone away — they have scaled up and grown more sophisticated. Generative AI now makes it possible to produce convincing phishing messages at scale, in any language, tailored to each target.
APIs and cloud infrastructure are concentrating a growing share of incidents
As cloud computing and microservice architectures have become widespread, the internet-facing attack surface has exploded. Poorly protected API keys, misconfigured storage services, and deployment tokens committed to public repositories are documented attack vectors exploited every day.
Who attacks, and why?
ANSSI and ENISA reports identify several categories of attackers with very different motivations.
State-sponsored groups — APTs
Actors backed by states (Russia, China, North Korea, and Iran, primarily) carry out long-term espionage, sabotage, and destabilisation operations. These groups, known by the acronym APT (Advanced Persistent Threat), target mainly governments, Critical Infrastructure Operators, defence, energy, and essential services. For the vast majority of developers and SMEs, these actors are not the primary direct threat — unless you work in a strategic sector or for highly sensitive clients.
Organised cybercrime
This is the most universal threat. These groups are profit-driven and operate opportunistically: they look for the most accessible targets, not the most prestigious ones. Ransomware, data theft, financial fraud — everything is exploitable. A poorly protected SME can be just as attractive a target as a large enterprise if it is simpler to compromise.
Hacktivists
Motivated by political or ideological convictions, they prioritise visibility: website defacement, denial-of-service attacks, data leaks. Targets are chosen for their symbolic value rather than their financial worth.
The insider threat
Often underestimated: a malicious employee or contractor with excessive access, or simply an unintentional human error. ANSSI regularly highlights that insider threats — whether deliberate or accidental — account for a significant share of reported incidents.
Not all threats affect everyone equally
This is the central point of this article: there is no universal threat profile. What exposes a freelance developer is not what exposes a SaaS startup, which is not what exposes a web agency.
Size is a factor, but it is not the only one — nor even the most decisive. What matters more is what you hold (data, access, secrets) and how you are exposed. To illustrate this, here are four typical profiles and the threats most relevant to each.
The individual developer
Open source contributor, package maintainer, personal project developer. Their main exposure is often invisible: compromising their accounts (GitHub, npm, crates.io) can have a disproportionate impact on thousands of projects that depend on them. The supply chain starts here, at the scale of a single person — and this is clearly a prime target, particularly exposed to spear phishing and credential theft.
The SaaS startup
It hosts user data, integrates dozens of third-party services, and deploys continuously. Main risks: poorly managed secrets (API keys in code, tokens in logs), vulnerable dependencies, misconfigured cloud infrastructure. The pace of development creates security debt that creeps up unnoticed.
The sole developer in a non-tech SME
This is often the only person managing the company's entire IT infrastructure. The company stores sensitive data — HR, clients, accounting — without any formalised security policy. This is an ideal ransomware target: maximum operational impact, minimal response capacity.
The agency, IT services firm, or freelancer
They have access to the production environments of many clients. Compromising an agency can potentially yield simultaneous access to dozens of client environments. The damage multiplier is considerable, and these organisations are often targeted precisely for this reason.
Key takeaways
The threat is real, diverse, and not limited to large organisations. Small structures are targeted, often because they are more accessible. But security does not need to be complex to be effective — it starts with one simple question: what exactly do I need to protect, and from whom?
Answering that question is risk analysis. That will be the subject of the next article: understanding what we have to protect, identifying what could compromise it, and starting to prioritise our efforts — without a 500-page framework, just the essentials for structured thinking.
Further reading
Annual threat reports
- Panorama de la cybermenace 2025 — ANSSI — annual overview of the cyber threat in France (French)
- ENISA Threat Landscape 2025 — ENISA — European threat panorama
- Data Breach Investigations Report 2026 — Verizon — statistical analysis of thousands of real-world data breaches, by sector and attacker type
Attacker group databases
- MITRE ATT&CK — Groups — the global reference cataloguing known APT and cybercriminal groups, their tactics, techniques, and tools
- Google Cloud Threat Intelligence — Mandiant research on active APTs, malware, and zero-days
Incident and data breach tracking
- CERT-FR — security alerts and advisories published continuously by ANSSI (French)
- Bonjour la fuite — collaborative database of data breaches reported in France and internationally (French)
This article is part of the cyberbasics series, aimed at developers and small organisations who want to build a solid, pragmatic security posture.