
Verizon DBIR 2026: What the experts are saying 

By Kirsten Doyle, May 21, 2026

According to the 2026 Verizon Data Breach Investigations Report, the threat environment is transforming in terms of speed, scale, and interconnected risk. For the first time in its history, vulnerability exploitation was identified as the top initial access vector, representing 31% of attacks, and the report found that ransomware, third-party attacks, and misuse of AI are all on the rise, both for attack purposes and within organizations.  

Increasing pressure on security teams includes worsening patch cycles, mobile-focused social engineering campaigns, and shadow AI, all of which increase the risk of source code/data leakage. What underlies all of these trends is a move toward targeting the entire software development process through vulnerabilities, identities, dependencies, AI use, and more. 

We’ll now hear from several security experts to get their views on the DBIR and what it means for today’s businesses. 

Organizations need continuous visibility 

Matthew Hartman, Chief Strategy Officer at Merlin Group, says: “Today’s Verizon DBIR confirms what security teams are already experiencing: AI has compressed the time between vulnerability discovery and exploitation from months to hours. Companies can’t defend against that reality with periodic assessments and siloed tools. To keep pace, organizations need continuous visibility into vulnerabilities, vendors, and employee AI usage — and the ability to act on that intelligence before attackers can.” 

Jason Soroko, Senior Fellow at Sectigo, adds: “The headline finding of the 2026 Data Breach Investigations Report reveals a stark shift in the threat landscape where vulnerability exploitation has surged to account for nearly a third of all initial access vectors, decisively outpacing traditional credential abuse. While the industry fixates on the growing backlog of unpatched systems and a worsening median time to remediate, reading this data purely as a patching crisis represents a critical failure in strategic thinking.” 

The relationship between unpatched vulnerabilities and identity security 

Soroko says from the vantage point of a Certificate Authority, the true revelation is the relationship between unpatched vulnerabilities and identity security. “A breached perimeter through a software exploit is often just the opening maneuver. The subsequent lateral movement and privilege escalation rely entirely on brittle authentication mechanisms. When we analyze the underlying genealogy of these attacks, it becomes evident that robust cryptographic trust and rigorous certificate lifecycle management act as the definitive fail-safe. 

“This dynamic changes how we must architect enterprise defenses, especially as AI-augmented weaponization accelerates the pace of exploitation beyond human response capabilities. As autonomous systems become deeply integrated into corporate networks, the traditional focus on securing human credentials is no longer sufficient. The most effective mitigation strategy requires abstracting our defenses away from the endless race to patch individual endpoints and instead establishing a hardened identity and authorization control plane.” 

Soroko says by guaranteeing that every machine, workload, and enterprise AI agent is strictly authenticated through tightly managed public key infrastructure, organizations can effectively neutralize the blast radius of an exploited vulnerability. “Even if an attacker successfully breaches the outer wall, cryptographic verification ensures they cannot assume trusted roles or siphon data, ultimately transforming a potentially catastrophic breach into a localized and manageable event.” 

The losing strategy patches by volume 

Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, says: “Vulnerability exploitation topped the DBIR because AI-accelerated attacks outrun patching. AI did not create that gap. AI erased the head start defenders used to have. The fix is not faster patching. It is patching by reachability and containing the rest.” 

He says the losing strategy patches by volume. The winning one patches by reachability and contains the rest. “Reachability analysis separates the flaws attackers can actually exploit from the ones that only look dangerous. Compensating controls buy time on everything triage has not cleared. Log4Shell proved the point: speed was never the bottleneck. Teams could not patch a library buried in thousands of dependencies, and the ones that filtered outbound traffic bought time to find it.”

Prioritize the CISA Known Exploited Vulnerabilities catalog 

Hogue-Spears says the strategic takeaway is that security leaders must prioritize the CISA Known Exploited Vulnerabilities catalog before the CVSS severity queue.

“CVSS tells you how bad a flaw can be. KEV tells you which flaws attackers already use. Patch by severity alone, and you will spend scarce engineering time on theoretical risk while active exploitation waits in the queue. Patching is just one of two layers. Leaders must invest in two layers, not one. The first is AI-augmented reachability analysis that separates exploitable findings from theoretical ones. The second is compensating controls: egress restrictions, behavioral allowlists, and identity-bound access. Those controls slow exploitation while triage runs, because triage and containment are the two clocks defenders can still control.”
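The triage order Hogue-Spears describes, as an added example (not code from Black Duck or the DBIR): KEV membership first, then reachability, with CVSS only as the tie-breaker, beside the severity-only ordering he calls the losing strategy. The KEV records, findings and CVE identifiers are constructed sample data in the shape of CISA's public KEV JSON feed (cveID, dueDate, knownRansomwareCampaignUse fields).

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of the CISA KEV JSON feed; not real entries.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-1001", "dueDate": "2026-06-01", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-1002", "dueDate": "2026-06-15", "knownRansomwareCampaignUse": "Unknown"}
]}"""


@dataclass
class Finding:
    cve: str
    cvss: float
    reachable: bool   # reachability analysis: is the flawed code on an executable path?
    asset: str


# Constructed scanner output. Note the 9.8 that is neither exploited nor reachable.
FINDINGS = [
    Finding("CVE-0000-2003", 9.8, False, "batch-job"),
    Finding("CVE-0000-2004", 8.1, True, "public-api"),
    Finding("CVE-0000-1001", 7.5, True, "vpn-gateway"),
    Finding("CVE-0000-1002", 6.1, False, "ci-runner"),
]


def load_kev(text: str) -> dict:
    """Index the KEV feed by cveID so membership checks are O(1)."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def triage(findings, kev):
    """Return (tier, action, finding) rows, most urgent first.

    Tier 0: in KEV and reachable      -> patch now
    Tier 1: in KEV, not reachable     -> patch by the KEV due date, contain meanwhile
    Tier 2: reachable, not in KEV     -> patch in CVSS order
    Tier 3: neither                   -> compensating controls, backlog
    """
    rows = []
    for f in findings:
        in_kev = f.cve in kev
        if in_kev and f.reachable:
            tier, action = 0, "patch now"
        elif in_kev:
            tier, action = 1, f"patch by {kev[f.cve]['dueDate']}; contain with egress filtering"
        elif f.reachable:
            tier, action = 2, "patch in CVSS order"
        else:
            tier, action = 3, "compensating controls; backlog"
        rows.append((tier, action, f))

    def key(row):
        tier, _, f = row
        ransomware = kev.get(f.cve, {}).get("knownRansomwareCampaignUse") == "Known"
        # Lower tier first; within a tier, ransomware-linked then higher CVSS first.
        return (tier, 0 if ransomware else 1, -f.cvss)

    return sorted(rows, key=key)


def by_severity_only(findings):
    """The severity queue: CVSS descending, blind to exploitation and reachability."""
    return sorted(findings, key=lambda f: -f.cvss)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print("severity queue :", [f.cve for f in by_severity_only(FINDINGS)])
    for tier, action, f in triage(FINDINGS, kev):
        print(f"tier {tier}  {f.cve:14} cvss {f.cvss:<4} {f.asset:12} -> {action}")
```

The theoretical 9.8 sits at the top of the severity queue and at the bottom of the KEV-first triage, which is exactly the reordering the quote argues for.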

Cybercrime has become industrialized 

Chandra Gnanasambandam, Chief Technology Officer at SailPoint, says we’re in a new normal where the time to exploitation has changed dramatically. “It used to take about a year in the early 2020s. Today, it’s getting close to an hour, and the direction it’s going, it could be minutes.”

Cybercrime has become industrialized, he adds. “It’s no longer a cottage industry. It’s no longer a bunch of rogue actors trying to do things. Now combine that with the fact that cloud environments, particularly dev environments, were always built with a developer in mind. They were really built for developer experience. They were never built with a security posture in mind. And in a world where 95% of access is standing, this is a deadly combination. This is really what has led to the new normal, and it is against this backdrop where we are moving to one of the most fundamental transformations in the world. In the last 25 years, security and governance have always been about humans.”

Today, Gnanasambandam says we’re in a human plus AI world, requiring a very different security paradigm, one that’s based on adaptive identity with zero standing privilege as a minimum requirement.

An economics story 

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, says the DBIR’s 19-year credential streak ending is not primarily a credential story, but one of economics. 

“AI is making vulnerability discovery and weaponization so fast and cheap that attackers no longer need a stolen password when a known, unpatched flaw gets them in faster. Third-party involvement now accounts for 48% of all breaches, up 60% year over year, which means the attack surface enterprises must defend extends well beyond anything they directly control or test. AI has compressed the window between a published vulnerability and an active exploit from months to hours. Security budgets still calibrated to annual assessment cycles are now structurally mismatched with how fast the threat actually moves.” 

The data argues against more AI detection tooling 

Ford says the reflex after a report like this is to procure more AI detection tooling. “The data argues against it. Third-party involvement in breaches jumped 60%, which underscores that coverage problems extend well beyond your perimeter, into every vendor, supplier, and integration partner you rely on. No product closes that gap. Continuous, adversarial pressure across the full attack surface is how you find what attackers will find before they find it.” 

On the credential-to-vulnerability shift, Ford says for 19 consecutive years, stolen credentials were the primary way attackers got in. “That changed because AI has compressed the window between a published vulnerability and an active exploit from months to hours. Security budgets still calibrated to annual assessment cycles are now structurally mismatched with how fast the threat actually moves.” 

He says point-in-time testing cannot keep pace with machine-speed exploitation, so response and patching velocity will need to keep up. “Every day, a known vulnerability sits unvalidated, an attacker with AI-assisted tooling is closing the gap. The security programs that will hold are built around continuous adversarial coverage, human researcher depth, and systematic triage — not periodic snapshots.”

Continuous, adversarial pressure across the full attack surface 

“Third-party involvement in breaches jumped 60%. The coverage problem extends well beyond your perimeter, into every vendor, supplier, and integration partner you rely on. No product closes that gap. Continuous, adversarial pressure across the full attack surface is how you find what attackers will find before they find it.” 

Shadow AI tripling in a single year is the DBIR’s quietest signal and its most consequential one, Ford adds. “Employees feeding unapproved tools with sensitive business data have created a data leakage category that most security programs have no coverage model for.” 

The headline belongs to vulnerability exploitation 

Morey Haber, Chief Security Advisor at BeyondTrust, comments: “Every year, the Verizon Data Breach Investigations Report (DBIR) lands like an annual cybersecurity checkup whether you wanted to see it or not. Unfortunately, the symptoms and reporting already lend credence to the diagnosis, but the numbers still manage to sting. The 2026 edition is no different and the pain is very real.” 

Analyzing more than 22,000 confirmed breaches across 145 countries, it is the largest and most comprehensive study the DBIR team has ever conducted in a single report, says Haber. “That is not a milestone we should celebrate but rather a warning that cybersecurity incidents continue to escalate and become more public.

“To that end, the headline this year belongs to vulnerability exploitation, which has surpassed credential abuse as the most common initial attack vector. Exploitation now accounts for 31% of breaches, while stolen credentials have fallen to 13% (16% with Pretexting as a consideration). This inversion matters because for years, organizations have operated under the assumption that identity, specifically, compromised usernames and passwords, was the primary entry point into an organization. After all, it is easier for a threat actor to log in versus hack in, right?”

Haber says that assumption has shaped how organizations have prioritized identity security controls for the last several years, but there is a catch. “The 2026 DBIR politely suggests we recalibrate our understanding of breaches since credential-based attack vectors still are included in 39% of all incidents but they were not the initial entry point. This implies Privileged Access Management and Identity Security (MFA, SSO, ITDR, etc.) are working effectively and organizations should still prioritize their deployments to keep credential-based attack vectors second to vulnerabilities and exploits. 

“The DBIR’s core message this year is not revolution but rather maturity and cybersecurity refinement. Strong fundamentals: asset and identity visibility, patching discipline, least privilege enforcement, and practiced incident response plans.” 

For 2027, Haber says it is not a matter of if your organization will appear in next year’s dataset but how your organization responds once an incident has occurred. “Will you support the trend or be one of the few that continues to mature and thwart the next wave of attacks?” 

Refinement, not revolution 

Mika Aalto, Co-Founder and CEO at Hoxhunt, says the DBIR’s message this year is refinement, not revolution. “AI is accelerating threats, but the organizations that will stay resilient are still the ones executing well on fundamentals: patching, incident response, identity management, and increasingly, security culture. 

“Having contributed our own data set of tens of millions of human cyber behaviors with Verizon for the second year in a row, I found it interesting that Verizon explicitly included ‘a culture that supports and enables secure behavior’ alongside technical controls like patch management and response planning. That’s an important signal for the industry. Security culture is no longer a soft initiative sitting outside core security operations. It’s part of the operational foundation.” 

Complex systems cannot be guaranteed to be safe 

Ram Varadarajan, CEO at Acalvio, says fundamentally, complex systems cannot be guaranteed to be safe. “So the more complex our software and infrastructure becomes, the more threats we introduce into it. This risk will now compound as we use AI to write limitless amounts of code. Add in the vulnerabilities being exploited in code bases driven by AI, the effectiveness AI has in socially engineering humans, and also the phenomena of emergent misalignment, and we can see that we’re living in a truly zero-trust world. You thought you were safe when you locked the door behind you in your house, but the doors and windows aren’t secure, and there are already attackers hiding in your closet and beneath your bed. And this will forever be the case.”

He says our only true defense is to comprehensively tripwire our cyber infrastructure with model-aware detections and traps, and to dynamically engage reasoning swarms of AI attackers with swarms of reasoning AI defenders.  It’s a future that’s full-on game-theoretic, AI-driven, bot-on-bot cyber defense. 

Many of the risks and barriers are behavioral 

Maxime Cartier, VP of Human Risk at Hoxhunt, adds: “We participated in this year’s DBIR research with our human behavior and risk data, and I was struck by Verizon’s finding that vulnerability exploitation has become the number one breach entry point. Historically, risky behavior and the human element have been linked to 70-90% of breaches, primarily via social engineering and phishing. But when you look closely at this year’s findings, and why patching programs fail, many of the risks and barriers are behavioral, not technical.” 

He says the people responsible for patching are employees too. “Developers, admins, IT operations teams — they respond to the same drivers we think about in Human Risk Management every day: motivation, prioritization, clarity, communication, and friction. If security teams want patching outcomes to improve, they need to communicate risk in ways that help people act, not just escalate pressure. 

“I think this creates a major opportunity for security awareness and Human Risk Management teams to collaborate more closely with vulnerability management teams. We spend a lot of time thinking about how to influence secure behavior at scale. Those same principles apply directly to improving remediation outcomes across the organization.” 

AI is not magically creating a new cyber universe 

Diana Kelley, Chief Information Security Officer at Noma Security, says the Verizon DBIR makes one thing very clear: AI is not magically creating a new cyber universe. “It is industrializing the one we already struggle to defend. The notable finding is that most AI-assisted malware and tooling activity still maps to ‘well-known and defined attack techniques,’ but those techniques are getting faster, broader and easier to execute. The rise of vulnerability exploitation to 31% of initial access and the System Intrusion pattern growing from 36% in 2024 to about 60% in 2026 show this in practice.”

For CISOs, she says that means the AI story is not just phishing emails with better grammar. “It is about vulnerability exploitation becoming the top initial access vector, Shadow AI turning source code and technical documents into accidental data leakage, and agentic systems creating a new class of privileged, machine-speed actors. If an AI agent can act, connect to tools, move data or trigger workflows, it needs to be governed like a privileged identity: least privilege, full logging, human approval for high-risk actions and a fast way to revoke access. 

The fundamentals still matter most 

“The practical response is not panic or a ban. It is governance with teeth: know where AI is being used, understand the blast radius, manage confidential data egress, treat agents and service accounts as high-risk identities, enforce least privilege, monitor tool use, and rehearse what happens when an agent makes the wrong decision at machine speed.” 
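The controls Kelley lists for agents (least-privilege tool scope, full logging, human approval for high-risk actions, and a fast revoke), as an added example that is not code from Noma Security or the DBIR. The agent name, tool names and the high-risk classification are constructed; approvals are one-time and bound to a specific agent, tool and target.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed classification: actions that move data or change access need a human.
HIGH_RISK_TOOLS = frozenset({"export_data", "send_email", "modify_iam"})


@dataclass
class AgentIdentity:
    """An agent is a privileged identity with an explicit, minimal tool scope."""
    name: str
    allowed_tools: frozenset
    revoked: bool = False


class AgentGate:
    """Authorizes every tool call an agent attempts and records the decision."""

    def __init__(self):
        self.audit = []            # full log of every decision, approval and revoke
        self.approvals = set()     # one-time approvals keyed (agent, tool, target)

    def _log(self, event, **fields):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
        self.audit.append(entry)
        return entry

    def approve(self, approver: str, agent: str, tool: str, target: str):
        """A human pre-approves exactly one (agent, tool, target) combination."""
        self.approvals.add((agent, tool, target))
        self._log("approval", approver=approver, agent=agent, tool=tool, target=target)

    def revoke(self, agent: AgentIdentity):
        """Fast revoke: every later call from this identity is denied."""
        agent.revoked = True
        self._log("revoke", agent=agent.name)

    def authorize(self, agent: AgentIdentity, tool: str, target: str):
        """Return (allowed, reason). Order: revoked? in scope? needs approval?"""
        if agent.revoked:
            allowed, reason = False, "identity revoked"
        elif tool not in agent.allowed_tools:
            allowed, reason = False, "tool outside least-privilege scope"
        elif tool in HIGH_RISK_TOOLS:
            key = (agent.name, tool, target)
            if key in self.approvals:
                self.approvals.discard(key)        # approval is consumed, not reusable
                allowed, reason = True, "high-risk action with human approval"
            else:
                allowed, reason = False, "human approval required"
        else:
            allowed, reason = True, "low-risk action within scope"
        self._log("decision", agent=agent.name, tool=tool, target=target,
                  allowed=allowed, reason=reason)
        return allowed, reason


def demo():
    """Walk one agent through scope, approval, reuse and revoke; returns the gate."""
    gate = AgentGate()
    bot = AgentIdentity("ticket-summarizer", frozenset({"read_ticket", "export_data"}))
    gate.authorize(bot, "read_ticket", "TICKET-1")          # allowed: low risk, in scope
    gate.authorize(bot, "modify_iam", "role/admin")         # denied: out of scope
    gate.authorize(bot, "export_data", "customers.csv")     # denied: no approval yet
    gate.approve("alice", bot.name, "export_data", "customers.csv")
    gate.authorize(bot, "export_data", "customers.csv")     # allowed once
    gate.authorize(bot, "export_data", "customers.csv")     # denied: approval consumed
    gate.revoke(bot)
    gate.authorize(bot, "read_ticket", "TICKET-2")          # denied: revoked
    return gate


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```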

Kelley says the DBIR’s most important AI takeaway is refreshingly grounded: attackers are scaling the basics and “the fundamentals still matter most.” Defenders need to do the same: only faster, cleaner and with much better control over identity, data and third parties. 

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
