Vulnerability exploitation has overtaken credential abuse as the top initial access vector for breaches, according to Verizon’s 19th annual data breach investigations report. The telecom giant analyzed more than 31,000 real-world security incidents, including more than 22,000 confirmed breaches across 145 countries. Exploitation of vulnerabilities rose to 31% in this year’s reporting dataset, while credential abuse fell to 13%.
The findings deliver a new set of marching orders to channel partners: help customers patch faster, govern AI use, secure the new-employee edge and build enough resilience to withstand ransomware attacks without being forced into a payout.
It’s an imperative that propels the security conversation beyond identity alone. Mark Tina, channel chief and vice president of indirect partner sales at Verizon Business, said the latest DBIR shows the attack surface has “fundamentally changed,” requiring partners to shift with it.
“For our partners, this is a signal to stop playing defense only at the credential layer and shift to more proactive, continuous exposure management, because the corporate perimeter isn’t just a firewall anymore — it’s the entire edge of the network,” Tina said.
This gives MSPs, MSSPs and solution providers a larger role in security, risk assessment and patch management, especially around the network and connectivity environments customers depend on. Tina said partners who wrap managed security services around those core network and connectivity services are protecting the “critical transition point where the internet meets corporate infrastructure.”
The partner’s responsibility is also expanding as customers struggle to turn vulnerability data into finished remediation work.
Only 26% of critical vulnerabilities — defined as those in the Cybersecurity Infrastructure and Security Agency’s Known Exploited Vulnerabilities catalog — were fully addressed by organizations in 2025, down from 38% the previous year. Median time to full resolution rose to 43 days, up from 32 days. In the median case, organizations had almost 50% more known exploited vulnerabilities to patch, with the median rising from 11 in 2024 to 16 in 2025.
The problems do not reflect a resource shortage.
“It’s not a tools problem — most organizations have plenty of tools,” Tina said. “What they’re missing is prioritization and someone to actually drive the work, and this is where partners come in.”
The biggest partner opportunity lies in helping customers focus on vulnerabilities that are actively being exploited rather than trying to address every exposure at once, then steering that remediation through to completion.
Ransomware, supply chain, more
Ransomware remains another major area for channel partners to focus on, too.
Verizon found ransomware in 48% of breaches, up from 44% in the previous year. Yet, 69% of ransomware victims in the dataset did not pay, as the median ransom payment declined to $139,875 from $150,000.
Tina said the decline does not mean ransomware is becoming less damaging. Downtime still carries a cost, and when an organization can’t operate, the impact ripples across its supply chain. But the nonpayment trend does show that shoring up foundations can change outcomes.
“Strong preparation means better backups, faster recovery and cleaner incident response plans,” Tina said. “The conversation partners should have with customers has to shift from ‘how do we prevent this’ to ‘how do we stay operational when it happens.’ Resilience is the product now.”
Supply chains are another pressure point where channel partners can step in. According to the report, breaches involving third parties increased 60% from last year and accounted for 48% of total breaches. Among third-party cloud exposures, only 23% of third-party organizations fully remediated missing or improperly secured multifactor authentication on cloud accounts. For weak passwords and permission misconfigurations, the time to resolve 50% of findings stretched to almost eight months.
Sensitive data walks right out the door
The Verizon study highlights risks from the places employees now work the most: mobile devices, messaging apps and unauthorized AI tools.
“That's source code and sensitive data walking right out the door,” Tina said.
The human element accounted for 62% of breaches. Mobile-centric social engineering campaigns, including voice and text messaging, had median successful click rates 40% higher than email in phishing simulations.
Shadow AI is moving just as quickly. Nearly half of employees are now considered regular users of AI tools on corporate devices, up from 15% last year. More than two-thirds of users accessing AI services on corporate devices did so through non-corporate accounts. Shadow AI became the third most common non-malicious insider action in Verizon’s data loss prevention dataset.
Channel partners should approach remediation with care.
“Employees aren't trying to create risk,” Tina said. “They're trying to move fast, and AI has accelerated that. Partners who build that reality into their security stack with policies, controls, education and AI governance are the ones customers will turn to first when something goes wrong. You need to meet users where they actually work.”
