Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Verizon Business has released its 2025 Data Breach Investigations Report. The report assesses more than 22,000 security events (including 12,195 confirmed data breaches), finding that the leading initial attack vectors continue to be credential abuse (22%) and vulnerability exploitation (20%).
Key findings from the report include:
- Third-party involvement in breaches has doubled, reaching 30%.
- Vulnerability exploitation increased by 34%, with a focus on zero-day exploits against perimeter devices and VPNs.
- Ransomware attacks rose by 34% from the previous year and are seen in 44% of breaches. Yet, median ransom amounts paid decreased.
- There’s an overlap between social engineering and credential abuse, emphasizing the role of human error in breaches.
Below, security leaders offer a deeper analysis into the report’s results, including discussions of mitigating human error, dealing with ransomware threats, and more.
Analyzing Verizon Business’s 2025 Data Breach Investigations Report
Mr. Saeed Abbasi, Manager, Vulnerability Research at Qualys Threat Research Unit:
The 2025 DBIR findings demonstrate that the exploitation of vulnerabilities as the initial access vector for breaches has seen another year of growth — reaching 20%. Edge device vulnerabilities grew nearly eight-fold, while ransomware presence increased by 37%. Third-party involvement in breaches doubled to 30%, and espionage-motivated breaches rose significantly to 17%. Additionally, 46% of compromised systems with corporate credentials were non-managed devices, highlighting BYOD risks and the importance of robust asset management.
Exploiting vulnerabilities as an initial access vector has grown significantly, reaching 20% of breaches analyzed in the 2025 DBIR across 12,195 confirmed data breaches. This represents a 34% increase from the previous year and approaches the frequency of credential abuse (22%). This trend demands immediate attention from security teams, particularly as Edge devices and VPNs now represent 22% of vulnerability exploitation targets, an almost eight-fold increase from just 3% in 2024. Organizations must leverage a risk-based approach and prioritize vulnerability scanning and patching for internet-facing systems. The data clearly shows that attackers follow the path of least resistance, targeting vulnerable edge devices that provide direct access to internal networks.
According to the report, the median time for organizations to fully remediate edge device vulnerabilities was 32 days, while the median time for these vulnerabilities to be mass exploited was zero days — meaning the analyzed vulnerabilities were added to the CISA KEV catalog on or before their CVE publication. This timing gap represents a critical window of exposure that organizations must work to close.
Security teams should:
- Implement asset management for internal and external assets to gather a complete inventory of their hosts, including EOLs
- Deploy broad vulnerability detection capabilities
- Leverage risk-based prioritization for findings
- Implement automated patch management workflows
- Prioritize edge device vulnerabilities
- Consider compensating controls and alternative mitigation strategies when immediate patching isn’t possible
Ransomware presence in analyzed breaches grew by 37%, appearing in 44% of all breaches reviewed (up from 32%). However, the median ransom payment decreased to $115,000 from $150,000 the previous year, with 64% of victims refusing to pay (up from 50% two years ago). Small organizations are disproportionately affected by ransomware. While larger organizations experience ransomware in 39% of breaches, SMBs face ransomware in a staggering 88% of breach incidents.
Organizations should implement a comprehensive vulnerability management approach that:
- Integrates threat intelligence feeds to identify emerging ransomware variants and tactics
- Deploys advanced detection mechanisms that specifically flag the association of a vulnerability with known ransomware groups
- Utilizes risk-based prioritization to remediate vulnerabilities that ransomware operators actively exploit
- Deploys next-generation endpoint detection and response (EDR) solutions capable of detecting ransomware-specific behaviors
- Develops incident response playbooks that address data exfiltration and extortion scenarios common in modern ransomware attacks
Third-party involvement in breaches doubled from 15% to 30%, with credential reuse in third-party environments becoming increasingly common. Research found the median time to remediate leaked secrets discovered in GitHub repositories was 94 days. Espionage-motivated breaches grew significantly to 17%, with these attackers leveraging vulnerability exploitation as an initial access vector 70% of the time. Interestingly, approximately 28% of incidents involving state-sponsored actors had a financial motive.
Cloud and application security programs must evolve to:
- Implement automated secret scanning, 24-hour credential rotation processes, and multi-factor authentication to secure credentials in third-party environments
- Establish comprehensive third-party security assessments and reduce critical vulnerability remediation timeframes
- Implement continuous monitoring of third-party security postures
- Utilize solutions for unified risk visibility across cloud infrastructure and implement continuous scanning with prioritized remediation based on business criticality
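The "automated secret scanning" and "24-hour credential rotation" items above describe a control without showing how it behaves, so here is an added example, written for this article and not code from Verizon, Qualys or the DBIR. It scans constructed repository file contents for well-known credential formats (AWS access key ids, GitHub personal access tokens, private-key headers) and for generic `secret = "..."` assignments filtered by Shannon entropy so that placeholder values are not flagged, then attaches an exposure age to each hit and marks it overdue against a one-day rotation target. All file contents, dates and secret values are invented; the pattern for each token format is an assumption about the format, not a claim about any named vendor.

```python
import math
import re
from datetime import date

# Detector patterns: fixed-format credentials plus a generic catch-all for a
# long quoted value assigned to a secret-looking name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed cut-off that skips words and paths
ROTATION_SLA_DAYS = 1     # the 24-hour rotation target the commentary calls for

# Constructed sample repository: (path, file text, last commit date). None of
# these values are real secrets; they only match the formats above.
SAMPLE_FILES = [
    ("config/settings.py",
     'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY123456"\nDEBUG = False\n',
     date(2025, 1, 10)),
    ("scripts/deploy.sh",
     "export GITHUB_TOKEN=ghp_" + "x" * 36 + "\n",
     date(2025, 4, 1)),
    ("config/app.yaml",
     'api_key: "9f8e7d6c5b4a39281706f5e4d3c2b1a0"\npassword: "changeme-changeme"\n',
     date(2025, 4, 29)),
    ("README.md", "Run `make test` before opening a PR.\n", date(2025, 4, 20)),
]


def shannon_entropy(s):
    """Bits of entropy per character; random keys score high, dictionary words low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Never echo the full secret into a report or log."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path, text):
    """Return one finding per matched credential in the given file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # The generic detector only fires on high-entropy values, so a
                # placeholder such as "changeme-changeme" is ignored.
                if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "value": redact(value)})
    return findings


def triage(files, today):
    """Scan every file, attach how long each leaked secret has been exposed,
    flag those past the rotation SLA, and order oldest first."""
    report = []
    for path, text, committed in files:
        for f in scan_text(path, text):
            f["age_days"] = (today - committed).days
            f["overdue"] = f["age_days"] > ROTATION_SLA_DAYS
            report.append(f)
    report.sort(key=lambda f: f["age_days"], reverse=True)
    return report


if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, date(2025, 4, 30)):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']} "
              f"age={f['age_days']}d overdue={f['overdue']}")
```

The age field is the point of the exercise: a scanner that only lists matches tells you a secret exists, while the commit-date join tells you how far past the rotation target it is, which is the figure the 94-day median above is measuring.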
The 2025 DBIR findings emphasize the need for a holistic security approach that prioritizes vulnerability management while addressing third-party risks and evolving ransomware tactics. Security teams can build more resilient programs that protect their organizations against the most prevalent attack vectors by focusing on these key areas.
Mitigating human error
Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens:
Awareness is a battle that organizations can never truly win. This is because humans generally don’t retain information that doesn’t directly impact them personally or professionally. Therefore, to improve retention, awareness efforts should be customized to each employee, relevant to the specific digital activities being performed, and involve employees in sharing the awareness with others. Unfortunately, many security and risk leaders today use awareness as a way to deflect blame if something goes wrong. Stronger technical controls must be implemented that eliminate the ability to allow adversary-in-the-middle (AiTM) attacks. Apart from the usual security awareness, which must focus on how the actual technology does not provide multiple error messages, users must restart their authentication, trigger a password reset, and change their account security questions when flooded with requests, no matter how bothersome they are.
James Scobey, Chief Information Security Officer at Keeper Security:
Humans are always the weakest link in ‘abuse of trust’ attacks. Generative AI will play a dual role in the identity threat landscape this year. On one side, it will empower attackers to create more sophisticated deepfakes — whether through text, voice or visual manipulation — that can convincingly mimic real individuals. These AI-driven impersonations are poised to undermine traditional security measures, such as voice biometrics or facial recognition, which have long been staples in identity verification. Employees will, more and more frequently, get video and voice calls from senior leaders in their organization, telling them to grant access to protected resources rapidly. As these deepfakes become harder to distinguish from reality, they will be used to bypass even the most advanced security systems.
On the other hand, generative AI offers significant potential for bolstering defenses. Security teams can harness AI’s ability to analyze massive datasets and detect patterns in real-time, identifying anomalies that could be indicative of identity fraud. AI-driven tools can enhance behavioral biometrics and continuous authentication by examining user actions over time, flagging deviations that might indicate impersonation. However, as powerful as AI is, it still requires significant human oversight. AI models, while adept at processing vast amounts of data, can miss nuanced context or make incorrect conclusions based on incomplete information. Skilled security professionals will remain essential in guiding these AI systems, fine-tuning their analysis and intervening when automated responses are insufficient.
Dealing with ransomware threats
Trey Ford, Chief Information Security Officer at Bugcrowd:
Ransomware teams, like every other criminal organization, are businesses. Ransoms are usually paid via cryptocurrency, and those values have been back on the rise since Q4 2023 — rising aggressively in the past couple of quarters.
Regardless of the ransomware actor, the foundational controls still matter. Knowing your total attack surface and testing your environment, with an eye toward efficient remediation, is key. Enterprise controls including visibility (logging, EDR), hardening (privileged account management, careful inventory of service accounts), and MFA for domain admin and remote access are paramount. There is a strong correlational reason cyber insurance underwriters care about those key controls and coverage in the application process. If those controls are not effective, cyber insurance underwriters might have to pay out. Be open with management about which of those controls are effective and lacking — and secure funding to get them online as fast as possible.
Brandon Williams, Chief Technology Officer at Conversant Group:
Attackers will continue demanding ransoms not only to decrypt but also to avoid the publishing of stolen data. Some threat actors have moved to deleting data as part of their normal motions. If this gains traction this year, organizations will not have a method to recover by simply paying a ransom and hoping to get a working decryption tool. The only method of recovery will be backups; however, data shows that backups do not typically survive these breaches.
According to our own research, 93% of cyber events involve targeting of backup repositories, and 80% of data thought to be immutable does not survive. Being able to recover, but having no place to recover to, will result in longer outages and increased business interruption costs. This will require strategic breach recovery plans that integrate real-time threat detection, adaptive defenses and incident response protocols. The most effective component of breach recovery plans is immutable backups, which are essential for fast recovery from breaches. The tamper-proof design of immutable backups guarantees the integrity of stored data and reduces recovery time while allowing for rapid restoration without the risk of reintroducing infected or corrupted files.
Managing vulnerabilities
Jason Soroko, Senior Fellow at Sectigo:
Organizations should embrace a proactive, dynamic security posture that leverages real-time risk analytics to bolster their defenses against vulnerability exploits. Beyond patching, deploying automated orchestration tied to live threat feeds can prioritize remediation on the fly. The most effective controls combine microsegmentation with strong authentication and adaptive access and behavioral analytics. The term zero trust is often used, but it’s the principles behind it that are important.
Techniques like chaos engineering for security testing, which stress-test defenses in unpredictable ways, and machine learning–driven anomaly detection offer fresh layers of defense. These measures limit lateral movement and flag subtle shifts in network behavior, tightening security even when patching lags behind threat emergence.
Static defenses won’t suffice. Integrating diverse data sources — including CISA’s KEV — into a unified, predictive vulnerability management framework can shift organizations from reactive patching to anticipatory risk management. This fresh, intelligence-driven approach is essential in a landscape where every day counts.
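Both the Qualys recommendations earlier on this page (risk-based prioritization, edge-device priority, EOL inventory, flagging vulnerabilities tied to known ransomware groups) and the point just made about folding CISA's KEV into vulnerability management come down to one ranking function. The example below is added here and is not code from Verizon, Qualys, Sectigo or CISA: it joins constructed scanner findings with a constructed KEV-style catalog whose field names follow the public CISA KEV JSON feed, then scores each finding so that in-the-wild exploitation, ransomware use, internet exposure, EOL status and SLA age outrank raw CVSS. The CVE ids are placeholders, and the 7-day edge and 30-day internal remediation targets and the score weights are assumptions chosen for the illustration, not values from the report.

```python
from datetime import date

# Constructed KEV-style catalog. Field names match the public CISA KEV JSON
# feed; the CVE ids and products are placeholders, not real entries.
KEV_FEED = [
    {"cveID": "CVE-0000-0001", "product": "Example VPN Gateway",
     "dateAdded": "2025-04-01", "dueDate": "2025-04-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "product": "Example Web Framework",
     "dateAdded": "2025-03-15", "dueDate": "2025-04-05",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed scanner findings already joined with the asset inventory
# (internet exposure and end-of-life status come from the inventory side).
FINDINGS = [
    {"asset": "vpn-edge-01", "cve": "CVE-0000-0001", "cvss": 7.5,
     "internet_facing": True, "end_of_life": False, "first_seen": "2025-04-02"},
    {"asset": "app-int-07", "cve": "CVE-0000-0002", "cvss": 9.8,
     "internet_facing": False, "end_of_life": False, "first_seen": "2025-04-10"},
    {"asset": "fw-branch-03", "cve": "CVE-0000-0003", "cvss": 6.1,
     "internet_facing": True, "end_of_life": True, "first_seen": "2025-02-01"},
    {"asset": "db-int-02", "cve": "CVE-0000-0004", "cvss": 9.1,
     "internet_facing": False, "end_of_life": False, "first_seen": "2025-04-28"},
]

# Assumed internal remediation targets; the edge target sits well under the
# 32-day median the report cites, because mass exploitation arrives at day zero.
EDGE_REMEDIATION_SLA_DAYS = 7
INTERNAL_REMEDIATION_SLA_DAYS = 30


def index_kev(feed):
    """Map cveID -> catalog entry for O(1) lookups during scoring."""
    return {entry["cveID"]: entry for entry in feed}


def score(finding, kev, today):
    """Return (score, reasons). Exploitation evidence and exposure are weighted
    above the CVSS base score, which is only the starting point."""
    s = finding["cvss"]
    reasons = []
    entry = kev.get(finding["cve"])
    if entry:
        s += 10
        reasons.append("in KEV (exploited in the wild)")
        if entry["knownRansomwareCampaignUse"] == "Known":
            s += 5
            reasons.append("used by ransomware campaigns")
        if date.fromisoformat(entry["dueDate"]) < today:
            s += 3
            reasons.append("past KEV due date")
    if finding["internet_facing"]:
        s += 8
        reasons.append("internet-facing/edge")
    if finding["end_of_life"]:
        s += 4
        reasons.append("EOL asset: no vendor patch, needs a compensating control")
    sla = EDGE_REMEDIATION_SLA_DAYS if finding["internet_facing"] else INTERNAL_REMEDIATION_SLA_DAYS
    age = (today - date.fromisoformat(finding["first_seen"])).days
    if age > sla:
        s += 2
        reasons.append(f"open {age}d, past {sla}d SLA")
    return s, reasons


def prioritize(findings, feed, today):
    """Score every finding and return them highest priority first."""
    kev = index_kev(feed)
    ranked = []
    for f in findings:
        s, reasons = score(f, kev, today)
        ranked.append({"asset": f["asset"], "cve": f["cve"], "score": s, "reasons": reasons})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_FEED, date(2025, 4, 30)):
        print(f"{r['score']:5.1f} {r['asset']:13} {r['cve']}  " + "; ".join(r["reasons"]))
```

With the constructed data the two highest-CVSS findings are internal hosts, yet the ranking puts the internet-facing VPN gateway with a ransomware-linked KEV entry first and the EOL branch firewall above the internal database, which is the reordering the commentary is asking for. The `reasons` list is kept alongside the score so the ticket a patch team receives states why an item jumped the queue rather than just a number.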