Overview

The 2025 editions of the Verizon Data Breach Investigations Report (DBIR) and Google’s M-Trends Report are here – and they paint a striking picture of how attackers are gaining an initial foothold within modern organizations.

If you have been paying attention to how attacks have evolved, two stats in particular should jump out:

  • For the fifth year in a row, exploits were the most observed initial vector in Mandiant incident response investigations. For intrusions in which an initial infection vector was identified, 33% began with the exploitation of a vulnerability (M-Trends Report). 
  • This is the first year in which vulnerability exploitation overtook phishing as an initial attack vector in the DBIR’s findings. Vulnerability exploitation increased by 34% in 2024 (DBIR). 

Vulnerability exploits were used by attackers to infiltrate systems more commonly than phishing attacks in the past year. The kicker? These exploits are happening primarily through the web applications that modern organizations have come to rely on.

While web applications have long been a leading breach vector, these stats show a notable shift. As modern organizations continue to build, deploy, and scale applications to drive innovation, the attack surface of these tools is growing dramatically. It makes sense – applications are complex and made up of an array of open-source, first-party, and third-party code. It can be difficult to gain visibility into each component to secure it in production – and this is something that attackers are clearly paying attention to. 

Initial Access: A Deeper Look

Initial access vectors have had a clearly established “Big 3” over the past few years – with exploits, credential abuse, and phishing consistently at the top of the list.

Notably, in the DBIR, we can see in the graph below that:

  • Credential abuse is still prevalent, but trending down – hopefully an indicator that investments in identity security are paying off.
  • Phishing has remained relatively consistent in terms of serving as an initial attack mechanism, which isn’t surprising given humans are consistently one of the weakest security links in organizations.
  • The exploitation of vulnerabilities is seeing a sharp uptick, likely due to the increased use of applications to drive efficiency for organizations, a lack of tools that can identify and stop exploits at the application layer, and the sheer volume of CVEs that are disclosed each year.

The New Reality: You Can’t Just Focus on Known CVEs

Let’s take a step back to fully understand why only one of the “Big 3” is trending upward.

It is clear that identity security and phishing protection strategies are, for the most part, working. The investments still have a way to go, but the indication is that sophisticated attackers aren’t having increased success gaining a foothold through these avenues. What is also clear is that applications are increasingly becoming the path of least resistance.

Why is that? 

Most application security strategies today are centered on detecting known vulnerabilities – those that already have a CVE attached to them. Even worse, these strategies primarily rely on point-in-time tools that can’t see what code is actually used in production. So while teams have an idea that something vulnerable might be in their running application, it’s difficult to know with 100% certainty.

That aside, this year’s data makes it clearer than ever: relying solely on finding and fixing known vulnerabilities to protect your applications isn’t enough. While detecting and remediating vulnerabilities is an important part of the equation, it's a never-ending game: CVEs keep growing, zero-days are always emerging, and teams simply can't keep pace. Adding detection and response capabilities for web applications is imperative if we are going to reverse this trend.

If your defense stops at whatever is cataloged in a vulnerability database, you aren’t prepared to stop exploits, you are only prepared to detect CVEs.

The Path Forward

Traditional security tools are great at detection. But detection alone isn’t enough, especially when attackers are exploiting new vulnerabilities faster than ever. 

With Oligo’s Application Detection and Response solution, organizations don’t just get alerts; they get the ability to see and block exploits in real time, based on the actual behavior of their applications in production. 

The 2025 DBIR and M-Trends reports confirm what many of us are seeing in the trenches: adversaries are evolving, and so too must our defenses. Vulnerability exploits are no longer just a member of the “Big 3” – they are becoming the top way that attackers infiltrate organizations.

It’s time for a shift and a new mindset when it comes to protecting modern environments – one that actively understands and protects applications where it actually matters: at runtime.

Learn More

Interested in learning more about how Oligo protects the applications that power modern businesses? 

Justin McCann