Five takeaways from the 2025 Verizon Data Breach Investigations Report
The 18th annual DBIR analyzed 22,052 incidents and 12,195 confirmed breaches across 139 countries. Five findings every security leader should be acting on now.
The 2025 Verizon Data Breach Investigations Report (DBIR) is out, and at 18 annual editions in, it remains the most widely cited dataset in the industry. This year's report covers 22,052 real-world security incidents and 12,195 confirmed data breaches across organizations of every size, drawn from 139 countries. That breadth matters — when the DBIR moves a percentage point, it represents tens of thousands of real organizations.
Here are the five findings we think security leaders should be acting on now.
1. The human element is still the dominant story — at 60%
The headline number from this year's report: the human element was involved in roughly 60% of breaches, holding steady from the previous year. That includes social engineering, errors, credential abuse, and privilege misuse — the categories where a person, not a vulnerability scanner, is the right unit of analysis.
The human element doesn't drop because attackers stop targeting people. It drops because the people get harder to fool. That's an awareness program problem, not an EDR problem.
2. Vulnerability exploitation jumped 34%
Exploitation of vulnerabilities reached 20% as an initial access vector — a 34% increase over last year — and is now neck-and-neck with credential abuse for the top spot. A big driver: zero-day exploits targeting edge devices and VPNs grew from 3% of exploitation actions to 22%, an almost eight-fold jump.
The patching story is sobering. Organizations only fully remediated 54% of edge-device vulnerabilities through the year, and the median remediation time was 32 days. That's a long window for an attacker.
3. Ransomware presence jumped to 44%
Ransomware (with or without encryption) appeared in 44% of all breaches, up from 32% the prior year. The good news: median ransom paid dropped to $115,000 (from $150,000), and 64% of victim organizations did not pay. Defender economics improved even as the volume of ransomware attempts rose.
Ransomware also remains disproportionately a problem for small and mid-sized organizations. SMBs experienced ransomware-related events at a markedly higher rate.
4. Third-party involvement doubled
Third-party involvement in breaches doubled from 15% to 30%. That mirrors a structural shift many security teams already feel — your attack surface increasingly includes your vendors' attack surfaces. Software supply chains, MSPs, professional services, and SaaS providers all show up as breach vectors in this year's data.
The takeaway isn't "audit your vendors more." Most organizations already do that. The takeaway is that your awareness program needs to include vendor and contractor users if those people have access to your systems — which they almost certainly do.
5. Social engineering: 17% of breaches, with pretexting nearly doubling
17% of breaches involved social engineering as the primary classification. That number, taken alone, can feel low — but it's the share where social engineering was the primary technique. Many credential-abuse and ransomware breaches in the dataset started with a social engineering action that didn't quite count under the strict classification.
Within social engineering, pretexting attacks doubled and now represent ~50% of social-engineering activity. Pretexting is the patient, contextual, often multi-message kind of attack — it's exactly the category that simple click-rate metrics tend to miss.
What to do about this
The DBIR doesn't prescribe controls, but a few things follow directly from the data:
- Patch faster on edge devices. 32 days to remediate edge-device CVEs is not survivable when zero-days are an eight-fold larger problem this year.
- Treat vendors as part of your awareness program. If they touch your data, they need to be in your testing rotation.
- Move from click-rate to behavior-change metrics. Pretexting attacks rarely show up as one-click events. Measure who reports, who repeats, and who improves over time.
- Pair simulation with adaptive training. Click rates falling in isolation just means people learned to spot that template. Real risk reduction comes from a closed loop: test, train, retest, measure delta.
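As an added illustration of the behavior-change metrics recommended above (example code, not from the original post or from Verizon), the script below computes click rate, report rate, repeat clickers and per-user improvement across two constructed simulation campaigns; the record layout is an assumption about what a simulation platform exports.

```python
"""Behavior-change metrics for a phishing-simulation program.

Added example. The records are constructed; the field layout
(user, campaign, clicked, reported) is an assumption.
"""
from collections import defaultdict

# Constructed results: campaign 1 before adaptive training, campaign 2 after.
RECORDS = [
    # (user, campaign, clicked, reported)
    ("alice", 1, True, False), ("alice", 2, False, True),
    ("bob", 1, True, False), ("bob", 2, True, False),
    ("carol", 1, False, True), ("carol", 2, False, True),
    ("dave", 1, False, False), ("dave", 2, False, True),
    ("erin", 1, True, False), ("erin", 2, False, False),
]


def campaign_rates(records):
    """Per-campaign click and report rates as a fraction of targeted users."""
    totals = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for _user, campaign, clicked, reported in records:
        t = totals[campaign]
        t["n"] += 1
        t["clicked"] += clicked  # bool counts as 0/1
        t["reported"] += reported
    return {c: {"click_rate": t["clicked"] / t["n"], "report_rate": t["reported"] / t["n"]}
            for c, t in totals.items()}


def repeat_clickers(records, first, second):
    """Users who clicked in both campaigns: the cohort a falling click rate hides."""
    clicked = defaultdict(set)
    for user, campaign, was_clicked, _reported in records:
        if was_clicked:
            clicked[campaign].add(user)
    return sorted(clicked[first] & clicked[second])


def improved(records, first, second):
    """Users who clicked in the first campaign and reported (without clicking) in the second."""
    by_user = defaultdict(dict)
    for user, campaign, clicked, reported in records:
        by_user[user][campaign] = (clicked, reported)
    return sorted(u for u, c in by_user.items()
                  if c.get(first, (False, False))[0] and c.get(second) == (False, True))


def delta(records, first, second):
    """Change in click and report rate between two campaigns (second minus first)."""
    rates = campaign_rates(records)
    return {k: rates[second][k] - rates[first][k] for k in ("click_rate", "report_rate")}
```

Note that a user like "erin" above stops clicking without ever reporting, so the click rate alone would count her as a success while the report-rate and improvement metrics do not.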
The 60% human-element number won't move because of one new tool. It moves when programs treat employees as a population to develop, not a population to score.
Sources: Verizon 2025 Data Breach Investigations Report — Executive Summary, Verizon 2025 DBIR — News Release.