For years, cybersecurity has focused on tools, tactics, and techniques. But the real shift has been economic. Cybercrime has quietly adopted the same model that transformed the software industry: everything-as-a-service, writes David Sancho, Senior Threat Researcher, TrendAI.
A decade ago, security software was something you installed once. Today, it is subscription-based, cloud-hosted, and continuously updated. The incentives are clear: recurring revenue for providers, convenience and reliability for users. Cybercrime followed the same path – but not just because it works. Because it had to.
From tools to managed operations
What began as standalone malware has evolved into a service-driven ecosystem. Infostealers, phishing kits, and ransomware are no longer just tools attackers configure and run. They are managed services designed to remove friction and scale operations. Take infostealers. Previously, an attacker had to configure malware, maintain infrastructure, and process stolen data manually. Today, that complexity is abstracted away. Payloads are updated continuously to evade detection. Infrastructure is handled centrally. Stolen data is presented through dashboards, ready to use.
Phishing has gone through the same transition. Hosted kits provide templates, infrastructure, and maintenance. The attacker’s role is reduced to distribution. Ransomware shows the same pattern in a different form. Affiliates handle access and deployment, while operators manage tooling, infrastructure, and negotiation. In some cases, affiliates receive only a minority share of the proceeds, reflecting the value of centralised expertise. This is what matters: the attack chain is fragmenting, and each part is being optimised.
A model under pressure
The motivating force behind this shift is not just convenience. It is pressure.
For years, credential theft was a volume business. Infect at scale, harvest credentials, resell them. That model still works, but it works less reliably than it used to. Multi-factor authentication has reduced the effectiveness of password-only compromise. Passkeys are starting to remove replay altogether. At the same time, log markets are saturated, and the value of generic credentials is declining.
Attackers are adapting. The focus is moving towards higher-value artefacts: session tokens, authentication cookies, and context-rich identity data. The shift is not in what is stolen. It is in how fast it is turned into usable access. That change rewards speed, prioritisation, and workflow efficiency. And it is exactly what service models are designed to deliver.
Lower barriers, faster scale
The immediate consequence is a collapse in the barrier to entry.
Attackers no longer need deep technical expertise. With minimal investment, they gain access to mature tooling, infrastructure, and support. In many cases, these services look indistinguishable from legitimate SaaS platforms: dashboards, updates, performance metrics. But the bigger impact is not accessibility. It is replication.
Once a technique works, it is packaged, distributed, and reused at scale. Innovation shifts from creating new attacks to optimising existing ones. The result is not necessarily more sophisticated attacks. It is more reliable ones: faster, more repeatable, and easier to scale.
From services to systems
The next step is already visible. As margins tighten and time-to-monetisation shrinks, these services are starting to connect into workflows. Collection, analysis, and monetisation are no longer separate stages. They are becoming a continuous process. Stolen data is triaged faster. Higher-value targets are prioritised earlier. Access is validated and used with minimal delay. The payload matters less than the workflow around it.
This is where the model changes again. Not just service-driven, but system-driven. Automation will accelerate this. Not by replacing attackers, but by removing friction between stages. Sorting logs, identifying valuable accounts, and preparing lures are increasingly streamlined by automation. The outcome is simple: less time between compromise and monetisation.
Scaling the “boring” attacks
For defenders, the risk is not new categories of attacks. It is the amplification of familiar ones.
Credential theft, phishing, and account takeover are not new. What has changed is how efficiently they can be executed. Attackers no longer need to break in. They log in. And they do it faster than before, using data that is already validated and ready to use. This makes fundamental controls more critical, not less. Identity and access management, multi-factor authentication, and behavioural monitoring are now the primary line of defence.
A strategic response
Defenders need to respond to this shift with a strategic shift of their own.
First, assume attackers have access to mature, well-supported services. That is the baseline. Second, prioritise visibility across identity, endpoint, and access activity. When attackers use legitimate credentials, detection depends on behaviour, not malware. Third, move faster. As the window between compromise and monetisation shrinks, delayed response becomes the main risk. Finally, reinforce fundamentals. The rise of service-driven cybercrime does not make basic security practices obsolete. It makes them unavoidable.
The real shift
Cybercrime has not just adopted a service model. It has adapted it under pressure. As traditional approaches lose efficiency, attackers are reorganising around speed, specialisation, and monetisation. The result is an ecosystem that behaves less like a collection of tools and more like a coordinated system. That’s the shift defenders are still underestimating. And as attack operations become systems, defenders will need similar systems-level thinking.




