Tibor Kiss

At Next ’25, we introduced several new innovations within BigQuery, the autonomous data to AI platform. BigQuery ML provides a full range of AI and ML capabilities, enabling you to easily build generative AI and predictive ML applications with BigQuery. The new AI and ML capabilities from BigQuery ML include: 

• a new state-of-the-art pre-trained forecasting model (TimesFM) which drastically simplifies forecasting problems

• support for generating or extracting structured data with large language models (LLMs)

• a set of new row-wise inference functions enabling you to mix gen AI processing with standard SQL

• expanded model choice with Gemini and OSS models

• the general availability of the Contribution Analysis feature, useful for explaining changes in your business metrics

Let us explore these new capabilities.

1. TimesFM forecasting model in BigQuery

Accurate time series forecasting is essential for many business scenarios such as planning, supply chain management, and resource allocation. BigQuery now embeds TimesFM, a state-of-the-art (SOTA) pre-trained model from Google Research, enabling powerful forecasting via the simple AI.FORECAST function. Trained on over 100 billion real-world time-points, TimesFM provides impressive zero-shot forecasting accuracy across various real world domains and at different granularities without requiring you to train or tune on your data. 

Key benefits of TimesFM in BigQuery include:

• Managed and scalable: A fully managed, highly scalable forecasting engine within BigQuery.

• Easy forecasting: Generate forecasts for one or millions of time series in a single query – no model training required.

Here’s a basic example of creating a forecast using the new AI.FORECAST function with TimesFM: 

SQL

SELECT * FROM AI.FORECAST(
  TABLE dataset.table,
  data_col => "data",
  timestamp_col => "timestamp",
  model => "TimesFM 2.0",
  horizon => 30
)

This query forecasts the “data” column for the next 30 time units, using “timestamp” as the time identifier. Please see the documentation for more details.

2. Structured data extraction and generation with LLMs

Extracting structured information consistently from unstructured data such as customer reviews, emails, logs etc. can be complex. BigQuery’s new AI.GENERATE_TABLE function simplifies structured data extraction/generation using the constrained decoding capabilities of LLMs. This function takes a model, a table of input data and an output_schema as inputs and outputs a table whose schema is determined by the output_schema parameter.

Here’s how you can use AI.GENERATE_TABLE: 

SQL

SELECT * FROM AI.GENERATE_TABLE(
  MODEL project_id.dataset.model,
  (SELECT medical_transcripts as prompt from table),
  STRUCT("age INT64, medications ARRAY<STRING>" AS output_schema)
)

In this example, the output table has ‘age’ and ‘medications’ columns — no complex parsing required. The output is written as a BigQuery temporary table. To materialize the results to a permanent table, the above query can be used in a DDL statement:

CREATE TABLE project_id.dataset.my_structured_table
AS <AI.GENERATE_TABLE subquery>

Please see the documentation for more details.

3. Row-wise (Scalar) LLM functions

The first wave of BigQuery’s LLM functions focused on table-valued functions (TVFs) that output entire tables. We are now introducing row-wise AI functions for LLM inference for more flexible and expressive data manipulation and analysis. These scalar functions enhance the usability of LLMs within BigQuery, as they can be used anywhere a value is needed, such as in SELECT, WHERE, JOIN, and GROUP BY clauses. Let’s go though some of the capabilities we are adding: a) Basic text generation with AI.GENERATE

First, let’s see how the new AI.GENERATE() can be used for convenient row-wise LLM inference:

SELECT
  city,
  AI.GENERATE(
    ('Give a short, one sentence description of ', city),
    connection_id => 'us.test_connection',
    endpoint => 'gemini-2.0-flash').result
FROM mydataset.cities;

b) Structured output with AI.GENERATE

In addition, the structured output generation capabilities introduced above also extend to row-wise AI functions. In this example, the query generates state capitals for a list of states, using the output_schema argument to set two custom fields in the output struct — state and capital:

SQL

SELECT
  state,
  AI.GENERATE(
    ('What is the capital of ', state, '?'),
    connection_id => 'us.example_connection',
    endpoint => 'gemini-2.0-flash',
    output_schema => 'state STRING, capital STRING').capital
FROM mydataset.states;

c) Type-specific functions (e.g., AI.GENERATE_BOOL)

For common tasks requiring specific data types like boolean, integer, or float, BigQuery now offers simple, type-specific functions. For instance, you can use AI.GENERATE_BOOL for classification or validation tasks:

SQL

SELECT city.name, AI.GENERATE_BOOL(
  ("Is", city.name, "in the state of WA?"),
  connection_id => "us.example_connection",
  endpoint => 'gemini-2.0-flash').result
FROM city

Additional type-specific functions, namely AI.GENERATE_INT and AI.GENERATE_DOUBLE, are also available for generating integer and floating-point results. Please see the documentation for more details.

4. Expanded model choice: Gemini, OSS and third-party

BigQuery ML allows you to use LLMs to perform tasks such as entity extraction, sentiment analysis, translation, text generation, and more on your data using familiar SQL syntax. In addition to first-party Gemini models, BigQuery supports inference with open-source and third-party models, which comes in two flavors:

• Customer-managed endpoints for open source models (previously announced): You can host any open source model of your choice on a Vertex AI Model Garden endpoint and then use it from BigQuery.

• Model as a service integrations: Access fully managed model endpoints directly through BigQuery. This already included models like Anthropic’s Claude, and we are excited to announce newly added support for Llama and Mistral models, further expanding model choice available to developers.

5. Contribution analysis now generally available

Businesses constantly need to answer questions like “Why did our sales drop last month?” or ” For what user, device, demographics combination was our marketing campaign most effective?” Answering these “why” questions accurately is vital, but often involves complex manual analysis. The BigQuery contribution analysis feature automates this analysis and helps you pinpoint the key factors (or combinations of factors) responsible for the most significant changes in a metric between the control and test groups you define. 

Now generally available, the BigQuery ML contribution analysis release includes enhancements focused on improved interpretability and performance, including: 

• A new summable by category metric to analyze the sum of a numerical measure of interest normalized by a categorical variable

• Top-K Insights by Apriori Support option to automatically fetch k insights with the largest segment size

• A redundant insight pruning option, which improves result readability by returning only unique insights 

Let’s say you want to understand what drove changes in the average sales per user across various vendors and payment types between the control and test data. To answer this with a contribution analysis model, you tell BigQuery which factors (dimensions) to investigate (dimension_id_cols), what metric you care about (contribution_metric), and which column identifies your test/control groups (is_test_col).

SQL

-- Define the contribution analysis task

CREATE MODEL bqml_tutorial.contribution_analysis_model
OPTIONS (
    model_type = 'CONTRIBUTION_ANALYSIS',
    dimension_id_cols = ['vendor', 'month', 'payment_type'],
    contribution_metric = 'sum(sales)/count(distinct user_id)',
    is_test_col = 'is_test_col',
    top_k_insights_by_apriori_support = 25,
    pruning_method = 'PRUNE_REDUNDANT_INSIGHTS'
) AS
SELECT * FROM dataset.input_data;

Once the model is created, you can use a SQL query like the following to generate insights:

SELECT * FROM ML.GET_INSIGHTS (MODEL bqml_tutorial.contribution_analysis_model);

BigQuery returns a prioritized list showing which combinations of factors (e.g., “Users paying via Amex Credit Card from Vendor”) had the most significant impact on the average sales per user between your control and test groups.

Bring AI into your data

The latest BigQuery ML updates bring powerful AI/ML capabilities directly into your data workflows. Between forecasting with TimesFM, automated root-cause analysis with contribution analysis, flexible row-wise LLM functions, streamlined structured data generation, and expanded model choice, you can move faster from data to insights and impactful outcomes. 

You can also view the Next ‘25 breakout session, including a demo showcasing these capabilities.

AI is fundamentally transforming the compute landscape, demanding unprecedented advances in data center infrastructure. At Google, we believe that physical infrastructure — the power, cooling, and mechanical systems that underpin everything — isn’t just important, but critical to AI’s continued scaling. 

We have a long-standing partnership with the Open Compute Project (OCP) that has been instrumental in driving industry collaboration and open innovation in infrastructure. At the 2025 OCP EMEA Summit today, we discussed the power delivery transformation from 48 volts direct current (VDC) to the new +/-400 VDC, which will enable IT racks to scale from 100 kilowatts up to 1 megawatt. We also shared that we’ll contribute our fifth-generation cooling distribution unit, Project Deschutes, to OCP, helping to accelerate adoption of liquid cooling industry-wide.

Transforming power delivery with 1 MW per IT rack

Google has a long history of advancing data center power delivery. Almost 10 years ago, we championed the adoption of 48 VDC inside the IT rack to significantly increase the power distribution efficiency and reduce losses compared to what typical 12 VDC solutions delivered. The industry responded to our call to action to collaborate on this technology, and the resulting architecture has worked well, scaling from 10 kilowatts to 100 kilowatts IT racks. 

The AI era requires even greater power delivery capabilities for two distinct reasons. The first is simply that ML will require more than 500 kW per IT rack before 2030. The second is the densification of each IT rack, where every millimeter of space in the IT rack is used for tightly interconnected “xPUs” (e.g. GPUs, TPUs, CPUs). This requires a much higher voltage DC power distribution solution, where power components and battery backup are outside of the IT rack.

We are excited to introduce +/-400 VDC power delivery that can support up to 1 MW per rack. This is about much more than simply increasing power delivery capacity — selecting 400 VDC as the nominal voltage allows us to leverage the supply chain established by electric vehicles (EVs), for greater economies of scale, more efficient manufacturing, and improved quality and scale, to name a few. As part of the Mt Diablo project, we are collaborating with Meta, and Microsoft at OCP to standardize the electrical and mechanical interfaces, and the 0.5 specification draft will be available for industry feedback in May. 

The first embodiment of this work is an AC-to-DC sidecar power rack that disaggregates power components from the IT rack. This solution improves the end-to-end efficiency by ~ 3% while enabling the entire IT rack to be used for xPUs. Longer term, we are exploring directly distributing higher-voltage DC power within the data center and to the rack, for even greater power density and efficiency.

The liquid cooling imperative

The dramatic increase in chip power consumption — from 100W chips to accelerators exceeding 1000W — has made advanced thermal management essential. Packing more powerful chips into racks also creates significant challenges for cooling density. Liquid cooling has emerged as the clear solution, given its superior thermal and hydraulic properties. Water can transport approximately 4000 times more heat per unit volume than air for a given temperature change, while the thermal conductivity of water is roughly 30 times greater than air. 

At Google, we’ve deployed liquid cooling at GigaWatt scale across more than 2000 TPU Pods in the past seven years with remarkable uptime — consistently at about 99.999%. Google first used liquid cooling in TPU v3 that was deployed in 2018. Liquid-cooled ML servers have nearly half the geometrical volume of their air-cooled counterparts because they replace bulky heatsinks with compact cold plates. This allowed us to double chip density and quadruple the size of our liquid-cooled TPU v3 supercomputer compared to the air-cooled TPU v2 generation.

We’ve continued to refine this technology generation over generation, from TPU v3 and TPU v4, through TPU v5, and most recently, Ironwood. Our implementation utilizes in-row coolant distribution units (CDUs) with redundant components and uninterruptible power supplies (UPS) for high availability. These CDUs isolate the rack’s liquid loop from the facility loop, providing a controlled, high-performance cooling system delivered via manifolds, flexible hoses, and cold plates that are directly attached to the high-power chips. In our CDU architecture, named Project Deschutes, the pump and heat exchanger unit is redundant, which is what has enabled us to consistently achieve the above-mentioned fleet-wide CDU availability of ~99.999% since 2020.

We will contribute the fifth-generation Project Deschutes CDU, currently in development, to OCP later this year. This contribution, including system details, specifications, and best practices, is intended to help accelerate the industry’s adoption of liquid cooling at scale. Our insights are drawn from nearly a decade of designing and deploying liquid cooling across four generations of TPUs, and encompass:

• Design for high cooling performance

• Manufacturing quality

• Reliability and uptime

• Deployment velocity

• Serviceability and operational excellence

• Supply ecosystem advancements

Get ready for the next generation of AI

We’re encouraged by the significant strides the industry has made in power delivery and liquid cooling. However, with the accelerating pace of AI hardware development, it’s clear that we must collectively quicken our pace to prepare data centers for what’s next. We’re particularly excited about the potential for rapid industry adoption of +/-400 VDC, facilitated by the upcoming Mt Diablo specification. We also strongly encourage the industry to adopt the Project Deschutes CDU design and leverage our extensive liquid cooling learnings. Together, by embracing these advancements and fostering deeper collaboration, we believe the most impactful innovations are still ahead.

The rise of AI is revolutionizing data management platforms, where advanced automation, built-in data intelligence, and AI-powered data management are changing how organizations manage traditional tasks like data ingestion, data processing and governance.

We’re excited to announce that Google was named a Leader in The Forrester Wave™: Data Management for Analytics Platforms, Q2 2025 report. In the report, Google received 5 out of 5, the highest score possible, across 13 different criteria. We believe this is a testament to our strengths in several key areas, particularly in delivering agentic experiences that automate manual tasks and accelerate gen AI use cases, built-in intelligence to unlock new insights from structured and unstructured data, real-time capabilities driving insights to action, and a secure and governed multimodal data foundation with governance across the data-to-AI lifecycle. 

According to the report:

Google’s distinctive and forward-thinking vision is to provide a unified, agentic, intelligent, and seamlessly integrated data platform that blends data management, advanced analytics, and AI capabilities at scale. The platform continues to evolve rapidly, focusing on advanced automation, open standards, global scale, self-service, and deeper integration with other Google services. The vendor’s roadmap is exceptionally well-defined, delivering a powerful strategic direction and alignment with AI positioned at its core.

Google placed furthest on Strength of Strategy and received above-average customer feedback in the evaluation, denoted by the halo around Google’s circle. Customers such as Dun & Bradstreet, Shopify, General Mills and many more choose BigQuery for its autonomous data and AI capabilities when building their data management platforms.  Let’s take a closer look at the capabilities that differentiate Google Cloud’s data platform.

Agentic and AI-assisted capabilities to power your analytics 

Data management isn’t just about storing and querying data; it’s also about intelligent automation and assistance. As highlighted in our recent announcements from Google Cloud Next 25, BigQuery has evolved into an autonomous data-to-AI platform, where specialized data agents, advanced engines, and business users can all operate on a self-managing multimodal data foundation built for processing and activating all types of data. With assistive capabilities powered by gen AI and integrations with Vertex AI for model building and deployment, you can reduce the complexities of data management and smooth the path from raw data to actionable AI-driven insights.

BigQuery’s AI-powered data management capabilities are designed for users of all skill levels. Data analysts can use natural language to query data, generate SQL, and summarize results. Data engineers can automate manual tasks like data preparation, building data pipelines, and performing anomaly detection to accelerate analytics workflows. Data scientists can use AI-driven notebook experiences and new engines to process complex data and support advanced analyses in real time. 

A multimodal data foundation with unified governance

BigQuery helps unify analytics across diverse data types by allowing data teams to build on an open lakehouse foundation. It combines highly performant native data management capabilities with support for open formats like Apache Iceberg, Delta, and Hudi. Multimodal support lets you store and analyze structured and unstructured data within the same table, streamlining complex analytics workflows. Finally, BigQuery’s universal catalog lets you work across SQL, Spark, AI, BI, and third-party engines, all with a flexible and open data lakehouse architecture, supporting interoperability.

Beyond the universal catalog, BigQuery data governance (powered by Dataplex) provides a unified experience for discovering, managing, monitoring, and governing data across data lakes, warehouses, and AI models. It also enables consistent policy enforcement, automated data quality checks, and comprehensive lineage tracking. Combined with a robust security infrastructure and fine-grained access controls, it helps you manage your data and AI assets with confidence, supporting compliance and building trust. Features like managed disaster recovery, enhanced workload management for aligning budget with performance needs, and flexible pricing with spend-based commitments further reinforce enterprise readiness. 

Built-in intelligence for real-time insights

BigQuery enables your teams to build and deploy machine learning models using their existing SQL skills. This helps to eliminate complexity and accelerates the adoption of AI across the organization. BigQuery’s integration with advanced AI models helps to extract insights from multimodal data in documents, videos, and images. Scalable vector search supports intelligent recommendations, while the new BigQuery AI query engine allows analysts to use familiar SQL and LLMs for real-world context when analyzing unstructured data. 

Real-time data capabilities are important for bringing fresh data to your AI models. BigQuery is designed from the ground up to support high-throughput streaming ingestion, allowing data to be analyzed as soon as it arrives. Real-time data combined with built-in machine learning and AI enables use cases like real-time fraud detection, dynamic personalization, operational monitoring, and immediate response to changing market conditions. Combining real-time data pipelines with the Vertex AI allows you to build and deploy models that react instantly, turning real-time data into real-time intelligent action.

Google is your partner for data to AI transformation

Google’s recognition as a Leader in The Forrester Wave™: Data Management For Analytics Platforms, validates our strategy and execution in delivering a comprehensive, AI-powered platform. Our focus on AI-driven assistance, a multimodal data foundation, and real-time intelligence helps to reduce manual data management tasks, so you can accelerate insights, and innovate faster.

As we evolve BigQuery into an autonomous data-to-AI platform, we are committed to helping you navigate the complexities of the modern data landscape and lead with data and AI. Thank you, our customers and partners, for choosing BigQuery to power your data management and analytics. Learn more about BigQuery today by visiting our website. Read the full Forrester Wave™: Data Management For Analytics Platforms, Q2 2025 report here.

^{Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here .}

The traditional drug discovery process involves massive capital investments, prolonged timelines, and is plagued with daunting failure rates. From initial research to obtaining regulatory approval, bringing a new drug to market can take decades. During this time, many drug candidates that had seemed very promising fail to deliver, either due to inefficacy or safety concerns. Only a small fraction of candidates successfully make it through clinical trials and regulatory hurdles. 

Enter SandboxAQ, which is helping researchers explore vast chemical spaces, gain deep insights into molecular interactions, and predict biological outcomes with precision. It does so with cutting-edge computational approaches such as active learning, absolute free energy perturbation solution (AQFEP), generative AI, structural analysis, and predictive data analytics, ultimately reducing drug discovery and development timelines. And it does all this on a cloud-native foundation. 

Drug design involves an iterative cycle of designing, synthesizing, and testing molecules referred to as the Design-Make-Test cycle. Many customers approach SandboxAQ during the design phase, often when their computational methods are falling short. By improving and accelerating this part of the cycle, SandboxAQ helps medicinal chemists bring innovative and effective molecules to market. For example, in a project related to neurodegenerative disease, SandboxAQ’s approach expanded chemical space from 250,000 to 5.6 million molecules, achieving a 30-fold increase in hit rate and dramatically accelerating the discovery of candidate molecules.

Cloud-native development for scientific insight

SandboxAQ’s software relies on large-scale computation and to maximize flexibility and scale, they use a cloud strategy,  which includes Google Cloud infrastructure and tools. 

The technologies in large-scale virtual screening campaigns need to be agile and scale cost-effectively. Specifically, SandboxAQ engineers need to be able to quickly iterate on scientific code, immediately run that code at scale cost-effectively, and store and organize all of the data it produces. 

SandboxAQ achieved a significant boost in efficiency and scalability with Google Cloud infrastructure. They scaled their computational throughput by 100X to leverage tens of thousands of virtual machines (VMs) in parallel. They also improved utilization by reducing idle time by 90%. By consolidating development and deployment on Google Cloud, SandboxAQ streamlined its workflows, from code development and testing to large-scale batch processing and machine-learning model training.

All of SandboxAQ’s development and deployment takes place in the cloud. Code and data live in cloud-based services, and development is done on a cloud-based platform that provides scientists and engineers with self-service VMs with standardized and centrally maintained environments and tools. This is important, because scientific code often requires heavy-duty computing hardware. Scientists have access to hefty 96-core machines, or instances with large GPUs. They can also create new machines with alternate configurations or CPU types as depicted below, enabling low-friction testing and development processes across heterogeneous resources.

SanboxAQ scientists and developers manage and access their Bench machines (see above) using the company’s `bench` client. They can connect to machines via SSH or use any number of managed tools, for example a browser-based VNC service for instant remote desktop, or JupyterLab for a familiar notebook development flow.

As code is ready to be run at a larger scale, researchers can dispatch SandboxAQ parameterized sets of computations as jobs on an internal tool powered by Batch, a fully managed service to schedule, queue, and execute batch jobs on Google infrastructure. With development and batch runtime environments closely synced, changes can be quickly run at scale. Code developed on bench machines is pushed to GitHub and immediately available for batch execution. Then, as tools are reviewed and merged into `main` of the company’s monorepo, the new tools become automatically available on SandboxAQ scientists’ bench machines, who can launch parallel jobs processing millions of molecules on any kind of Google Cloud VM resource in any global zone, utilizing either on-demand or Spot VMs.

SandboxAQ’s implementation of a globally resolved transitive dependency tree, enables simple package and dependency management. With this practice, Google Batch can seamlessly integrate with individual tools developed by engineers to train many instances of a model in parallel.

Machine learning is a core component of SandoxAQ’s strategy, making easy data access especially important. At the same time, SandboxAQ’s Drug Discovery team also works with clients who have sensitive data. To secure customers’ data, bench and batch workloads read and write data from a unified interface that’s managed via IAM, allowing granular control of different data sources within the organization.

Meanwhile, Google Cloud services like Cloud Logging, Cloud Monitoring, Compute Engine and Cloud Run make it simple to develop tools to monitor these workloads, easily surface logs to SandboxAQ scientists, and comb through huge amounts of output data. As new features are tested or bugs show up, changes are made immediately available to the scientific team, without having to wrangle infrastructure. Then, as code becomes stable, they can incorporate it into downstream production applications, all in a centrally secured, unified way on Google Cloud.

In short, having a unified development, batch compute, and production environment on Google Cloud reduces the friction SandboxAQ faces to develop new workloads and run them at scale. With shared environments for scientific workload development and engineering, SandboxAQ makes it quick and easy for customers to move from experimentation to production, delivering the results customers want, fast.

SandboxAQ solution in the real world

SandboxAQ is already having a profound impact on drug discovery programs targeting a range of hard-to-treat diseases. For example, there are advanced collaborations with Professor Stanley Pruisner’s lab at University of California San Francisco (UCSF), Riboscience, Sanofi, and with the Michael J Fox Foundation, to name a few. With this approach built on Google CloudSandboxAQ has achieved a superior hit rate compared to other methods like high throughput screening, demonstrating the transformative potential of SandboxAQ on drug discovery and bringing cures to patients faster. 

Visit the Google Cloud AI Hypercomputer web page to  learn about Google Cloud AI infrastructure.

At Google Cloud Next 25, we expanded the availability of Gemini in Looker, including Conversational Analytics, to all Looker platform users, redefining how line-of-business employees can rapidly gain access to trusted data-driven insights through natural language. Due to the complexity inherent in traditional business intelligence products, which require steep learning curves or advanced SQL knowledge, many potential users who could benefit from BI tools simply don’t. But with the convergence of AI and BI, the opportunity to ask questions and chat with your data using natural language breaks down the barriers that have long stood in the way. 

Conversational Analytics from Looker is designed to make BI more simple and approachable, democratizing data access, enabling users to ask data-related queries in plain, everyday language, and go beyond static dashboards that often don’t answer all potential questions. In response, users receive accurate and relevant answers derived from Looker Explores or BigQuery tables, without needing to know SQL or specific data tools.

For data analysts, this means fewer support tickets and interruptions, so they can focus on higher priority work, Business users can now take on their own data queries themselves and get answers, empowering trusted self-service by , putting the controls in the hands of users who need the answers most. Now, instead of struggling with field names and date formats, users can simply ask questions like: “What were our top-performing products last quarter?” or say “Show me the trend of website traffic over the past six months.” Additionally, when using Conversational Analytics with Looker Explores, users can be sure tables are consistently joined and metrics are calculated the same way every time.

Conversational Analytics in Looker is designed to be simple, helpful, and easy to use, offering:

• Trusted, consistent results: Conversational Analytics only uses fields defined by your data experts in LookML. Once the fields are selected, they are deterministically translated to SQL by Looker, the same way every time.

• Transparency with “How was this calculated?”: This feature provides a clear, natural language explanation of the underlying query that generated the results, presented in easy-to-understand bullet points.

• A deeper dive with follow-up questions: Just like a natural conversation, users can ask follow-up questions to explore the data further. For example, users can ask to filter a result to a specific region, to change the timeframe of the date filter, or to switch from bar graph to an area chart. Conversational Analytics allows for seamless iteration and deeper exploration of the data.

• Hidden insights with Gemini: Once the initial query results are displayed, users can click the “Insights” button to ask Gemini to analyze the data results and generate additional insights about patterns and trends they might have otherwise missed.

Empowering data analysts and developers

With the release of Conversational Analytics, our goal is for it to benefit data analysts and developers on top of line-of–business teams. The Conversational Analytics agent lets data analysts provide crucial context and instructions to Gemini, enhancing its ability to answer business user questions effectively, and empowering analysts to map business jargon to specific fields, specify the best fields for filtering, and define custom calculations.

Analysts can further curate the experience by creating agents for specific use cases. When business users select an agent, they can feel confident that they are interacting with the right data source.

As announced at Next 25, the Conversational Analytics API will power Conversational Analytics across multiple first-party Google Cloud experiences and third-party products, including customer applications, chat apps, Agentspace, and BigQuery, bringing the benefits of natural language queries to your data to the applications where you work every day. Later this year we’ll also bring Conversational Analytics into Looker Dashboards, allowing users to chat with their data in that familiar interface, whether inside Looker or embedded in other applications.Also, if you’re interested in solving even more complex problems while chatting with your data, you can try our new Code Interpreter (available in preview), which uses Python rather than SQL to perform advanced analysis like cohort analysis and forecasting. With the Conversational Analytics Code Interpreter, you can tackle data science tasks without learning advanced coding or statistical methods. Sign up for access here.

Expanding the reach of AI for BI

Looker Conversational Analytics is a step forward in making BI accessible to a wider audience. By removing the technical barriers and providing an intuitive, conversational interface, Looker is empowering more business users to leverage data in their daily routines. With Conversational Analytics available directly in Looker, organizations can now make data-driven insights a reality for everyone. Start using Conversational Analytics today in your Looker instance.

Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov

Executive Summary

Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. 

Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection.

We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts.

Scope 

This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from 2024 that demonstrate how actors use both historic and novel techniques to exploit vulnerabilities in targeted products. The following content leverages original research conducted by GTIG, combined with breach investigation findings and reporting from reliable open sources, though we cannot independently confirm the reports of every source. Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents through digital forensic investigations. The numbers presented here reflect our best understanding of current data.

GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation.

Key Takeaways

• Zero-day exploitation continues to grow gradually. The 75 zero-day vulnerabilities exploited in 2024 follow a pattern that has emerged over the past four years. While individual year counts have fluctuated, the average trendline indicates that the rate of zero-day exploitation continues to grow at a slow but steady pace.

• Enterprise-focused technology targeting continues to expand. GTIG continued to observe an increase in adversary exploitation of enterprise-specific technologies throughout 2024. In 2023, 37% of zero-day vulnerabilities targeted enterprise products. This jumped to 44% in 2024, primarily fueled by the increased exploitation of security and networking software and appliances.

• Attackers are increasing their focus on security and networking products. Zero-day vulnerabilities in security software and appliances were a high-value target in 2024. We identified 20 security and networking vulnerabilities, which was over 60% of all zero-day exploitation of enterprise technologies. Exploitation of these products, compared to end-user technologies, can more effectively and efficiently lead to extensive system and network compromises, and we anticipate adversaries will continue to increase their focus on these technologies.

• Vendors are changing the game. Vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success. We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems.

• Actors conducting cyber espionage still lead attributed zero-day exploitation. Between government-backed groups and customers of commercial surveillance vendors (CSVs), actors conducting cyber espionage operations accounted for over 50% of the vulnerabilities we could attribute in 2024. People’s Republic of China (PRC)-backed groups exploited five zero-days, and customers of CSVs exploited eight, continuing their collective leading role in zero-day exploitation. For the first year ever, we also attributed the exploitation of the same volume of 2024 zero-days (five) to North Korean actors mixing espionage and financially motivated operations as we did to PRC-backed groups.

Looking at the Numbers 

GTIG tracked 75 exploited-in-the-wild zero-day vulnerabilities that were disclosed in 2024. This number appears to be consistent with a consolidating upward trend that we have observed over the last four years. After an initial spike in 2021, yearly counts have fluctuated but not returned to the lower numbers we saw in 2021 and prior.

While there are multiple factors involved in discovery of zero-day exploitation, we note that continued improvement and ubiquity of detection capabilities along with more frequent public disclosures have both resulted in larger numbers of detected zero-day exploitation compared to what was observed prior to 2021.

Higher than any previous year, 44% (33 vulnerabilities) of tracked 2024 zero-days affected enterprise technologies, continuing the growth and trends we observed last year. The remaining 42 zero-day vulnerabilities targeted end-user technologies.

Enterprise Exploitation Expands in 2024 as Browser and Mobile Exploitation Drops

End-User Platforms and Products

In 2024, 56% (42) of the tracked zero-days targeted end-user platforms and products, which we define as devices and software that individuals use in their day-to-day life, although we acknowledge that enterprises also often use these. All of the vulnerabilities in this category were used to exploit browsers, mobile devices, and desktop operating systems.

• Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year (17 to 11 for browsers, and 17 to 9 for mobile).

• Chrome was the primary focus of browser zero-day exploitation in 2024, likely reflecting the browser’s popularity among billions of users.

• Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices.

• Third-party components continue to be exploited in Android devices, a trend we discussed in last year’s analysis. In 2023, five of the seven zero-days exploited in Android devices were flaws in third-party components. In 2024, three of the seven zero-days exploited in Android were found in third-party components. Third-party components are likely perceived as lucrative targets for exploit development since they can enable attackers to compromise many different makes and models of devices across the Android ecosystem.

• 2024 saw an increase in the total number of zero-day vulnerabilities affecting desktop operating systems (OSs) (22 in 2024 vs. 17 in 2023), indicating that OSs continue to be a strikingly large target. The proportional increase was even greater, with OS vulnerabilities making up just 17% of total zero-day exploitation in 2023, compared to nearly 30% in 2024. 

• Microsoft Windows exploitation continued to increase, climbing from 13 zero-days in 2022, to 16 in 2023, to 22 in 2024. As long as Windows remains a popular choice both in homes and professional settings, we expect that it will remain a popular target for both zero-day and n-day (i.e. a vulnerability exploited after its patch has been released) exploitation by threat actors.

Enterprise Technologies

In 2024, GTIG identified the exploitation of 33 zero-days in enterprise software and appliances. We consider enterprise products to include those mainly utilized by businesses or in a business environment. While the absolute number is slightly lower than what we saw in 2023 (36 vulnerabilities), the proportion of enterprise-focused vulnerabilities has risen from 37% in 2023 to 44% in 2024. Twenty of the 33 enterprise-focused zero-days targeted security and network products, a slight increase from the 18 observed in this category for 2023, but a 9% bump when compared proportionally to total zero-days for the year.

The variety of targeted enterprise products continues to expand across security and networking products, with notable targets in 2024 including Ivanti Cloud Services Appliance, Palo Alto Networks PAN-OS, Cisco Adaptive Security Appliance, and Ivanti Connect Secure VPN. Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks. Endpoint detection and response (EDR) tools are not usually equipped to work on these products, limiting available capabilities to monitor them. Additionally, exploit chains are not generally required to exploit these systems, giving extensive power to individual vulnerabilities that can single-handedly achieve remote code execution or privilege escalation.

Over the last several years, we have also tracked a general increase of enterprise vendors targeted. In 2024, we identified 18 unique enterprise vendors targeted by zero-days. While this number is slightly less than the 22 observed in 2023, it remains higher than all prior years’ counts. It is also a stark increase in the proportion of enterprise vendors for the year, given that the 18 unique enterprise vendors were out of 20 total vendors for 2024. 2024’s count is still a significant proportional increase compared to the 22 unique enterprise vendors targeted out of a total of 23 in 2023.

The proportion of zero-days exploited in enterprise devices in 2024 reinforces a trend that suggests that attackers are intentionally targeting products that can provide expansive access and fewer opportunities for detection.

Exploitation by Vendor

The vendors affected by multiple 2024 zero-day vulnerabilities generally fell into two categories: big tech (Microsoft, Google, and Apple) and vendors who supply security and network-focused products. As expected, big tech took the top two spots, with Microsoft at 26 and Google at 11. Apple slid to the fourth most frequently exploited vendor this year, with detected exploitation of only five zero-days. Ivanti was third most frequently targeted with seven zero-days, reflecting increased threat actor focus on networking and security products. Ivanti’s placement in the top three reflects a new and crucial change, where a security vendor was targeted more frequently than a popular end-user technology-focused vendor. We discuss in a following section how PRC-backed exploitation has focused heavily on security and network technologies, one of the contributing factors to the rise in Ivanti targeting.

We note that exploitation is not necessarily reflective of a vendor’s security posture or software development processes, as targeted vendors and products depend on threat actor objectives and capabilities.

Types of Exploited Vulnerabilities

Threat actors continued to utilize zero-day vulnerabilities primarily for the purposes of gaining remote code execution and elevating privileges. In 2024, these consequences accounted for over half (42) of total tracked zero-day exploitation.

Three vulnerability types were most frequently exploited. Use-after-free vulnerabilities have maintained their prevalence over many years, with eight in 2024, and are found in a variety of targets including hardware, low-level software, operating systems, and browsers. Command injection (also at eight, including OS command injection) and cross-site scripting (XSS) (six) vulnerabilities were also frequently exploited in 2024. Both code injection and command injection vulnerabilities were observed almost entirely targeting networking and security software and appliances, displaying the intent to use these vulnerabilities in order to gain control over larger systems and networks. The XSS vulnerabilities were used to target a variety of products, including mail servers, enterprise software, browsers, and an OS.

All three of these vulnerability types stem from software development errors and require meeting higher programming standards in order to prevent them from occurring. Safe and preventative coding practices, including, but not limited to code reviews, updating legacy codebases, and utilizing up-to-date libraries, can appear to hinder production timelines. However, patches prove the potential for these security exposures to be prevented in the first place with proper intention and effort and ultimately reduce the overall effort to properly maintain a product or codebase.

Who Is Driving Exploitation

Due to the stealthy access zero-day vulnerabilities can provide into victim systems and networks, they continue to be a highly sought after capability for threat actors. GTIG tracked a variety of threat actors exploiting zero-days in a variety of products in 2024, which is consistent with our previous observations that zero-day exploitation has diversified in both platforms targeted and actors exploiting them. We attributed the exploitation of 34 zero-day vulnerabilities in 2024, just under half of the total 75 we identified in 2024. While the proportion of exploitation that we could attribute to a threat actor dipped slightly from our analysis of zero-days in 2023, it is still significantly higher than the ~30% we attributed in 2022. While this reinforces our previous observation that platforms’ investment in exploit mitigations are making zero-days harder to exploit, the security community is also slowly improving our ability to identify that activity and attribute it to threat actors.

Consistent with trends observed in previous years, we attributed the highest volume of zero-day exploitation to traditional espionage actors, nearly 53% (18 vulnerabilities) of total attributed exploitation. Of these 18, we attributed the exploitation of 10 zero-days to likely nation-state-sponsored threat groups and eight to CSVs.

CSVs Continue to Increase Access to Zero-Day Exploitation

While we still expect government-backed actors to continue their historic role as major players in zero-day exploitation, CSVs now contribute a significant volume of zero-day exploitation. Although the total count and proportion of zero-days attributed to CSVs declined from 2023 to 2024, likely in part due to their increased emphasis on operational security practices, the 2024 count is still substantially higher than the count from 2022 and years prior. Their role further demonstrates the expansion of the landscape and the increased access to zero-day exploitation that these vendors now provide other actors.

In 2024, we observed multiple exploitation chains using zero-days developed by forensic vendors that required physical access to a device (CVE-2024-53104, CVE-2024-32896, CVE-2024-29745, CVE-2024-29748). These bugs allow attackers to unlock the targeted mobile device with custom malicious USB devices. For instance, GTIG and Amnesty International’s Security Lab discovered and reported on CVE-2024-53104 in exploit chains developed by forensic company Cellebrite and used against the Android phone of a Serbian student and activist by Serbian security services. GTIG worked with Android to patch these vulnerabilities in the February 2025 Android security bulletin. 

PRC-Backed Exploitation Remains Persistent

PRC threat groups remained the most consistent government-backed espionage developer and user of zero-days in 2024. We attributed nearly 30% (five vulnerabilities) of traditional espionage zero-day exploitation to PRC groups, including the exploitation of zero-day vulnerabilities in Ivanti appliances by UNC5221 (CVE-2023-46805 and CVE-2024-21887), which GTIG reported on extensively. During this campaign, UNC5221 chained multiple zero-day vulnerabilities together, highlighting these actors’ willingness to expend resources to achieve their apparent objectives. The exploitation of five vulnerabilities that we attributed to PRC groups exclusively focused on security and networking technologies. This continues a trend that we have observed from PRC groups for several years across all their operations, not just in zero-day exploitation.

North Korean Actors Mix Financially Motivated and Espionage Zero-Day Exploitation

For the first time since we began tracking zero-day exploitation in 2012, in 2024, North Korean state actors tied for the highest total number of attributed zero-days exploited (five vulnerabilities) with PRC-backed groups. North Korean groups are notorious for their overlaps in targeting scope; tactics, techniques, and procedures (TTPs); and tooling that demonstrate how various intrusion sets support the operations of other activity clusters and mix traditional espionage operations with attempts to fund the regime. This focus on zero-day exploitation in 2024 marks a significant increase in these actors’ focus on this capability. North Korean threat actors exploited two zero-day vulnerabilities in Chrome as well as three vulnerabilities in Windows products.

• In October 2024, it was publicly reported that APT37 exploited a zero-day vulnerability in Microsoft products. The threat actors reportedly compromised an advertiser to serve malicious advertisements to South Korean users that would trigger zero-click execution of CVE-2024-38178 to deliver malware. Although we have not yet corroborated the group’s exploitation of CVE-2024-38178 as reported, we have observed APT37 previously exploit Internet Explorer zero-days to enable malware distribution.

• North Korean threat actors also reportedly exploited a zero-day vulnerability in the Windows AppLocker driver (CVE-2024-21338) in order to gain kernel-level access and turn off security tools. This technique abuses legitimate and trusted but vulnerable already-installed drivers to bypass kernel-level protections and provides threat actors an effective means to bypass and mitigate EDR systems.

Non-State Exploitation

In 2024, we linked almost 15% (five vulnerabilities) of attributed zero-days to non-state financially motivated groups, including a suspected FIN11 cluster’s exploitation of a zero-day vulnerability in multiple Cleo managed file transfer products (CVE-2024-55956) to conduct data theft extortion. This marks the third year of the last four (2021, 2023, and 2024) in which FIN11 or an associated cluster has exploited a zero-day vulnerability in its operations, almost exclusively in file transfer products. Despite the otherwise varied cast of financially motivated threat actors exploiting zero-days, FIN11 has consistently dedicated the resources and demonstrated the expertise to identify, or acquire, and exploit these vulnerabilities from multiple different vendors.

We attributed an additional two zero-days in 2024 to non-state groups with mixed motivations, conducting financially motivated activity in some operations but espionage in others. Two vulnerabilities (CVE-2024-9680 and CVE-2024-49039, detailed in the next section) were exploited as zero-days by CIGAR (also tracked as UNC4895 or publicly reported as RomCom), a group that has conducted financially motivated operations alongside espionage likely on behalf of the Russian government, based partly on observed highly specific targeting focused on Ukrainian and European government and defense organizations.

A Zero-Day Spotlight on CVE-2024-44308, CVE-2024-44309, and CVE-2024-49039: A look into zero-days discovered by GTIG researchers

Spotlight #1: Stealing Cookies with Webkit

On Nov. 12, 2024, GTIG detected a potentially malicious piece of JavaScript code injected on https://online.da.mfa.gov[.]ua/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4. The JavaScript was loaded directly from the main page of the website of the Diplomatic Academy of Ukraine, online.da.mfa.gov.ua. Upon further analysis, we discovered that the JavaScript code was a WebKit exploit chain specifically targeting MacOS users running on Intel hardware.

The exploit consisted of a WebKit remote code execution (RCE) vulnerability (CVE-2024-44308), leveraging a logical Just-In-Time (JIT) error, succeeded by a data isolation bypass (CVE-2024-44309). The RCE vulnerability employed simple and old JavaScriptCore exploitation techniques that are publicly documented, namely:

• Setting up addrof/fakeobj primitives using the vulnerability

• Leaking StructureID

• Building a fake TypedArray to gain arbitrary read/write

• JIT compiling a function to get a RWX memory mapping where a shellcode can be written and executed

The shellcode traversed a set of pointers and vtables to find and call WebCookieJar::cookieRequestHeaderFieldValue with an empty firstPartyForCookies parameter, allowing the threat actor to access cookies of any arbitrary website passed as the third parameter to cookieRequestHeaderFieldValue.

The end goal of the exploit is to collect users’ cookies in order to access login.microsoftonline.com. The cookie values were directly appended in a GET request sent to https://online.da.mfa.gov.ua/gotcookie?.

This is not the first time we have seen threat actors stay within the browser to collect users’ credentials. In March 2021, a targeted campaign used a zero-day against WebKit on iOS to turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites. In August 2024, a watering hole on various Mongolian websites used Chrome and Safari n-day exploits to exfiltrate users’ credentials.

While it is unclear why this abbreviated approach was taken as opposed to deploying full-chain exploits, we identified several possibilities, including:

• The threat actor was not able to get all the pieces to have a full chain exploit. In this case, the exploit likely targeted only the MacIntel platform because they did not have a Pointer Authentication Code (PAC) bypass to target users using Apple Silicon devices. A PAC bypass is required to make arbitrary calls for their data isolation bypass.

• The price for a full chain exploit was too expensive, especially when the chain is meant to be used at a relatively large scale. This especially includes watering hole attacks, where the chances of being detected are high and subsequently might quickly burn the zero-day vulnerability and exploit.

• Stealing credentials is sufficient for their operations and the information they want to collect.

This trend is also observed beyond the browser environment, wherein third-party mobile applications (e.g., messaging applications) are targeted, and threat actors are stealing the information only accessible within the targeted application.

Spotlight #2: CIGAR Local Privilege Escalations

CIGAR’s Browser Exploit Chain

In early October 2024, GTIG independently discovered a fully weaponized exploit chain for Firefox and Tor browsers employed by CIGAR. CIGAR is a dual financial- and espionage-motivated threat group assessed to be running both types of campaigns in parallel, often simultaneously. In 2023, we observed CIGAR utilizing an exploit chain in Microsoft Office (CVE-2023-36884) as part of an espionage campaign targeting attendees of the Ukrainian World Congress and NATO Summit; however, in an October 2024 campaign, the usage of the Firefox exploit appears to be more in line with the group’s financial motives.

Our analysis, which broadly matched ESET’s findings, indicated that the browser RCE used is a use-after-free vulnerability in the Animation timeline. The vulnerability, known as CVE-2024-9680, was an n-day at the time of discovery by GTIG.

Upon further analysis, we identified that the embedded sandbox escape, which was also used as a local privilege escalation to NT/SYSTEM, was exploiting a newfound vulnerability. We reported this vulnerability to Mozilla and Microsoft, and it was later assigned CVE-2024-49039.

Double-Down on Privilege Escalation: from Low Integrity to SYSTEM

Firefox uses security sandboxing to introduce an additional security boundary and mitigate the effects of malicious code achieving code execution in content processes. Therefore, to achieve code execution on the host, an additional sandbox escape is required.

The in-the-wild CVE-2024-49039 exploit, which contained the PDB string C:etalonPocLowIL@OutputPocLowIL.pdb, could achieve both a sandbox escape and privilege escalation. The exploit abused two distinct issues to escalate privileges from Low Integrity Level (IL) to SYSTEM: the first allowed it to access the WPTaskScheduler RPC Interface (UUID: {33d84484-3626-47ee-8c6f-e7e98b113be1}), normally not accessible from a sandbox Firefox content process via the “less-secure endpoint” ubpmtaskhostchannel created in ubpm.dll; the second stems from insufficient Access Control List (ACL) checks in WPTaskScheduler.dll RPC server, which allowed an unprivileged user to create and execute scheduled tasks as SYSTEM.

As detailed in “How to secure a Windows RPC Server, and how not to.,” there are three ways to secure an RPC server, and all three were utilized in WPTaskScheduler:

1. Securing the endpoint: In WPTaskScheduler::TsiRegisterRPCInterface, the third argument to RpcServerUseProtseq is a non-NULL security descriptor (SD).

• This SD should prevent the Firefox “Content” process from accessing the WPTaskScheduler RPC endpoint. However, a lesser known “feature” of RPC is that RPC endpoints are multiplexed, meaning that if there is a less secure endpoint in the same process, it is possible to access an interface indirectly from another endpoint (with a more permissive ACL). This is what the exploit does: instead of accessing RPC using the ALPC port that the WPTaskScheduler.dll sets up, it resolves the interface indirectly via upbmtaskhostchannel. ubpm.dll uses a NULL security descriptor when initializing the interface, instead relying on the UbpmpTaskHostChannelInterfaceSecurityCb callback for ACL checks:

2. Securing the interface: In the same WPTaskScheduler::TsiRegisterRPCInterface function, an overly permissive security descriptor was used as an argument to RpcServerRegisterIf3. As we can see on the listing below, the CVE-2024-49039 patch addressed this by introducing a more locked-down SD.

3. Ad-hoc Security: Implemented in WPTaskScheduler.dll::CallerHasAccess and called prior to enabling or executing any scheduled task. The function performs checks on whether the calling user is attempting to execute a task created by them or one they should be able to access but does not perform any additional checks to prevent calls originating from an unprivileged user.

CVE-2024-49039 addresses the issue by applying a more restrictive ACL to the interface; however, the issue with the less secure endpoint described in “1. Securing the endpoint” remains, and a restricted token process is still able to access the endpoint.

Unidentified Actor Using the Same Exploits

In addition to CIGAR, we discovered another, likely financially motivated, group using the exact same exploits (albeit with a different payload) while CVE-2024-49039 was still a zero-day. This actor utilized a watering hole on a legitimate, compromised cryptocurrency news website redirecting to an attacker-controlled domain hosting the same CVE-2024-9680 and CVE-2024-49039 exploit.

Outlook and Implications

Defending against zero-day exploitation continues to be a race of strategy and prioritization. Not only are zero-day vulnerabilities becoming easier to procure, but attackers finding use in new types of technology may strain less experienced vendors. While organizations have historically been left to prioritize patching processes based on personal or organizational threats and attack surfaces, broader trends can inform a more specific approach alongside lessons learned from major vendors’ mitigation efforts.

We expect zero-day vulnerabilities to maintain their allure to threat actors as opportunities for stealth, persistence, and detection evasion. While we observed trends regarding improved vendor security posture and decreasing numbers around certain historically popular products—particularly mobile and browsers—we anticipate that zero-day exploitation will continue to rise steadily. Given the ubiquity of operating systems and browsers in daily use, big tech vendors are consistently high-interest targets, and we expect this to continue. Phones and browsers will almost certainly remain popular targets, although enterprise software and appliances will likely see a continued rise in zero-day exploitation. Big tech companies have been victims of zero-day exploitation before and will continue to be targeted. This experience, in addition to the resources required to build more secure products and detect vulnerabilities in responsible manners, permits larger companies to approach zero-days as a more manageable problem.

For newly targeted vendors and those with products in the growing prevalence of targeted enterprise products, security practices and procedures should evolve to consider how successful exploitation of these products could bypass typical protection mechanisms. Preventing successful exploitation will rely heavily on these vendors’ abilities to enforce proper and safe coding practices. We continue to see the same types of vulnerabilities exploited over time, indicating patterns in what weaknesses attackers seek out and find most beneficial to exploit. Continued existence and exploitation of similar issues makes zero-days easier; threat actors know what to look for and where exploitable weaknesses are most pervasive.

Vendors should account for this shift in threat activity and address gaps in configurations and architectural decisions that could permit exploitation of a single product to cause irreparable damage. This is especially true for highly valuable tools with administrator access and/or widespread reach across systems and networks. Best practices continue to represent a minimum threshold of what security standards an architecture should demonstrate, including zero-trust fundamentals such as least-privilege access and network segmentation. Continuous monitoring should occur where possible in order to restrict and end unauthorized access as swiftly as possible, and vendors will need to account for EDR capabilities for technologies that currently lack them (e.g., many security and networking products). GTIG recommends acute threat surface awareness and respective due diligence in order to defend against today’s zero-day threat landscape. Zero-day exploitation will ultimately be dictated by vendors’ decisions and ability to counter threat actors’ objectives and pursuits.

At Google, we believe in empowering people and founders to use AI to tackle humanity’s biggest challenges. That’s why we’re supporting the next generation of AI leaders through our Google for Startups Accelerator: AI First programs. We announced the program in January and today, we’re proud to welcome 16 UK-based startups into our accelerator community that are using AI to drive real-world impact.

Out of hundreds of applicants, we’ve carefully selected these 16 high-potential startups to receive 1:1 guidance and support from Google, each demonstrating a unique vision for leveraging AI to address critical challenges and opportunities. This diverse cohort showcases how AI is being applied across sectors — from early cancer detection and climate resilience, to smarter supply chains and creative content generation. By joining the Google for Startups Accelerator: AI First UK program, these startups gain access to technical expertise, mentorship, and a global network to help them scale responsibly and sustainably.

“Google for Startups Accelerator: AI First provides an exceptional opportunity for us to enhance our AI expertise, accelerate the development of our data-driven products, and engage meaningfully with potential investors.” – Denise, Williams, Managing Director, Dysplasia Diagnostics.

Read more about the selected startups and the founders shaping the future of AI:

• Bindbridge (London) is a generative AI platform that discovers and designs molecular glues for targeted protein degradation in plants.

• Building Atlas (Edinburgh) uses data and AI to support the decarbonisation of non-domestic buildings by modelling the best retrofit plans for any portfolio size.

• Comply Stream (London) helps to streamline financial crime compliance operations for businesses and consumers.

• Datawhisper (London) provides safe and compliant AI Agentic solutions tailored for the fintech and payments industry.

• Deducta (London) is a data intelligence platform that supports global procurement teams with supply chain insights and efficiencies.

• Dysplasia Diagnostics (London) develops AI-based, non-invasive, and affordable solutions for early cancer detection and treatment monitoring.

• Flow.bio (London) is an end-to-end cloud platform for running large sequencing pipelines and auto-structuring bio-data for machine learning workflows.

• Humble (London) enables non-technical users to build and share AI-powered apps and workflows, allowing them to automate without writing code.

• Immersive Fox (London)  is an AI studio for creating presenter-led marketing and communication videos directly from text.

• Kestrix (London) uses thermal drones and advanced software to map and quantify heat loss from buildings and generate retrofit plans.

• Measmerize (Birmingham) provides sizing advice for fashion e-commerce retailers, enabling brands to increase sales and decrease return rates.

• PSi (London) uses AI to host large-scale online deliberations, enabling local governments to harness collective intelligence for effective policymaking.

• Shareback (London) is an AI platform that allows employees to securely interact with GPT-based assistants trained on company, department, or project-specific data.

• Sikoia (London) streamlines customer verification for financial services by consolidating data, automating tasks, and delivering actionable insights.

• SmallSpark (Cardiff) enables low power AI at the edge, simplifying the deployment, management, and optimization of ML models on embedded devices.

• Source.dev (London) simplifies the software development lifecycle for smart devices, to help accelerate innovation and streamline software updates.

“Through the program, we aim to leverage Google’s expertise and cutting-edge AI infrastructure to supercharge our growth on all fronts.” Lauren Ladd, Founder, Shareback

These 16 startups reflect the diversity and depth of AI innovation happening across the UK.  Each company will receive  technical mentorship, strategic guidance, and access to strategic connections from Google, and will continue to receive hands-on support via our alumni network after the program wraps in July. 

Congratulations to this latest cohort! To learn more about applying for an upcoming Google for Startups program , visit the program page here.

In 2023, the Waze platform engineering team transitioned to Infrastructure as Code (IaC) using Google Cloud’s Config Connector (KCC) — and we haven’t looked back since. We embraced Config Connector, an open-source Kubernetes add-on, to manage Google Cloud resources through Kubernetes. To streamline management, we also leverage Config Controller, a hosted version of Config Connector on Google Kubernetes Engine (GKE), incorporating Policy Controller and Config Sync. This shift has significantly improved our infrastructure management and is shaping our future infrastructure.

The shift to Config Connector

Previously, Waze relied on Terraform to manage resources, particularly during our dual-cloud, VM-based phase. However, maintaining state and ensuring reconciliation proved challenging, leading to inconsistent configurations and increased management overhead.

In 2023, we adopted Config Connector, transforming our Google Cloud infrastructure into Kubernetes Resource Modules (KRMs) within a GKE cluster. This approach addresses the reconciliation issues encountered with Terraform. Config Sync, paired with Config Connector, automates KRM synchronization from source repositories to our live GKE cluster. This managed solution eliminates the need for us to build and maintain custom reconciliation systems.

The shift helped us meet the needs of three key roles within Waze’s infrastructure team: 

1. Infrastructure consumers: Application developers who want to easily deploy infrastructure without worrying about the maintenance and complexity of underlying resources.

2. Infrastructure owners: Experts in specific resource types (e.g., Spanner, Google Cloud Storage, Load Balancers, etc.), who want to define and standardize best practices in how resources are created across Waze on Google Cloud.

3. Platform engineers: Engineers who build the system that enables infrastructure owners to codify and define best practices, while also providing a seamless API for infrastructure consumers.

First stop: Config Connector

It may seem circular to define all of our Google Cloud infrastructure as KRMs within a Google Cloud service, however, KRM is actually a great representation for our infrastructure as opposed to existing IaC tooling.

Terraform’s reconciliation issues – state drift, version management, out of band changes – are a significant pain. Config Connector, through Config Sync, offers out-of-the-box reconciliation, a managed solution we prefer. Both KRM and Terraform offer templating, but KCC’s managed nature aligns with our shift to Google Cloud-native solutions and reduces our maintenance burden. 

Infrastructure complexity requires generalization regardless of the tool. We can see this when we look at the Spanner requirements at Waze:

• Consistent backups for all Spanner databases

• Each Spanner database utilizes a dedicated Cloud Storage bucket and Service Account to automate the execution of DDL jobs.

• All IAM policies for Spanner instances, databases, and Cloud Storage buckets are defined in code to ensure consistent and auditable access control.

To define these resources, we evaluated various templating and rendering tools and selected Helm, a robust CNCF package manager for Kubernetes. Its strong open-source community, rich templating capabilities, and native rendering features made it a natural fit. We can now refer to our bundled infrastructure configurations as ‘Charts.’ While KRO has since emerged that achieves a similar purpose, our selection process predated its availability.

Under the hood

Let’s open the hood and dive into how the system works and is driving value for Waze.

1. Waze infrastructure owners generically define Waze-flavored infrastructure in Helm Charts. 

2. Infrastructure consumers use these Charts with simplified inputs to generate infrastructure (demo).

3. Infrastructure code is stored in repositories, enabling validation and presubmit checks.

Code is uploaded to a Artifact Registry where Config Sync and Config Connector align Google Cloud infrastructure with the code definitions.

Approaching our destination

So why does all of this matter? Adopting this approach allowed us to move from Infrastructure as Code to Infrastructure as Software. By treating each Chart as a software component, our infrastructure management goes beyond simple code declaration. Now, versioned Charts and configurations enable us to leverage a rich ecosystem of software practices, including sophisticated release management, automated rollbacks, and granular change tracking.

Here’s where we apply this in practice: our configuration inheritance model minimizes redundancy. Resource Charts inherit settings from Projects, which inherit from Bootstraps. All three are defined as Charts. Consequently, Bootstrap configurations apply to all Projects, and Project configurations apply to all Resources.

Every change to our infrastructure – from changes on existing infrastructure to rolling out new resource types – can be treated like a software rollout.

Now that all of our infrastructure is treated like software, we can see what this does for us system-wide:

Reaching our destination

In summary, Config Connector and Config Controller have enabled Waze to achieve true Infrastructure as Software, providing a robust and scalable platform for our infrastructure needs, along with many other benefits including: 

• Infrastructure consumers receive the latest best practices through versioned updates.

• Infrastructure owners can iterate and improve infrastructure safely.

• Platform Engineers and Security teams are confident our resources are auditable and compliant

• Config Connector leverages Google’s managed services, reducing operational overhead.

For data scientists and ML engineers, building analysis and models in Python is almost second nature, and Python’s popularity in the data science community has only skyrocketed with the recent generative AI boom. We believe that the future of data science is no longer just about neatly organized rows and columns. For decades, many valuable insights have been locked in images, audio, text, and other unstructured formats. And now, with the advances in gen AI, data science workloads must evolve to handle multi-modality and use new gen AI and agentic techniques. 

To prepare you for the data science of tomorrow, we announced BigQuery DataFrames 2.0 last week at Google Cloud Next 25, bringing multimodal data processing and AI directly into your BigQuery Python workflows.

In BigQuery, data scientists frequently look to use Python to process large data sets for analysis and machine learning. However, this almost always involves learning a different Python framework and rewriting the code that worked on smaller data sets. You can hardly take Pandas code that worked on 10 GB of data and get it working for a terabyte of data without expending significant time and effort. 

Version 2.0 also strengthens the core foundation for larger-scale, Python data science. And then it builds on this foundation, adding groundbreaking new capabilities that unlock the full potential of your data, both structured and unstructured.

BigQuery DataFrames adoption

We launched BigQuery DataFrames last year as an open-source Python library that scales Python data processing without having to add any new infrastructure or APIs, transpiling common Python data science APIs from Pandas and scikit-learn to various BigQuery SQL operators. Since its launch, there’s been over 30X growth in how much data it processes and, today, thousands of customers use it to process more than 100 PB every month. 

During the last year we evolved our library significantly across 50+ releases and worked closely with thousands of users. Here’s how a couple of early BigQuery DataFrames customers use this library in production.

Deutsche Telekom has standardized on BigQuery DataFrames for its ML platform.

“With BigQuery DataFrames, we can offer a scalable and managed ML platform to our data scientists with minimal upskilling.” – Ashutosh Mishra, Vice President – Data Architecture & Governance, Deutsche Telekom

Trivago, meanwhile, migrated its PySpark transformations to BigQuery DataFrames.

“With BigQuery DataFrames, data science teams focus on business logic and not on tuning infrastructure.” – Andrés Sopeña Pérez, Head of Data Infrastructure, Trivago 

What’s new in BigQuery Dataframes 2.0?

This release is packed with features designed to streamline your AI and machine learning pipelines:

Working with multimodal data and generative AI techniques 

• Multimodal DataFrames (Preview): BigQuery Dataframes 2.0 introduces a unified dataframe that can handle text, images, audio, and more, alongside traditional structured data, breaking down the barriers between structured and unstructured data. This is powered by BigQuery’s multimodal capabilities enabled by ObjectRef, helping to ensure scalability and governance for even the largest datasets.

  When working with multimodal data, BigQuery DataFrames also abstracts many details for working with multimodal tables and processing multimodal data, leveraging BigQuery features behind the scene like embedding generation, vector search, Python UDFs, and others.

• Pythonic operators for BigQuery AI Query Engine (experimental): BigQuery AI Query Engine makes it trivial to generate insights from multimodal data: Now, you can analyze unstructured data simply by including natural language instructions in your SQL queries. Imagine writing SQL queries where you can rank call transcripts in a table by ‘quality of support’ or generate a list of products with ‘high satisfaction’ based on reviews in a column. BigQuery AI Query Engine makes that possible with simple, stackable SQL.

  BigQuery DataFrames offers a DataFrame interface to work with AI Query Engine. Here’s a sample:

• Gemini Code Assist for DataFrames (Preview): To keep up with the evolving user expectations around code generation, we’re also making it easier to develop BigQuery DataFrames code, using natural language prompts directly within BigQuery Studio. Together, Gemini’s contextual understanding and DataFrames-specific training help ensure smart, efficient code generation. This feature is released as part of Gemini in BigQuery.

Strengthening the core 

To make the core Python data science workflow richer and faster to use,  we added the following features. 

• Partial ordering (GA): By default, BigQuery DataFrames maintains strict ordering (as does Pandas). With 2.0, we’re introducing a relaxed ordering mode that significantly improves performance, especially for large-scale feature engineering. This “spin” on traditional Pandas ordering is tailored for the massive datasets common in BigQuery. Read more about partial ordering here. 

Here’s some example code that uses partial ordering :

• Work with Python UDF (Preview): BigQuery Python user-defined functions are now available in preview [see the documentation].

  Within BigQuery DataFrames you can now auto-scale Python function execution to millions of rows, with serverless, scale-out execution. All you need to do is put a “@udf” decorator on top of a function that needs to be pushed to the server-side.   

  Here is an example code that tokenizes comments from stackoverflow data stored in a  BigQuery public table with ~90 million rows using a Python UDF: 

• dbt Integration (Preview): For all the dbt users out there, you can now integrate BigQuery DataFrames Python into your existing dbt workflows. The new dbt Python model allows you to run BigQuery DataFrames code alongside your BigQuery SQL, unifying billing, and simplifying infrastructure management. No new APIs or infrastructure to learn — just the power of Python and BigQuery DataFrames within your familiar dbt environment. [Try now ]

Why this matters now

For years, unstructured data has largely resided in silos, separate from the structured data in data warehouses. This separation restricted the ability to perform comprehensive analysis and build truly powerful AI models. BigQuery’s multimodal capabilities and BigQuery Dataframes 2.0 eliminates this divide, bringing the capabilities traditionally associated with data lakes directly into the data warehouse, enabling:

• Unified data analysis: Analyze all your data – structured and unstructured – in one place, using a single, consistent Pandas-like API.

• LLM-powered insights: Unlock deeper insights by combining the power of LLMs with the rich context of your structured data.

• Simplified workflows: Streamline your data pipelines and reduce the need for complex data movement and transformation.

• Scalability and governance: Leverage BigQuery’s serverless architecture and robust governance features for all your data, regardless of format.

See BigQuery Dataframes 2.0 in Action

You can see all of these features in action in this video from Google Cloud Next ’25 

Get started today!

BigQuery Dataframes 2.0 is a game-changer for anyone working with data and AI. It’s time to unlock the full potential of your data, regardless of its structure. Start experimenting with the new features today!

• Dive into the documentation.

• For multimodal use cases – fill out this intake form to get your project number allowlisted for ObjectRef.

• Try out DBT Python model with BigQuery DataFrames via this Quickstart

• Join the Community – Stay connected with the BigQuery DataFrames team by signing up for an email group here.