The Verizon 2026 Data Breach Investigations Report (DBIR) reveals a threat environment moving much faster than many organizations can reasonably protect themselves against.
Based on information collected from more than 31,000 security incidents and over 22,000 confirmed data breaches spanning 145 different countries, the DBIR shows a shift in how attackers get in, how fast vulnerabilities are exploited, and the role of AI in both attack and defense.
This year’s report makes it clear that vulnerability exploitation has overtaken credential abuse as the top method of initial access to breached networks.
Vulnerability exploitation overtakes stolen credentials
In past years, compromised credentials were the most common reason for breaches. This is not the case in the 2026 DBIR.
Exploitation of vulnerabilities accounted for 31% of breach initial access vectors, compared to credential abuse, which dropped to 13%.
The DBIR states that organizations are overwhelmed by the volume of patches required, given the large number of vulnerabilities being actively exploited in the wild.
Only 26% of vulnerabilities in the CISA Known Exploited Vulnerabilities (KEV) catalog were fully remediated by organizations in 2025, compared to 38% in 2024. Concurrently, median remediation times grew from 32 days to 43 days.
The magnitude of the issue is becoming hard to overlook. According to Verizon, there was a 50% increase in KEV vulnerabilities compared to the previous year.
There is also an indication that organizations may be approaching the limits of their vulnerability management processes. Despite their maturity level, organizations still leave roughly 60–70% of KEV vulnerabilities unpatched during the first week after discovery.
Ransomware keeps growing, but fewer victims pony up
Ransomware attacks also rose, accounting for 48% of all breaches, up from 44% the year before.
At the same time, fewer ransomware payments were made. As per the report, 69% of ransomware victims in the sample paid no ransom. Additionally, the median ransom payment fell from $150,000 to $139,875.
The report suggests that one factor behind the rise of ransomware is the prevalence of pretexting and social engineering targeting helpdesk personnel via phone and messaging channels.
Mobile and voice phishing are outperforming email
One of the report’s interesting revelations is that mobile social engineering is becoming highly effective. While the human factor was involved in 62% of breaches, up from 60% the previous year, attackers have started shifting from email-based phishing to voice, SMS, and live impersonation.
According to Verizon’s simulated phishing campaigns, mobile-based phishing attacks had engagement rates 40% higher than email-based attacks.
The report highlights the use of “pretexting.” In these instances, bad actors gain the trust of the target by pretending to be an IT support team member or by creating a situation to make the employee comply.
According to Verizon, most awareness campaigns are not prepared to deal with this approach, especially when the employee is under pressure to make quick decisions.
AI is now embedded across the attack chain
The report also confirms that GenAI is no longer experimental for threat actors. They use these tools across many stages of their operations, including reconnaissance, targeting, malware tooling, phishing, and exploit research.
It also states: “The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50.”
Nevertheless, the report stops short of regarding AI-created malware as revolutionary. The vast majority of malware created with the help of AI was based on known attack methods and was very similar to previously seen malware families. Less than 2.5% of AI-assisted malware used uncommon methods.
In Verizon’s opinion, what is more worrying is the speed and scale of the attacks.
Third-party risk continues to spiral
Breaches caused by third parties rose by 60%, accounting for 48% of all breaches recorded in the data set.
Weak authentication, lack of MFA, excessive privileges, and cloud mismanagement were highlighted as prevalent problems.
One of the more worrying statistics concerns delays in remediation within third-party cloud environments. Verizon reported that only 23% of organizations fully remediated vulnerabilities related to the lack of MFA or its misconfiguration. Weak passwords and excessive permissions typically took up to 8 months to be fixed.
The report repeatedly highlights how businesses are inheriting the security weaknesses of their vendors, cloud providers, SaaS platforms, and software supply chains.
Shadow AI becomes a growing insider risk
Unsanctioned use of AI within organizational contexts is becoming another important governance problem.
According to the report, 67% of users who accessed AI services using corporate devices used non-corporate accounts. At the same time, the number of employees regularly using AI increased from 15% to 45% in just one year.
Verizon noted that Shadow AI was the third most common non-malicious insider activity in its data loss prevention data set, a fourfold increase from the previous year.
Source code was the most common type of data uploaded to external GenAI systems. The report also noted examples of research papers, technical documents, and possibly proprietary information being uploaded to unapproved AI systems.
Security fundamentals still dominate the outcome
Even though there is a focus on AI, ransomware attacks, and emerging social engineering techniques, the general message from Verizon is unsurprising. Throughout the report, there is an underlying emphasis on asset visibility, patch management, authentication, least privilege, and incident response.
The risk environment may be constantly shifting, but those entities that have problems are being compromised the old-fashioned way, through familiar weaknesses and long-standing security gaps.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


