FIRST Reports Record Growth and Expanding Global Impact

December 10, 2025 - The Forum of Incident Response and Security Teams (FIRST) today announced a milestone year of expansion and innovation, reinforcing its role in strengthening global cyber resilience.

In 2025, FIRST achieved record-breaking growth, advanced technical collaboration, and delivered practical tools and actionable resources for the broader security community.

Expanding Global Community

FIRST membership surpassed 820 teams across more than 110 countries, representing organizations from national CERTs to multinational enterprises including CISA, Google, Airbus, Samsung, Standard Bank Group, ColCERT, and the Australian Cyber Security Centre.

“At a time of rapidly expanding cyber threats, FIRST’s growth reflects global trust, cooperation, and shared purpose,” said Chris Gibson, CEO of FIRST.

Member-Led Innovation

FIRST’s 30+ Special Interest Groups (SIGs) and volunteer community produced high-impact resources, publications and training programs. Highlights include:

• Threat Detection & Scoring: The newly launched “Suspicious” framework by Thales CERT helps both non-experts and skilled investigators assess the risk of emails, files, and observables using a hybrid scoring model.
• DNS Abuse Guidance: The DNS Abuse SIG published comprehensive stakeholder advice rooted in its DNS Abuse Matrix including definitions, use cases, and actionable detection strategies.
• Ransomware Training: FIRST’s Multi-Stakeholder Ransomware (MSR) SIG released its first TLP:CLEAR Ransomware Empowerment Training, designed to widen access and raise baseline response capability globally.
• Cyber diplomacy: The Women of FIRST SIG partnered with the UN Cyber OEWG to advance participation and capacity in global cyber policy.
• Conference Innovation: At FIRSTCON25, SIG leaders from domains including AI security, human factors, and automation showcased evolving frameworks that drive the organization’s technical impacts.

Research and Frameworks

FIRST-supported research advanced global threat understanding through:

• Vulnerability Forecasting: Annual and quarterly Vulnerability Forecast Reports that identified the trends expected to drive vulnerabilities in 2025.
• Ransomware Insights: A detailed analysis of the Black Basta ransomware leak, offering attacker insights, defensive takeaways, and recommended mitigation practices.
• Applied Scoring Frameworks: FIRST’s Exploit Prediction Scoring System (EPSS) continues to power new defensive capabilities, including a recent integration with Proofpoint's Satori and Microsoft Security Copilot to help defenders prioritize active threats.

Building Capacity Worldwide

FIRST’s Community & Capacity Building (CCB) initiatives scaled significantly in 2025. FIRST Community Trainers, operational incident responders from across the globe, delivered over 33 trainings and workshops in 2025.

Highlights include:

• The Actioning Alerts & Advisories (A4) Initiative, funded by the UK Government, partnered directly with national CSIRTs in The Bahamas, Cameroon, Malawi, and Trinidad & Tobago, delivering technical training, threat-intel guidance, and communications mentorship in-country.
• FIRST's Africa Regional Liaison Initiative continued to leverage local partnerships to grow its impact. Most recently, the team partnered with the Shadowserver Foundation to deliver a cyber drill and threat-intelligence training in Ghana, bringing together over 60 participants from 21 institutions. The initiative is supported by UK International Development as part of the Africa Cyber Program.
• FIRST CORE, a foundational initiative launched with founding CORE supporter Fortinet, is expanding its impact by directly responding to the needs of the global incident response community.

“These collaborations aren’t plug-and-play,” said Klée Aiken, Director of Community & Capacity Building, FIRST. “They’re grounded in active listening, co-creation, and aligning to the real, on-the-ground priorities of CSIRTs everywhere.”

Additional strategic partnerships with the World Bank, Swiss Federal Department of Foreign Affairs (FDFA), Geneva Centre for Security Sector Governance (DCAF), International Telecommunication Union (ITU), ICT4Peace Foundation, and others continue to expand FIRST's reach.

Looking Ahead

FIRST’s priorities for 2026 and beyond include:

• Scaling community capacity building, particularly in underrepresented regions
• Deepening SIG-led innovation in areas like AI security, threat hunting, and ransomware
• Expanding global event access via regional symposiums and virtual formats
• Strengthening strategic funding models to ensure long-term sustainability

“By focusing on global recognition and trust, member value creation, development and education, becoming a source of expertise and information, and ensuring effective governance and financial resilience, FIRST can continue to advance its mission and support the evolving needs of the cybersecurity community,” said Oliver Caleff, Chair of FIRST.

FIRST’S 2025 - 2028 strategic plan is available at: https://www.first.org/about/strategy/2025-2028

Also available in PDF

---

Issued on behalf of FIRST. For further information, please contact FIRST Press.

About FIRST

FIRST aspires to bring together incident response and security teams from every country across the world to ensure a safe internet for all. Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from more than 800 corporations, government bodies, universities and other institutions across 110 countries in the Americas, Asia, Europe, Africa, and Oceania. For more information and to see the full calendar of events, visit: FIRST.Org.

Connect with FIRST on social media via BlueSky, GitHub, LinkedIn, Mastodon, Meta, X and YouTube.