In its 17th edition, Verizon's 2025 Data Breach Investigations Report (DBIR) continues to deliver one of the most comprehensive analyses of cyber incidents worldwide. Based on data from more than 30,000 security incidents and more than 10,000 confirmed breaches, this year's report reveals a threat landscape where speed, simplicity, and stolen credentials dominate.
As the report starkly states: "The three primary ways in which attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities—across every single industry."
Stolen credentials played a role in more than 60% of breaches, making them the top vector once again. Threat actors aren't brute-forcing their way in—they're logging in through the front door. From the report: "Credential theft continues to be the key to the kingdom in the majority of breaches. And it's not slowing down."
This reinforces the urgency of robust identity and access management strategies—especially for protecting cloud and SaaS applications.
Phishing accounted for nearly 25% of all breaches. More concerning: Verizon found that 50% of users who open phishing emails do so within the first hour. "The median time to click was just 21 minutes. That's how fast your detection and response needs to be."
This finding underscores the need for advanced phishing detection, real-time user training, and behavioral monitoring that can detect post-click lateral movement.
While not as common as phishing or credential theft, vulnerability exploitation remains a key method in high-impact breaches—especially in critical infrastructure and supply chain attacks. Verizon highlights that the "zero-day-to-exploitation" window is shrinking. "Speed matters. Delays in patching are now measured in exposure, not just uptime."
Automation, SBOM analysis, and prioritized patching based on real-world exploitability—not just CVSS—are key.
Verizon continues to stress the role of non-malicious human behavior:
19% of breaches involved internal actors.
Errors and misconfigurations made up more than 25% of all incidents, particularly in cloud environments. "The cloud makes it easy to scale—but also easy to misconfigure. And attackers are counting on that."
The DBIR breaks down breach trends across industries:
Financial and Insurance: Heavily targeted by credential stuffing and phishing; fastest detection rates.
Healthcare: Insider threats and error-related breaches dominate.
Public Sector: DoS attacks and ransomware remain major concerns.
Manufacturing: IP theft and ransomware are top risks; OT/ICS systems still lag in basic controls.
Verizon concludes that prevention alone is no longer enough: "The breach timeline is compressing—what used to take days now happens in minutes. Your response must be equally fast."
The 2025 DBIR is a call to arms for CISOs and security leaders to rethink how they detect, respond to, and recover from breaches. As the report suggests, controls must be user-centric, intelligence-driven, and built to scale—because the attackers already are.
We asked experts at cybersecurity vendors for their comments and additional insights.
Mike McGuire, Sr. Security Solutions Manager at Black Duck:
"Third-party services, products or software components in the software supply chain should be thoroughly assessed for security. The biggest challenge here is visibility. The average commercial code base depends on 911 open source components. More than half of these dependencies are transitive, meaning there are numerous dependencies being introduced into applications inadvertently. Depending on how these dependencies are introduced, it can be difficult to identify and track them, and complete tasks like providing accurate SBOMs to consumers.
"Another challenge is the rapid nature of software development. Dependencies can be very frequently updated, introducing new security vulnerabilities, which requires continuous monitoring and an efficient prioritization approach to stay on top of.
"Security teams also must grapple with limited access to source code. Most third-party components are closed source, meaning manual code audits are out of the question. Security teams then have to rely on some sort of binary analysis, or trust their vendor's SBOMs and security attestations, which can be inaccurate themselves because they too face these same challenges.
"Automation is recommended to reduce the occurrence of human error and improve consistency. These tools can replace some of the more manual, repetitive tasks that security teams usually perform; however, security professionals are still needed to tune this automation and define policy based on risk tolerance. For example, automation can be used for dependency management, by analyzing source code and files to detect open source or third-party components. These tools can also be used to automatically generate resulting SBOMs.
"Security team members need to help define which dependencies should be excluded based on risk factors, and define vulnerability prioritization guidelines. As another example, automation can be used to sign and verify artifacts, and continuously monitor artifact repositories for tampered or outdated artifacts. Security teams would be responsible for identifying these weak links to be secured, and setting security thresholds.
Nicole Carignan, Sr. Vice President, Security & AI Strategy, and Field CISO at Darktrace:
"While GenAI was the talk of 2024, Agentic AI will be a significant focus for organizations in the year ahead. Agentic AI refers to autonomous artificial intelligence systems capable of complex tasks, decision-making and interacting with external systems with minimal human intervention. Unlike traditional AI models, AI agents mimic human decision-making processes and can adapt to new challenges, making them ideal for cybersecurity applications. Agentic systems use a combination of various AI or machine learning techniques to ingest data from a variety of sources, analyze the data, prepare a plan of action (autonomous or recommended), and take action. Most think of agentic systems as comprising LLM-based agents, but many different machine learning techniques can be used to optimize accuracy or function for specific use cases.
"In cybersecurity, these systems can be used to autonomously monitor network traffic, identify unusual patterns that might indicate potential threats, and take autonomous actions to respond to possible attacks. Agentic systems can also handle incident response tasks, such as isolating affected systems, patching vulnerabilities, as well as triaging alerts in a SOC. They can also help with incident summarization and visualization as well as report generation to keep stakeholders informed during an ongoing incident. Another innovative use case will be the use of multi-agent systems for application testing and vulnerability discovery. With agentic systems able to take on many manual, time-consuming tasks in the SOC, skilled analysts can focus on more strategic tasks. This is critical for enabling security teams to move from a reactive to proactive state.
"However, these advantages also come with challenges. Agentic AI systems can inherit biases from their training data, potentially making flawed or unfair decisions. Without proper oversight, they may misinterpret their tasks, leading to unintended behaviors that could introduce new security risks. Building and maintaining such systems also demands deep technical expertise—something many organizations currently lack. Generative and LLM-based agentic systems have additional concerns, including hallucinations, poor reasoning, and susceptibility to attacks like prompt injection. These vulnerabilities introduce new attack surfaces that traditional defenses may not cover. Additionally, some agent-based systems are self-discoverable and have excessive permissions. Proper safeguards to control communication boundaries, accesses, permissions, and robust data security are necessary to protect organizations.
"Agentic AI holds great promise in cybersecurity, but it must be implemented safely, securely and responsibly, with robust safeguards to truly strengthen defense.
Jason Soroko, Sr. Fellow at Sectigo:
"Organizations should embrace a proactive, dynamic security posture that leverages real-time risk analytics to bolster their defenses against vulnerability exploits. Beyond patching, deploying automated orchestration tied to live threat feeds can prioritize remediation on the fly. The most effective controls combine microsegmentation with strong authentication and adaptive access and behavioral analytics. The term zero trust is often used, but it’s the principles behind it that are important.
"Techniques like chaos engineering for security testing, which stress-test defenses in unpredictable ways, and machine learning–driven anomaly detection offer fresh layers of defense. These measures limit lateral movement and flag subtle shifts in network behavior, tightening security even when patching lags behind threat emergence.
"Static defenses won't suffice. Integrating diverse data sources—including CISA's KEV—into a unified, predictive vulnerability management framework can shift organizations from reactive patching to anticipatory risk management. This fresh, intelligence-driven approach is essential in a landscape where every day counts.
Agnidipta Sarkar, Vice President, CISO Advisory, at ColorTokens:
"Awareness is a battle that organizations can never truly win. This is because humans generally don't retain information that doesn't directly impact them personally or professionally. Therefore, to improve retention, awareness efforts should be customized to each employee, relevant to the specific digital activities being performed, and involve employees in sharing the awareness with others. Unfortunately, many security and risk leaders today use awareness as a way to deflect blame if something goes wrong.
"Stronger technical controls must be implemented that eliminate the ability to allow adversary-in-the-middle (AiTM) attacks. Apart from the usual security awareness, which must focus on how the actual technology does not provide multiple error messages, the users must restart their authentication, trigger a password reset, and change account security questions when flooded with requests, no matter how bothersome they are.
James Scobey, CISO at Keeper Security:
"Humans are always the weakest link in 'abuse of trust' attacks. Generative AI will play a dual role in the identity threat landscape this year. On one side, it will empower attackers to create more sophisticated deepfakes—whether through text, voice or visual manipulation—that can convincingly mimic real individuals. These AI-driven impersonations are poised to undermine traditional security measures, such as voice biometrics or facial recognition, which have long been staples in identity verification. Employees will, more and more frequently, get video and voice calls from senior leaders in their organization, telling them to grant access to protected resources rapidly. As these deepfakes become harder to distinguish from reality, they will be used to bypass even the most advanced security systems.
"On the other hand, generative AI offers significant potential for bolstering defenses. Security teams can harness AI's ability to analyze massive datasets and detect patterns in real-time, identifying anomalies that could be indicative of identity fraud. AI-driven tools can enhance behavioral biometrics and continuous authentication by examining user actions over time, flagging deviations that might indicate impersonation. However, as powerful as AI is, it still requires significant human oversight. AI models, while adept at processing vast amounts of data, can miss nuanced context or make incorrect conclusions based on incomplete information. Skilled security professionals will remain essential in guiding these AI systems, fine-tuning their analysis and intervening when automated responses are insufficient.
Trey Ford, CISO at Bugcrowd:
"Ransomware teams, like every other criminal organization, are businesses. Ransoms are usually paid via cryptocurrency, and those values have been back on the rise since Q4 2023—rising aggressively in the past couple of quarters.
"Regardless of the ransomware actor, the foundational controls still matter. Knowing your total attack surface, testing your environment—with an eye toward efficient remediation—is key. Enterprise controls including visibility (logging, EDR), hardening (privileged account management, careful inventory of service accounts), and MFA for domain admin and remote access are paramount. There is a strong correlational reason cyber insurance underwriters care about those key controls and coverage in the application process. If those controls are not effective, cyber insurance underwriters might have to pay out. Be open with management about which of those controls are effective and lacking, and secure funding to get them online as fast as possible.
Brandon Williams, CTO at Conversant Group:
"Attackers will continue demanding ransoms not only to decrypt but also to avoid the publishing of stolen data. Some threat actors have moved to deleting data as part of their normal motions. If this gains traction this year, organizations will not have a method to recover by simply paying a ransom and hoping to get a working decryption tool. The only method of recovery will be backups; however, data shows that backups do not typically survive these breaches.
"According to our own research, 93% of cyber events involve targeting of backup repositories, and 80% of data thought to be immutable does not survive. Being able to recover, but having no place to recover, will result in longer outages and increased business interruption costs. This will require strategic breach recovery plans that integrate real-time threat detection, adaptive defenses and incident response protocols. The most effective component of breach recovery plans is immutable backups, which are essential for fast recovery from breaches. The tamper-proof design of immutable backups guarantees the integrity of stored data and reduces recovery time while allowing for rapid restoration without the risk of reintroducing infected or corrupted files.
Saeed Abbasi, Manager, Vulnerability Research, at Qualys Threat Research Unit:
"The 2025 DBIR findings demonstrate that the exploitation of vulnerabilities as the initial access vector for breaches has seen another year of growth—reaching 20%. Edge device vulnerabilities grew nearly eight-fold, while ransomware presence increased by 37%. Third-party involvement in breaches doubled to 30%, and espionage-motivated breaches rose significantly to 17%. Additionally, 46% of compromised systems with corporate credentials were non-managed devices, highlighting BYOD risks and the importance of robust asset management.
"Exploiting vulnerabilities as an initial access vector has grown significantly, reaching 20% of breaches analyzed in the 2025 DBIR across 12,195 confirmed data breaches. This represents a 34% increase from the previous year and approaches the frequency of credential abuse (22%). This trend demands immediate attention from security teams, particularly as edge devices and VPNs now represent 22% of vulnerability exploitation targets, an almost eight-fold increase from just 3% in 2024. Organizations must leverage a risk-based approach and prioritize vulnerability scanning and patching for internet-facing systems. The data clearly shows that attackers follow the path of least resistance, targeting vulnerable edge devices that provide direct access to internal networks.
"According to the report, the median time for organizations to fully remediate edge device vulnerabilities was 32 days, while the median time for these vulnerabilities to be mass exploited was zero days—meaning the analyzed vulnerabilities were added to the CISA KEV catalog on or before their CVE publication. This timing gap represents a critical window of exposure that organizations must work to close.
"Security teams should:
"Ransomware presence in analyzed breaches grew by 37%, appearing in 44% of all breaches reviewed (up from 32%). However, the median ransom payment decreased to $115,000 from $150,000 the previous year, with 64% of victims refusing to pay (up from 50% two years ago). Small organizations are disproportionately affected by ransomware. While larger organizations experience ransomware in 39% of breaches, SMBs face ransomware in a staggering 88% of breach incidents.
"Organizations should implement a comprehensive vulnerability management approach that:
"Third-party involvement in breaches doubled from 15% to 30%, with credential reuse in third-party environments becoming increasingly common. Research found the median time to remediate leaked secrets discovered in GitHub repositories was 94 days. Espionage-motivated breaches grew significantly to 17%, with these attackers leveraging vulnerability exploitation as an initial access vector 70% of the time. Interestingly, approximately 28% of incidents involving state-sponsored actors had a financial motive.
"Cloud and application security programs must evolve to:
"The 2025 DBIR findings emphasize the need for a holistic security approach that prioritizes vulnerability management while addressing third-party risks and evolving ransomware tactics. Security teams can build more resilient programs that protect their organizations against the most prevalent attack vectors by focusing on these key areas.
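The article's point that patching should be prioritized by real-world exploitability rather than CVSS alone, Soroko's call to fold CISA's KEV into vulnerability management, and Abbasi's remediation-versus-mass-exploitation gap can be put into one small triage routine. The following is an added illustration, not code from Verizon or any of the quoted vendors: every CVE identifier, asset name and date below is a constructed placeholder, and the priority tiers are this example's own assumption, not a scheme the report prescribes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Finding:
    cve: str                    # placeholder id, not a real CVE number
    asset: str
    cvss: float
    internet_facing: bool       # edge device / VPN / public web app
    cve_published: date
    kev_added: Optional[date]   # None when the CVE is not in CISA KEV
    remediated: Optional[date]  # None while the finding is still open

def exposure_days(f: Finding, today: date) -> Optional[int]:
    """Days a KEV-listed flaw stayed open: KEV-added date to remediation
    (or to today if still open). None when the CVE is not in KEV."""
    if f.kev_added is None:
        return None
    end = f.remediated or today
    return max(0, (end - f.kev_added).days)

def kev_lead_days(f: Finding) -> Optional[int]:
    """Days from CVE publication to KEV listing. 0 or negative means the
    flaw was being mass-exploited on or before publication (the 'zero days'
    median the DBIR reports for edge devices)."""
    if f.kev_added is None:
        return None
    return (f.kev_added - f.cve_published).days

def priority(f: Finding) -> int:
    """Assumed tiering (1 = most urgent): known exploitation and exposure
    outrank raw CVSS severity."""
    if f.kev_added and f.internet_facing:
        return 1
    if f.kev_added:
        return 2
    if f.internet_facing and f.cvss >= 9.0:
        return 3
    return 4 if f.cvss >= 7.0 else 5

def triage(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings ordered by tier, then by CVSS within a tier."""
    open_ = [f for f in findings if f.remediated is None]
    return sorted(open_, key=lambda f: (priority(f), -f.cvss))

TODAY = date(2025, 4, 30)  # constructed reference date
SAMPLE_FINDINGS = [  # constructed inventory
    Finding("PLACEHOLDER-CVE-0001", "vpn-edge-01", 7.2, True,
            date(2025, 3, 3), date(2025, 3, 3), None),
    Finding("PLACEHOLDER-CVE-0002", "db-internal-07", 9.8, False,
            date(2025, 1, 20), None, None),
    Finding("PLACEHOLDER-CVE-0003", "ws-finance-12", 8.1, False,
            date(2025, 2, 1), date(2025, 2, 10), date(2025, 3, 14)),
    Finding("PLACEHOLDER-CVE-0004", "web-public-02", 9.1, True,
            date(2025, 2, 15), None, None),
]
```

Run against the constructed inventory, the mid-severity but KEV-listed VPN flaw sorts ahead of the CVSS 9.8 internal database, and the remediated workstation finding shows a 32-day exposure window.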