Investment vs avoided cost
Extensive security AI cuts the average breach by $1.9M.
Security controls ranked by the IBM 2025 cost-factor analysis (Figure 39, plus the extensive AI/automation comparison). Saving figures are IBM's measured cost differences; annual cost figures are editorial mid-market estimates, and the ROI multiple is derived from the two. Vendor-neutral.
Top single saver: -$1.90M (Extensive AI & automation)
Top Figure-39 factor: -$227K (DevSecOps approach)
Without AI/automation: $5.52M average breach cost
With AI/automation: $3.62M average breach cost (extensive deployment)
Section 05.1 / Controls ranked by IBM 2025 saving
The investment ladder
Sorted by IBM's measured cost difference. Saving figures are the IBM 2025 cost-factor deltas, measured per factor in isolation against the report average; they do not stack additively. Annual cost figures are editorial mid-market estimates (organizations of 500 to 5,000 employees), and the ROI multiple is derived from the two. Smaller organizations realise the savings at lower implementation cost; enterprises pay more but face a larger downside.
Rank #01 / Implementation: 6-12 months
AI & Security Automation (extensive)
$300K cost / yr, -$1900K avoided, 6.3x ROI
Organizations using AI and automation extensively across the security lifecycle averaged $3.62M in breach costs versus $5.52M for those that did not, a $1.9M difference (IBM 2025, Figure 44). They also shortened breach lifecycles by 80 days. This is the largest verified cost difference of any capability in the 2025 report.
Implementation checklist
- [x] Deploy UEBA on identity logs
- [x] Integrate AI-assisted triage into SOC
- [x] Automate alert enrichment and triage
- [x] Use predictive risk scoring on vulnerabilities
- [x] Continuously tune detection rules
Rank #02 / Implementation: 6-12 months
DevSecOps Approach
$100K cost / yr, -$227K avoided, 2.3x ROI
The number-one cost-reducing factor in IBM's 2025 factor analysis (-$227K vs the average). Shifting security left catches vulnerabilities at design and build time, where fixes cost a fraction of production remediation, and reduces the breach surface that reaches production in the first place.
Implementation checklist
- [x] Integrate SAST into CI/CD pipelines
- [x] Run DAST on every release
- [x] Automate dependency scanning
- [x] Include security review gates in sprints
- [x] Train developers on OWASP Top 10
Rank #03 / Implementation: 3-6 months
Security Analytics / SIEM
$100K cost / yr, -$212K avoided, 2.1x ROI
A security information and event management platform for detecting and responding to threats was the third-ranked cost-reducing factor in IBM 2025 (-$212K). The benefit concentrates in faster identification: breaches found by internal security teams cost $4.18M versus $5.08M when the attacker discloses first.
Implementation checklist
- [x] Centralise identity, endpoint, and network logs
- [x] Tune detections to the environment
- [x] Integrate SOAR playbooks for triage
- [x] Measure MTTI / MTTC quarterly
- [x] Review alert fidelity monthly
Rank #04 / Implementation: 2-4 months
Threat Intelligence
$120K cost / yr, -$212K avoided, 1.8x ROI
Threat-intelligence integration helps SOCs prioritise alerts and recognise emerging campaigns. IBM's 2025 factor analysis puts the cost difference at -$212K, essentially level with SIEM, reflecting how the two reinforce each other.
Implementation checklist
- [x] Integrate intel feeds into SIEM
- [x] Subscribe to relevant ISACs
- [x] Map detections to ATT&CK
- [x] Brief executives on emerging threats
- [x] Update IoCs continuously
Rank #05 / Implementation: 2-4 months
Encryption (Data at Rest & Transit)
$80K cost / yr, -$208K avoided, 2.6x ROI
Encrypting data at rest and in transit renders stolen records unreadable without the keys (-$208K in IBM's 2025 factor analysis). Even if attackers exfiltrate data, regulatory exposure is dramatically reduced because most state and federal laws contain encryption safe harbors that limit notification obligations.
Implementation checklist
- [x] Encrypt all databases at rest (AES-256)
- [x] Enforce TLS 1.3 for all data in transit
- [x] Implement field-level encryption for PII / PHI
- [x] Use HSMs for key management
- [x] Audit encryption coverage quarterly
Rank #06 / Implementation: 3-6 months
Proactive Threat Hunting
$150K cost / yr, -$193K avoided, 1.3x ROI
Hunting for intrusions rather than waiting for alerts cuts dwell time, the variable most tightly correlated with total cost: breaches contained under 200 days cost $1.14M less than those that run longer. IBM's 2025 factor analysis credits proactive threat hunting with a -$193K cost difference.
Implementation checklist
- [x] Stand up a recurring hunt cadence
- [x] Build hypothesis playbooks per threat model
- [x] Review identity and data-access anomalies
- [x] Feed hunt findings back into detections
- [x] Track dwell-time trend quarterly
Rank #07 / Implementation: 1-2 months
Employee Security Training
$100K cost / yr, -$192K avoided, 1.9x ROI
Phishing was the most common initial attack vector in IBM 2025 (16% of breaches) and human error remains a leading root cause. Training is credited with a -$192K cost difference in the 2025 factor analysis, and the low cost of delivery keeps its return attractive.
Implementation checklist
- [x] Quarterly phishing simulations
- [x] Annual security-awareness certification
- [x] Role-specific training (finance, IT, executives)
- [x] Just-in-time training triggered by risky behaviour
- [x] Insider-threat awareness program
Rank #08 / Implementation: 3-6 months
Identity & Access Management (IAM)
$120K cost / yr, -$190K avoided, 1.6x ROI
Compromised credentials remain a top-four initial vector ($4.67M average breach cost). IAM, including MFA enforcement, least privilege, and lifecycle governance, carries a -$190K cost difference in IBM's 2025 factor analysis and blocks the credential-stuffing attacks that drive opportunistic breaches.
Implementation checklist
- [x] Enforce MFA on all accounts, privileged first
- [x] Deploy conditional-access policies
- [x] Implement least-privilege access reviews
- [x] Automate joiner-mover-leaver deprovisioning
- [x] Monitor for MFA-fatigue attacks
Rank #09 / Implementation: 1-2 months
Offensive Security Testing
$50K cost / yr, -$184K avoided, 3.7x ROI
Penetration testing and red-teaming identify exploitable issues before adversaries do (-$184K in IBM's 2025 factor analysis). The figure is conservative: the true value is probabilistic, because a breach that testing prevents never appears in the dataset. The value is higher when paired with continuous attack-surface monitoring.
Implementation checklist
- [x] Annual external pen test (network + app)
- [x] Continuous attack-surface monitoring
- [x] Targeted re-tests after major changes
- [x] Optional: ongoing bug-bounty program
Rank #10 / Implementation: 2-4 months
Endpoint Detection & Response (EDR)
$80K cost / yr, -$168K avoided, 2.1x ROI
EDR shortens the identification phase that dominates breach lifecycles (181 days mean time to identify in 2025). IBM's factor analysis credits EDR tools with a -$168K cost difference, and carriers increasingly require EDR before binding cyber-insurance cover.
Implementation checklist
- [x] Deploy EDR to all endpoints and servers
- [x] Integrate EDR telemetry into SIEM
- [x] Define containment automation rules
- [x] Test isolate-and-restore workflows
- [x] Review coverage gaps quarterly
Rank #11 / Implementation: 1-2 months
Cyber Insurance
$75K cost / yr, -$0K avoided, 0x ROI
Cyber insurance is risk transfer rather than cost reduction. It cannot prevent a breach but can soften the financial impact. Carriers increasingly require named controls (MFA, EDR, IR retainer) before binding, so the underwriting itself enforces hygiene.
Implementation checklist
- [x] Engage broker for limit / sub-limit modelling
- [x] Implement carrier-required controls before binding
- [x] Review exclusions (nation-state, ransomware sub-limits)
- [x] Test claim notification process
Primary source: saving figures from IBM Cost of a Data Breach Report 2025, Figures 39 and 44; annual cost figures are editorial mid-market estimates, not IBM data. Last verified June 2026.
Section 05.2 / Stack economics
Full stack vs $4.44M average
Total annual cost: $1275K (all 10 controls implemented)
Maximum theoretical saving: -$3.69M (if every IBM-verified saving stacks; real-world: 40-60%)
vs average breach: $4.44M (global average, IBM 2025)
The full security stack costs a fraction of the IBM 2025 average breach each year. The IBM dataset reports that organizations with extensive AI/automation use averaged $3.62M in breach costs versus $5.52M for those without these capabilities. The control investment pays back inside a single avoided or contained incident.