In 2025, over 14 zero-day vulnerabilities were observed in edge devices such as routers, firewalls and VPN gateways — a vulnerability profile that, according to a Team Cymru analyst, helps explain why nation-state groups have so often been able to embed themselves in the U.S. defense industrial base for extended periods.
Stephen Campbell of Team Cymru on reconnaissance and pre‑positioning
Stephen Campbell, senior threat intelligence advisor at Team Cymru, argued in an April 29 article that several notorious state-backed cyber espionage groups have shifted toward far greater investment in reconnaissance and pre‑positioning operations. Campbell named specific units — China’s Volt and Salt Typhoon, Russia’s Fancy Bear (aka GRU Unit 26165), and Iran’s UNC1549 — and emphasized that their campaigns increasingly focus on preparing the “battlefield” in cyberspace rather than quick, noisy attacks.
“Volt Typhoon is a clear example. They maintained access to US critical infrastructure for over five years before it was publicly disclosed. This is not an attack. It is intelligence preparation of the battlefield, carried out in cyberspace,” Campbell wrote.
Edge infrastructure as the primary entry point
Campbell singled out edge infrastructure — internet routers, firewalls and VPN gateways — as the primary entry point relied upon by these nation‑state units. He noted that the profile of observed activity in 2025 included over 14 zero‑day vulnerabilities in such devices, and that telemetry from edge infrastructure often shows these devices communicating with previously unseen or short‑lived external infrastructure “often before those endpoints are publicly identified as malicious.”
That mix — vulnerable edge gear, zero‑days, and early, low‑visibility communications — is central to Campbell’s explanation for why intrusions can persist for years without triggering traditional detections.
Living‑off‑the‑land techniques and legitimate services
Campbell also highlighted a shift in adversary tradecraft away from custom malware toward “native system tools,” an approach he described as living‑off‑the‑land (LOTL). Because LOTL techniques make fewer endpoint alerts, Campbell argued network‑level monitoring becomes “critical” since network telemetry often contains the “only observable indicators.”
He added that nation‑state actors are increasingly making use of legitimate cloud platforms, code repositories and commercial virtual private server (VPS) providers rather than relying solely on clearly malicious servers, a tactic that makes attack traffic resemble routine enterprise usage and complicates detection efforts.
Small and mid‑size defense contractors: the telemetry gap
Campbell noted that about 80% of the U.S. defense industrial base is composed of small and mid‑size contractors. These firms “hold sensitive data. Contracts, technical specifications and personnel information tied to clearances,” yet many “are not resourced to defend at the same level as the primes,” creating what he called “a mismatch” between the sensitivity of the holdings and the level of protection.
Specifically, Campbell said many small defense firms are less likely to have robust endpoint detection capabilities and strict edge device patching policies, meaning those devices “can fall outside the scope of regular security monitoring.” This gap, when combined with edge‑focused targeting and LOTL tradecraft, is the core of his concern.
Recommended mitigations for small contractors
To address the structural gap, Campbell recommended a set of network‑centric controls and practices aimed at detecting pre‑positioning and constraining adversary movement. His recommendations include prioritizing network telemetry through NetFlow pattern recognition on edge devices and conducting infrastructure mapping to expose anomalous connections; hardening infrastructure with immediate patching and segmentation; and actively hunting for pre‑positioning by tracking anomalous DNS activity and lateral movement.
What this means for technologists, procurement leaders, and prime contractors
- Technologists and security teams: Expect to prioritize network telemetry and NetFlow‑style pattern recognition on edge devices, and to hunt for anomalous DNS and lateral movement as part of detection strategies.
- Procurement leaders at small and mid‑size contractors: The mismatch Campbell describes implies concrete choices on resourcing — investing in edge patching, segmentation and telemetry capabilities where previously endpoint tools alone might have been considered sufficient.
- Prime contractors and system integrators: Given that roughly 80% of the defense industrial base is made up of smaller firms, primes will need to account for downstream telemetry gaps when assessing supply‑chain risk and must consider whether and how to require or assist with NetFlow monitoring and edge hardening.
Campbell’s findings and prescriptions frame a clear operational focus: because edge devices have been a repeated target and because nation‑state actors are adopting quieter, network‑centric tradecraft, small defense contractors that lack network telemetry are at risk of long‑term compromise. The policy and procurement choices that follow — prioritizing edge patching, segmentation, and NetFlow analytics — are the practical next steps he outlines to close that gap.




