The 2025 Verizon Data Breach Investigations Report (DBIR) just dropped, and if it were a movie, the tagline would be: "Credential reuse, third-party carnage, and zero-day drama. Coming to a supply chain near you."
This year's DBIR is packed with familiar villains—ransomware, unpatched edge devices, infostealer logs—but it also has some unsettling new plot twists, especially around software supply chain breaches and third-party risk. And spoiler alert: the bad guys are getting faster, better, and more financially motivated than ever.
Let’s break down what this means and, more importantly, how the Finite State platform is built to not just survive this chaos, but help your org own it.
The Big Stats from DBIR 2025 (aka The Cybersecurity Hall of Shame)
- Third-party involvement in breaches doubled, from 15% to 30%
- Credential reuse and leaked GitHub secrets: the median time to remediate an exposed secret was 94 days
- Edge device vulnerabilities exploded — 22% of initial access vectors, up from 3% last year
- Ransomware showed up in 44% of breaches (and 88% of SMBs got hit)
- Infostealer malware logs correlated with 54% of ransomware victims, most with compromised credentials from unmanaged BYOD devices
- And yeah, AI-generated phishing emails are on the rise. It’s Clippy’s evil twin, now in malware-as-a-service.
How the Finite State Platform Meets This Moment
The DBIR practically screams for proactive, software-focused security that scales with complex supply chains and product development. That’s our jam.
Let’s break it down, DBIR-style:
SBOMs and Enriched SBOMs: A Compass in the Supply Chain Fog
DBIR highlighted how third-party code and platforms are directly contributing to breaches, whether through exposed API keys or unpatched edge vulnerabilities.
What Finite State does:
- Generates SBOMs at scale: From firmware and binaries, even without source.
- Enriches them with real-time threat intelligence: Know not just what’s in the code, but what’s exploitable.
- Maps software components to known exploited vulnerabilities (KEVs), and flags risky components linked to past breaches, like MOVEit or Snowflake-related exposures.
- Credentials? We’ve got credentials! As part of our SBOM analysis, Finite State also evaluates and reports on risky behavior, such as default and hard-coded credentials, as well as those pesky private certificates and keypairs left behind.
Result: You gain visibility and control where DBIR shows most organizations are flying blind.
Vulnerability Management That’s Actually Risk-Based
It’s not just about CVSS scores anymore. The DBIR proves that attackers are exploiting business-critical vulnerabilities with ruthless efficiency.
Finite State brings:
- Automated analysis of CVEs in context, considering reachability, device function, exploitability, and compensating controls.
- Exploit-aware prioritization
- Integration with secure-by-design goals, aligning with FDA 524B, EU CRA, and beyond.
Takeaway: When patching everything is impossible (and it is), focus on what matters. We help you figure that out.
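To make the SBOM-to-KEV mapping and the context-aware prioritization described above concrete, here is an added Python illustration (this is not Finite State's code; the SBOM, vulnerability records, KEV entries and device context are all constructed, and the CVE ids are placeholders):

```python
# Added illustration, not Finite State's code: correlate an SBOM with a
# KEV-style catalog and rank findings by exploitability and device context.

# Constructed CycloneDX-like SBOM components.
SBOM = [
    {"name": "openssl", "version": "1.0.2k", "purl": "pkg:generic/openssl@1.0.2k"},
    {"name": "busybox", "version": "1.31.0", "purl": "pkg:generic/busybox@1.31.0"},
    {"name": "libjpeg", "version": "9d", "purl": "pkg:generic/libjpeg@9d"},
]
# Constructed vulnerability records; CVE ids and affected versions are placeholders.
VULNS = [
    {"id": "CVE-XXXX-0001", "component": "openssl", "affected": {"1.0.2k"}, "cvss": 7.5},
    {"id": "CVE-XXXX-0002", "component": "busybox", "affected": {"1.31.0"}, "cvss": 9.8},
    {"id": "CVE-XXXX-0003", "component": "libjpeg", "affected": {"9d"}, "cvss": 5.3},
]
# Constructed KEV-style catalog: ids the defender treats as known exploited.
KEV = {"CVE-XXXX-0001"}
# Constructed device context: network reachability of each component and
# whether a compensating control (e.g. the service is disabled) is in place.
CONTEXT = {
    "openssl": {"network_reachable": True, "compensating_control": False},
    "busybox": {"network_reachable": False, "compensating_control": True},
    "libjpeg": {"network_reachable": True, "compensating_control": False},
}


def match_vulns(sbom, vulns):
    """Return (component, vuln) pairs whose SBOM version is in the affected set."""
    by_name = {c["name"]: c for c in sbom}
    return [(by_name[v["component"]], v) for v in vulns
            if v["component"] in by_name
            and by_name[v["component"]]["version"] in v["affected"]]


def priority(vuln, ctx, kev):
    """CVSS as the base; doubled if known exploited, halved if unreachable or mitigated."""
    score = vuln["cvss"]
    if vuln["id"] in kev:
        score *= 2
    if not ctx["network_reachable"] or ctx["compensating_control"]:
        score /= 2
    return round(score, 1)


def prioritized_findings(sbom=SBOM, vulns=VULNS, kev=KEV, context=CONTEXT):
    """Findings as (component, cve, priority, in_kev), highest priority first."""
    findings = [(c["name"], v["id"], priority(v, context[c["name"]], kev), v["id"] in kev)
                for c, v in match_vulns(sbom, vulns)]
    return sorted(findings, key=lambda f: f[2], reverse=True)
```

On this sample the known-exploited CVSS 7.5 finding ranks above the unreachable, mitigated CVSS 9.8 one, which is the move from CVSS-only to risk-based triage the section describes.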
Penetration Testing: Firmware to Factory Floor
System Intrusion was a dominant theme in the report, especially hands-on-keyboard attacks post-initial access.
How Finite State helps:
- Device-level pen testing on embedded and IoT systems, simulating real-world attack paths—from UART ports to insecure OTA updates.
- Source-to-silicon assessments, helping validate SBOMs, secure boot, and memory protections.
- Third-party vendor evaluation, because attackers don’t care if your software came from “a trusted partner.”
Pre-Certification Services: Built for Today’s Regulatory Gauntlet
The 2025 DBIR made it clear: ignoring the security outcomes of your vendors is no longer viable. That’s exactly why regulations are tightening across the board.
Finite State supports your prep for:
- EU Cyber Resilience Act (CRA) – Validate the security posture of embedded components.
- CE RED Article 3.3 (d), (e), and (f) – Demonstrate secure communication, data protection, and access control.
- U.S. Cyber Trust Mark – Provide continuous attestation on security baselines.
- Connected Vehicle Rule – Ensure vehicle software is tamper-resistant and patchable.
- FDA 524B – Meet postmarket software transparency and vulnerability disclosure requirements.
TL;DR: We help you move from checklist compliance to demonstrable assurance.
Bonus: Real-World Lessons from the Report + Action Items
DBIR Insight | Finite State Countermeasure
Secrets exposed for 94 days on GitHub | Git integration + leaked credential detection
BYOD devices leaking corporate creds | SBOM correlation to device management insights
Ransomware rising for SMBs | Device risk scoring + exploit chaining analysis
Edge device exploitation booming | Automated firmware vulnerability scanning
MFA absent in breaches like Snowflake | Credential & secret hygiene reports
Final Thought: You Can’t Outsource Risk, But You Can Outsmart It
2025’s DBIR is a brutal reminder that we’re all deeply entangled in the choices of our vendors, developers, and platforms. But that doesn’t mean we’re helpless.
Finite State’s platform turns supply chain chaos into actionable intelligence. Whether you’re getting breached by a leaked GitLab token or preparing for a CE RED audit, we’ve got your back with tools that speak to both engineers and regulators.
Let’s make “third-party breach” a thing of the past—or at least not your future headline. Book a demo to learn more.