At Google Cloud Next 25, we expanded the availability of Gemini in Looker, including Conversational Analytics, to all Looker platform users, redefining how line-of-business employees can rapidly gain access to trusted data-driven insights through natural language. Due to the complexity inherent in traditional business intelligence products, which require steep learning curves or advanced SQL knowledge, many potential users who could benefit from BI tools simply don’t. But with the convergence of AI and BI, the opportunity to ask questions and chat with your data using natural language breaks down the barriers that have long stood in the way.
Conversational Analytics from Looker is designed to make BI simpler and more approachable, democratizing data access, enabling users to ask data-related queries in plain, everyday language, and go beyond static dashboards that often don’t answer all potential questions. In response, users receive accurate and relevant answers derived from Looker Explores or BigQuery tables, without needing to know SQL or specific data tools.
For data analysts, this means fewer support tickets and interruptions, so they can focus on higher priority work. Business users can now take on their own data queries and get answers, empowering trusted self-service by putting the controls in the hands of the users who need the answers most. Now, instead of struggling with field names and date formats, users can simply ask questions like: “What were our top-performing products last quarter?” or say “Show me the trend of website traffic over the past six months.” Additionally, when using Conversational Analytics with Looker Explores, users can be sure tables are consistently joined and metrics are calculated the same way every time.
With Conversational Analytics, ask questions of your data and get AI-driven insights.
Conversational Analytics in Looker is designed to be simple, helpful, and easy to use, offering:
Trusted, consistent results: Conversational Analytics only uses fields defined by your data experts in LookML. Once the fields are selected, they are deterministically translated to SQL by Looker, the same way every time.
Transparency with “How was this calculated?”: This feature provides a clear, natural language explanation of the underlying query that generated the results, presented in easy-to-understand bullet points.
A deeper dive with follow-up questions: Just like a natural conversation, users can ask follow-up questions to explore the data further. For example, users can ask to filter a result to a specific region, to change the timeframe of the date filter, or to switch from bar graph to an area chart. Conversational Analytics allows for seamless iteration and deeper exploration of the data.
Hidden insights with Gemini: Once the initial query results are displayed, users can click the “Insights” button to ask Gemini to analyze the data results and generate additional insights about patterns and trends they might have otherwise missed.
Empowering data analysts and developers
With the release of Conversational Analytics, our goal is for it to benefit data analysts and developers on top of line-of-business teams. The Conversational Analytics agent lets data analysts provide crucial context and instructions to Gemini, enhancing its ability to answer business user questions effectively, and empowering analysts to map business jargon to specific fields, specify the best fields for filtering, and define custom calculations.
Analysts can further curate the experience by creating agents for specific use cases. When business users select an agent, they can feel confident that they are interacting with the right data source.
As announced at Next 25, the Conversational Analytics API will power Conversational Analytics across multiple first-party Google Cloud experiences and third-party products, including customer applications, chat apps, Agentspace, and BigQuery, bringing the benefits of natural language queries to your data to the applications where you work every day. Later this year we’ll also bring Conversational Analytics into Looker Dashboards, allowing users to chat with their data in that familiar interface, whether inside Looker or embedded in other applications.
Also, if you’re interested in solving even more complex problems while chatting with your data, you can try our new Code Interpreter (available in preview), which uses Python rather than SQL to perform advanced analysis like cohort analysis and forecasting. With the Conversational Analytics Code Interpreter, you can tackle data science tasks without learning advanced coding or statistical methods. Sign up for access here.
Expanding the reach of AI for BI
Looker Conversational Analytics is a step forward in making BI accessible to a wider audience. By removing the technical barriers and providing an intuitive, conversational interface, Looker is empowering more business users to leverage data in their daily routines. With Conversational Analytics available directly in Looker, organizations can now make data-driven insights a reality for everyone. Start using Conversational Analytics today in your Looker instance.
Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov
Executive Summary
Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances.
Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection.
We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts.
Scope
This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from 2024 that demonstrate how actors use both historic and novel techniques to exploit vulnerabilities in targeted products. The following content leverages original research conducted by GTIG, combined with breach investigation findings and reporting from reliable open sources, though we cannot independently confirm the reports of every source. Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents through digital forensic investigations. The numbers presented here reflect our best understanding of current data.
GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation.
Key Takeaways
Zero-day exploitation continues to grow gradually. The 75 zero-day vulnerabilities exploited in 2024 follow a pattern that has emerged over the past four years. While individual year counts have fluctuated, the average trendline indicates that the rate of zero-day exploitation continues to grow at a slow but steady pace.
Enterprise-focused technology targeting continues to expand. GTIG continued to observe an increase in adversary exploitation of enterprise-specific technologies throughout 2024. In 2023, 37% of zero-day vulnerabilities targeted enterprise products. This jumped to 44% in 2024, primarily fueled by the increased exploitation of security and networking software and appliances.
Attackers are increasing their focus on security and networking products. Zero-day vulnerabilities in security software and appliances were a high-value target in 2024. We identified 20 security and networking vulnerabilities, which was over 60% of all zero-day exploitation of enterprise technologies. Exploitation of these products, compared to end-user technologies, can more effectively and efficiently lead to extensive system and network compromises, and we anticipate adversaries will continue to increase their focus on these technologies.
Vendors are changing the game. Vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success. We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems.
Actors conducting cyber espionage still lead attributed zero-day exploitation. Between government-backed groups and customers of commercial surveillance vendors (CSVs), actors conducting cyber espionage operations accounted for over 50% of the vulnerabilities we could attribute in 2024. People’s Republic of China (PRC)-backed groups exploited five zero-days, and customers of CSVs exploited eight, continuing their collective leading role in zero-day exploitation. For the first year ever, we also attributed the exploitation of the same volume of 2024 zero-days (five) to North Korean actors mixing espionage and financially motivated operations as we did to PRC-backed groups.
Looking at the Numbers
GTIG tracked 75 exploited-in-the-wild zero-day vulnerabilities that were disclosed in 2024. This number appears to be consistent with a consolidating upward trend that we have observed over the last four years. After an initial spike in 2021, yearly counts have fluctuated but not returned to the lower numbers we saw in 2021 and prior.
While there are multiple factors involved in discovery of zero-day exploitation, we note that continued improvement and ubiquity of detection capabilities along with more frequent public disclosures have both resulted in larger numbers of detected zero-day exploitation compared to what was observed prior to 2021.
Figure 1: Zero-days by year
Higher than any previous year, 44% (33 vulnerabilities) of tracked 2024 zero-days affected enterprise technologies, continuing the growth and trends we observed last year. The remaining 42 zero-day vulnerabilities targeted end-user technologies.
Enterprise Exploitation Expands in 2024 as Browser and Mobile Exploitation Drops
End-User Platforms and Products
In 2024, 56% (42) of the tracked zero-days targeted end-user platforms and products, which we define as devices and software that individuals use in their day-to-day life, although we acknowledge that enterprises also often use these. All of the vulnerabilities in this category were used to exploit browsers, mobile devices, and desktop operating systems.
Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year (17 to 11 for browsers, and 17 to 9 for mobile).
Chrome was the primary focus of browser zero-day exploitation in 2024, likely reflecting the browser’s popularity among billions of users.
Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices.
Third-party components continue to be exploited in Android devices, a trend we discussed in last year’s analysis. In 2023, five of the seven zero-days exploited in Android devices were flaws in third-party components. In 2024, three of the seven zero-days exploited in Android were found in third-party components. Third-party components are likely perceived as lucrative targets for exploit development since they can enable attackers to compromise many different makes and models of devices across the Android ecosystem.
2024 saw an increase in the total number of zero-day vulnerabilities affecting desktop operating systems (OSs) (22 in 2024 vs. 17 in 2023), indicating that OSs continue to be a strikingly large target. The proportional increase was even greater, with OS vulnerabilities making up just 17% of total zero-day exploitation in 2023, compared to nearly 30% in 2024.
Microsoft Windows exploitation continued to increase, climbing from 13 zero-days in 2022, to 16 in 2023, to 22 in 2024. As long as Windows remains a popular choice both in homes and professional settings, we expect that it will remain a popular target for both zero-day and n-day (i.e. a vulnerability exploited after its patch has been released) exploitation by threat actors.
Figure 2: Zero-days in end-user products in 2023 and 2024
Enterprise Technologies
In 2024, GTIG identified the exploitation of 33 zero-days in enterprise software and appliances. We consider enterprise products to include those mainly utilized by businesses or in a business environment. While the absolute number is slightly lower than what we saw in 2023 (36 vulnerabilities), the proportion of enterprise-focused vulnerabilities has risen from 37% in 2023 to 44% in 2024. Twenty of the 33 enterprise-focused zero-days targeted security and network products, a slight increase from the 18 observed in this category for 2023, but a 9% bump when compared proportionally to total zero-days for the year.
The variety of targeted enterprise products continues to expand across security and networking products, with notable targets in 2024 including Ivanti Cloud Services Appliance, Palo Alto Networks PAN-OS, Cisco Adaptive Security Appliance, and Ivanti Connect Secure VPN. Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks. Endpoint detection and response (EDR) tools are not usually equipped to work on these products, limiting available capabilities to monitor them. Additionally, exploit chains are not generally required to exploit these systems, giving extensive power to individual vulnerabilities that can single-handedly achieve remote code execution or privilege escalation.
Over the last several years, we have also tracked a general increase of enterprise vendors targeted. In 2024, we identified 18 unique enterprise vendors targeted by zero-days. While this number is slightly less than the 22 observed in 2023, it remains higher than all prior years’ counts. It is also a stark increase in the proportion of enterprise vendors for the year, given that the 18 unique enterprise vendors were out of 20 total vendors for 2024. 2024’s count is still a significant proportional increase compared to the 22 unique enterprise vendors targeted out of a total of 23 in 2023.
Figure 3: Number of unique enterprise vendors targeted
The proportion of zero-days exploited in enterprise devices in 2024 reinforces a trend that suggests that attackers are intentionally targeting products that can provide expansive access and fewer opportunities for detection.
Exploitation by Vendor
The vendors affected by multiple 2024 zero-day vulnerabilities generally fell into two categories: big tech (Microsoft, Google, and Apple) and vendors who supply security and network-focused products. As expected, big tech took the top two spots, with Microsoft at 26 and Google at 11. Apple slid to the fourth most frequently exploited vendor this year, with detected exploitation of only five zero-days. Ivanti was third most frequently targeted with seven zero-days, reflecting increased threat actor focus on networking and security products. Ivanti’s placement in the top three reflects a new and crucial change, where a security vendor was targeted more frequently than a popular end-user technology-focused vendor. We discuss in a following section how PRC-backed exploitation has focused heavily on security and network technologies, one of the contributing factors to the rise in Ivanti targeting.
We note that exploitation is not necessarily reflective of a vendor’s security posture or software development processes, as targeted vendors and products depend on threat actor objectives and capabilities.
Types of Exploited Vulnerabilities
Threat actors continued to utilize zero-day vulnerabilities primarily for the purposes of gaining remote code execution and elevating privileges. In 2024, these consequences accounted for over half (42) of total tracked zero-day exploitation.
Three vulnerability types were most frequently exploited. Use-after-free vulnerabilities have maintained their prevalence over many years, with eight in 2024, and are found in a variety of targets including hardware, low-level software, operating systems, and browsers. Command injection (also at eight, including OS command injection) and cross-site scripting (XSS) (six) vulnerabilities were also frequently exploited in 2024. Both code injection and command injection vulnerabilities were observed almost entirely targeting networking and security software and appliances, displaying the intent to use these vulnerabilities in order to gain control over larger systems and networks. The XSS vulnerabilities were used to target a variety of products, including mail servers, enterprise software, browsers, and an OS.
All three of these vulnerability types stem from software development errors and require meeting higher programming standards in order to prevent them from occurring. Safe and preventative coding practices, including, but not limited to, code reviews, updating legacy codebases, and utilizing up-to-date libraries, can appear to hinder production timelines. However, patches prove the potential for these security exposures to be prevented in the first place with proper intention and effort and ultimately reduce the overall effort to properly maintain a product or codebase.
Who Is Driving Exploitation
Figure 4: 2024 attributed zero-day exploitation
Due to the stealthy access zero-day vulnerabilities can provide into victim systems and networks, they continue to be a highly sought after capability for threat actors. GTIG tracked a variety of threat actors exploiting zero-days in a variety of products in 2024, which is consistent with our previous observations that zero-day exploitation has diversified in both platforms targeted and actors exploiting them. We attributed the exploitation of 34 zero-day vulnerabilities in 2024, just under half of the total 75 we identified in 2024. While the proportion of exploitation that we could attribute to a threat actor dipped slightly from our analysis of zero-days in 2023, it is still significantly higher than the ~30% we attributed in 2022. While this reinforces our previous observation that platforms’ investment in exploit mitigations are making zero-days harder to exploit, the security community is also slowly improving our ability to identify that activity and attribute it to threat actors.
Consistent with trends observed in previous years, we attributed the highest volume of zero-day exploitation to traditional espionage actors, nearly 53% (18 vulnerabilities) of total attributed exploitation. Of these 18, we attributed the exploitation of 10 zero-days to likely nation-state-sponsored threat groups and eight to CSVs.
CSVs Continue to Increase Access to Zero-Day Exploitation
While we still expect government-backed actors to continue their historic role as major players in zero-day exploitation, CSVs now contribute a significant volume of zero-day exploitation. Although the total count and proportion of zero-days attributed to CSVs declined from 2023 to 2024, likely in part due to their increased emphasis on operational security practices, the 2024 count is still substantially higher than the count from 2022 and years prior. Their role further demonstrates the expansion of the landscape and the increased access to zero-day exploitation that these vendors now provide other actors.
In 2024, we observed multiple exploitation chains using zero-days developed by forensic vendors that required physical access to a device (CVE-2024-53104, CVE-2024-32896, CVE-2024-29745, CVE-2024-29748). These bugs allow attackers to unlock the targeted mobile device with custom malicious USB devices. For instance, GTIG and Amnesty International’s Security Lab discovered and reported on CVE-2024-53104 in exploit chains developed by forensic company Cellebrite and used against the Android phone of a Serbian student and activist by Serbian security services. GTIG worked with Android to patch these vulnerabilities in the February 2025 Android security bulletin.
PRC-Backed Exploitation Remains Persistent
PRC threat groups remained the most consistent government-backed espionage developer and user of zero-days in 2024. We attributed nearly 30% (five vulnerabilities) of traditional espionage zero-day exploitation to PRC groups, including the exploitation of zero-day vulnerabilities in Ivanti appliances by UNC5221 (CVE-2023-46805 and CVE-2024-21887), which GTIG reported on extensively. During this campaign, UNC5221 chained multiple zero-day vulnerabilities together, highlighting these actors’ willingness to expend resources to achieve their apparent objectives. The exploitation of five vulnerabilities that we attributed to PRC groups exclusively focused on security and networking technologies. This continues a trend that we have observed from PRC groups for several years across all their operations, not just in zero-day exploitation.
North Korean Actors Mix Financially Motivated and Espionage Zero-Day Exploitation
For the first time since we began tracking zero-day exploitation in 2012, in 2024, North Korean state actors tied for the highest total number of attributed zero-days exploited (five vulnerabilities) with PRC-backed groups. North Korean groups are notorious for their overlaps in targeting scope; tactics, techniques, and procedures (TTPs); and tooling that demonstrate how various intrusion sets support the operations of other activity clusters and mix traditional espionage operations with attempts to fund the regime. This focus on zero-day exploitation in 2024 marks a significant increase in these actors’ focus on this capability. North Korean threat actors exploited two zero-day vulnerabilities in Chrome as well as three vulnerabilities in Windows products.
In October 2024, it was publicly reported that APT37 exploited a zero-day vulnerability in Microsoft products. The threat actors reportedly compromised an advertiser to serve malicious advertisements to South Korean users that would trigger zero-click execution of CVE-2024-38178 to deliver malware. Although we have not yet corroborated the group’s exploitation of CVE-2024-38178 as reported, we have observed APT37 previously exploit Internet Explorer zero-days to enable malware distribution.
North Korean threat actors also reportedly exploited a zero-day vulnerability in the Windows AppLocker driver (CVE-2024-21338) in order to gain kernel-level access and turn off security tools. This technique abuses legitimate and trusted but vulnerable already-installed drivers to bypass kernel-level protections and provides threat actors an effective means to bypass and mitigate EDR systems.
Non-State Exploitation
In 2024, we linked almost 15% (five vulnerabilities) of attributed zero-days to non-state financially motivated groups, including a suspected FIN11 cluster’s exploitation of a zero-day vulnerability in multiple Cleo managed file transfer products (CVE-2024-55956) to conduct data theft extortion. This marks the third year of the last four (2021, 2023, and 2024) in which FIN11 or an associated cluster has exploited a zero-day vulnerability in its operations, almost exclusively in file transfer products. Despite the otherwise varied cast of financially motivated threat actors exploiting zero-days, FIN11 has consistently dedicated the resources and demonstrated the expertise to identify, or acquire, and exploit these vulnerabilities from multiple different vendors.
We attributed an additional two zero-days in 2024 to non-state groups with mixed motivations, conducting financially motivated activity in some operations but espionage in others. Two vulnerabilities (CVE-2024-9680 and CVE-2024-49039, detailed in the next section) were exploited as zero-days by CIGAR (also tracked as UNC4895 or publicly reported as RomCom), a group that has conducted financially motivated operations alongside espionage likely on behalf of the Russian government, based partly on observed highly specific targeting focused on Ukrainian and European government and defense organizations.
A Zero-Day Spotlight on CVE-2024-44308, CVE-2024-44309, and CVE-2024-49039: A look into zero-days discovered by GTIG researchers
Spotlight #1: Stealing Cookies with WebKit
On Nov. 12, 2024, GTIG detected a potentially malicious piece of JavaScript code injected on https://online.da.mfa.gov[.]ua/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4. The JavaScript was loaded directly from the main page of the website of the Diplomatic Academy of Ukraine, online.da.mfa.gov.ua. Upon further analysis, we discovered that the JavaScript code was a WebKit exploit chain specifically targeting macOS users running on Intel hardware.
The exploit consisted of a WebKit remote code execution (RCE) vulnerability (CVE-2024-44308), leveraging a logical Just-In-Time (JIT) error, succeeded by a data isolation bypass (CVE-2024-44309). The RCE vulnerability employed simple and old JavaScriptCore exploitation techniques that are publicly documented, namely:
Setting up addrof/fakeobj primitives using the vulnerability
Leaking StructureID
Building a fake TypedArray to gain arbitrary read/write
JIT compiling a function to get a RWX memory mapping where a shellcode can be written and executed
The shellcode traversed a set of pointers and vtables to find and call WebCookieJar::cookieRequestHeaderFieldValue with an empty firstPartyForCookies parameter, allowing the threat actor to access cookies of any arbitrary website passed as the third parameter to cookieRequestHeaderFieldValue.
The end goal of the exploit is to collect users’ cookies in order to access login.microsoftonline.com. The cookie values were directly appended in a GET request sent to https://online.da.mfa.gov.ua/gotcookie?.
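A detection sketch for the exfiltration pattern described above, added here as an example and not taken from the GTIG report: because the stolen data is a Cookie request header value appended to a GET request, a proxy log can be searched for query strings that parse as a Cookie header. The log layout, the sample lines, the hostnames, and the list of sensitive cookie names (session cookies commonly set by login.microsoftonline.com) are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: session cookie names to treat as high value; the report does not list them.
SENSITIVE_COOKIE_NAMES = {"ESTSAUTH", "ESTSAUTHPERSISTENT"}
# Requests to the cookie owner itself are not exfiltration.
COOKIE_OWNER_SUFFIX = ".microsoftonline.com"

# One cookie-pair as in RFC 6265: token "=" value, with pairs joined by ";".
COOKIE_PAIR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+=[^;\s]*$")


def parse_cookie_header(text):
    """Return {name: value} if text is shaped like a Cookie header value, else {}."""
    pairs = [p.strip() for p in text.split(";") if p.strip()]
    if not pairs or not all(COOKIE_PAIR.match(p) for p in pairs):
        return {}
    return dict(p.split("=", 1) for p in pairs)


def scan(lines):
    """Flag GET requests whose query string carries cookie-header-shaped data.

    Assumed log layout (constructed): "<timestamp> <client> <method> <url> <status>".
    Findings list cookie names only, so the report never re-exposes the values.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            _ts, client, method, rest = line.split(" ", 3)
            url, _status = rest.rsplit(" ", 1)  # tolerates raw spaces inside the URL
            parts = urlsplit(url)
        except ValueError:
            continue  # malformed line or unparsable URL
        host = (parts.hostname or "").lower()
        if method != "GET" or host.endswith(COOKIE_OWNER_SUFFIX):
            continue
        cookies = parse_cookie_header(unquote(parts.query))
        if set(cookies) & SENSITIVE_COOKIE_NAMES:
            severity = "high"    # a known session cookie sent to a foreign host
        elif len(cookies) >= 2:
            severity = "medium"  # cookie-shaped query string; needs triage
        else:
            continue
        findings.append({
            "line": lineno,
            "client": client,
            "host": host,
            "path": parts.path,
            "cookie_names": sorted(cookies),
            "severity": severity,
        })
    return findings


# Constructed sample log lines (hosts and values are placeholders).
SAMPLE_LOG = [
    "2024-11-12T09:14:03Z 10.0.0.21 GET https://news.example/article?id=42&ref=home 200",
    "2024-11-12T09:14:07Z 10.0.0.21 GET https://compromised-site.example/gotcookie?"
    "ESTSAUTH%3Dconstructed-1%3B%20ESTSAUTHPERSISTENT%3Dconstructed-2 200",
    "2024-11-12T09:15:10Z 10.0.0.22 GET https://other-site.example/gotcookie?"
    "ESTSAUTH=constructed-3; other=constructed-4 200",
    "2024-11-12T09:15:30Z 10.0.0.30 GET https://legacy-app.example/report?year=2024;region=emea 200",
    "2024-11-12T09:16:00Z 10.0.0.40 GET https://login.microsoftonline.com/common/oauth2/v2.0/"
    "authorize?client_id=constructed;scope=openid 200",
    "2024-11-12T09:16:05Z 10.0.0.40 POST https://news.example/comment?a=1;b=2 200",
    "garbage",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The medium tier will also match legacy applications that use semicolons as query separators, so it is a triage signal and not an alert on its own.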
This is not the first time we have seen threat actors stay within the browser to collect users’ credentials. In March 2021, a targeted campaign used a zero-day against WebKit on iOS to turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites. In August 2024, a watering hole on various Mongolian websites used Chrome and Safari n-day exploits to exfiltrate users’ credentials.
While it is unclear why this abbreviated approach was taken as opposed to deploying full-chain exploits, we identified several possibilities, including:
The threat actor was not able to get all the pieces to have a full chain exploit. In this case, the exploit likely targeted only the MacIntel platform because they did not have a Pointer Authentication Code (PAC) bypass to target users using Apple Silicon devices. A PAC bypass is required to make arbitrary calls for their data isolation bypass.
The price for a full chain exploit was too expensive, especially when the chain is meant to be used at a relatively large scale. This especially includes watering hole attacks, where the chances of being detected are high and subsequently might quickly burn the zero-day vulnerability and exploit.
Stealing credentials is sufficient for their operations and the information they want to collect.
This trend is also observed beyond the browser environment, wherein third-party mobile applications (e.g., messaging applications) are targeted, and threat actors are stealing the information only accessible within the targeted application.
Spotlight #2: CIGAR Local Privilege Escalations
CIGAR’s Browser Exploit Chain
In early October 2024, GTIG independently discovered a fully weaponized exploit chain for Firefox and Tor browsers employed by CIGAR. CIGAR is a dual financial- and espionage-motivated threat group assessed to be running both types of campaigns in parallel, often simultaneously. In 2023, we observed CIGAR utilizing an exploit chain in Microsoft Office (CVE-2023-36884) as part of an espionage campaign targeting attendees of the Ukrainian World Congress and NATO Summit; however, in an October 2024 campaign, the usage of the Firefox exploit appears to be more in line with the group’s financial motives.
Our analysis, which broadly matched ESET’s findings, indicated that the browser RCE used is a use-after-free vulnerability in the Animation timeline. The vulnerability, known as CVE-2024-9680, was an n-day at the time of discovery by GTIG.
Upon further analysis, we identified that the embedded sandbox escape, which was also used as a local privilege escalation to NT/SYSTEM, was exploiting a newfound vulnerability. We reported this vulnerability to Mozilla and Microsoft, and it was later assigned CVE-2024-49039.
Double-Down on Privilege Escalation: from Low Integrity to SYSTEM
Firefox uses security sandboxing to introduce an additional security boundary and mitigate the effects of malicious code achieving code execution in content processes. Therefore, to achieve code execution on the host, an additional sandbox escape is required.
The in-the-wild CVE-2024-49039 exploit, which contained the PDB string C:etalonPocLowIL@OutputPocLowIL.pdb, could achieve both a sandbox escape and privilege escalation. The exploit abused two distinct issues to escalate privileges from Low Integrity Level (IL) to SYSTEM: the first allowed it to access the WPTaskScheduler RPC Interface (UUID: {33d84484-3626-47ee-8c6f-e7e98b113be1}), normally not accessible from a sandbox Firefox content process via the “less-secure endpoint” ubpmtaskhostchannel created in ubpm.dll; the second stems from insufficient Access Control List (ACL) checks in WPTaskScheduler.dll RPC server, which allowed an unprivileged user to create and execute scheduled tasks as SYSTEM.
1. Securing the endpoint: In WPTaskScheduler::TsiRegisterRPCInterface, the third argument to RpcServerUseProtseq is a non-NULL security descriptor (SD).
This SD should prevent the Firefox “Content” process from accessing the WPTaskScheduler RPC endpoint. However, a lesser known “feature” of RPC is that RPC endpoints are multiplexed, meaning that if there is a less secure endpoint in the same process, it is possible to access an interface indirectly from another endpoint (with a more permissive ACL). This is what the exploit does: instead of accessing RPC using the ALPC port that the WPTaskScheduler.dll sets up, it resolves the interface indirectly via ubpmtaskhostchannel. ubpm.dll uses a NULL security descriptor when initializing the interface, instead relying on the UbpmpTaskHostChannelInterfaceSecurityCb callback for ACL checks:
Figure 5: NULL security descriptor used when creating “ubpmtaskhostchannel” RPC endpoint in ubpm.dll::UbpmEnableTaskHostChannelRpcInterface, exposing a less secure endpoint for WPTaskScheduler interface
2. Securing the interface: In the same WPTaskScheduler::TsiRegisterRPCInterface function, an overly permissive security descriptor was used as an argument to RpcServerRegisterIf3. As we can see on the listing below, the CVE-2024-49039 patch addressed this by introducing a more locked-down SD.
Figure 6: Patched WPTaskScheduler.dll introduces a more restrictive security descriptor when registering an RPC interface
3. Ad-hoc Security: Implemented in WPTaskScheduler.dll::CallerHasAccess and called prior to enabling or executing any scheduled task. The function checks whether the calling user is attempting to execute a task created by them or one they should be able to access, but does not perform any additional checks to prevent calls originating from an unprivileged user.
CVE-2024-49039 addresses the issue by applying a more restrictive ACL to the interface; however, the issue with the less secure endpoint described in “1. Securing the endpoint” remains, and a restricted token process is still able to access the endpoint.
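The layering described in items 1 and 2 can be reasoned about with a small model. This is an added example, not code from the report or from Windows: descriptors are reduced to predicates on the caller's integrity level, the ALPC endpoint and ubpm interface names are placeholders, and every concrete policy (who each descriptor admits) is an assumption made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, List, Optional, Tuple


class IL(IntEnum):
    """Integrity levels, ordered from least to most privileged."""
    LOW = 1
    MEDIUM = 2
    SYSTEM = 4


@dataclass(frozen=True)
class Caller:
    name: str
    integrity: IL


# Modelling assumption: a security descriptor is a predicate over the caller.
# None stands for a NULL descriptor, i.e. no check at that layer.
Check = Optional[Callable[[Caller], bool]]


def passes(check: Check, caller: Caller) -> bool:
    return True if check is None else check(caller)


def at_least(level: IL) -> Callable[[Caller], bool]:
    return lambda caller: caller.integrity >= level


@dataclass
class Interface:
    name: str
    sd: Check = None        # descriptor supplied when the interface is registered
    callback: Check = None  # security callback; guards this interface only


@dataclass
class RpcServerProcess:
    endpoints: Dict[str, Check] = field(default_factory=dict)
    interfaces: Dict[str, Interface] = field(default_factory=dict)

    def call(self, caller: Caller, endpoint: str, interface: str) -> Tuple[bool, str]:
        # Layer 1: the descriptor of the endpoint the caller connects to.
        if not passes(self.endpoints[endpoint], caller):
            return False, "denied at endpoint"
        # Multiplexing: every endpoint in the process dispatches to every
        # interface registered in it, so the endpoint choice is the caller's.
        iface = self.interfaces[interface]
        # Layer 2: the interface's own descriptor and callback.
        if not passes(iface.sd, caller):
            return False, "denied by interface descriptor"
        if not passes(iface.callback, caller):
            return False, "denied by interface callback"
        return True, "allowed"

    def reachable_via(self, caller: Caller, interface: str) -> List[str]:
        """Audit helper: endpoints through which the caller reaches the interface."""
        return [ep for ep in self.endpoints if self.call(caller, ep, interface)[0]]


WPTS_ENDPOINT = "wptaskscheduler-alpc (placeholder name)"
UBPM_ENDPOINT = "ubpmtaskhostchannel"
WPTS_IF = "WPTaskScheduler {33d84484-3626-47ee-8c6f-e7e98b113be1}"
UBPM_IF = "ubpm task host channel interface (placeholder name)"


def build_process(patched: bool) -> RpcServerProcess:
    proc = RpcServerProcess()
    # Non-NULL descriptor on the endpoint WPTaskScheduler.dll creates.
    proc.endpoints[WPTS_ENDPOINT] = at_least(IL.MEDIUM)  # assumed policy
    # NULL descriptor on the endpoint created in ubpm.dll.
    proc.endpoints[UBPM_ENDPOINT] = None
    # Before the patch the interface descriptor is modelled as admitting
    # everyone; after it, as rejecting low-integrity callers (assumed policy).
    proc.interfaces[WPTS_IF] = Interface(
        WPTS_IF, sd=at_least(IL.MEDIUM) if patched else None)
    # The ubpm callback is attached to the ubpm interface, not to WPTaskScheduler.
    proc.interfaces[UBPM_IF] = Interface(UBPM_IF, callback=at_least(IL.MEDIUM))
    return proc


if __name__ == "__main__":
    sandboxed = Caller("sandboxed content process", IL.LOW)
    for patched in (False, True):
        proc = build_process(patched)
        print("patched" if patched else "unpatched",
              proc.reachable_via(sandboxed, WPTS_IF))
```

The audit helper makes the design point explicit: the effective endpoint ACL for an interface is the union of the ACLs of every endpoint in the hosting process, so the interface descriptor is the only layer that holds regardless of which endpoint is used.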
Unidentified Actor Using the Same Exploits
In addition to CIGAR, we discovered another, likely financially motivated, group using the exact same exploits (albeit with a different payload) while CVE-2024-49039 was still a zero-day. This actor utilized a watering hole on a legitimate, compromised cryptocurrency news website redirecting to an attacker-controlled domain hosting the same CVE-2024-9680 and CVE-2024-49039 exploit.
Outlook and Implications
Defending against zero-day exploitation continues to be a race of strategy and prioritization. Not only are zero-day vulnerabilities becoming easier to procure, but attackers finding use in new types of technology may strain less experienced vendors. While organizations have historically been left to prioritize patching processes based on personal or organizational threats and attack surfaces, broader trends can inform a more specific approach alongside lessons learned from major vendors’ mitigation efforts.
We expect zero-day vulnerabilities to maintain their allure to threat actors as opportunities for stealth, persistence, and detection evasion. While we observed trends regarding improved vendor security posture and decreasing numbers around certain historically popular products—particularly mobile and browsers—we anticipate that zero-day exploitation will continue to rise steadily. Given the ubiquity of operating systems and browsers in daily use, big tech vendors are consistently high-interest targets, and we expect this to continue. Phones and browsers will almost certainly remain popular targets, although enterprise software and appliances will likely see a continued rise in zero-day exploitation. Big tech companies have been victims of zero-day exploitation before and will continue to be targeted. This experience, in addition to the resources required to build more secure products and detect vulnerabilities in responsible manners, permits larger companies to approach zero-days as a more manageable problem.
For newly targeted vendors and those with products in the growing prevalence of targeted enterprise products, security practices and procedures should evolve to consider how successful exploitation of these products could bypass typical protection mechanisms. Preventing successful exploitation will rely heavily on these vendors’ abilities to enforce proper and safe coding practices. We continue to see the same types of vulnerabilities exploited over time, indicating patterns in what weaknesses attackers seek out and find most beneficial to exploit. Continued existence and exploitation of similar issues makes zero-days easier; threat actors know what to look for and where exploitable weaknesses are most pervasive.
Vendors should account for this shift in threat activity and address gaps in configurations and architectural decisions that could permit exploitation of a single product to cause irreparable damage. This is especially true for highly valuable tools with administrator access and/or widespread reach across systems and networks. Best practices continue to represent a minimum threshold of what security standards an architecture should demonstrate, including zero-trust fundamentals such as least-privilege access and network segmentation. Continuous monitoring should occur where possible in order to restrict and end unauthorized access as swiftly as possible, and vendors will need to account for EDR capabilities for technologies that currently lack them (e.g., many security and networking products). GTIG recommends acute threat surface awareness and respective due diligence in order to defend against today’s zero-day threat landscape. Zero-day exploitation will ultimately be dictated by vendors’ decisions and ability to counter threat actors’ objectives and pursuits.
At Google, we believe in empowering people and founders to use AI to tackle humanity’s biggest challenges. That’s why we’re supporting the next generation of AI leaders through our Google for Startups Accelerator: AI First programs. We announced the program in January and today, we’re proud to welcome 16 UK-based startups into our accelerator community that are using AI to drive real-world impact.
Out of hundreds of applicants, we’ve carefully selected these 16 high-potential startups to receive 1:1 guidance and support from Google, each demonstrating a unique vision for leveraging AI to address critical challenges and opportunities. This diverse cohort showcases how AI is being applied across sectors — from early cancer detection and climate resilience, to smarter supply chains and creative content generation. By joining the Google for Startups Accelerator: AI First UK program, these startups gain access to technical expertise, mentorship, and a global network to help them scale responsibly and sustainably.
“Google for Startups Accelerator: AI First provides an exceptional opportunity for us to enhance our AI expertise, accelerate the development of our data-driven products, and engage meaningfully with potential investors.” – Denise Williams, Managing Director, Dysplasia Diagnostics.
Read more about the selected startups and the founders shaping the future of AI:
Bindbridge (London) is a generative AI platform that discovers and designs molecular glues for targeted protein degradation in plants.
Building Atlas (Edinburgh) uses data and AI to support the decarbonisation of non-domestic buildings by modelling the best retrofit plans for any portfolio size.
Comply Stream (London) helps to streamline financial crime compliance operations for businesses and consumers.
Datawhisper (London) provides safe and compliant AI Agentic solutions tailored for the fintech and payments industry.
Deducta (London) is a data intelligence platform that supports global procurement teams with supply chain insights and efficiencies.
Dysplasia Diagnostics (London) develops AI-based, non-invasive, and affordable solutions for early cancer detection and treatment monitoring.
Flow.bio (London) is an end-to-end cloud platform for running large sequencing pipelines and auto-structuring bio-data for machine learning workflows.
Humble (London) enables non-technical users to build and share AI-powered apps and workflows, allowing them to automate without writing code.
Immersive Fox (London) is an AI studio for creating presenter-led marketing and communication videos directly from text.
Kestrix (London) uses thermal drones and advanced software to map and quantify heat loss from buildings and generate retrofit plans.
Measmerize (Birmingham) provides sizing advice for fashion e-commerce retailers, enabling brands to increase sales and decrease return rates.
PSi (London) uses AI to host large-scale online deliberations, enabling local governments to harness collective intelligence for effective policymaking.
Shareback (London) is an AI platform that allows employees to securely interact with GPT-based assistants trained on company, department, or project-specific data.
Sikoia (London) streamlines customer verification for financial services by consolidating data, automating tasks, and delivering actionable insights.
SmallSpark (Cardiff) enables low power AI at the edge, simplifying the deployment, management, and optimization of ML models on embedded devices.
Source.dev (London) simplifies the software development lifecycle for smart devices, to help accelerate innovation and streamline software updates.
“Through the program, we aim to leverage Google’s expertise and cutting-edge AI infrastructure to supercharge our growth on all fronts.” Lauren Ladd, Founder, Shareback
These 16 startups reflect the diversity and depth of AI innovation happening across the UK. Each company will receive technical mentorship, strategic guidance, and access to strategic connections from Google, and will continue to receive hands-on support via our alumni network after the program wraps in July.
Congratulations to this latest cohort! To learn more about applying for an upcoming Google for Startups program, visit the program page here.
In 2023, the Waze platform engineering team transitioned to Infrastructure as Code (IaC) using Google Cloud’s Config Connector (KCC) — and we haven’t looked back since. We embraced Config Connector, an open-source Kubernetes add-on, to manage Google Cloud resources through Kubernetes. To streamline management, we also leverage Config Controller, a hosted version of Config Connector on Google Kubernetes Engine (GKE), incorporating Policy Controller and Config Sync. This shift has significantly improved our infrastructure management and is shaping our future infrastructure.
The shift to Config Connector
Previously, Waze relied on Terraform to manage resources, particularly during our dual-cloud, VM-based phase. However, maintaining state and ensuring reconciliation proved challenging, leading to inconsistent configurations and increased management overhead.
In 2023, we adopted Config Connector, transforming our Google Cloud infrastructure into Kubernetes Resource Modules (KRMs) within a GKE cluster. This approach addresses the reconciliation issues encountered with Terraform. Config Sync, paired with Config Connector, automates KRM synchronization from source repositories to our live GKE cluster. This managed solution eliminates the need for us to build and maintain custom reconciliation systems.
The shift helped us meet the needs of three key roles within Waze’s infrastructure team:
Infrastructure consumers: Application developers who want to easily deploy infrastructure without worrying about the maintenance and complexity of underlying resources.
Infrastructure owners: Experts in specific resource types (e.g., Spanner, Google Cloud Storage, Load Balancers, etc.), who want to define and standardize best practices in how resources are created across Waze on Google Cloud.
Platform engineers: Engineers who build the system that enables infrastructure owners to codify and define best practices, while also providing a seamless API for infrastructure consumers.
First stop: Config Connector
It may seem circular to define all of our Google Cloud infrastructure as KRMs within a Google Cloud service. However, KRM is actually a great representation for our infrastructure compared with existing IaC tooling.
Terraform’s reconciliation issues – state drift, version management, out of band changes – are a significant pain. Config Connector, through Config Sync, offers out-of-the-box reconciliation, a managed solution we prefer. Both KRM and Terraform offer templating, but KCC’s managed nature aligns with our shift to Google Cloud-native solutions and reduces our maintenance burden.
Infrastructure complexity requires generalization regardless of the tool. We can see this when we look at the Spanner requirements at Waze:
Consistent backups for all Spanner databases
Each Spanner database utilizes a dedicated Cloud Storage bucket and Service Account to automate the execution of DDL jobs.
All IAM policies for Spanner instances, databases, and Cloud Storage buckets are defined in code to ensure consistent and auditable access control.
To define these resources, we evaluated various templating and rendering tools and selected Helm, a robust CNCF package manager for Kubernetes. Its strong open-source community, rich templating capabilities, and native rendering features made it a natural fit. We can now refer to our bundled infrastructure configurations as ‘Charts.’ While KRO has since emerged that achieves a similar purpose, our selection process predated its availability.
Under the hood
Let’s open the hood and dive into how the system works and is driving value for Waze.
Waze infrastructure owners generically define Waze-flavored infrastructure in Helm Charts.
Infrastructure consumers use these Charts with simplified inputs to generate infrastructure (demo).
Infrastructure code is stored in repositories, enabling validation and presubmit checks.
Code is uploaded to an Artifact Registry where Config Sync and Config Connector align Google Cloud infrastructure with the code definitions.
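A presubmit check of the kind mentioned above can enforce the Spanner requirements on rendered manifests before they reach the registry. The following is an added example, not Waze's code: it covers the dedicated bucket, dedicated service account and IAM-in-code requirements, the `example.com/spanner-database` annotation that links helper resources to a database is a hypothetical convention, and the manifests are constructed samples.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Hypothetical annotation that ties a helper resource to "its" database.
DB_ANNOTATION = "example.com/spanner-database"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def res(kind: str, name: str, db: Optional[str] = None,
        spec: Optional[dict] = None) -> dict:
    """Build a minimal rendered manifest (apiVersion omitted for brevity)."""
    meta: Dict[str, object] = {"name": name}
    if db:
        meta["annotations"] = {DB_ANNOTATION: db}
    return {"kind": kind, "metadata": meta, "spec": spec or {}}


def bucket_binding(name: str, bucket: str, role: str,
                   sa: Optional[str] = None, member: Optional[str] = None) -> dict:
    spec: Dict[str, object] = {
        "role": role,
        "resourceRef": {"kind": "StorageBucket", "name": bucket},
    }
    if sa:
        spec["memberFrom"] = {"serviceAccountRef": {"name": sa}}
    if member:
        spec["member"] = member
    return res("IAMPolicyMember", name, spec=spec)


def check_spanner_bundle(manifests: List[dict]) -> List[str]:
    findings: List[str] = []
    owned = defaultdict(lambda: defaultdict(list))  # db -> kind -> [names]
    owner_of = {}                                   # (kind, name) -> db
    for m in manifests:
        db = m["metadata"].get("annotations", {}).get(DB_ANNOTATION)
        if db and m["kind"] in ("StorageBucket", "IAMServiceAccount"):
            name = m["metadata"]["name"]
            owned[db][m["kind"]].append(name)
            owner_of[(m["kind"], name)] = db

    bindings = set()  # (bucket, service account) pairs declared in code
    for m in manifests:
        ref = m["spec"].get("resourceRef", {})
        if m["kind"] != "IAMPolicyMember" or ref.get("kind") != "StorageBucket":
            continue
        bucket = ref.get("name")
        member = m["spec"].get("member")
        sa = m["spec"].get("memberFrom", {}).get("serviceAccountRef", {}).get("name")
        if member in PUBLIC_MEMBERS:
            findings.append(f"{bucket}: public binding {member}")
        if sa:
            bindings.add((bucket, sa))
            bucket_db = owner_of.get(("StorageBucket", bucket))
            if bucket_db and owner_of.get(("IAMServiceAccount", sa)) != bucket_db:
                findings.append(
                    f"{bucket}: bound to {sa}, which is not dedicated to {bucket_db}")

    for m in manifests:
        if m["kind"] != "SpannerDatabase":
            continue
        db = m["metadata"]["name"]
        buckets = owned[db]["StorageBucket"]
        sas = owned[db]["IAMServiceAccount"]
        if len(buckets) != 1:
            findings.append(f"{db}: expected 1 dedicated StorageBucket, found {len(buckets)}")
        if len(sas) != 1:
            findings.append(f"{db}: expected 1 dedicated IAMServiceAccount, found {len(sas)}")
        if len(buckets) == 1 and len(sas) == 1 and (buckets[0], sas[0]) not in bindings:
            findings.append(f"{db}: no IAMPolicyMember binds {sas[0]} to {buckets[0]}")
    return findings


# Constructed sample input: one compliant database, then a non-compliant one.
GOOD = [
    res("SpannerDatabase", "routes"),
    res("StorageBucket", "routes-ddl", db="routes"),
    res("IAMServiceAccount", "routes-ddl-runner", db="routes"),
    bucket_binding("routes-ddl-rw", "routes-ddl", "roles/storage.objectAdmin",
                   sa="routes-ddl-runner"),
]
BAD = GOOD + [
    res("SpannerDatabase", "trips"),
    res("StorageBucket", "trips-ddl", db="trips"),
    bucket_binding("trips-ddl-rw", "trips-ddl", "roles/storage.objectAdmin",
                   sa="routes-ddl-runner"),
    bucket_binding("trips-ddl-public", "trips-ddl", "roles/storage.objectViewer",
                   member="allUsers"),
]

if __name__ == "__main__":
    for finding in check_spanner_bundle(BAD):
        print(finding)
```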
This diagram represents a single “data domain,” a collection of bounded services, databases, networks, and data. Many tech orgs today consist of Prod, QA, Staging, Development, etc.
Approaching our destination
So why does all of this matter? Adopting this approach allowed us to move from Infrastructure as Code to Infrastructure as Software. By treating each Chart as a software component, our infrastructure management goes beyond simple code declaration. Now, versioned Charts and configurations enable us to leverage a rich ecosystem of software practices, including sophisticated release management, automated rollbacks, and granular change tracking.
Here’s where we apply this in practice: our configuration inheritance model minimizes redundancy. Resource Charts inherit settings from Projects, which inherit from Bootstraps. All three are defined as Charts. Consequently, Bootstrap configurations apply to all Projects, and Project configurations apply to all Resources.
Every change to our infrastructure – from changes on existing infrastructure to rolling out new resource types – can be treated like a software rollout.
Now that all of our infrastructure is treated like software, we can see what this does for us system-wide:
Reaching our destination
In summary, Config Connector and Config Controller have enabled Waze to achieve true Infrastructure as Software, providing a robust and scalable platform for our infrastructure needs, along with many other benefits including:
Infrastructure consumers receive the latest best practices through versioned updates.
Infrastructure owners can iterate and improve infrastructure safely.
Platform Engineers and Security teams are confident our resources are auditable and compliant.
For data scientists and ML engineers, building analysis and models in Python is almost second nature, and Python’s popularity in the data science community has only skyrocketed with the recent generative AI boom. We believe that the future of data science is no longer just about neatly organized rows and columns. For decades, many valuable insights have been locked in images, audio, text, and other unstructured formats. And now, with the advances in gen AI, data science workloads must evolve to handle multi-modality and use new gen AI and agentic techniques.
To prepare you for the data science of tomorrow, we announced BigQuery DataFrames 2.0 last week at Google Cloud Next 25, bringing multimodal data processing and AI directly into your BigQuery Python workflows.
Extending Pandas DataFrames for BigQuery Multimodal Data
In BigQuery, data scientists frequently look to use Python to process large data sets for analysis and machine learning. However, this almost always involves learning a different Python framework and rewriting the code that worked on smaller data sets. You can hardly take Pandas code that worked on 10 GB of data and get it working for a terabyte of data without expending significant time and effort.
Version 2.0 also strengthens the core foundation for larger-scale, Python data science. And then it builds on this foundation, adding groundbreaking new capabilities that unlock the full potential of your data, both structured and unstructured.
BigQuery DataFrames adoption
We launched BigQuery DataFrames last year as an open-source Python library that scales Python data processing without having to add any new infrastructure or APIs, transpiling common Python data science APIs from Pandas and scikit-learn to various BigQuery SQL operators. Since its launch, there’s been over 30X growth in how much data it processes and, today, thousands of customers use it to process more than 100 PB every month.
During the last year we evolved our library significantly across 50+ releases and worked closely with thousands of users. Here’s how a couple of early BigQuery DataFrames customers use this library in production.
Deutsche Telekom has standardized on BigQuery DataFrames for its ML platform.
“With BigQuery DataFrames, we can offer a scalable and managed ML platform to our data scientists with minimal upskilling.” – Ashutosh Mishra, Vice President – Data Architecture & Governance, Deutsche Telekom
Trivago, meanwhile, migrated its PySpark transformations to BigQuery DataFrames.
“With BigQuery DataFrames, data science teams focus on business logic and not on tuning infrastructure.” – Andrés Sopeña Pérez, Head of Data Infrastructure, Trivago
What’s new in BigQuery Dataframes 2.0?
This release is packed with features designed to streamline your AI and machine learning pipelines:
Working with multimodal data and generative AI techniques
Multimodal DataFrames (Preview): BigQuery Dataframes 2.0 introduces a unified dataframe that can handle text, images, audio, and more, alongside traditional structured data, breaking down the barriers between structured and unstructured data. This is powered by BigQuery’s multimodal capabilities enabled by ObjectRef, helping to ensure scalability and governance for even the largest datasets.
When working with multimodal data, BigQuery DataFrames also abstracts many details for working with multimodal tables and processing multimodal data, leveraging BigQuery features behind the scene like embedding generation, vector search, Python UDFs, and others.
Pythonic operators for BigQuery AI Query Engine (experimental): BigQuery AI Query Engine makes it trivial to generate insights from multimodal data: Now, you can analyze unstructured data simply by including natural language instructions in your SQL queries. Imagine writing SQL queries where you can rank call transcripts in a table by ‘quality of support’ or generate a list of products with ‘high satisfaction’ based on reviews in a column. BigQuery AI Query Engine makes that possible with simple, stackable SQL.
BigQuery DataFrames offers a DataFrame interface to work with AI Query Engine. Here’s a sample:
```python
import bigframes.pandas as bpd

from bigframes.ml import llm
gemini_model = llm.GeminiTextGenerator(model_name="gemini-1.5-flash-002")

# Get Top K products with higher satisfaction
df = bpd.read_gbq("project.dataset.transcripts_table")
result = df.ai.top_k("The reviews in {review_transcription_col} indicates higher satisfaction", model=gemini_model)

# Works with multimodal data as well.
df = bpd.from_glob_path("gs://bucket/images/*", name="image_col")
result = df.ai.filter("The main object in the {image_col} can be seen in city streets", model=gemini_model)
```
Gemini Code Assist for DataFrames (Preview): To keep up with the evolving user expectations around code generation, we’re also making it easier to develop BigQuery DataFrames code, using natural language prompts directly within BigQuery Studio. Together, Gemini’s contextual understanding and DataFrames-specific training help ensure smart, efficient code generation. This feature is released as part of Gemini in BigQuery.
Strengthening the core
To make the core Python data science workflow richer and faster to use, we added the following features.
Partial ordering (GA): By default, BigQuery DataFrames maintains strict ordering (as does Pandas). With 2.0, we’re introducing a relaxed ordering mode that significantly improves performance, especially for large-scale feature engineering. This “spin” on traditional Pandas ordering is tailored for the massive datasets common in BigQuery. Read more about partial ordering here.
Here’s some example code that uses partial ordering:
```python
import bigframes.pandas as bpd
import datetime

# Enable the partial ordering mode
bpd.options.bigquery.ordering_mode = "partial"

pypi = bpd.read_gbq("bigquery-public-data.pypi.file_downloads")

# Show a preview of the previous day's downloads.
# The partial ordering mode is 4,000,000+ more efficient in terms of billed bytes.
last_1_days = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(days=1)
bigframes_downloads = pypi[(pypi["timestamp"] > last_1_days) & (pypi["project"] == "bigframes")]
bigframes_downloads[["timestamp", "project", "file"]].peek()
```
Work with Python UDF (Preview): BigQuery Python user-defined functions are now available in preview [see the documentation].
Within BigQuery DataFrames you can now auto-scale Python function execution to millions of rows, with serverless, scale-out execution. All you need to do is put a “@udf” decorator on top of a function that needs to be pushed to the server-side.
Here is example code that tokenizes comments from Stack Overflow data stored in a BigQuery public table with ~90 million rows using a Python UDF:
```python
import bigframes.pandas as bpd

# Auto-create the server side Python UDF
@bpd.udf(packages=["tokenizer"])
def get_sentences(text: str) -> list[str]:
    from tokenizer import split_into_sentences
    return list(split_into_sentences(text))

df = bpd.read_gbq(
    "bigquery-public-data.stackoverflow.comments"
)
# Invoke the Python UDF
result = df["text"].apply(get_sentences)
result.peek()
```
dbt Integration (Preview): For all the dbt users out there, you can now integrate BigQuery DataFrames Python into your existing dbt workflows. The new dbt Python model allows you to run BigQuery DataFrames code alongside your BigQuery SQL, unifying billing, and simplifying infrastructure management. No new APIs or infrastructure to learn — just the power of Python and BigQuery DataFrames within your familiar dbt environment. [Try now ]
For years, unstructured data has largely resided in silos, separate from the structured data in data warehouses. This separation restricted the ability to perform comprehensive analysis and build truly powerful AI models. BigQuery’s multimodal capabilities and BigQuery DataFrames 2.0 eliminate this divide, bringing the capabilities traditionally associated with data lakes directly into the data warehouse, enabling:
Unified data analysis: Analyze all your data – structured and unstructured – in one place, using a single, consistent Pandas-like API.
LLM-powered insights: Unlock deeper insights by combining the power of LLMs with the rich context of your structured data.
Simplified workflows: Streamline your data pipelines and reduce the need for complex data movement and transformation.
Scalability and governance: Leverage BigQuery’s serverless architecture and robust governance features for all your data, regardless of format.
See BigQuery Dataframes 2.0 in Action
You can see all of these features in action in this video from Google Cloud Next ’25.
Get started today!
BigQuery Dataframes 2.0 is a game-changer for anyone working with data and AI. It’s time to unlock the full potential of your data, regardless of its structure. Start experimenting with the new features today!
The daily grind of sifting through endless alerts and repetitive tasks is burdening security teams. Too often, defenders struggle to keep up with evolving threats, but the rapid pace of AI advancement means it doesn’t have to be that way.
Agentic AI promises a fundamental, tectonic shift for security teams, where intelligent agents work alongside human analysts to autonomously take on routine tasks, augment human decision-making, automate workflows, and empower them to focus on what matters most: the complex investigations and strategic challenges that truly demand human expertise.
The agentic AI future
While assistive AI primarily aids human analyst actions, agentic AI goes further and can independently identify, reason through, and dynamically execute tasks to accomplish goals — all while keeping human analysts in the loop.
Our vision for this agentic future for security builds on the tangible benefits our customers experience today with Gemini in Security Operations:
“No longer do we have our analysts having to write regular expressions that could take anywhere from 30 minutes to an hour. Gemini can do it within a matter of seconds,” said Hector Peña, senior information security director, Apex Fintech Solutions.
We believe that agentic AI will transform security operations. The agentic security operations center (SOC), powered by multiple connected and use-case driven agents, can execute semi-autonomous and autonomous security operations workflows on behalf of defenders.
The agentic SOC
We are rapidly building the tools for the agentic SOC with Gemini in Security. Earlier this month at Google Cloud Next, we introduced two new Gemini in Security agents:
The alert triage agent in Google Security Operations autonomously performs dynamic investigations and provides a verdict.
In Google Security Operations, an alert triage agent performs dynamic investigations on behalf of users. Expected to preview for select customers in Q2 2025, this agent analyzes the context of each alert, gathers relevant information, and renders a verdict on the alert.
It also provides a fully transparent audit log of the agent’s evidence, reasoning and decision making. This always-on investigation agent will vastly reduce the manual workload of Tier 1 and Tier 2 analysts who otherwise are triaging and investigating hundreds of alerts per day.
The malware analysis agent in Google Threat Intelligence performs reverse engineering.
In Google Threat Intelligence, a malware analysis agent performs reverse engineering tasks to determine if a file is malicious. Expected to preview for select customers in Q2 2025, this agent analyzes potentially malicious code, including the ability to create and execute scripts for deobfuscation. The agent will summarize its work, and provide a final verdict.
Building on these investments, the agentic SOC is a connected, multi-agent system that works collaboratively with the human analyst to achieve exponential gains in efficiency. These intelligent agents are designed to fundamentally change security and threat management, working alongside analysts to automate common tasks and workflows, improve decision-making, and ultimately enable a greater focus on complex threats.
The agentic SOC will be a connected, multi-agent system that works collaboratively with human analysts.
To illustrate this vision in action, consider the following examples of how agentic collaboration could transform everyday security tasks with agents. At Google Cloud, we believe many critical SOC functions can be automated and orchestrated:
Data management: Ensures data quality and optimizes data pipelines.
Alert triage: Prioritizes and escalates alerts.
Investigation: Gathers evidence and provides verdicts on alerts, documents each analysis step, and determines the response mechanism.
Response: Remediates issues using hundreds of integrations, such as endpoint isolation.
Threat research: Bridges silos by analyzing and disseminating intelligence to other agents, such as the threat hunt agent.
Threat hunt: Proactively hunts for unknown threats in your environment with data from Google Threat Intelligence.
Malware analyst: Analyzes files at scale for potentially malicious attributes.
Exposure management: Proactively monitors internal and external sources for credential leaks, initial access brokers, and exploited vulnerabilities.
Detection engineering: Continuously analyzes threat profiles and can create, test, and fine-tune detection rules.
How the Google advantage helps agentic AI
Developing dependable and impactful agents for real-world security applications requires three key ingredients, all of which Google excels in:
We harness our deep reservoir of security data and expertise to provide guiding principles for the agents.
We integrate our cutting-edge AI research, and use mature agent development tools and frameworks to enable the creation of a reusable and scalable agentic system architecture.
Our ownership of the complete AI technology stack, from highly scalable and secure infrastructure to state-of-the-art models, provides a robust foundation for agentic AI development.
These advantages allow us to establish a well-defined framework for security agents, empowering AI to emulate human-level planning and reasoning, leading to superior performance in security tasks compared to general-purpose large language models.
This approach ensures high-quality and consistent results across security tasks and also facilitates the development of new agents through the modular composition of existing security capabilities – building a diverse garden of reusable, task-focused security agents.
Furthermore, agent interoperability, regardless of developer, boosts autonomy, productivity, and reduces long-term costs. Our open Agent2Agent (A2A) protocol, announced at Google Cloud Next, facilitates this, complementing the model context protocol (MCP) for standardized AI interaction with security applications and platforms.
To further advance interoperability, we are pleased to announce the open-sourcing of MCP servers for Google Unified Security, allowing users to build custom security workflows that use both Google Cloud and ecosystem tools. We are committed to an open ecosystem, envisioning a future where agents can collaborate dynamically across different products and vendors.
“We see an immediate opportunity to use MCP with Gemini to connect with our array of custom and commercial tools. It can help us make ad-hoc execution of data gathering, data enrichment, and communication easier for our analysts as they use the Google Security Operations platform,” said Grant Steiner, principal cyber-intelligence analyst, Enablement Operations, Emerson.
Introducing SecOps Labs for AI
To help defenders as our AI work rapidly advances, and to give the community an opportunity to offer direct feedback, we’re excited to introduce SecOps Labs. This initiative offers customers early access to cutting-edge AI pilots in Google Security Operations, and is designed to foster collaboration with defenders through firsthand experience, valuable feedback, and direct influence on future Google Security Operations technologies.
Initial pilots showcase AI’s potential to address key security challenges, such as:
Detection engineering: This pilot autonomously converts threat reports into detection rules and generates synthetic data for testing their effectiveness.
Response playbooks: This pilot recommends and generates automation playbooks for new alerts based on analysis of past incidents.
Data parsing: This pilot is a first step towards AI-generated parsers, starting with allowing users to update their parsers using natural language.
SecOps Labs is a collaborative space to refine AI capabilities, to ensure they address real-world security challenges and deliver tangible value, while enabling teams to experiment with the latest pre-production capabilities. Stay tuned for more in Q2 2025 to participate in shaping the future of agentic security operations with Google Cloud Security.
Meet us at RSAC to learn more
Excited about agentic AI and the impact it will have on security? Connect with our experts and see Google Cloud Security tech in action. Find us on the show floor at booth #N-6062 Moscone Center, North Hall, or at the Marriott Marquis to meet with our security experts and learn how you can make Google part of your security team.
Not able to join us in person? Stream RSA Conference or catch up on-demand here, and connect with Google Cloud Security experts and fellow professionals in the Google Cloud Security Community to share knowledge, access resources, discover local events and elevate your security experience.
Cybersecurity is facing a unique moment, where AI-enhanced threat intelligence, products, and services are poised to give defenders an advantage over the threats they face that’s proven elusive — until now.
To empower security teams and business leaders in the AI era, and to help organizations proactively combat evolving threats, today at RSA Conference we’re sharing Mandiant’s latest M-Trends report findings, and announcing enhancements across Google Unified Security, our product portfolio, and our AI capabilities.
M-Trends 2025
The 16th edition of M-Trends is now available. The report provides data, analysis, and learnings drawn from Mandiant’s threat intelligence findings and over 450,000 hours of incident investigations conducted in 2024. Providing actionable insights into current cyber threats and attacker tactics, this year’s report continues our efforts to help organizations understand the evolving threat landscape and improve their defenses based on real-world data.
We see that attackers are relentlessly seizing opportunities to further their objectives, from using infostealer malware, to targeting unsecured data repositories, to exploiting cloud migration risks. While exploits are still the most common way that attackers are breaching organizations, they’re using stolen credentials more than ever before. The financial sector remains the top target for threat actors.
From M-Trends 2025, the most common initial infection vector was exploit (33%), followed by stolen credentials (16%), and email phishing (14%).
M-Trends 2025 dives deep into adversarial activity, loaded with highly relevant threat data analysis, including insider risks from North Korean IT workers, blockchain-fueled cryptocurrency threats, and looming Iranian threat actor activity. Our unique frontline insight helps us illustrate how threat actors are conducting their operations, how they are achieving their goals, and what organizations need to be doing to prevent, detect, and respond to these threats.
Google Unified Security
Throughout 2024, Google Cloud Security customers directly benefited from the threat intelligence and insights now publicly released in the M-Trends 2025 report. The proactive application of our ongoing findings included expert-crafted threat intelligence, enhanced detections in our security operations and cloud security solutions, and Mandiant security assessments, ensuring customers quickly received the latest insights and detections as threats were uncovered on the frontlines.
Now, with the launch of Google Unified Security, customers benefit from even greater visibility into threats and their environment’s attack surface, while Mandiant frontline intelligence is actioned directly through curated detections and playbooks in the converged solution.
By integrating Google’s leading threat intelligence, security operations, cloud security, secure enterprise browsing, and Mandiant expertise, Google Unified Security creates a single, scalable security data fabric across the entire attack surface. Gemini AI enhances threat detection with real-time insights; streamlines security operations; and fuels our new malware analysis and triage AI agents, empowering organizations to shift from reactive to preemptive security.
In today’s threat landscape, one of the most critical choices you need to make is who will be your strategic security partner, and Google Unified Security is the best, easiest, and fastest way to make Google part of your security team. Today, we’re excited to share several enhancements across the product portfolio.
Google Unified Security is powered by Mandiant frontline intelligence gathered from global incident response engagements.
What’s new in Google Security Operations
Google Security Operations customers now benefit from Curated Detections and Applied Threat Intelligence Rule Packs released for specific M-Trends 2025 observations, which can help detect malicious activity, including infostealer malware, cloud compromise, and data theft.
For example, the indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) from cloud compromise observations have been added to the Cloud Threats curated detections rule pack.
We’re also excited to announce several AI and product updates designed to simplify workflows, dramatically reduce toil, and empower analysts.
We’ve already seen the transformative power of AI in security operations through the tangible benefits our customers experience today with Gemini in Google Security Operations. Our vision for the future is even more ambitious: an agentic security operations center (SOC), where security operations are fundamentally enhanced by a collaborative multi-agent system.
As we bring this vision to life, we’re developing intelligent, use-case driven agents that are designed to work in concert with human analysts as they automate routine tasks and improve decision-making. Ultimately, the agentic SOC will enable a greater focus on complex threats, helping to deliver autonomous security operations workflows and exponential gains in efficiency.
To further accelerate the adoption and refinement of AI-powered security capabilities, we are launching SecOps Labs, a new space for customers to get early access to our latest AI pilots and provide feedback. Initial features include a Natural Language Parser Extension, a Detection Engineering Agent for automated rule creation and testing, and a Response Agent for generating automation playbooks. SecOps Labs will foster collaboration in shaping the future of AI-powered security operations.
Composite Detections, in preview, can connect the dots between seemingly isolated events to help defenders uncover a more complete attack story. Your SOC can use it to create sophisticated multi-stage detections and attacker activity correlation, simplify detection engineering, and minimize false positives and false negatives.
Composite Detections can help teams build reusable detection logic to reveal hidden connections, stop advanced attackers that evade simple detection, and overcome the assumed precision and recall tradeoff inherent to most detection engineering.
Connect detections, catch more threats.
The Content Hub, in preview, is your go-to for the resources you need to streamline security operations and maximize the platform’s potential. Security operations teams can access content packs for top product integrations and use cases, making data ingestion configuration and data onboarding more efficient.
There’s also a library of certified integrations, pre-built dashboards, and ready-to-install search queries. Plus, you can gain deeper insights into your security posture with access to curated detections and insights into their underlying logic. Now you can discover, onboard, and manage all your security operations content in one place.
Activate your platform with ready-to-use content packs.
With Gemini in Google Security Operations, we’re also introducing a new way to get your product questions answered instantly, accessible from anywhere in the platform (in preview). You can now search documentation with Gemini, which will provide fast and high-quality answers for your security operations related questions, complete with reference links.
Get instant answers to your Google Security Operations product questions.
What’s new in Security Command Center
Rapidly building on AI Protection, which was announced in March, we are adding new multi-modal capabilities for detecting sensitive data in images used for training and inference.
To help security teams gain more visibility into AI environments, discover a wider range of sensitive data, and configure image-redaction rules if needed, AI Protection will be able to conduct object-based detection (such as barcodes), available in June.
Multi-modal detection: Sensitive data redacted from scanned loan application.
In addition to detecting sensitive data in images, we’ve added new AI threat detectors to AI Protection to identify specific cloud-based threats against your AI workloads. Aligned with MITRE ATLAS tactics, AI Protection detects threats like Suspicious/Initial Access, Persistence, and Access Modifications for your Vertex workloads and associated resources, empowering your organization with the visibility and context needed to rapidly investigate and respond to threats against your AI environment.
AI Protection is currently in preview (sign up here), and provides full AI lifecycle security that discovers AI assets and prioritizes top risks, secures AI with guardrails and safety controls, and helps detect, investigate, and respond to AI threats.
We’re also excited to share our latest research on the intersection of security and AI, Secure AI Framework (SAIF) in the Real World. We provide key considerations for applying SAIF principles across the data, infrastructure, application, and model dimensions of your AI projects.
What’s new in Mandiant Cybersecurity Consulting
Google Unified Security integrates Mandiant’s expertise through the Mandiant Retainer, offering on-demand access to experts with rapid incident response and flexible pre-paid funds for consulting services, and through Mandiant Threat Defense, which provides AI-assisted threat detection, hunting, and response, extending customer security teams through expert collaboration and SOAR playbooks.
Mandiant’s new Essential Intelligence Access (EIA) subscription, available now, offers organizations direct and flexible access to our world-class threat intelligence experts. These experts serve as an extension of your security team, providing personalized research and analysis, delivering tailored insights to inform critical decisions, focus defenses, and strengthen cybersecurity strategies.
EIA also helps customers maximize the value and efficiency of their Cyber Threat Intelligence (CTI) investments. Going beyond raw threat feeds, EIA analyzes data in the context of your specific environment to illuminate unique threats. Crucially, this includes personalized guidance from human experts deeply experienced in operationalizing threat intelligence, upskilling teams, prioritizing threats, and delivering continuous support to improve security posture and reduce organizational risk.
Evolve your security strategy with Google Cloud
The M-Trends 2025 report is a call to action. It highlights the urgency of adapting your defenses to meet increasingly sophisticated attacks.
At RSA Conference, we’ll be sharing how these latest Google Cloud Security advancements and more can transform threat intelligence into proactive, AI-powered security. You can find us at booth #N-6062 Moscone Center, North Hall, and connect with security experts at our Customer Lounge in the Marriott Marquis.
You can also stream the conference or catch up on-demand here, and join the Google Cloud Security Community to share knowledge, access resources, discover local events, and elevate your security experience.
Feel more secure about your security, by making Google part of your security team today.
In today’s data-driven world, the ability to extract meaningful insights quickly is paramount. Yet, for many, the journey from raw data to actionable intelligence is fraught with challenges. Complex SQL queries, time-consuming iterative analyses, and the gap between technical and non-technical users often hinder progress. BigQuery data canvas is a visual workspace designed to democratize data analysis and empower everyone to unlock the power of their BigQuery data. At Google Cloud Next 25 earlier this month, we introduced a built-in AI-assistive chat experience in data canvas powered by Gemini that encapsulates a variety of workflow analysis processes, ranging from data exploration to visualization, all with a single prompt.
Data canvas isn’t just another feature; it’s a fundamental change in how data practitioners interact with data. By seamlessly integrating visual workflows with BigQuery and Gemini, we’re bridging the gap between raw data and impactful insights.
The data canvas assistant at work
Core features: A deep dive
Let’s take a look at what you can do with the data canvas assistant.
Gemini powers your AI data agent
We integrated Gemini, our powerful AI model, into data canvas to enhance your data exploration experience. With it, you can use natural language to generate and refine queries, ask questions about your data, and receive intelligent suggestions and insights. For example, if you type “Show me the top 10 customers by revenue,” data canvas powered by Gemini generates the corresponding query and offers insights about the dataset. Gemini also assists in data discovery, suggesting datasets that may be relevant to your questions.
The Gemini-powered AI chat experience encapsulates workflow analysis processes, from data exploration to visualization — all with a single prompt. Don’t know where to start? Use the suggested prompts to start exploring your data. Based on your selected or most used tables, BigQuery Data Canvas uses Gemini to generate natural language questions about your data, along with the corresponding SQL queries to answer them. You can add multiple data sources to the chat context from which Gemini can answer your questions. You can also further ground the chat by passing system instructions to pass domain knowledge about your data, to increase the accuracy of the resulting answers. For example, perhaps your organization’s fiscal year does not run from January to December — you can inform Gemini of this using system instructions. You can also use the system instructions to mold the way your answers are formatted and returned to you, e.g., “always present findings with charts, use green colour for positive and red color for negative.”
And coming soon, for complex problems like forecasting and anomaly detection, the chat experience will support advanced analysis using Python. Toggle this feature on in your chat’s settings bar, and based on the complexity of your prompt, Gemini chat assist will use a Python code interpreter to answer your question.
“Data Canvas is a game-changer in BigQuery, allowing data professionals to interactively discover, query, transform, and visualize data using a seamless blend of natural language processing and graphical workflows, all powered by Gemini AI.” – Sameer Zubair, Principal Platform Tech Lead, Virgin Media O2
Visual query building: Explore multiple paths in one place
When sitting down to do data analysis, imagine a unified hub where you can filter, join, aggregate, or visualize data across multiple tables, each in its own container, all on the same page. Instead of forcing you down a linear path, data canvas uses a DAG (Directed Acyclic Graph) approach, allowing you to branch off at any point to explore alternative angles, circle back to earlier steps, or compare multiple outcomes simultaneously. Adding data is simple: just search for the tables you need, and add them to the canvas. You can start by asking questions of your data using natural language, and data canvas automatically generates the underlying SQL, which you can review or tweak whenever you like. This node-based method lowers the barrier to analysis for experienced SQL pros and newer analysts alike, allowing them to follow insights wherever they lead, without wrestling with complex query syntax.
Interactive visualizations: Uncover insights in real time
Data canvas offers a variety of interactive visualizations, from charts and graphs to tables. It’s easy to customize your visualizations, explore data interactively, and identify trends and anomalies. Want to see the distribution of sales across different regions? Add the “Region” and “Sales” fields onto the canvas, and let data canvas generate a chart for you automatically. Simply select the best visualization for the data, or select your own visualization, and watch as your data comes to life. Furthermore, you can export these visualizations as a PNG or to Looker Studio for further manipulation and sharing.
Putting data canvas to work in the real world
There’s no end of ways you can use new AI assistive capabilities in BigQuery data canvas. Here are a few industry-specific ideas to get your creative juices flowing.
Telecom support and diagnostics: Speeding up service restoration
Imagine a telecom support team that’s troubleshooting customer issues. Support tickets get ingested into BigQuery every hour, and can be queried in data canvas to extract who (customer phone), where (postcode), what (the affected service), when (timestamp), and which (closest cell tower). Each of these data points is handled in its own node, all within a single canvas, so analysts don’t need to toggle across multiple query tabs to perform this analysis. This visual workflow lets them spot localized outages, route technicians to the right towers, and resolve service disruptions faster than ever.
E-commerce analytics: Boosting sales and customer engagement
Picture a marketing team analyzing customer purchase data to optimize campaigns. Using data canvas, they can visually join customer and product tables, filter by purchase history, and visualize sales trends across different demographics. They can quickly identify top-selling products, high-value customer segments, and the effectiveness of their marketing campaigns, to make data-driven decisions.
Supply chain optimization: Streamlining logistics
A logistics manager could use data canvas to track inventory levels, analyze delivery routes, and identify potential bottlenecks. By visualizing this supply chain data, they can optimize delivery schedules, reduce costs, and improve efficiency. They can also create interactive dashboards to monitor key performance indicators and make real-time adjustments.
The future of data exploration is visual and AI-powered
BigQuery data canvas is a significant leap forward in making data accessible and actionable for everyone. By combining visual workflows, the power of BigQuery, and the intelligence of Gemini, we’re empowering you to unlock the full potential of your data. Start your journey today and experience the future of data exploration.
Get started with BigQuery data canvas today with this course. It’s completely free to use.
How is generative AI actually impacting developers’ daily work, team dynamics, and organizational outcomes? We’ve moved beyond simply asking if organizations are using AI, and instead are focusing on how they’re using it.
That’s why we’re excited to share DORA’s Impact of Generative AI in Software Development report. Based on extensive data and developer interviews, the report moves beyond the hype to offer perspective on AI’s impact on individuals, teams, and organizations.
Let’s take a look at some of the highlights – research-backed ways organizations are already benefitting from AI in their software development, plus five actionable ways to maximize AI’s benefits while mitigating potential risks.
Understanding the real-world impact
Our research shows real productivity gains, organizational benefits, and grassroots adoption of AI. Here are just a few of the key highlights:
The AI imperative is real: A staggering 89% of organizations are prioritizing the integration of AI into their applications, and 76% of technologists are already using AI in some part of their daily work. This signals both top-down and grassroots adoption, solidifying the fact that this isn’t a future trend; it’s happening now.
Productivity gains confirmed: Developers using gen AI report significant increases in flow, productivity, and job satisfaction. For instance, a 25% increase in AI adoption is associated with a 2.1% increase in individual productivity.
Organizational benefits are tangible: Beyond individual gains, we found strong correlations between AI adoption and improvements in crucial organizational metrics. A 25% increase in AI adoption is associated with increases in document quality, code quality, code review speed and approval speed.
How to maximize AI adoption and impact
So how do you make the most of AI in your software development? The report explores five practical approaches for both leaders and practitioners:
Have transparent communications: Our research suggests that organizations that apply this strategy can gain an estimated 11.4% increase in team adoption of AI.
Empower developers with learning and experimentation: Our research shows that giving developers dedicated time during work hours to explore AI leads to a 131% increase in team AI adoption.
Establish clear policies: Our data suggest that organizations with clear AI acceptable-use policies see a 451% increase in AI adoption compared to those without.
Rethink performance metrics: Shift the focus from hours worked to outcomes and value delivered. Acknowledge the labor involved in effectively working with AI, including prompt engineering and refining AI-generated output.
Embrace fast feedback loops: Implement mechanisms that enable faster feedback for continuous integration, code reviews, and testing. These loops are becoming even more critical as we venture into workflows with AI agents.
The future of software development is here
Generative AI is poised to revolutionize software development. But realizing its full potential requires a strategic, thoughtful, and human-centered approach.
Consumer packaged goods brands invest significantly in advertising, driving brand affinity to boost sales now and in the future. Campaigns are often optimized as they run by monitoring media-in-progress metrics against strategies like targeting specific audiences cohorts. However, because most sales happen in physical stores, accurately linking media sales lift to target audiences while ads are running can be a challenge.
Many solutions use “total ad sales” for measurement, but this metric doesn’t always correlate to incremental sales, which is Mars Wrigley’s gold standard key performance indicator (KPI) for media effectiveness.
So how do you know if your current ad spend is paying off while it’s still possible to optimize your in-flight campaigns?
Mars Wrigley is working with EPAM, and using Google Cloud Cortex Framework, to make significant progress tackling this issue with an approach that introduces an agile way to accurately measure in-flight audience effectiveness based on incremental sales.
The Mars Wrigley approach: Connecting data for actionable audience insights
After exploring many solutions, Mars Wrigley decided to look inward and harness the power of its own data. However, this data was siloed in various media and retailer platforms.
To solve this, the company adopted Cortex Framework, using its pre-built data connectors and standardized data models to quickly integrate media data from sources like YouTube with sales information from retailers, creating a unified view of ad impact within a central, AI-ready cloud data foundation in BigQuery.
By combining data in BigQuery and using built-in data science tools like BQML, Mars Wrigley can now better understand how specific audience targeting strategies in its media investments are driving incremental sales lift across key customer groups.
For example, by identifying stores with similar sales patterns, the company can create geo-targeted control and expose Designated Market Areas (DMAs) for running audience testing.
By dividing its audiences into distinct segments, each with a control group, Mars Wrigley can experiment and monitor live campaign performance to optimize its investments for maximum sales lift.
Google Cloud Cortex Framework: Accelerating insights and decisions
The accelerated access to a consolidated AI-enabled data core represents a valuable addition to Mars Wrigley’s portfolio of media effectiveness tools. Cortex Framework provides instant insights with its predefined and customizable analytics content as well as seamless integration with major media platforms like Google Ads, YouTube, TikTok, Meta, and more.
“Before, we were struggling to get an accurate in-flight view of our audiences’ performance. With Google Cloud Cortex Framework, we realized that the answer was within our internal data. We partnered with EPAM Systems to harness the synergy of our internal data sources, enabling us to run timely experimentation based on actual sales lift. This filled an important gap within our portfolio of measurement tools and allowed us to continue making data-driven decisions when it matters.” – Lía Inoa Pimentel – Sr. Global Manager, Brand Experience & Media Measurement, Mars Wrigley.
By embracing Cortex Framework, Mars Wrigley is not only gaining a clearer understanding of media impact on sales but also paving the way for a more data-driven and agile approach to marketing in the consumer packaged goods industry.
This approach includes some of the following key benefits:
Agile hypothesis testing: Bringing insights in-house significantly accelerates the ability to test hypotheses and adapt strategies quickly.
Scalability: The architecture allows for easy expansion to encompass more media investment insights and a broader range of retail customers.
Versatility: Beyond audience testing, Mars Wrigley can also leverage Cortex Framework for other use cases, such as media formats, content variations, shopper media, and more.
To learn more about solutions that can help accelerate your marketing journey in the cloud visit the EPAM and Google Cloud Cortex Framework websites.
Imagine this common scenario: you have a detailed product requirements document for your next project. Instead of reading the whole document and manually starting to code (or defining test cases or API specifications) to implement the required functions, you want to see how AI can shorten your path from the requirements document to a working application prototype.
In this article, we’ll show you an example of how you can use Gemini Code Assist to access a requirements doc without leaving your code editor through Google Docs integration, part of Gemini Code Assist tools, and get from requirements to a working application using a few natural language prompts.
Start from a requirement analysis doc to create your application. This can be any requirements analysis document. For this example, imagine you have an app to generate ideas for weekend plans.
If you want to follow the same example, you can download this doc and open it with Google Docs in your Google Drive in order to save it as a Google Doc. Otherwise, you can use any other doc containing functional requirements for an application.
The document details the functional specifications for a weekend ideas application that lets users submit, browse, vote on, and comment on ideas for spending the weekend. It features category-based filtering, real-time voting updates, and dynamic ranking based on scores and votes.
Code your app
1. Open VS Code
2. Create an empty folder and open it in a workspace in VS Code
3. Find the doc using the Gemini Code Assist GoogleDocs integration: open the Gemini Chat module in VSCode and type (in case you are using a copy of the above document):
    @GoogleDocs find the doc relating to Weekend Ideas Application
4. Get the application requirements from the doc, use your doc name if using a different one:
    @GoogleDocs extract requirements from doc Weekend Ideas Application – Requirements
5. Gemini will provide a summary of the application features and technical requirements as in the following screenshot:
6. We’re using Python, Flask and SQLAlchemy to get from requirements to a working prototype. You can choose different languages and frameworks, in which case your steps will be slightly different. Now let’s ask Gemini Code Assist to generate code from your doc. Try something like:
    Generate the project structure and all the code for each file to implement all the requirements and functions described in the Weekend Ideas doc with a Python Flask application using SQLite for persisting data
Gemini should propose a project structure and include the content of each file in the response. This is the structure I got for the example application:
Check the proposed structure and look at the content of each file. Check that the main classes and attributes have been implemented as described in the requirements summary (in this example application: ideas, comments, votes, categories). Also look for obvious signs of circular import issues, and confirm that the templates folder is in the same folder as your routes.
If you notice something missing, you can ask Gemini to regenerate the code with the missing piece, for example:
    The code you proposed doesn’t implement categories for ideas, regenerate it to properly implement the required categories (Hiking, Eating, Museum)
Focus on important things that will probably require a schema change in the database. You will not be able to find every possible issue at this stage; if any arise when you test the application, you can fix them later. Things such as UI aspects can be easily fixed at a later stage.
7. Now try to automate the creation of the whole project structure:
```
Create a bash script that will create the whole project structure and all the needed files including all the code you generated
```
8. Check the created script and the instructions provided. If you think the content is correct, follow the instructions: copy the bash script content into a new file in your empty folder, make the script executable, and run it.
9. In most cases the script creates a new folder inside the folder you created (such as “weekend_ideas” in the picture above). Move into that folder in your shell prompt, check the folder structure, and check whether anything is missing.
10. Close the bash script because you shouldn’t need it anymore.
11. In case requirements.txt is missing, ask Gemini:
```
Can you generate a requirements.txt file so i can install all the required dependencies with a single command ?
```
12. Typically, the output from the script execution or from the previous prompt also gives instructions on how to run the application locally using a virtual environment. Check that and follow the instructions provided.
13. If Gemini didn’t provide instructions to create a virtual environment, ask:
```
How can i generate a virtual environment to run the application locally ?
```
14. Follow the instructions provided to create and activate a virtual environment, on Linux or Mac these typically will be:
16. Run the application as instructed by the script or in the response to the earlier prompt that generated all the code. This typically means running the main application file:
```
python run.py #or whatever is the main application file
```
17. If everything works, Flask will start a local server on your machine, and you should get output similar to the one below:
18. If you get any error, ask Gemini how to fix it, for example:
```
When running python run.py i get the following error: "File "/Users/galloro/python-scratch/weekend_ideas/forms.py", line 2, in <module> from flask_wtf import FlaskForm ModuleNotFoundError: No module named 'flask_wtf'"
```
19. If the application runs correctly, check whether the main features have been implemented. For the example app:
create idea
list ideas
vote
add comment
sort by vote/score
filter by category
20. If something is missing, you can ask Gemini to fix it, for example:
```
You didn’t implement the possibility to filter ideas by category in the ui, fix the code to implement this capability.
```
21. Building an application with the help of an AI assistant is typically an iterative process; not everything works exactly as expected on the first attempt. If something doesn’t satisfy your requirements, ask Gemini to fix it, providing details and context.
One thing I wanted to do in my experiment was to make the UI look better. Here is a prompt you can try if your UI wasn’t satisfying from the beginning:
```
Modify the html templates to use Bootstrap style components to create a clean and responsive layout.
```
22. Gemini will propose updated files in its responses. You should be able to compare what is proposed to the existing file using the <-> button, as in the example below:
23. If the changes seem to work, accept them. Repeat this for all the files for which Gemini proposes changes.
24. After you have completed the changes, stop and restart the application and check that they work as expected. UI can be subjective, so you may need to iterate to get to your desired result.
25. You have a running prototype of your application!
Get started
If you want to continue to test Gemini Code Assist, check the following resources:
One of the ways threat actors keep up with the constantly evolving cyber defense landscape is by raising the level of sophistication of their attacks. This trend can be seen across many of our engagements, particularly when responding to China-nexus groups. These actors have demonstrated the ability to create custom malware ecosystems, identify and use zero-day vulnerabilities in security and other appliances, leverage proxy networks akin to botnets, target edge devices and platforms that traditionally lack endpoint detection and response, and employ custom obfuscators in their malware. They take these extra steps to evade detection, stifle analysis, and ultimately stay on systems for longer periods of time.
However, not all successful attacks are highly complex and technical. Many times attackers will take advantage of the opportunities that are made available to them. This includes using credentials stolen in infostealer operations to gain initial access. Mandiant has seen such a rise in infostealer use that stolen credentials are now the second highest initial infection vector, making up 16% of our investigations. Attackers are also taking advantage of opportunities by exploiting gaps and risks introduced in cloud migrations, and by targeting unsecured data repositories to obtain credentials and other sensitive information.
Today we released M-Trends 2025, the 16th edition of our annual report, to help organizations stay ahead of all types of attacks. We dive deep into several trends and share data and analysis from the frontlines of our incident response engagements to arm defenders with critical insights into the latest cyber threats.
M-Trends 2025 data is based on more than 450,000 hours of Mandiant Consulting investigations. The metrics are based on investigations of targeted attack activity conducted between Jan. 1, 2024 and Dec. 31, 2024. Key findings in M-Trends 2025 include:
55% of threat groups active in 2024 were financially motivated, which marks a steady increase, and 8% of threat groups were motivated by espionage.
Exploits continue to be the most common initial infection vector (33%), and for the first time stolen credentials rose to the second most common in 2024 (16%).
The top targeted industries include financial (17.4%), business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%).
Global median dwell time rose to 11 days from 10 days in 2023. Global median dwell time was 26 days when external entities notified, 5 days when adversaries notified (notably in ransomware cases), and 10 days when organizations discovered malicious activity internally.
M-Trends 2025 dives deep into the aforementioned infostealer, cloud, and unsecured data repository trends, and several other topics, including:
Democratic People’s Republic of Korea deploying citizens as remote IT contractors, using false identities to generate revenue and fund national interests.
Iran-nexus threat actors ramping up cyber operations in 2024, notably targeting Israeli entities and using a variety of methods to improve intrusion success.
Attackers targeting cloud-based stores of centralized authority, such as single sign-on portals, to gain broad access.
Increased targeting of Web3 technologies such as cryptocurrencies and blockchains for theft, money laundering, and financing illicit activities.
Recommendations for Organizations
Each article in M-Trends 2025 offers critical recommendations for organizations to enhance their cybersecurity postures, with several of them being applicable to multiple trends. We advise that organizations:
Implement a layered security approach that emphasizes sound fundamentals such as vulnerability management, least privilege, and hardening.
Enforce FIDO2-compliant multi-factor authentication across all user accounts, especially privileged accounts.
Invest in advanced detection technologies and develop robust incident response plans.
Improve logging and monitoring practices to identify suspicious activity and reduce dwell time.
Consider threat hunting exercises to proactively search for indicators of compromise.
Implement strong security controls for cloud migrations and deployments.
Regularly assess and audit cloud environments for vulnerabilities and misconfigurations.
Mitigate insider risk by practicing thorough vetting processes for employees (especially remote workers), monitoring for suspicious activity, and enforcing strict access controls.
Keep up-to-date with the latest threat intelligence, adapt security strategies accordingly, and regularly review and update security policies and procedures to address evolving threats.
Be Ready to Respond
The M-Trends mission has always been to equip security professionals with frontline insights into the latest evolving cyberattacks and to provide practical and actionable learnings for better organizational security.
At Google Public Sector, we are committed to helping our customers execute their missions. Now, we’re expanding this commitment by adding support for Palantir’s FedStart platform, so public sector customers can utilize software and applications on Google Cloud’s accredited infrastructure through the Palantir FedStart platform.
Palantir FedStart helps U.S. government agencies achieve compliance, scale operations, and access innovative mission-critical solutions from leading independent software vendors (ISVs), including many built natively on Google Cloud. The combination of world-class solutions, Google’s global-scale infrastructure and security, and Palantir’s turnkey compliance will accelerate innovation across U.S. government agencies. This will provide government agencies with certified solutions across multiple cloud platforms, while upholding the highest security and compliance standards.
Our collaboration with Palantir also gives ISVs a faster path to accreditation and impact. At launch, the first ISV to use this new capability is Anthropic. Its Claude for Enterprise application will be available to federal government agencies through Palantir FedStart on Google Cloud.
By partnering with industry leaders to bring cutting-edge technologies to the U.S. government, Google can accelerate public sector mission impact and outcomes. Key benefits of this offering include:
Accelerated ISV onboarding: Palantir’s FedStart solution will streamline the FedRAMP High and IL5 accreditation process for ISVs built on Google Cloud.
Enhanced AI capabilities: In addition to Gemini on Google Cloud, government customers will gain access to Anthropic’s Claude for Enterprise and Palantir’s technologies that back the FedStart offering on Google Cloud – including Apollo, Rubix, Foundry, and AIP.
Secure and scalable infrastructure: Google Cloud’s secure and scalable infrastructure will ensure the reliable and responsible deployment of AI solutions for sensitive government use cases, as opposed to the inherent limitations of legacy GovClouds. To thrive in this AI-driven era, our public sector customers need a modern cloud partner offering unmatched scale, features, and security that GovClouds cannot deliver, which is why we are committed to certifying our entire U.S. cloud infrastructure at IL5.
We continue to invest in our accredited commercial cloud, ensuring the public sector gets what the private sector gets: the same features, services, and computing power that are critical for AI workloads. Today, we have 140 services accredited at FedRAMP High. We have an extensive data center footprint for FedRAMP High workloads, with nine U.S. regions to choose from. Building on this foundation, this offering with Palantir helps make cutting-edge technology solutions more accessible to the U.S. government, particularly for those operating with highly sensitive data, by providing a secure and authorized environment for leveraging advanced technology.
Google Public Sector has a proven track record of success in partnering with U.S. government agencies like the Navy, Air Force, and Defense Innovation Unit (DIU) to power mission-critical operations. Palantir FedStart and Anthropic’s Claude for Enterprise, available soon on Google Cloud, further underscore our commitment to the public sector. By combining Google Cloud’s secure and FedRAMP-compliant infrastructure with Palantir’s expertise in software solutions for government, U.S. government agencies will be able to utilize the latest advancements in AI and software technology to drive mission impact and outcomes.
Learn more about how Google’s AI solutions can empower your agency and see examples of how we are helping accelerate mission impact with AI here. To learn more about Palantir FedStart, contact FedStart@palantir.com or visit palantir.com/fedstart. Learn more about Anthropic and Claude at anthropic.com.
Today, we are expanding language support for our integrations to include Go, Java, and JavaScript.
Each package will have up to three LangChain integrations:
Vector stores to enable semantic search for our databases
Chat message history to enable chains to recall previous conversations
Document loader for loading documents from your enterprise data
Developers now have the flexibility to create intricate workflows and easily interchange underlying components (like a vector database) as needed to align with specific use cases. This technology unlocks a variety of applications, including personalized product recommendations, question answering, document search and synthesis, customer service automation, and more.
In this post, we’ll share more about the integrations – and code snippets to get started.
New language support
LangChain is known for its popular Python package; however, your team’s expertise and services may not be in Python. Java and Go are commonly used programming languages for production-grade and enterprise-scale applications. Developers may prefer JavaScript and TypeScript for the asynchronous programming support and compatibility with front-end frameworks like React and Vue.
In addition to Python developers, the LangChain developer community encompasses developers proficient in Java, JavaScript, and Go. It is an active and supportive community centered around the LangChain framework, which facilitates the development of applications powered by large language models (LLMs).
Google Cloud is dedicated to providing secure and easy-to-use database integrations for your Gen AI applications. Our integrations embed Google Cloud connectors that create secure connections, handle SSL certificates, and support IAM authorization and authentication. The integrations are optimized for PostgreSQL databases (AlloyDB for PostgreSQL, AlloyDB Omni, Cloud SQL for PostgreSQL) to ensure proper connection management, flexible table schemas, and improved filtering.
JavaScript Support
JavaScript developers can utilize LangChain.js, which provides tools and building blocks for developing applications leveraging LLMs. LangChain simplifies the process of connecting LLMs to external data sources and enables reasoning capabilities in applications. Other Google Cloud integrations, such as Gemini models, are available within LangChain.js, allowing seamless interaction with GCP resources.
Use this package with AlloyDB for PostgreSQL and AlloyDB Omni by customizing your Engine to connect your instance. You will need the AlloyDB Auth Proxy to make authorized, encrypted connections to AlloyDB instances.
```js
import { PostgresLoader } from "@langchain/google-cloud-sql-pg";

// `engine` is assumed to be the Engine you have already created for your instance.
const loader = await PostgresLoader.create(
  engine,
  {query: "SELECT * FROM my_table"}
);

let data = await loader.load()
```
Java Support
For Java developers, there’s LangChain4j, a Java implementation of LangChain. This allows Java developers to build LLM-powered applications with a familiar ecosystem. In LangChain4j, you can also access the full array of VertexAI Gemini models.
*Note: Cloud SQL integrations will be released soon.
Below are the integrations and their code snippets to get started.
For Maven in pom.xml:
```xml
<dependency>
  <groupId>dev.langchain4j</groupId>
  <artifactId>langchain4j-alloydb-pg</artifactId>
  <version>1.0.0-beta3</version>
</dependency>

<!-- New Version to be released -->
<dependency>
  <groupId>dev.langchain4j</groupId>
  <artifactId>langchain4j-cloud-sql-pg</artifactId>
  <version>1.0.0-beta4</version>
</dependency>
```
```java
import dev.langchain4j.store.embedding.alloydb.AlloyDBEmbeddingStore;

engine.initVectorStoreTable(new EmbeddingStoreConfig.builder(tableName, vectorSize).build());
AlloyDBEmbeddingStore store = new AlloyDBEmbeddingStore.Builder(engine, tableName).build();
```
Document loader
```java
import dev.langchain4j.data.document.loader.alloydb.AlloyDBLoader;

AlloyDBLoader loader = new AlloyDBLoader.Builder(engine).query("SELECT * FROM my_table").build();
List<Document> data = loader.load();
```
Go support
LangchainGo is the Go programming language port of LangChain.
The LangChain framework was designed to support the development of sophisticated applications that connect language models to data sources and enable interaction with their environment. The most powerful and differentiated applications go beyond simply using a language model via an API; they are data-aware and agentic.
```go
package main

import (
	"log"

	"github.com/tmc/langchaingo/embeddings"
	"github.com/tmc/langchaingo/internal/alloydbutil"
	"github.com/tmc/langchaingo/llms/googleai/vertex"
	"github.com/tmc/langchaingo/vectorstores/alloydb"
)

// ctx, pgEngine, projectID and vertexLocation are assumed to be set up elsewhere.
func main() {
	// Initialize table for the Vectorstore to use. You only need to do this the first time you use this table.
	vectorstoreTableoptions := &alloydbutil.VectorstoreTableOptions{
		TableName:  "my_table",
		VectorSize: 768,
	}

	err := pgEngine.InitVectorstoreTable(ctx, *vectorstoreTableoptions)
	if err != nil {
		log.Fatal(err)
	}

	// Initialize VertexAI LLM
	llm, err := vertex.New(ctx,
		vertex.WithCloudProject(projectID),
		vertex.WithCloudLocation(vertexLocation),
		vertex.WithDefaultModel("text-embedding-005"),
	)
	if err != nil {
		log.Fatal(err)
	}

	e, err := embeddings.NewEmbedder(llm)
	if err != nil {
		log.Fatal(err)
	}

	// Create a new AlloyDB Vectorstore
	vs, err := alloydb.NewVectorStore(ctx, pgEngine, e, "my_table")
	if err != nil {
		log.Fatal(err)
	}
	_ = vs // use vs to add and search documents
}
```
Chat message history
```go
import (
	"context"
	"log"
	"github.com/tmc/langchaingo/internal/alloydbutil"
	"github.com/tmc/langchaingo/llms"
	"github.com/tmc/langchaingo/memory/alloydb"
)

// ctx, pgEngine, tableName, sessionID and err are assumed to be declared earlier.

// Creates a new table in the Postgres database, which will be used for storing Chat History.
err = pgEngine.InitChatHistoryTable(ctx, tableName)
if err != nil {
	log.Fatal(err)
}

// Creates a new Chat Message History
cmh, err := alloydb.NewChatMessageHistory(ctx, *pgEngine, tableName, sessionID)
if err != nil {
	log.Fatal(err)
}
```
*Note: code is shown for AlloyDB. See links for Cloud SQL for Postgres examples.
Get started
The LangChain Vector stores integration is available for Google Cloud databases with vector support, including AlloyDB, Cloud SQL for PostgreSQL, Firestore, Memorystore for Redis, and Spanner.
The Document loaders and Memory integrations are available for all Google Cloud databases including AlloyDB, Cloud SQL for MySQL, PostgreSQL and SQL Server, Firestore, Datastore, Bigtable, Memorystore for Redis, El Carro for Oracle databases, and Spanner. Below are a few resources to get started.
CodeRabbit, a rapidly growing AI code review tool, is leveraging Google Cloud Run to cut code review time and bugs in half by safely and efficiently executing untrusted code.
CodeRabbit improves code quality and automates code reviews by analyzing changes against the entire codebase and generating scripts for deeper analysis. It integrates with code hosting platforms to provide automated feedback on pull requests.
To safely execute untrusted code, CodeRabbit needed an execution environment that was scalable, cost-effective, and secure enough to analyse and run their customers’ code.
In this post, we’ll share how CodeRabbit built an AI code review agent with Google Cloud Run to scale dynamically and handle high volumes efficiently and securely.
CodeRabbit in Action
CodeRabbit integrates directly with platforms like GitHub and GitLab, providing automated code reviews triggered by pull requests. Its integration with the foundational models doesn’t just analyze the changed files; it assesses the impact of those changes on the entire codebase. This requires a sophisticated system that can:
Clone the user’s repository.
Set up a build environment with necessary dependencies (think npm install, go mod download, etc.).
Run static analysis tools including 20+ linters and security scanners.
Execute AI-generated scripts. This is where things get really interesting. CodeRabbit’s AI agent creates shell scripts to navigate the code, search for specific patterns (using tools like cat, grep, and even ast-grep), and extract relevant information. It can even generate Python code for analysis.
Interact with external services. CodeRabbit can also perform actions by generating and executing curl commands, for example to interface with services like Slack, Jira and Linear.
This solution needs to be scalable, cost-effective, and above all, secure. The code being analyzed and executed is, by definition, untrusted. It could be incomplete, buggy, or even contain malicious intent.
The solution: Cloud Run
CodeRabbit Architecture: Powered by Cloud Run
CodeRabbit’s architecture cleverly combines several technologies to create a robust and isolated execution environment:
Cloud Run services: CodeRabbit uses Cloud Run services as the foundation. Incoming webhook events (from GitHub, GitLab, etc.) are first handled by a lightweight Cloud Run service that performs billing and subscription checks. This service then pushes a task to Google Cloud Tasks.
Google Cloud Tasks: This acts as a queue, decoupling the webhook handling from the actual code execution. This allows CodeRabbit to handle bursts of pull requests without overwhelming the system.
Cloud Run execution service: This is the heart of the system. A separate Cloud Run service pulls tasks from the Cloud Tasks queue. Each task represents a code review request. This service is configured with a 3600 second long request timeout and a concurrency of 8 requests per instance, allowing it to scale based on CPU utilization. This setup is crucial because code reviews are long-running operations, often taking 10-20 minutes to complete. The Execution Service uses an in-memory volume mount where the entire repository, build artifacts, and temporary files are stored.
Sandboxing: All Cloud Run instances are sandboxed with two layers of sandboxing and can be configured to have minimal IAM permissions via dedicated service identity. In addition, CodeRabbit is leveraging Cloud Run’s second generation execution environment, a microVM providing full Linux cgroup functionality. Within each Cloud Run instance, CodeRabbit uses Jailkit to create isolated processes and cgroups to further restrict the privileges of the jailed process.
Sandboxing is especially critical for CodeRabbit in scenarios where untrusted code must be executed, such as:
Static analyzers that support custom, untrusted plugins (e.g., ESLint, Rubocop)
LLM-generated verification scripts for deeper analysis of the entire codebase
LLM-generated CLI actions, such as opening GitHub or Jira issues
Python-based advanced analyses
Code verification publishing a running analysis chain that ran in a Cloud Run sandbox
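The per-process restrictions described above can be sketched in Python. This is an added example, not CodeRabbit's code: it swaps Jailkit and cgroups for POSIX rlimits, a scrubbed environment, a throwaway working directory and a wall-clock kill, so it does not provide filesystem or network isolation. The limits, `run_untrusted` and the sample script are assumptions.

```python
"""Added example: an inner sandbox layer for untrusted or LLM-generated scripts."""
import os
import resource
import signal
import subprocess
import tempfile
from dataclasses import dataclass

# Assumed limits for illustration; tune them per workload.
LIMITS = {
    resource.RLIMIT_CPU: 5,          # CPU seconds before the kernel kills the script
    resource.RLIMIT_FSIZE: 8 << 20,  # largest single file, including captured output
    resource.RLIMIT_NOFILE: 64,      # open file descriptors
    resource.RLIMIT_CORE: 0,         # no core dumps that could hold repository contents
}
MAX_OUTPUT = 64 * 1024               # bytes of output handed back to the caller


@dataclass
class RunResult:
    returncode: int   # negative value means "killed by that signal number"
    output: str
    timed_out: bool


def _apply_limits():
    """Runs in the child between fork and exec: lower both soft and hard limits."""
    for res, value in LIMITS.items():
        _, hard = resource.getrlimit(res)
        if hard != resource.RLIM_INFINITY:
            value = min(value, hard)
        resource.setrlimit(res, (value, value))


def run_untrusted(script, timeout=30.0, max_output=MAX_OUTPUT):
    """Run a shell script with a clean environment, rlimits and a hard deadline."""
    # Output goes to an anonymous temp file held open by the parent, so the
    # script cannot swap it for a symlink and the parent reads a bounded amount.
    with tempfile.TemporaryDirectory(prefix="review-") as workdir, \
            tempfile.TemporaryFile() as log:
        script_path = os.path.join(workdir, "task.sh")
        with open(script_path, "w") as fh:
            fh.write(script)
        # Do not inherit the service's environment: tokens and cloud credentials
        # exported to the parent must not be readable by the script.
        env = {"PATH": "/usr/bin:/bin", "HOME": workdir, "LANG": "C"}
        proc = subprocess.Popen(
            ["/bin/sh", script_path],
            cwd=workdir, env=env,
            stdin=subprocess.DEVNULL, stdout=log, stderr=subprocess.STDOUT,
            preexec_fn=_apply_limits,
            start_new_session=True,   # own process group, so children die with it
        )
        timed_out = False
        try:
            proc.wait(timeout=timeout)
        except subprocess.TimeoutExpired:
            timed_out = True
            # Kills the whole group. A script that calls setsid would escape this,
            # which is one reason the page's design adds cgroups on top.
            os.killpg(proc.pid, signal.SIGKILL)
            proc.wait()
        log.seek(0)
        output = log.read(max_output).decode("utf-8", "replace")
    return RunResult(proc.returncode, output, timed_out)


if __name__ == "__main__":
    os.environ["GITHUB_TOKEN"] = "constructed-not-a-real-token"  # constructed sample
    print(run_untrusted('echo "token=${GITHUB_TOKEN:-unset}"'))
```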
CodeRabbit’s use of Cloud Run allows it to scale dynamically. During peak hours, CodeRabbit’s Agentic PR Reviewer service receives up to 10 requests/second served by over 200 Cloud Run instances. Each Cloud Run instance is fairly bulky and utilizes 8vCPUs and 32GiB memory. CodeRabbit sees high CPU utilization, significant network traffic (downloading repositories and dependencies), and high memory usage when powering their PR reviewer service with Cloud Run.
Cloud Run instances powering CodeRabbit
Try this on your own
CodeRabbit’s use of Google Cloud Run is a compelling example of how to build a secure, scalable, and cost-effective platform for running AI-powered code analysis. Their architecture provides a blueprint for developers tackling similar challenges, and their experience highlights the evolving capabilities of serverless technologies. We’re excited to see how their platform advances as Cloud Run continues to add new features.
For years, data teams have relied on the BigQuery platform to power their analytics and unlock critical business insights. But building, managing, and troubleshooting the data pipelines that feed those insights can be a complex, time-consuming process, requiring specialized expertise and a lot of manual effort. Today, we’re excited to announce our vision, a major step forward in simplifying and accelerating data engineering with the BigQuery data engineering agent.
These agents aren’t just assistive tools, but agentic solutions, designed to act as intelligent partners in your data workflows. They automate daunting tasks, collaborate with your team, and continuously learn and adapt, freeing you to focus on what matters most: extracting value from your data.
Why a data engineering agent?
The world of data is changing. Organizations are generating more data than ever before, and that data is coming from a wider variety of sources, in a multitude of formats. At the same time, businesses need to move faster, making quick, data-driven decisions to stay competitive.
This creates a challenge. Traditional data engineering approaches often involve:
Tedious manual coding: Building and modifying pipelines can require writing and updating complex SQL queries, which is time-consuming and error-prone.
Schema struggles: Mapping data from different sources to the right format can be time-intensive, especially as schemas evolve.
Difficult troubleshooting: Diagnosing and fixing pipeline issues can involve lengthy sifting through logs and code, delaying critical insights.
Siloed expertise: Building and maintaining pipelines often requires specialized skills, creating bottlenecks and limiting who can contribute.
The BigQuery data engineering agent aims to address these pain points head-on and accelerate the way data pipelines are built and managed.
Meet your new AI-powered data engineering team
Imagine a team of expert data engineers, available 24/7, ready to jump in and tackle the toilsome pipeline development, maintenance, and troubleshooting tasks, enabling your data team to scale and focus on higher-value work. We are announcing the data engineering agent as experimental.
Here are a few ways the BigQuery data engineering agent will change the game:
1. Autonomous pipeline building and modification
Do you need a new pipeline to ingest, transform, and validate data? Simply describe your needs in natural language – the agent handles the rest. For example:
“Create a pipeline to load data from the ‘customer_orders’ bucket, standardize the date formats, remove duplicate entries based on order ID, and load it into a BigQuery table named ‘clean_orders’.”
The agent, leveraging its understanding of data engineering best practices and your specific environment and context, generates the necessary SQL code, builds the pipeline, and even creates basic unit tests. It’s not just about automation; it’s about intelligent, context-aware automation.
Need to update an existing pipeline? Just tell the agent what you want to change. It analyzes the existing code, proposes modifications, and even highlights potential impacts on downstream processes. You remain in control, reviewing and approving changes, but the agent handles the heavy lifting.
2. Proactive troubleshooting and optimization
Pipeline issues? The agent monitors your pipelines, identifies issues such as schema and data drift, and proposes fixes. It’s like having a dedicated expert constantly watching over your data infrastructure.
3. Bulk draft pipelines
A powerful use of the data engineering agent is to scale pipeline generation or modification using previously acquired context and knowledge. This allows users to quickly scale pipelines for different departments or use cases, with customizations as needed, using the command line and API for automation at scale. In the example below, the agent takes instructions from the command line and leverages domain-specific agent instructions to create bulk pipelines.
How it works: Intelligence under the hood
To handle the complexity that most organizations have to deal with, the agents rely on several key concepts:
Hierarchical context: The agents draw on multiple sources of knowledge:
Universal understanding of common data formats, SQL best practices, etc.
Vertical-specific knowledge of industry conventions (e.g., data formats in healthcare or finance)
Organizational awareness of your company’s or department’s specific business context, data structures, naming conventions, and security policies
Data pipeline-specific understanding of the details of source and target schemas, transformations, and dependencies
Continuous learning: The agents don’t just follow instructions; they learn from user interactions and previously developed pipelines. Agent knowledge gets continually enhanced over time as they work in your environment.
A collaborative, multi-agent environment
BigQuery data engineering agents are part of a multi-agent environment, where specialized agents collaborate to achieve complex goals, working together and delegating tasks, much like a real-world data engineering team:
An ingestion agent expertly handles data intake from various sources.
A transformation agent crafts efficient and reliable data pipelines.
A validation agent helps ensure data quality and consistency.
A troubleshooting agent proactively identifies and resolves issues.
A data quality agent, powered by Dataplex metadata, monitors data and proactively alerts on anomalies.
Our initial focus is on ingestion, transformation and troubleshooting tasks, but we plan to expand these initial capabilities to other critical data engineering tasks.
Your workflow, your way
Whether you prefer working in the BigQuery Studio UI, crafting code in your favorite IDE, or managing pipelines through the command line, we want to meet you where you are. We are initially making data engineering agent available in BigQuery Studio’s pipeline editor and API/CLI, but we plan to expose it in other contexts.
Data engineering agent and your data workers
The world is only beginning to see the full potential of AI-powered agents in revolutionizing how data workers interact with and derive value from their data. With BigQuery data engineering agent, the roles of data engineers, data analysts and data scientists are expanding beyond their traditional boundaries, empowering these teams to achieve more, faster, and with greater confidence. These agents act as intelligent collaborators, streamlining workflows, automating tedious tasks, and unlocking new levels of productivity. Initially we are focusing on core data engineering tasks of promoting data from Bronze to Silver in a data lake and expanding from there.
Coupled with products like Dataplex, BigQuery ML, and Vertex AI, BigQuery data engineering agent is poised to transform the way organizations manage, process, and derive value from their data. By automating complex tasks, promoting collaboration, and empowering data workers of all skill levels, these agents are paving the way for a new era of data-driven innovation.
Ready to get started?
This is just the beginning of our journey to build a truly intelligent, autonomous data platform. We’re committed to continuously expanding the capabilities of data engineering agent, making them even more powerful and intuitive partners for all your data needs.
BigQuery data engineering agent will be available soon. We’re excited to see how it fits into your data engineering workflows and help you unlock the full potential of your data. Show your interest in getting access here.
The unprecedented growth and unique challenges of AI applications are driving fundamental architectural changes to Google’s next-generation global network.
The AI era brings an explosive surge in demand for network capacity, with novel traffic patterns characteristic of large-scale model training and inference. Simultaneously, the critical need for unwavering reliability has reached new heights; in an AI-driven world, outages are simply not an option. Furthermore, the requirement for enhanced security and fine-grained control, including data sovereignty considerations, is paramount. Finally, the operational cost and complexity associated with scaling traditional network architectures necessitate a more innovative approach, pushing us beyond basic automation towards true autonomy.
As we discussed in this blog, we are meeting these challenges head-on by building the next generation of Google’s global network upon four key architectural principles: (1) exponential scalability, (2) beyond-9s reliability, (3) intent-driven programmability, and (4) autonomous networking.
In this blog, let’s peel back the layers and see how the underlying technology makes these four principles a reality.
Exponential scalability with a multi-shard network
We embrace elastic horizontal scaling as a core architectural principle for Google’s global network through our multi-shard network. Instead of one monolithic network, we’ve built multiple independent shards. This provides several benefits:
Horizontal scaling: When more capacity is needed, we can scale up by growing a shard, and scale out by adding more shards, overcoming the limits and complexity of vertical scale. This is akin to adding more independent networks, rather than trying to make a single network bigger and bigger.
Independent planes: The separation of control, data, and management planes within each shard significantly limits the impact radius of any potential issue. A software bug or operational error (such as an incorrect configuration push) in one shard is far less likely to impact others, enhancing the network’s overall stability.
In the AI era, the WAN is the new LAN and the continent is the data center. This horizontal scaling approach, inspired by the design of our massive data center fabrics, allows Google’s global network to handle the unprecedented bandwidth demands of today’s AI workloads. This multi-shard network has been a key enabler for us to accommodate the average 7X WAN traffic growth between 2020 and 2025, and more importantly, an order of magnitude growth in peak traffic due to the bursty nature of ML traffic over the same period.
Beyond-9s reliability: Architecting for resilience
In a world of always-on services, reliability is paramount. Google’s global network incorporates several key innovations to achieve beyond-9s availability, emphasizing diversity and independence at every layer of the stack to avoid “shared fate” (cascading failures) and minimize impact during failures.
Multi-shard isolation: Each network shard has independent data, control, and management planes. We control what can enter and leave these shards to a cluster or edge. This prevents a bad state from a cluster poisoning all the shards at the same time. The sharded architecture inherently provides a degree of isolation. Furthermore, we apply a multi-vendor paradigm when deploying our network shards, thanks to years of development of open APIs and models (discussed later) that allow us to operationalize any vendor platform under the same network function. This multi-vendor approach protects our network shards from vulnerabilities introduced by third-party software or hardware.
Region isolation: With this approach, regional cores keep traffic within their domains, and regional gateways enforce policies for traffic that’s entering or leaving. This limits the impact of regional events, effectively shielding the rest of the network.
Protective ReRoute: Google’s global network implements a unique transport technique for shortening user-visible outages that complements routing repair, and it marks a radical shift in how we think about network reliability. In the conventional network model, hosts send packets, and routers handle them. With Protective ReRoute, hosts actively shift traffic flows across network paths to improve reliability and performance, intelligently detecting network path anomalies and promptly, automatically rerouting traffic to a healthy, alternative path, which can be in the same or alternative shard. The host reroutes traffic in round-trip time scales, i.e., O(RTT), by changing a few bits in the packet header that are used to compute the hash function to select a specific path among many equally viable paths. This host-initiated re-routing protects customer traffic beyond what traditional routing and traffic engineering can achieve, and is independent of the type of network, scale of network, or type of failure, thereby providing robust and deterministic recovery and performance. With Protective ReRoute in our network, we have observed up to a 93% reduction in cumulative outage minutes.
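The host-side repathing described above, as an added illustration that is not Google's code: a toy fabric in which switches hash the flow identity plus a host-controlled label onto one of several equal-cost paths, and the sender changes only that label when an ACK fails to arrive. The 20-bit label width, the two-shard topology, the SHA-256 hash and the addresses are assumptions constructed for the example.

```python
import hashlib
import random

LABEL_BITS = 20        # assumption: number of header bits the host may rewrite
PATHS_PER_SHARD = 4    # constructed topology: 2 shards x 4 equal-cost paths
SHARDS = ("shard-A", "shard-B")
N_PATHS = PATHS_PER_SHARD * len(SHARDS)


def ecmp_path(flow, label):
    """Switch side: hash the flow identity and the label bits onto a path index."""
    key = "|".join(str(f) for f in flow) + "|" + str(label)
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % N_PATHS


def shard_of(path):
    """Map a path index to the shard that carries it."""
    return SHARDS[path // PATHS_PER_SHARD]


class Host:
    """Sender that repaths by changing only the label bits, never the 5-tuple."""

    def __init__(self, flow, seed=1):
        self.flow = flow
        self.rng = random.Random(seed)  # seeded so the run is reproducible
        self.label = self.rng.getrandbits(LABEL_BITS)
        self.repaths = 0

    def path(self):
        return ecmp_path(self.flow, self.label)

    def repath(self):
        """Pick a different label so the fabric re-hashes the flow."""
        new = self.label
        while new == self.label:
            new = self.rng.getrandbits(LABEL_BITS)
        self.label = new
        self.repaths += 1


def recover(host, failed_paths, max_rtts=64):
    """Send once per RTT; when no ACK comes back, repath.

    Returns the number of RTTs spent on dead paths before a healthy one
    was found, or None if every attempt within max_rtts hit a dead path.
    """
    for rtt in range(max_rtts):
        if host.path() not in failed_paths:
            return rtt
        host.repath()
    return None


def demo():
    """Fail the whole shard the flow starts on and let the host recover."""
    flow = ("2001:db8::10", "2001:db8::20", 6, 40000, 443)  # constructed 5-tuple
    host = Host(flow)
    before = host.path()
    failed = {p for p in range(N_PATHS) if shard_of(p) == shard_of(before)}
    rtts = recover(host, failed)
    return before, host.path(), rtts, host.repaths


if __name__ == "__main__":
    before, after, rtts, repaths = demo()
    print(f"start: path {before} ({shard_of(before)})")
    print(f"after {rtts} RTT(s), {repaths} repath(s): path {after} ({shard_of(after)})")
```

Because the label is the only input that changes, recovery needs no routing update; with half of the paths dead, each repath lands on a healthy path with probability 1/2 in this model.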
For a conceptual overview of these scalability and resilience innovations, check out this video:
Also, be sure to check out this demo to see the combined value of our multi-shard network and Protective ReRoute in action. Here, we emulate a network shard failure and show how the host promptly detects a path failure and routes the traffic over an alternative path in a different, healthy shard, providing near-instant recovery.
Intent-driven programmability for fine-grained network controls
To cater to our customers’ diverse and evolving needs, network agility and fine-grained programmability are crucial. Google’s global network allows for network controls to be precisely tailored to specific business requirements, encompassing regulatory compliance, digital sovereignty mandates, and unique application performance needs, down to the most granular network attributes. This programmability is made possible by:
Software-defined networking (SDN) controllers: Google’s global network is fully intent-driven, with SDN everywhere. We use SDN controllers to manage network behavior hierarchically. Orion, our hierarchical and federated SDN control plane platform, propagates top-level intent through layers of network control applications, which then react by updating their internal state and generating intermediate intent for each network switch. This hierarchical propagation results in changes to the programmed flow state in network switches.
Universal network model: Our universal network model, Multi-Abstraction-Layer Topology representation, or MALT, allows us to specify generic intent and business policy. Our control and management planes can then use these representations to implement these policies coherently across the network.
Standardized API: Because we rely on the OpenConfig software layer, we can use multiple routing vendors interchangeably, making the network more robust. With vendor diversity, a bug or an issue in one vendor’s software or hardware doesn’t impact the whole network, and we have options when scaling our network.
This programmability enables us to implement business policies directly into the network fabric, offering granularity and the ability to isolate bandwidth for critical applications. Customers with specific regulatory requirements can also leverage this programmability to enforce their desired network path controls for their data in motion.
Autonomous networking for the network powering AI
The sheer scale and complexity of our global network demand a shift from traditional automation to a more intelligent, autonomous approach that requires minimal human intervention. This is especially critical to avoid the substantial increase in operational expenses that comes with network growth, and to flatten the cost curves for network planning, design and operations. Below are some examples where we apply AI/ML techniques to help today. We see opportunities to expand into many more use cases:
Network incident response with a Gemini and Vertex AI agentic framework: We are using an agentic AI approach to shorten outage times by identifying and mitigating failures faster, and to perform more effective root-cause analysis. This is helping us reduce the mean-time to detect and mean-time to resolve network issues.
Demand forecasting and capacity planning: We are using AutoML for accurate demand forecasting, and employing graph optimization to optimize our network capacity planning.
Reinforcement learning for routing optimization: We tune routing metrics for specific objectives, such as network performance, with reinforcement learning.
Autonomous networking has allowed us to slash failure mitigation times from hours to minutes, improving our network’s resilience and customer experience. Check out this demo to see an example of our autonomous network in action!
Google’s next-generation global network represents a paradigm shift in network architecture designed to power the AI era, embracing horizontal scalability through multi-sharding, architecting for resilience at every layer with regional isolation and Protective ReRoute, enabling fine-grained programmability with SDN, and adopting autonomous network operation powered by AI/ML. This helps Google’s global network provide the scale, reliability, performance, and security that today’s mission-critical services and AI/ML applications demand. This transformation of Google’s software-defined global backbone not only meets the formidable challenges of the AI era, but empowers our customers to innovate and thrive in this new landscape. Our next-generation network is designed to be the invisible, yet indispensable, force driving the future of technology and connectivity.
This deep dive only scratches the surface, but hopefully, provides a glimpse into the innovative technologies that underpin Google’s global network. As we continue to navigate the exciting challenges and opportunities of the AI era, Google’s global network is the bedrock upon which we build and deliver transformative experiences for users and customers worldwide. Stay tuned for more updates as Google’s global network continues to evolve!
At Google Cloud Next 25, we announced incredible ways for enterprises to build multi-agent ecosystems with Vertex AI and Google Cloud Databases – including better ways for agents to communicate with each other using Agent2Agent Protocol and Model Context Protocol (MCP). With the growing excitement around MCP for developers, we’re making it easy for MCP Toolbox for Databases (formerly Gen AI Toolbox for Databases) to access your enterprise data in databases. This is another step forward in providing secure and standardized ways to innovate with agentic applications. Let’s take a look.
MCP Toolbox for Databases (formerly Gen AI Toolbox for Databases)
MCP Toolbox for Databases (Toolbox) is an open-source MCP (Model Context Protocol) server that allows developers to connect gen AI agents to enterprise data easily and securely. MCP is an emerging open standard created by Anthropic for connecting AI systems with data sources through a standardized protocol, replacing fragmented, custom-built integrations.
Currently, Toolbox can be used to build tools for a large number of databases: AlloyDB for PostgreSQL (including AlloyDB Omni), Spanner, Cloud SQL for PostgreSQL, Cloud SQL for MySQL, Cloud SQL for SQL Server, and self-managed MySQL and PostgreSQL. Because it’s fully open-source, it includes contributions from third-party databases such as Neo4j and Dgraph. Toolbox offers simplified development with reduced boilerplate code, enhanced security through OAuth2 and OIDC, and end-to-end observability with OpenTelemetry integration. This enables you to develop tools easier, faster, and more securely by handling the complexities such as connection pooling, authentication, and more.
As an MCP server, Toolbox provides the additional scaffolding for implementing production-quality database tools and making them accessible to any client in the growing MCP ecosystem. This compatibility allows developers building agentic applications to leverage Toolbox and securely query a wide range of databases through a single, standardized protocol, simplifying development and enhancing interoperability.
MCP Toolbox for Databases supports Agent Development Kit (ADK)
At Next, we launched the Agent Development Kit (ADK), an open-source framework that simplifies the process of building sophisticated multi-agent systems while maintaining precise control over agent behavior. With ADK, you can build an AI agent in under 100 lines of intuitive code. With ADK, you can:
Shape how your agents think, reason, and collaborate through deterministic guardrails and orchestration controls.
Interact with your agents in human-like conversations with ADK’s unique bidirectional audio and video streaming capabilities enabled with just a few lines of code. Check out the demo of an interactive agent from the opening keynote at NEXT 2025 built on the ADK here.
Choose the model or deployment that works best for your needs. ADK works with your stack of choice – whether that’s your preferred top-tier model, deployment target, or integration with remote agents built on other frameworks. ADK also supports the Model Context Protocol (MCP), enabling secure, two-way connections between your data sources and AI agents.
Deploy to production using the direct integration to Vertex AI Agent Engine. This clear and reliable path from development to enterprise-grade deployment eliminates the typical overhead associated with moving agents into production.
Diagram showing Toolbox with support for ADK and connecting to databases
To get started, go to Vertex AI Agent Garden to explore a curated set of agent samples for common use cases like data science and customer service agents. Discover tools that can be easily used to build agents with ADK such as connecting agents to databases with the integrated MCP Toolbox for Databases. You can access source code in GitHub samples that you can clone and start using to develop your own agents.
Adding LangGraph support
LangGraph gives you essential built-in support for persistence layer, implemented through checkpointers. This helps you build resilient, stateful agents that can reliably manage long-running tasks or resume after interruptions.
To leverage powerful managed databases for storing this state, Google Cloud offers dedicated integration libraries. Developers can choose the following:
The highly scalable AlloyDB for PostgreSQL using the AlloyDBSaver class from the langchain-google-alloydb-pg-python library, or opt for
Cloud SQL for PostgreSQL utilizing the corresponding checkpointer implementation, PostgresSaver, within the langchain-google-cloud-sql-pg-python library.
Both offer robust mechanisms to seamlessly save and load agent execution states, allowing workflows to be reliably paused, resumed, and audited, backed by the manageability and performance of Google Cloud’s PostgreSQL offerings.
When you compile a graph with a checkpointer, the checkpointer saves a checkpoint of the graph state at every super-step. Those checkpoints are saved to a thread, which can be accessed after graph execution. Because threads allow access to the graph’s state after execution, several powerful capabilities including human-in-the-loop, memory, time travel, and fault-tolerance are all possible.
Learn more about langgraph checkpoint usage for AlloyDB here and Cloud SQL PG here.
Get started
This Colab demonstrates a complete workflow for building and deploying a LangGraph Hotel Agent which can search, book and cancel hotels. This sample shows how to build and deploy an agent (model, tools, and reasoning) using the Vertex AI SDK and MCP Toolbox for Databases.
The demonstration will begin with agent development, integrating the MCP Toolbox for Databases to Search, Book, and Cancel hotels. It will then walk you through deploying the agent to Agent Engine and the MCP Toolbox to Cloud Run, and conclude by demonstrating how to connect these services remotely.
Here are some more resources to get started with Toolbox and MCP.
Gaining comprehensive visibility into threats across your entire digital landscape is paramount for security teams. We’re excited to bring our capabilities, products, and expertise to the upcoming RSA Conference in San Francisco, where you can learn more about our latest innovations, and where we’ll be sharing insight from this year’s highly-anticipated M-Trends report.
We now offer a streamlined, effective way to make Google an integral part of your security team with Google Unified Security, announced at Google Cloud Next earlier this month. This converged solution brings together the best of Google — unmatched threat visibility, faster threat detection, continuous virtual red-teaming, the most trusted browser, and Mandiant expertise — supercharged by Google Gemini and running on a planet-scale security fabric.
In addition to exploring Google Unified Security firsthand at the RSA Conference, you can take a deep dive into our newest M-Trends report, showcasing the results of more than 450,000 hours of frontline incident response investigation analysis from 2024.
From connecting with Google’s security experts to witnessing innovative cloud security technology in action, Google Cloud Security is the place to be at the RSA Conference. We’ve got a packed schedule of booth activities, insightful keynotes, deep-dive sessions, and exclusive events you won’t want to miss.
Here’s your guide to everything Google Cloud Security is bringing to RSA Conference 2025.
Meet us at our booth: Dive into demos and test your knowledge
Find the Google Cloud Security team on the show floor at booth #N-6062 in the Moscone Center, North Hall. Here you can:
Meet with our security experts: Engage in one-on-one conversations and discover how making Google a part of your security team can strengthen your defenses with Google Unified Security.
Check out live presentations and 1:1 demos: Experience our latest security innovations firsthand and see how Google Unified Security can address your specific challenges.
Test your knowledge at M-Trends trivia: Put your threat intelligence skills to the test for a chance to win exciting prizes.
Gain insights directly from Google Cloud Security leaders
Beyond speculation: Data-driven insights into AI and cybersecurity Hear Sandra Joyce, VP, Google Threat Intelligence, assess the real-world and future impacts of AI in cybersecurity. This session cuts through the noise to expose practical applications of AI, drawing on Mandiant’s incident response engagements and analysis of attacker use of Gemini.
Tuesday, April 29 | 10:50 AM | Moscone West Keynote Stage
Cybersecurity Year-in-Review and The Future Ahead Kevin Mandia, one of industry’s most prominent and respected voices, will present his annual report on the cyber landscape, including the evolving CISO role, emergence of AI, and need for resilience. He’ll be joined by former New York Times cyber reporter Nicole Perlroth to discuss the data and share firsthand stories and actionable strategies to strengthen defenses and prepare for the future.
Wednesday, Apr 30 | 9:40 AM – 10:30 AM PDT | Moscone South Keynote Stage
Explore expert-led sessions
We have an exciting lineup of Google Cloud Security speakers who will be presenting at RSAC this year — on the mainstage, in track sessions, and at our Google Cloud Security hub in the Marriott Marquis. Below are the highlights of our Google-led sessions from RSAC, and see our website for a complete list.
Speakers: Anton Chuvakin, Senior Staff Security Advisor, Google Cloud; Michael Bernhardt, Director for Information Security, DATEV; John Dickson, CEO, Bytewhisper Security; Diana Kelley, CISO, Protect AI
Speaker: Daniel Fabian, Principal Digital Arsonist, Google
Wednesday, Apr 30 | 8:30 AM – 9:20 AM PDT
Visit the Google Cloud Security Hub for exclusive events
Join us at the Marriott Marquis for exclusive sessions and networking opportunities at the Google Cloud Security Hub. Register now to secure your spot:
Executive breakfast | Modern cyber defense: Building resilient organizations in a complex world: Join us for an exclusive breakfast briefing where we’ll address the unprecedented challenges facing modern cyber defense. This session will explore the critical role of information sharing and AI in Google Unified Security, and how it helps build more robust and resilient organizations in today’s increasingly complex world.
Tuesday, April 29 | 8:00 AM | Marriott Marquis – Google Cloud Security Hub
Threat Intelligence briefing and luncheon: Learn the latest frontline intelligence over lunch with Google Threat Intelligence Group VP, Sandra Joyce and Chief Analyst, John Hultquist. Don’t miss this exclusive threat overview, where they’ll share observations and analysis of the current threat landscape and how to build a resilient cybersecurity program.
Tuesday, April 29 | 12:00 PM – 1:15 PM | Marriott Marquis – Google Cloud Security Hub
Unwind and connect at our Customer Lounge
During the week, relax and connect with Google Cloud Security experts and partners at the Marriott Marquis for breakfast, lunch, snacks, coffee, and boba. Participate in additional Google Cloud Security sessions, play games, and get a new headshot while networking with other security professionals.
Join us in the space for the return of Tasting Tuesday and Wine Down Wednesday (both starting at 5:30 PM), brought to you in collaboration with Google Cloud Security partners.
Tasting Tuesday: A Delicious Start to RSAC: Enjoy a vibrant atmosphere, eat San Francisco-inspired cuisine, listen to great live music while connecting with industry peers, and savor the start of a successful conference.
Wine Down Wednesday: Celebrate Success: Join us for the ultimate RSAC closing event. Enjoy pairings of great wine and food and live music, and raise a glass to new connections and a successful week of achievements.
Meet you there
RSA Conference 2025 promises to be an insightful week, and Google Cloud Security is ready to contribute valuable knowledge and innovative solutions. We encourage you to make the most of your time by visiting our booth, attending our sessions, re-energizing at the Google Cloud Security Hub in the Marriott Marquis, and connecting with our team.
We’re eager to discuss your security challenges and demonstrate how Google can be your strategic security partner in the face of evolving threats. If you can’t join us in person, we encourage you to stream the RSA Conference sessions here to stay one step ahead of threats.
Editor’s note: Ping Xie is a Valkey maintainer on the Valkey Technical Steering Committee (TSC).
Memorystore, Google Cloud’s fully managed in-memory service for Valkey, Redis and Memcached, plays an increasingly important role in our customers’ deployments — in fact, over 90% of the top 100 Google Cloud customers use Memorystore. Today, we’re excited that the Memorystore for Valkey service is now generally available, a significant step forward for open-source in-memory data management on the cloud. With the GA, you can now run your production workloads on Memorystore for Valkey backed by a 99.99% availability SLA along with features such as Private Service Connect, multi-VPC access, cross-region replication, persistence, and many more.
When we launched the preview of Memorystore for Valkey in August 2024, hundreds of Google Cloud customers like Major League Baseball (MLB) and Bandai Namco Studios Inc. jumped in and deployed the service. In the last few months, they’ve provided us with invaluable feedback that has shaped the service we’re announcing today:
“At Major League Baseball, our use of Memorystore has been a key part in optimizing how we bring data to our fans. We are excited about the general availability of Memorystore for Valkey, a truly open-source alternative. We believe its inherent flexibility and the power of community-driven development will further enhance our speed, scalability, and real-time data processing capabilities, allowing us to better serve our fans, players, and operations.” – Rob Engel, Vice President of Software Engineering, Major League Baseball
“Bandai Namco Studios uses Memorystore to power the low-latency and high-scale performance essential for many of our titles. We’re excited about the GA launch of Memorystore for Valkey. Its speed, features, and truly open-source nature will empower us to enhance real-time gameplay and scale for our global player base. We look forward to leveraging Memorystore for Valkey’s capabilities to continue pushing the boundaries of gaming innovation.” – Motoo Fukuda, Technical Director at Bandai Namco Studios Inc.
What’s new at GA
At GA, Memorystore for Valkey is backed by a 99.99% SLA powered by Google’s advanced high availability and zonal placement algorithms, and ships with a comprehensive suite of enterprise-grade features such as:
Support for Private Service Connect: Memorystore for Valkey is built on top of Private Service Connect, which allows customers to connect to up to 250 shards using just two IP addresses. Memorystore’s discovery endpoint being highly available ensures no single point of failure for your cluster.
Zero-downtime scaling: Memorystore for Valkey offers zero downtime scaling (in and out) so your cluster can grow with your application’s needs, and so it’s cost-optimized for your workloads. It supports cluster sizes ranging from 1 to 250 nodes.
Integrated Google-built vector similarity search: Memorystore for Valkey supports ultra-low latency, in-memory vector search, and can perform vector search at single-digit millisecond latency on over a billion vectors, with greater than 99% recall.
This performance is powered by Google’s vector search module, the official search module for the Valkey OSS project, which is integrated into Memorystore for Valkey. The module enables modern AI applications for gen AI use cases such as retrieval-augmented generation (RAG), recommendation systems, and semantic search. With hybrid search support, users can achieve more accurate and contextually relevant search results, leading to improved application performance and a better user experience.
Managed backups: Access to built-in managed backups enables both automated and on-demand backups for migrations, disaster recovery, and compliance.
Cross-region replication (CRR): Using CRR, you can achieve disaster recovery preparedness and low-latency reads across regions. At this time, in addition to the primary region, we support up to two secondary regions with clusters that in turn can have varying numbers of replicas. Memorystore for Valkey ensures both the data plane and control plane remain in sync across regions.
Multi-VPC access: Memorystore for Valkey supports multiple client-side VPCs to connect to one Private Service Connection endpoint on the Valkey cluster. Using this technology, you can securely connect clients across multiple projects and VPCs.
Persistence: Memorystore for Valkey offers both RDB-snapshot and AOF-logging based persistence to meet varying data durability requirements.
Memorystore for Valkey supports both Valkey 7.2, and our engine of choice, Valkey 8.0, which offers many enhancements over its predecessors:
Exceptional performance: With asynchronous I/O improvements, Memorystore for Valkey 8.0 delivers better throughput and achieves up to 2x Queries Per Second (QPS) of Memorystore for Redis Cluster at microseconds latency, helping applications handle demanding internet-scale workloads with ease.
While priced in-line with Memorystore for Redis Cluster, Memorystore for Valkey’s performance optimizations can lead to substantial cost savings by potentially requiring fewer nodes to handle the same workload.
Optimized memory efficiency: Valkey 8.0’s optimized memory management delivers improved memory savings, reducing operational costs across various workloads.
Enhanced reliability: Valkey 8.0 offers significantly more reliable scaling with Google-contributed features like automatic failover for empty shards and highly available migration states. Additionally, we introduced auto-repairing of migration states to further strengthen system resilience.
In addition, Memorystore for Valkey also provides other capabilities, such as maintenance windows, single zone clusters, single shard clusters, no-cost inter-zone replication, etc.
Our commitment to open source and customer trust
Following licensing updates to Redis OSS by Redis Inc. in March 2024, the open-source community established Valkey OSS as an alternative that’s supported by organizations including Google, Amazon, Snap and others.
We deeply value the trust you place in us. To ensure you continue to have access to powerful, open technology, we launched Memorystore for Valkey on Google Cloud. Unlike Redis, the Valkey OSS project is under the BSD 3-clause license and backed by the Linux Foundation. The momentum behind Valkey has been exhilarating.
In addition to Memorystore for Valkey, we are also committed to supporting and delivering new capabilities for Memorystore for Redis Cluster and Memorystore for Redis. And when Memorystore for Redis customers are ready to adopt Valkey — for its price-performance, reliability and open-source nature — we offer full migration support. Memorystore for Valkey is fully compatible with Redis OSS 7.2 APIs and your favorite clients, making it easy to switch to open source. Further, you can reuse your Memorystore for Redis and Memorystore for Redis cluster committed use discounts (CUDs), smoothing the transition.
Try Memorystore for Valkey today
The best way to experience the power of Memorystore for Valkey is to try it out. Get started with the documentation or deploy your first Valkey instance. Don’t let having to self-manage Redis hold you back. Experience the simplicity and speed of Memorystore for Valkey today and see how it can power your applications, so you can focus on what matters: innovating and creating impactful applications for your business!