2025 Verizon Data Breach Investigations Report

Explore the top insights from Verizon’s 2025 Data Breach Investigations Report. Learn about rising ransomware costs, user-targeted attacks, and what these trends mean for your cybersecurity strategy.

2025-04-08

2025 Verizon DBIR: Key Facts, Trends & Statistics

The 18th edition of Verizon’s Data Breach Investigations Report (DBIR) delivers the most extensive breach data yet, with the 2025 report analyzing over 22,000 incidents and setting new benchmarks for threat insights and attack trends.

Below is a narrative walk-through of the figures every CISO, security-awareness owner, and SOC lead should keep at hand.

Key findings from Verizon's 2025 Data Breach Investigations Report

The 2025 Verizon DBIR presents its largest dataset yet, analyzing over 22,000 security incidents and 12,000 confirmed breaches. Here are the key takeaways:

Ransomware was present in 44% of breaches. The median payout fell to $115K, and 64% of victims refused to pay.
Third-party breaches surged, now accounting for 30% of all cases.
Stolen credentials (22%) and exploited vulnerabilities (20%) were the primary entry points for breaches.
Edge and VPN flaws have increased eightfold; only 54% are patched, with a median fix time of 32 days.
Human error was a contributing factor in 60% of breaches. User reporting increased 4x after training.
Espionage-related breaches increased by 163%, now accounting for 17% of incidents.
Infostealers compromised 30% of corporate and 46% of unmanaged devices holding company credentials.
15% of staff accessed generative AI tools, with 72% using personal email accounts.
Business Email Compromise (BEC) losses hit $6.3B, with a median loss of $50K.

Detailed Breakdown of 2025 Verizon DBIR

The 2025 DBIR reveals a complex threat landscape, dominated by ransomware, exploited vulnerabilities, and persistent human risk.

Now, let's dive deeper into the detailed breakdown of the 2025 DBIR's findings.

Threat Landscape Overview: Scope, Scale, and Dominant Attack Patterns

The 2025 DBIR dataset comprises a record-breaking 22,052 security incidents and 12,195 confirmed data breaches, encompassing impacted entities across 139 countries. This expansion provides enhanced reporting and expanded coverage across multiple industries and regions.

Breach analysis shows 5 dominant attack patterns accounting for the vast majority of successful compromises:

Rank	Attack Pattern	Breach Involvement Rate
1	System Intrusion	53%
2	Social Engineering	17%
3	Basic Web Application Attacks	12%
4	Miscellaneous Errors	12%
5	Privilege Misuse	6%

Table 1: Top 5 Attack Patterns by Breach Involvement – DBIR 2025

System Intrusion—often involving malware, ransomware, or lateral movement—emerged as the leading breach pattern, up significantly from previous years. Social engineering and web application attacks continue to dominate as low-barrier, high-reward vectors.

Notably, third-party involvement surged to 30% of all breaches, a doubling from last year’s 15%, highlighting the growing systemic risk posed by partner ecosystems and supply chains.

Picture 1: Comparison of 2024 and 2025 on Scope, Scale, and Dominant Attack Patterns (Source: 2025 Verizon DBIR)

Ransomware Dynamics: Prevalence High, Profitability Under Pressure

Ransomware remains a dominant threat vector in 2025 report, featuring in 44% of all confirmed breaches—a notable increase from 32% in the previous year. This indicates both the sustained utility of ransomware for adversaries and its adaptability across diverse attack surfaces.

Check out our guide to learn more about Ransomware and how it works.

Asymmetric Impact Across Business Tiers

The operational and financial impact of ransomware falls most heavily on small and medium-sized businesses (SMBs). In 2025 report:

88% of breaches involving SMBs contained a ransomware component.
By contrast, only 39% of enterprise breaches included ransomware payloads.

This asymmetry suggests that attackers continue to prioritize victims with weaker incident response capabilities, slower patch cycles, and under-resourced security teams—factors often present in small to medium-sized businesses (SMBs).

Picture 2: The Presence of Ransomware Attacks increased by 37% From Last Year (Source: 2025 Verizon DBIR)

Ransom Payment Economics Shift

Ransomware payments are trending downward, signaling changing dynamics between attackers and victims:

The median ransom payment declined to US$ $115,000 in 2024, compared to US$ $150,000 in 2023. Additionally:
95% of ransom payments were under US$3 million, a stark contrast to US$ $9.9 million in 2023.

This decline in average payout values indicates attackers are lowering demands, while victims are getting better at negotiating or refusing to pay.

Payment Refusal on the Rise

Victim's refusal to engage with ransom demands has grown markedly:

In 2022, 50% of ransomware victims opted not to pay.
By 2024, this figure increased to 64%, signaling a shift toward resilience-driven strategies and reduced attacker leverage.

Picture 3: Yearly Percentage of Unpaid Ransoms in Ransomware Incidents (Source: 2025 Verizon DBIR)

The trend likely reflects improved incident response readiness, greater adoption of immutable backups, broader legal and insurance guidance discouraging payments, and increased collaboration with law enforcement agencies.

Strategic Insight:

Ransomware is still spreading, but it's becoming less profitable due to better recovery tools, stricter regulations, and changing industry responses.

In response, threat actors are expanding their attack surface, particularly toward small to medium-sized businesses (SMBs), to offset the diminishing returns from high-value targets. This reinforces the urgency for SMBs to invest in layered defense, rapid detection, and tested continuity protocols.

The Keepnet team has also discovered a resurgence of Ransomware in 2025. To learn more about the reasons behind this, read our blog post: Ransomware Attacks Are on the Rise Again in 2025.

Initial Access Vectors: Credential-Based Attacks Lead, But Exploit-Driven Intrusions Are Surging

Analysis of non-error and non-insider breaches in the 2025 DBIR highlights a dynamic shift in initial access techniques, with stolen credentials remaining the most prevalent vector but facing increasing competition from vulnerability exploitation.

Initial Access Vector	2025 Prevalence	Year-over-Year Change
Stolen credentials	22%	▼ (declining trend)
Exploited vulnerabilities	20%	▲ +34% YoY
Phishing	15%	≈ (relatively stable)

Table 2: Initial Access Vectors in 2025: Prevalence and Growth Trends

A 34% rise in exploit-based breaches shows that attackers are focusing more on outdated, unpatched systems, especially those exposed to the internet, as easy entry points into company networks.

Picture 4: Initial Access Vectors Trends (Source: 2025 Verizon DBIR)

Edge Infrastructure as a Breach Catalyst

A deeper analysis reveals that 22% of all vulnerability exploitation breaches targeted edge infrastructure, including firewalls, VPN concentrators, and remote access gateways. This represents an eightfold increase compared to the previous year, underscoring the growing risk posed by internet-exposed, perimeter-layer devices.

Remediation Gaps Persist

Despite the critical role of edge devices in breach chains, patch management remains insufficient:

Only 54% of vulnerable edge devices were fully remediated during the observation period.
The median time to remediate (MTTR) these vulnerabilities was 32 days, which is well above the best-practice thresholds for internet-facing systems.

This remediation lag provides adversaries with an extended attack window, particularly in cases involving known vulnerabilities (CVEs) with available public exploits.

Strategic Insight:

The data shows two main threat paths—credential reuse and phishing remain popular for their low cost and scale, while vulnerability exploitation, especially targeting edge infrastructure, is making a strong comeback as a primary attack method.

Organizations with hybrid or remote environments must urgently improve patching speed, enhance visibility of all assets, and shrink their exposed attack surface. To prevent breaches early, effective vulnerability management should be supported by advanced threat detection and rapid incident response.

Explore our guide to discover how to secure edge infrastructure, including firewalls.

The Human Element: Behavioral Exposure Plateaus, but Detection Signals Strengthen

Human behavior remains a critical factor in the exposure of organizational breaches. In the 2025 DBIR dataset, approximately 60% of all confirmed breaches involved a human action, whether it was a malicious click, a socially engineered phone call, or the misdelivery of sensitive data.

This proportion remains consistent year over year, underscoring the persistent susceptibility of users to deception and cognitive overload in digital environments.

Phishing Susceptibility Reaches Behavioral Floor

Simulation-based assessments indicate that, despite continuous awareness training, the median phishing simulation click-through rate has plateaued at ~1.5%, suggesting a behavioral floor below which further reductions are statistically and operationally challenging to achieve.

This remaining risk stems from human factors, such as distraction, mental overload, or phishing messages that are extremely convincing.

Picture 5: Phishing Simulation Campaign Report Rate by Click Status (Source: 2025 Verizon DBIR)

Training Frequency Drives Reporting Efficacy

A critical success metric for phishing mitigation is user-driven detection and escalation. The report finds that:

Employees who received phishing awareness training within the past 30 days were 4x more likely to report phishing attempts.
Reporting rate among recently trained users: 21%
Reporting rate among untrained or outdatedly trained users: 5%

This data supports the use of short-cycle, high-frequency training models that reinforce response behavior without inducing fatigue.

Discover our guide to learn more about why traditional security awareness fails to change employee behaviors and how organizations can address this issue.

Operational Takeaway:

While simulation click-rates have stabilized near a baseline threshold, the organizational focus should shift toward reducing dwell time by maximizing internal reporting velocity.

Embedding clear escalation paths, gamifying threat detection, and integrating phishing-report signals into automated Security Operations Center (SOC) playbooks can transform users from risk vectors into early detection sensors. Training cadence—not just content—is emerging as the primary lever to enhance security-aware behavior at scale.

Discover our guide to understand why establishing a robust security culture is crucial for shaping employee behavior and mitigating risk.

Credential-Theft Ecosystem: Infostealers Fueling Both Account Takeover and Ransomware Campaigns

Credential theft via infostealer malware remains a high-value enabler across the entire attack lifecycle, powering initial access, privilege escalation, and payload delivery in both account takeover (ATO) and ransomware operations. The 2025 DBIR highlights the growing systemic risk posed by credentials exfiltrated from unmanaged endpoints and consumer-grade devices.

BYOD and Enterprise Exposure

The rise of infostealer threats reveals major gaps in device management and endpoint security.

30% of devices identified in infostealer logs were running enterprise editions of Windows, suggesting direct corporate endpoint exposure.
Alarmingly, 46% of devices logging corporate credential artifacts were unmanaged endpoints—most likely BYOD, personally owned laptops, or work-from-home devices outside of endpoint detection and response (EDR) visibility.

This erosion of asset control significantly undermines traditional endpoint security models, highlighting the inadequacy of relying solely on corporate-managed tooling.

Threat Correlation with Ransomware Leak-Site Attribution

For organizations that were subsequently named on ransomware actor leak sites, forensic analysis revealed:

54% had domains appear in infostealer logs, suggesting that credentials were likely exfiltrated and sold or repurposed for access brokering.
Of these, 40% of the logs contained corporate email addresses, reinforcing the linkage between commodity credential marketplaces and targeted extortion operations.

This suggests that many ransomware attacks don’t start with complex hacks, but with stolen credentials gathered in bulk and sold on the dark web through infostealer networks.

Strategic Implications:

Endpoint security controls alone are insufficient in mitigating credential exfiltration from non-corporate assets. Organizations must adopt a credential hygiene strategy that includes:

Mandatory MFA enforcement (including phishing-resistant options)
Credential revocation monitoring
Off-network login detection and behavioral analytics
Password rotation policies for privileged and exposed accounts
Dark-web and stealer-log surveillance for exposed credentials

By treating credentials as volatile, high-risk assets rather than static identity tokens, enterprises can better defend against the commoditization of access in today’s ransomware supply chain.

Business Email Compromise (BEC): A Low-Noise, High-Impact Threat with $6.3 Billion in Reported Losses

Despite lacking the operational drama of ransomware or destructive malware, Business Email Compromise (BEC) remains one of the most financially devastating forms of cybercrime. According to FBI IC3 data cited in the 2025 DBIR:

Total reported BEC losses in 2024 reached US$ $6.3 billion.
The median loss per complaint remained steady at ~US$ 50,000, based on ~19,000 incident reports.

These figures highlight the sustained profitability of BEC schemes, which often evade traditional security detection due to their low malware signature profile and high reliance on social engineering.

Dive into our guide to learn more about Business Email Compromise (BEC) and how it works.

Payment Modality and Money Laundering Trends

Approximately 88% of BEC-related fraudulent fund transfers were executed via traditional wire transfers, maintaining their position as the preferred channel for laundering.
Cryptocurrency usage declined, likely due to increased scrutiny from law enforcement and regulatory compliance measures at major exchanges.

Wire-based transfers offer a reliable, globally accessible channel for cybercriminals to move large sums with minimal technical expertise, often utilizing mule networks and shell companies to obscure the origin trails.

Operational Insight:

BEC continues to thrive because it exploits process gaps rather than technology vulnerabilities. Security leaders must focus on:

Implementing segregation of duties in payment authorization workflows
Enforcing out-of-band verification for payment change requests
Deploying machine-learning-based email anomaly detection, tuned for domain lookalikes and social context
Training finance and HR staff on typical BEC narratives, such as urgent payment redirection or fake executive approvals

By operationalizing controls at the intersection of people, process, and communication, organizations can materially reduce their exposure to BEC-related financial losses.

AI-Driven Exposure: Generative AI Use Patterns and Threat Evolution

The integration of generative AI (Gen-AI) tools into daily workflows has introduced a new class of data exposure risks, particularly when accessed through unmanaged channels or insufficient identity governance controls.

Workforce Usage Patterns

According to the 2025 DBIR, 15% of employees access Gen-AI platforms, such as ChatGPT, Bard, or Claude, from corporate endpoints at least twice a week. However, identity assurance and access governance are highly inconsistent:

72% of AI-tool users sign in using personal email addresses.
17% use corporate emails without SSO enforcement, exposing organizational assets to unauthorized reuse risks.
Only 11% of Gen-AI users authenticate via corporate SSO, which enables logging, revocation, and risk-based access controls.

This fragmented identity layer undermines both DLP policies and visibility into outbound content, leaving the enterprise perimeter.

Synthetic Content in Threat Campaigns

From an adversarial perspective, AI-generated text content in phishing emails has doubled over the past two years, contributing to more linguistically convincing, grammatically accurate, and context-aware phishing lures.

These synthetically generated messages can bypass traditional rule-based content filters and exploit user trust with minimal effort on the part of the attacker.

Defensive Implications:

To manage AI-related data risk, organizations should:

Enforce SSO-based access policies for all sanctioned Gen-AI tools.
Use CASB or inline proxy controls to restrict sensitive content from being pasted into AI interfaces.
Tune outbound DLP systems to detect and intercept large text segments, code, or internal documents exfiltrated via browser-based AI tools.
Monitor AI usage patterns for anomalous behavior using UEBA (User and Entity Behavior Analytics).
Educate users on the acceptable use of Gen-AI and the regulatory and contractual implications of unauthorized data sharing.

With AI adoption rising, organizations must enforce strict usage policies and monitor device activity to safeguard proprietary data and prevent IP leaks through tools like ChatGPT or other consumer AI platforms.

Explore our guide to see how AI is supercharging phishing attacks—and what you need to know to stay ahead of them.

Espionage-Motivated Breaches: From Covert Operations to Operational Risk

The 2025 DBIR highlights a significant resurgence in cyber-espionage activity, signaling a shift in both volume and intent within state-sponsored campaigns.

In 2024, 17% of all confirmed breaches were attributed to espionage-motivated actors, representing a 163% year-over-year increase.

Notably, 28% of these state-linked breaches also displayed financial motivation, reflecting a dual-purpose strategy by advanced persistent threat (APT) groups — often described as “double-dipping,” where the same access is used for both intelligence collection and monetization activities.

Picture 6: Espionage was the motive behind 17% of all confirmed breaches in 2024

Implications of the Espionage Surge

The line between cybercrime and cyber-espionage is fading, as nation-state attackers increasingly use the same access for both spying and financial gain:

Strategic intelligence gathering (e.g., industrial, diplomatic, military)
Ransomware deployment or data extortion for financial gain
Access resale to affiliated criminal networks for further monetization

These mixed attacks make it harder to identify who’s behind them, stop the damage, and manage the response—especially for organizations in critical infrastructure, defense, or sensitive supply chains.

Strategic Response:

Security teams must evolve beyond traditional nation-state playbooks and prepare for the multifaceted behavior of threat actors. Key countermeasures include:

Enabling threat hunting with nation-state TTP mappings (e.g., MITRE ATT&CK for APTs)
Segmenting networks to restrict lateral movement post-compromise
Deploying zero-trust architectures to reduce the exploitability of long-term access
Enhancing cross-border incident escalation protocols, especially for entities in sectors targeted by geopolitical adversaries

The mix of espionage and financially driven tacticshighlights the need for collaborative intelligence partnerships and integrated threat detection frameworks that transcend industry boundaries.

Operational Priorities for 2025–2026: Metrics That Drive Resilience

In light of the evolving threat landscape presented in the 2025 DBIR, security leaders must recalibrate defensive investments based on empirical breach data. The following strategic priorities and performance metrics should anchor cybersecurity programs through 2026:

Priority Area	Key Metric to Track	Rationale / Threat Driver
1. Accelerate Edge Device Patching	Median 32 days time-to-remediate (TTR) → Target ≤ 7 days	The exploitation of edge-facing infrastructure, including VPNs and firewalls, increased eight times; these systems are prime targets for initial access vectors.
2. Eliminate Standing Credentials	Stolen credentials are involved in 22% of breaches	Infostealer malware, combined with unmanaged (BYOD) endpoints, is fueling credential reuse and access brokering. Rotate secrets and proactively monitor credential exposure.
3. Enforce MFA Ubiquitously	Audit MFA coverage; track bypass attempts (AiTM, SIM-swap, prompt fatigue)	MFA bypass techniques are now mainstream—MFA enforcement must evolve from checkbox compliance to context-aware, phishing-resistant methods.
4. Operationalize Ransomware Response Playbooks	64% of organizations now refuse to pay ransoms	As more firms withstand extortion demands, preparedness becomes leverage. Testing restoration workflows, negotiating readiness, and obtaining legal pre-authorization are critical.
5. Quantify and Harden Third-Party Security Posture	30% of breaches involve a third-party	Supply chain exposure is no longer hypothetical—Snowflake, MOVEit, and others prove that vendor identity hygiene (e.g., MFA, RBAC) is vital.
6. Convert Phishing Reports into Containment Triggers	4× increase in report rates after ≤ 30-day training	Rapid user escalation is a high-fidelity signal. Integrate phishing-report telemetry into automated SOC workflows to block malicious payloads in real-time.

Table 3: Key Security Priorities and Metrics for 2025–2026 Based on DBIR Insights

The 2025 DBIR shows that attackers are streamlining their methods—using stolen credentials to break in and ransomware to make money.

Yet the data also shows that defenders are winning some battles—fewer ransom payments, faster patching, and better user reporting.

The organisations that convert these gains into routine muscle memory will set the pace for cyber-resilience in 2026.

Keepnet’s Suggestions to the Issues Covered in Verizon Data Breach Report 2025

Keepnet offers the following strategic and technical solutions aligned with these findings to help organizations strengthen their human-centric security posture:

Mitigating the Human Element (Involved in ~60% of Breaches)

To effectively address human-related risks, organizations should implement a layered approach that includes adaptive training, realistic simulations, and nudge mechanisms:

Deploy localized, behaviorally adaptive Security Awareness Training (SAT): Keepnet provides modular, role-specific training security awareness training content in over 30 languages, using real-world attack narratives and gamification to maximize retention and behavior change.
Utilize advanced phishing simulations across multiple channels: Simulate attacks via email phishing, voice (vishing), SMS (smishing), QR codes, and MFA-bypass techniques—matching the complexity observed in real-world incidents.
Automate reinforcement through nudges: Enable Just-in-Time Training triggered by risky user actions (e.g., click, credential entry), supported by micro-learning formats and dynamic difficulty adjustment.

Combating Credential Abuse and Infostealer Risk

As credential-based attacks grow, these key actions help detect, respond to, and prevent identity compromise:

Activate continuous Credential Exposure Monitoring (CEM): Detect and alert on corporate credentials found in stealer logs, dark web marketplaces, and public dumps, including domain-level detection and email identity exposure scoring.
Enhance detection with Keepnet Threat Intelligence: Integrate Keepnet’s proprietary Threat Intelligence engine, which enriches CEM by correlating leaked credentials from external breaches (e.g., LinkedIn, third-party SaaS breaches) to internal user accounts. This ensures visibility even when the breach originates outside your organization.
Enforce secure authentication hygiene: Promote the use of phishing-resistant MFA (e.g., FIDO2, Passkeys) and implement credential lifecycle policies (rotation, revocation) triggered by CEM alerts.
Leverage anomaly detection for identity misuse: Integrate Identity Threat Protection layer to flag suspicious authentication attempts from unmanaged or non-corporate devices.
Use Threat Sharing for community-wide defense: Keepnet’s Threat Sharing platform allows organizations to exchange IOCs, TTPs, and leaked credential data with trusted partners, industry ISACs, or CERTs. Sharing can be configured as public or private based on organizational policy, enabling collaborative defense without compromising confidentiality.

Reducing Ransomware Risk and Enhancing Recovery Preparedness

To stay resilient against ransomware, organizations must combine technical simulations with strategic training and readiness metrics. The following steps help build both prevention and response capabilities:

Run ransomware tabletop simulations and response playbooks: Build muscle memory across IT, legal, and executive teams for negotiation, containment, legal/regulatory reporting, and recovery sequencing.
Deploy Keepnet’s Email Threat Simulator: Use Keepnet’s Email Threat Simulator to replicate real-world email-borne attack vectors in a safe, controlled environment. Simulate malicious links, weaponized attachments, fileless payloads, and spoofed sender techniques without impacting productivity. Gain visibility into user interactions and technical detection gaps across SEG, EDR, and XDR layers.
Correlate phishing simulations with ransomware scenarios: Simulate pre-ransomware reconnaissance behaviors such as infostealer malware delivery, credential phishing, and initial access broker handoffs.
Establish training and simulation KPIs: Track metrics such as simulation click rates, reporting rates, MTTR for phishing incidents, and ransomware readiness scores to measure maturity and progress.

Securing the Third-Party Ecosystem (Now Involved in 30% of Breaches)

With third-party risks on the rise, it's critical to extend security controls and visibility to vendors and partners. The following actions help strengthen your extended security perimeter:

Extend SAT programs to suppliers and third-party users: Keepnet’s SCORM Proxy allows training content to be deployed without integrating external LMS systems, enabling lightweight supplier onboarding and compliance.
Continuously assess vendor phishing resilience: Include partners in controlled phishing simulations to gauge social engineering risk exposure across your extended attack surface. Through the Supply Chain Security solution, organizations can centrally manage the security posture of all third-party users and vendors.

Turning Phishing Reports Into Real-Time Defense Triggers

Empowering users to report phishing not only speeds up threat detection, but also fuels automated SOC actions and adaptive training based on actual risk exposure:

Use the Phishing Reporter plugin in Outlook/Google Workspace: Empower end users to report suspicious emails directly, creating a closed loop from phish detection to SOC triage.
Automate SOC response using reported emails: With Keepnet’s Phishing Incident Response, automatically detonate attachments, extract IOCs, and quarantine similar emails across the environment.
Prioritize users for adaptive training: Feed SOC outcomes and click/report behavior into a Risk-Based Training Engine, ensuring high-risk users are remediated first.

The 2025 DBIR makes it clear—cybersecurity is no longer just a technical issue; it is a human and systemic one. Keepnet’s Human Risk Management Platform enables organizations to preemptively address the exact vulnerabilities that threat actors exploit—turning insight into action, users into sensors, and breaches into teachable moments.

Download 2025 Verizon Data Breach Investigations Report

To dive deeper into the full scope of cybersecurity trends shaping 2025, we highly recommend reading the complete Verizon Data Breach Investigations Report (DBIR).

Whether you’re building your cybersecurity strategy or refining your awareness program, the report delivers the data-backed clarity you need. Download the full report and equip your team with the metrics that matter most.