Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Schedule 05 / Prevention ROI | IBM 2025 cost-factor analysis

Investment vs avoided cost

Extensive security AI cuts the average breach by $1.9M.

Security controls ranked by the IBM 2025 cost-factor analysis (Figure 39, plus the extensive AI/automation comparison). Saving figures are IBM's measured cost differences; annual cost figures are editorial mid-market estimates, and the ROI multiple is derived from the two. Vendor-neutral.

  • Top single saver: -$1.90M (Extensive AI & automation)
  • Top Figure-39 factor: -$227K (DevSecOps approach)
  • Without AI/automation: $5.52M (Average breach cost)
  • With AI/automation: $3.62M (Extensive deployment)

Section 05.1 / Controls ranked by IBM 2025 saving

The investment ladder

Sorted by IBM's measured cost difference. Saving figures are the IBM 2025 cost-factor deltas, measured per factor in isolation against the report average; they do not stack additively. Annual cost figures are editorial mid-market estimates (organizations between 500-5,000 employees), and the ROI multiple is derived from the two. Smaller organizations realise the savings at lower implementation cost; enterprises pay more but face larger downside.

Rank #01 / Implementation: 6-12 months

AI & Security Automation (extensive)

$300K cost / yr | -$1900K avoided | 6.3x ROI

Organizations using AI and automation extensively across the security lifecycle averaged $3.62M in breach costs versus $5.52M for those that did not, a $1.9M difference (IBM 2025, Figure 44). They also shortened breach lifecycles by 80 days. This is the largest verified cost difference of any capability in the 2025 report.

Implementation checklist

  • [x] Deploy UEBA on identity logs
  • [x] Integrate AI-assisted triage into SOC
  • [x] Automate alert enrichment and triage
  • [x] Use predictive risk scoring on vulnerabilities
  • [x] Continuously tune detection rules

Tool categories (vendor-neutral)

  • AI-powered SIEM
  • UEBA (user / entity behaviour analytics)
  • AI-assisted threat hunting
  • Automated phishing triage

Rank #02 / Implementation: 6-12 months

DevSecOps Approach

$100K cost / yr | -$227K avoided | 2.3x ROI

The number-one cost-reducing factor in IBM's 2025 factor analysis (-$227K vs the average). Shifting security left catches vulnerabilities at design and build time, where fixes cost a fraction of production remediation, and reduces the breach surface that reaches production in the first place.

Implementation checklist

  • [x] Integrate SAST into CI/CD pipelines
  • [x] Run DAST on every release
  • [x] Automate dependency scanning
  • [x] Include security review gates in sprints
  • [x] Train developers on OWASP Top 10

Tool categories (vendor-neutral)

  • SAST
  • DAST
  • Dependency scanning (SCA)
  • Secret scanning

Rank #03 / Implementation: 3-6 months

Security Analytics / SIEM

$100K cost / yr | -$212K avoided | 2.1x ROI

A security information and event management platform for detecting and responding to threats was the third-ranked cost-reducing factor in IBM 2025 (-$212K). The benefit concentrates in faster identification: breaches found by internal security teams cost $4.18M versus $5.08M when the attacker discloses first.

Implementation checklist

  • [x] Centralise identity, endpoint, and network logs
  • [x] Tune detections to the environment
  • [x] Integrate SOAR playbooks for triage
  • [x] Measure MTTI / MTTC quarterly
  • [x] Review alert fidelity monthly

Tool categories (vendor-neutral)

  • SIEM platform
  • SOAR integration
  • Log pipeline / data lake

Rank #04 / Implementation: 2-4 months

Threat Intelligence

$120K cost / yr | -$212K avoided | 1.8x ROI

Threat-intelligence integration helps SOCs prioritise alerts and recognise emerging campaigns. IBM's 2025 factor analysis puts the cost difference at -$212K, essentially level with SIEM, reflecting how the two reinforce each other.

Implementation checklist

  • [x] Integrate intel feeds into SIEM
  • [x] Subscribe to relevant ISACs
  • [x] Map detections to ATT&CK
  • [x] Brief executives on emerging threats
  • [x] Update IoCs continuously

Tool categories (vendor-neutral)

  • Commercial threat-intel feeds
  • ISAC sharing
  • Open-source intel (MITRE ATT&CK)

Rank #05 / Implementation: 2-4 months

Encryption (Data at Rest & Transit)

$80K cost / yr | -$208K avoided | 2.6x ROI

Encrypting data at rest and in transit ensures stolen records are useless without keys (-$208K in IBM's 2025 factor analysis). Even if attackers exfiltrate data, regulatory exposure is dramatically reduced because most state and federal laws contain encryption safe harbors that limit notification obligations.

Implementation checklist

  • [x] Encrypt all databases at rest (AES-256)
  • [x] Enforce TLS 1.3 for all data in transit
  • [x] Implement field-level encryption for PII / PHI
  • [x] Use HSMs for key management
  • [x] Audit encryption coverage quarterly

Tool categories (vendor-neutral)

  • KMS / HSM platforms
  • TLS 1.3 enforcement
  • Field-level encryption for PII / PHI

Rank #06 / Implementation: 3-6 months

Proactive Threat Hunting

$150K cost / yr | -$193K avoided | 1.3x ROI

Hunting for intrusions rather than waiting for alerts cuts dwell time, the variable most tightly correlated with total cost: breaches contained under 200 days cost $1.14M less than those that run longer. IBM's 2025 factor analysis credits proactive threat hunting with a -$193K cost difference.

Implementation checklist

  • [x] Stand up a recurring hunt cadence
  • [x] Build hypothesis playbooks per threat model
  • [x] Review identity and data-access anomalies
  • [x] Feed hunt findings back into detections
  • [x] Track dwell-time trend quarterly

Tool categories (vendor-neutral)

  • EDR telemetry hunting
  • Hypothesis-driven hunt playbooks
  • UEBA anomaly review

Rank #07 / Implementation: 1-2 months

Employee Security Training

$100K cost / yr | -$192K avoided | 1.9x ROI

Phishing was the most common initial attack vector in IBM 2025 (16% of breaches) and human error remains a leading root cause. Training is credited with a -$192K cost difference in the 2025 factor analysis, and the low cost of delivery keeps its return attractive.

Implementation checklist

  • [x] Quarterly phishing simulations
  • [x] Annual security-awareness certification
  • [x] Role-specific training (finance, IT, executives)
  • [x] Just-in-time training triggered by risky behaviour
  • [x] Insider-threat awareness program

Tool categories (vendor-neutral)

  • Phishing-simulation platforms
  • Annual security-awareness certification
  • Just-in-time micro-training

Rank #08 / Implementation: 3-6 months

Identity & Access Management (IAM)

$120K cost / yr | -$190K avoided | 1.6x ROI

Compromised credentials remain a top-four initial vector ($4.67M average breach cost). IAM, including MFA enforcement, least privilege, and lifecycle governance, carries a -$190K cost difference in IBM's 2025 factor analysis and blocks the credential-stuffing attacks that drive opportunistic breaches.

Implementation checklist

  • [x] Enforce MFA on all accounts, privileged first
  • [x] Deploy conditional-access policies
  • [x] Implement least-privilege access reviews
  • [x] Automate joiner-mover-leaver deprovisioning
  • [x] Monitor for MFA-fatigue attacks

Tool categories (vendor-neutral)

  • MFA / passkeys
  • PAM (privileged access management)
  • Identity governance & lifecycle

Rank #09 / Implementation: 1-2 months

Offensive Security Testing

$50K cost / yr | -$184K avoided | 3.7x ROI

Penetration testing and red-teaming identify exploitable issues before adversaries do (-$184K in IBM's 2025 factor analysis). The figure is conservative because the true value is probabilistic: an unprevented breach simply doesn't appear in the dataset. The value is higher when paired with continuous attack-surface monitoring.

Implementation checklist

  • [x] Annual external pen test (network + app)
  • [x] Continuous attack-surface monitoring
  • [x] Targeted re-tests after major changes
  • [x] Optional: ongoing bug-bounty program

Tool categories (vendor-neutral)

  • External pen-test engagement
  • Continuous attack-surface monitoring
  • Bug-bounty program

Rank #10 / Implementation: 2-4 months

Endpoint Detection & Response (EDR)

$80K cost / yr | -$168K avoided | 2.1x ROI

EDR shortens the identification phase that dominates breach lifecycles (181 days mean time to identify in 2025). IBM's factor analysis credits EDR tools with a -$168K cost difference, and carriers increasingly require EDR before binding cyber-insurance cover.

Implementation checklist

  • [x] Deploy EDR to all endpoints and servers
  • [x] Integrate EDR telemetry into SIEM
  • [x] Define containment automation rules
  • [x] Test isolate-and-restore workflows
  • [x] Review coverage gaps quarterly

Tool categories (vendor-neutral)

  • EDR / XDR platform
  • Managed detection & response (MDR)
  • Device-health attestation

Rank #11 / Implementation: 1-2 months

Cyber Insurance

$75K cost / yr | -$0K avoided | 0x ROI

Cyber insurance is risk transfer rather than cost reduction. It cannot prevent a breach but can soften the financial impact. Carriers increasingly require named controls (MFA, EDR, IR retainer) before binding, so the underwriting itself enforces hygiene.

Implementation checklist

  • [x] Engage broker for limit / sub-limit modelling
  • [x] Implement carrier-required controls before binding
  • [x] Review exclusions (nation-state, ransomware sub-limits)
  • [x] Test claim notification process

Tool categories (vendor-neutral)

  • Cyber liability policy
  • Breach-response retainer
  • IR carrier panel

Primary source: Saving figures: IBM Cost of a Data Breach Report 2025, Figures 39 and 44. Annual cost figures: editorial mid-market estimates, not IBM data. Last verified June 2026.

Section 05.2 / Stack economics

Full stack vs $4.44M average

  • Total annual cost: $1275K (All 10 controls implemented)
  • Maximum theoretical saving: -$3.69M (If every IBM-verified saving stacks; real-world: 40-60%)
  • vs average breach: $4.44M (Global average IBM 2025)


Per year, the full security stack costs a fraction of the IBM 2025 average breach. The IBM dataset reports that organizations with extensive AI / automation use averaged $3.62M in breach costs versus $5.52M for those without these capabilities. The control investment pays back inside a single avoided or contained incident.
