The threat landscape is undergoing rapid and unprecedented change, as reflected in the “Verizon 2026 Data Breach Investigations Report.” For the first time in the report’s 19-year history, vulnerability exploitation was the leading initial access vector, displacing credential abuse from the top spot. It was also the first year that researchers documented an AI-executed state-sponsored attack, bringing the hypothetical and experimental into reality.
But the more things change, the more they stay the same.
“The 2026 edition of the DBIR invites you to consider the importance of the fundamentals of cybersecurity as the best way to brave all of this change,” the report reads. “A little cyber-stoicism, if you will.”
Simply put, the tried-and-true best practices security teams have relied on for years, from visibility and patching to MFA and policies, are key to winning the battle against cyberattackers.
Below are six key takeaways from the 2026 DBIR for CISOs and their teams.
Vulnerability exploitation overtakes stolen credentials
Exploiting vulnerabilities became the most common method threat actors use to gain initial access to victims’ networks, accounting for 31% of attacks, up from 20% in 2024, and displacing credential abuse as the longstanding leading vector.
Organizations are clearly struggling to remediate flaws, with the DBIR reporting that only 26% of CISA’s Known Exploited Vulnerabilities (KEVs) were fully remediated in 2025, down from 38% the previous year. To make matters worse, the report noted, median remediation time increased from 32 days to 43 days, perhaps partly because the median number of KEVs was 16 in 2025, up from 11 in 2024.
Because the report’s data set spans October 2024 through November 2025, it predates the release of Mythos, suggesting future reports may see even higher levels of vulnerability exploitation.
Credential abuse dropped to 13% from 22%, partly attributed to the addition of pretexting as an initial access vector (more on that below).
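As an added example (not code from the DBIR or this article), the Python below computes the KEV metrics the report cites, the share of KEVs fully remediated, the median days to full remediation and the number of KEVs present, from a constructed set of scan findings, and also reports how old each still-open KEV is. The CVE identifiers, asset names and dates are placeholders; a KEV counts as fully remediated only once every affected asset is fixed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    first_seen: date
    fixed: Optional[date]  # None means the finding is still open


# Constructed sample data: CVE IDs below are placeholders, not real KEV entries.
KEV_CATALOG = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}
FINDINGS = [
    Finding("CVE-0000-0001", "web-01", date(2025, 3, 1), date(2025, 3, 21)),
    Finding("CVE-0000-0001", "web-02", date(2025, 3, 1), date(2025, 4, 10)),
    Finding("CVE-0000-0002", "vpn-01", date(2025, 5, 5), date(2025, 6, 20)),
    Finding("CVE-0000-0003", "db-01", date(2025, 7, 1), None),
    Finding("CVE-0000-0003", "db-02", date(2025, 7, 1), date(2025, 7, 15)),
    Finding("CVE-0000-0099", "web-01", date(2025, 2, 1), None),  # not a KEV
]
AS_OF = date(2025, 9, 1)  # reporting date for the constructed sample


def kev_metrics(findings, kev_catalog, as_of):
    """DBIR-style KEV metrics. Remediation time for a KEV runs from its
    earliest detection on any asset to the last fix on any asset."""
    by_cve = {}
    for f in findings:
        if f.cve in kev_catalog:  # ignore findings that are not in the KEV list
            by_cve.setdefault(f.cve, []).append(f)
    fully, open_age = {}, {}
    for cve, fs in by_cve.items():
        if all(f.fixed is not None for f in fs):
            fully[cve] = (max(f.fixed for f in fs) - min(f.first_seen for f in fs)).days
        else:
            open_age[cve] = (as_of - min(f.first_seen for f in fs)).days
    n = len(by_cve)
    return {
        "kev_count": n,
        "pct_fully_remediated": round(100 * len(fully) / n, 1) if n else 0.0,
        "median_days_to_full_remediation": median(fully.values()) if fully else None,
        "open_kev_age_days": open_age,
    }


def sample_metrics():
    return kev_metrics(FINDINGS, KEV_CATALOG, AS_OF)


if __name__ == "__main__":
    print(sample_metrics())
```

Feeding this the export of a real scanner plus the CISA KEV catalog lets a team compare its own numbers against the 26% and 43-day figures above.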
Bad news and good news on ransomware
Ransomware proved yet again that it is the threat that keeps on threatening. Nearly half of all incidents (48%) involved some form of ransomware, up from 44% in the previous reporting period.
On the somewhat positive side, 69% of victims did not pay the ransom, and the median ransomware payment decreased from $150,000 to $139,875.
Shadow AI becomes a major insider risk
Despite a slight year-over-year decline, use of noncorporate GenAI accounts on corporate devices remains widespread, with 67% of users still relying on them to access AI services. AI adoption among employees has accelerated: 45% are now regular users of AI tools, authorized or otherwise, compared with just 15% in 2024.
Shadow AI was named the third most common nonmalicious insider risk detected in the DBIR’s data loss prevention (DLP) data set, a 400% increase from 2024. The DBIR found that users commonly leak source code, images and other structured data to GenAI models, and that 3.2% of DLP policy violations involve employees leaking intellectual property, such as research or technical documentation, to LLMs.
Third-party attacks account for almost half of all breaches
Breaches involving third parties increased by 60%, accounting for 48% of all breaches in 2025 compared with 30% in 2024.
The DBIR breaks supply chain breaches into three categories:
- Vendor in an organization’s software supply chain. The initial access vector was under the organization’s control. This could be a vulnerability in a vendor’s product, for example, the SolarWinds breach.
- Vendor hosting an organization’s data in its environment. Initial access was against a vendor that stores the organization’s data. For example, the Snowflake attack.
- Vendor with a connection to an organization’s environment. Initial access is on the vendor, with lateral movement into the organization. For example, the Target breach.
The report noted that “at first glance, there doesn’t appear to be anything that could have been done to prevent these from the victim organization’s perspective,” but closer analysis of the root causes of many incidents involving third parties boils down to “insecure authentication — absence of MFA, improper credential rotation — or lack of least privilege enforcement for users or service accounts.”
Social engineering tactics shift slightly
While email phishing remains the social engineering vector of choice, many threat actors today target victims on their mobile devices, and are likely seeing greater success. The DBIR noted that mobile-centric voice- or text-based scams achieved a 40% higher click-through rate in phishing simulations than email-based campaigns. The report proposed that attackers are trying to bypass traditional enterprise phishing defenses by infiltrating users’ devices.
Also, pretexting was separated from credential misuse in this year’s DBIR, accounting for 6% of initial access vectors. While this is the same proportion as in the previous report, the DBIR justified its addition as an initial access vector due to its use in high-profile ransomware breaches analyzed for the report.
Phishing scams, the report explained, involve asynchronous social actions that result in a victim sharing credentials, downloading malicious files or clicking spoofed links, for example. Pretexting involves a synchronous component, such as an attacker establishing a trusted relationship with the victim before manipulating them into sharing sensitive data or transferring money.
“If there is someone on the other side of the proverbial line interacting with you to do something you shouldn’t, that is pretexting,” the report noted.
AI is changing how attackers attack
DBIR researchers collaborated with Anthropic to uncover how threat actors use AI platforms for malicious purposes. Classified against the Mitre ATT&CK framework, DBIR and Anthropic researchers found that attackers used AI across 15 ATT&CK techniques, with some using as many as 40 or 50.
For example, threat actors use GenAI to develop malware, target victims, gain initial access and perform basic tasks such as file obfuscation or forensic cleanup. The researchers found that less than 2.5% of the AI-assisted actions involved uncommon techniques. In other words, attackers generally use AI to automate and scale well-known techniques rather than to create novel or unusual attacks.
“But who knows? Given the rate of change in AI capabilities, this analysis might be obsolete by the time this report is finally published,” the report said.
The report and its findings also precede the news surrounding Mythos and Glasswing, developments that could reshape how threat actors use AI.
Sharon Shea is executive editor of TechTarget Security.