FIRST marks record growth in global cyber defence
The Forum of Incident Response and Security Teams reported record membership growth and an expanded programme of technical work and training during 2025, as the organisation stepped up its role in coordinated cyber defence.
The global association for incident response teams said its membership passed 820 teams across more than 110 countries. Members range from national computer emergency response teams to corporate groups at organisations such as CISA, Google, Airbus, Samsung, Standard Bank Group, ColCERT and the Australian Cyber Security Centre.
"At a time of rapidly expanding cyber threats, FIRST's growth reflects global trust, cooperation, and shared purpose," said Chris Gibson, CEO of FIRST.
Membership and SIGs
FIRST said more than 30 Special Interest Groups and a wider volunteer community produced new frameworks, publications and training programmes during the year. The work covered areas including threat detection, DNS abuse, ransomware response and cyber diplomacy.
The Thales CERT team launched a "Suspicious" framework under the FIRST umbrella. The framework offers a structured way for non-specialists and experienced investigators to assess risk in emails, files and other observables. It uses a hybrid scoring model that breaks down factors contributing to a judgement of suspicious activity.
The DNS Abuse Special Interest Group released detailed guidance for stakeholders. The document draws on the group's DNS Abuse Matrix and sets out definitions, example use cases and practical detection methods for different forms of DNS misuse.
The Multi-Stakeholder Ransomware Special Interest Group delivered its first TLP:CLEAR Ransomware Empowerment Training. The group designed the material for open sharing and for broad use across different types of organisations.
The Women of FIRST Special Interest Group worked with the UN Open-Ended Working Group on security in the use of information and communications technologies. The collaboration focused on participation and skills in global cyber policy.
FIRSTCON25 featured Special Interest Group leaders from domains including AI security, human factors and automation. They presented new and evolving frameworks that the organisation said are shaping its technical impact across the incident response community.
Research and scoring
FIRST-backed research projects continued alongside the community work. Analysts produced annual and quarterly Vulnerability Forecast Reports that examined patterns in software flaws and set out the trends they expect to influence vulnerability exposure in 2025.
The group also published an in-depth study of the Black Basta ransomware leak. The analysis described attacker behaviour, defensive lessons and suggested mitigation practices for organisations facing similar threats.
FIRST's Exploit Prediction Scoring System remained a central element of its technical work. EPSS estimates the likelihood that vulnerabilities will be exploited in the wild. The organisation said EPSS is now integrated with products such as Proofpoint's Satori and Microsoft Security Copilot. Users of those tools can apply EPSS data when they order their response to active threats.
Global capacity building
FIRST expanded its Community and Capacity Building initiatives during the year. Community Trainers, who are operational incident responders from around the world, ran more than 33 training sessions and workshops.
The Actioning Alerts and Advisories initiative formed part of this programme. The project received UK Government funding and worked with national CSIRTs in The Bahamas, Cameroon, Malawi and Trinidad & Tobago. The work included technical training, guidance on threat intelligence and mentoring on incident communications.
The Africa Regional Liaison Initiative continued its expansion through local partnerships. FIRST said it recently worked with the Shadowserver Foundation on a cyber drill and threat-intelligence training in Ghana. The exercise brought together more than 60 participants from 21 institutions. UK International Development supports the initiative as part of the Africa Cyber Programme.
FIRST CORE, which it developed with founding supporter Fortinet, also broadened its reach in 2025. The initiative focuses on the core requirements of incident responders and adapts its work based on feedback from the global community.
The organisation highlighted the role of close collaboration with regional partners in this work.
"These collaborations aren't plug-and-play," said Klée Aiken, Director of Community & Capacity Building, FIRST. "They're grounded in active listening, co-creation, and aligning to the real, on-the-ground priorities of CSIRTs everywhere."
Partnerships and strategy
FIRST said it has expanded partnerships with multilateral and international organisations. Partners include the World Bank, the Swiss Federal Department of Foreign Affairs, the Geneva Centre for Security Sector Governance, the International Telecommunication Union and the ICT4Peace Foundation.
These relationships sit alongside its work with national governments and private sector members. The organisation said this mix supports cross-border incident response and information sharing.
Looking ahead, FIRST set out priorities for 2026 and beyond. It plans to grow community capacity building with a focus on underrepresented regions. It also plans to deepen Special Interest Group work in areas such as AI security, threat hunting and ransomware, and to widen access to its events through more regional symposiums and virtual formats.
The group aims to refine funding structures that underpin its programmes and governance. It said these changes are intended to support long-term stability for its activities.
"By focusing on global recognition and trust, member value creation, development and education, becoming a source of expertise and information, and ensuring effective governance and financial resilience, FIRST can continue to advance its mission and support the evolving needs of the cybersecurity community," said Oliver Caleff, Chair of FIRST.
