
2025 DBIR Analysis Through the TLCTC Lens

Mapping the Verizon Data Breach Investigations Report to the Top Level Cyber Threat Clusters Framework v2.0

Bernhard Kreinz
Critical Distinction: Data Risk Event vs. Cyber Threat

The DBIR title "Data Breach Investigations Report" centers on the Data Risk Event (outcome) — the loss of Confidentiality, Integrity, or Availability. Readers must identify the Cyber Part: the causal threat clusters that enabled these outcomes. TLCTC separates causes (threat clusters) from consequences (data breaches), providing the semantic clarity that the DBIR's outcome-focused analysis often lacks when it conflates the two.

TLCTC Coverage in 2025 DBIR

The 10 non-overlapping TLCTC clusters provide a cause-based framework for understanding the DBIR's findings. The figures below show which clusters are most represented in the report's 12,195 confirmed breaches (shares are non-exclusive, since one breach can involve several clusters).

12,195 confirmed breaches
44% Malware (#7)
30% Supply Chain Attack (#10)
60% Social Engineering (#9)

TLCTC Cluster Prevalence Score

Scores are based on mention frequency and relevance in the DBIR findings (0-100 scale).

Cluster Name Score Key DBIR Finding

Threat Actor Profiles

TLCTC Axiom IV: Threats are separate from threat actors. Classification is by exploited vulnerability, not by "who."

Key Actor Insight

State-sponsored actors show a Financial motive in 28% of cases alongside Espionage — suggesting double-dipping behavior. Espionage-motivated breaches tripled (163% increase), using vulnerability exploitation in 70% of cases (TLCTC #2).

Targeted IT Asset Types

TLCTC Axiom I: No system-type differentiation — the same generic vulnerabilities apply across all asset types.

Edge Device Crisis

Exploitation of VPN and edge device vulnerabilities grew 8x (3% → 22%) — network infrastructure is now a prime target. Organizations fully remediated only 54% of edge vulnerabilities (median 32 days to patch).

Most Common Attack Paths (TLCTC Notation)

TLCTC Axiom IX: Clusters chain into attack paths representing complete scenarios.

Attack Velocity Insight (Δt)

Ransomware attacks show VC-3/VC-4 velocity — automated exploitation chains complete in seconds to minutes. Human-dependent controls against #9→#4 chains operate at VC-1/VC-2, creating structural control gaps.

Key TLCTC Findings from 2025 DBIR

#4 Identity Theft — Dominant Cluster

Present in 88% of BWAA (Basic Web Application Attacks) breaches and 22% of all initial access. Infostealers compromised 30% of enterprise devices. 54% of ransomware victims had prior credential exposure.

#7 Malware — Ransomware Dominance

44% of all breaches involve ransomware (up from 32%). Median ransom: $115K. 64% of victims didn't pay — forcing actors to evolve tactics.

#9 Social Engineering — Persistent Threat

60% of breaches involve a human element. Prompt bombing (MFA fatigue) emerged as a new technique. AI-generated phishing text doubled in 2 years.

#10 Supply Chain Attack — Doubled Impact

30% of breaches involve third parties (up from 15%). The Snowflake campaign affected 165 organizations. Supply chain exposure is systemic risk.

#2 Exploiting Server — Edge Device Crisis

Vulnerability exploitation accounts for 20% of initial access (34% YoY growth). Edge device vulnerabilities grew 8x. 70% of espionage attacks use this vector.

TLCTC Framework Value Demonstrated

✓ Cause-Based Clarity

The DBIR conflates "ransomware" (outcome) with attack vectors. TLCTC separates them: #9→#4→#7 shows the actual causal chain.

✓ Attack Path Visibility

TLCTC notation reveals that most "credential" attacks are #9→#4 chains, enabling targeted control placement.
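To make the cause/outcome split and the chain notation concrete, here is an added Python example (not TLCTC project or DBIR code) that maps DBIR-style breach records to TLCTC attack-path notation and tallies cluster presence separately from outcomes such as ransomware. The action labels, the label-to-cluster map and the five sample breaches are constructed assumptions for illustration.

```python
from collections import Counter
# Added example, not TLCTC or DBIR code; labels, map and sample are constructed.
# Causes: DBIR-style action labels mapped to TLCTC cluster numbers.
ACTION_TO_CLUSTER = {
    "phishing": 9, "prompt_bombing": 9,         # #9 Social Engineering
    "stolen_creds": 4, "infostealer_creds": 4,  # #4 Identity Theft
    "edge_device_exploit": 2,                   # #2 Exploiting Server
    "malware": 7,                               # #7 Malware
    "third_party": 10,                          # #10 Supply Chain Attack
}
# Consequences (Data Risk Events): never a cluster, so never part of a path.
OUTCOMES = {"ransomware", "data_breach"}

def to_path(labels):
    """Ordered labels -> TLCTC notation such as '#9→#4→#7'.
    Outcome labels are dropped; consecutive repeats of one cluster collapse."""
    hops = []
    for label in labels:
        if label in OUTCOMES:
            continue
        if label not in ACTION_TO_CLUSTER:
            raise ValueError(f"unmapped label: {label}")
        c = ACTION_TO_CLUSTER[label]
        if not hops or hops[-1] != c:
            hops.append(c)
    return "→".join(f"#{c}" for c in hops)

def tally(breaches):
    """Return (cluster presence %, outcome presence %, path Counter). Presence is
    non-exclusive: a breach counts toward every cluster in its path, so cluster
    percentages can sum past 100, like the DBIR's 44% / 30% / 60% figures."""
    n = len(breaches)
    clusters, outcomes, paths = Counter(), Counter(), Counter()
    for labels in breaches:
        path = to_path(labels)
        paths[path] += 1
        for hop in {h for h in path.split("→") if h}:
            clusters[int(hop[1:])] += 1
        for outcome in set(labels) & OUTCOMES:
            outcomes[outcome] += 1
    return ({c: round(100 * v / n) for c, v in clusters.items()},
            {o: round(100 * v / n) for o, v in outcomes.items()}, paths)

# Constructed sample: five breaches, each an ordered list of labels.
SAMPLE = [
    ["phishing", "stolen_creds", "malware", "ransomware"],
    ["infostealer_creds", "stolen_creds", "malware", "ransomware"],
    ["edge_device_exploit", "malware", "ransomware"],
    ["third_party", "stolen_creds", "data_breach"],
    ["prompt_bombing", "stolen_creds", "data_breach"],
]
```

Running `tally(SAMPLE)` shows ransomware as an outcome in 60% of the sample while the causal picture is #4 in 80%, #7 in 60% and #9 in 40%, which is the separation the page argues for.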

✓ Velocity-Based Control Selection

Edge device attacks (VC-4) require automated controls. Human awareness training won't stop a #2→#7 chain at machine speed.

✓ Third-Party Risk Quantification

TLCTC #10 precisely captures supply chain risk — enabling systematic risk appetite statements for the C-suite.

Analysis based on Verizon 2025 DBIR | TLCTC Framework v2.0 by Bernhard Kreinz | CC BY 4.0
Data source: 22,052 incidents, 12,195 confirmed breaches