Strategies, Expert Insights from the 2026 Verizon DBIR

In the 19th edition of the Verizon Data Breach Investigations Report (DBIR), security leaders can examine data pulled from 31,000 security events — 22,000 of which were confirmed data breaches from more than 145 countries. This marks the greatest number of data breaches Verizon has examined within a single report.
According to Verizon, the overarching theme of this year’s report is “keeping a strong foundation in the face of change.”
2026 Verizon DBIR at a Glance
- Software vulnerabilities have surpassed stolen credentials (for the first time) as the predominant way attackers gain access.
- Mobile devices have become the new favorite target.
- 15 different attack techniques are being enhanced with generative AI.
Deeper Key Findings
- Nearly half of all breaches (48%) involve ransomware; however, payouts are decreasing.
- 31% of breaches begin with software vulnerabilities, making them the top way malicious actors gain access.
- A majority of breaches (62%) involved the human element, with social engineering being the third most frequent breach pattern at 16% of all breaches.
- Mobile-centric phishing sees 40% more successful “click” rates than email phishing attempts.
- 67% of users leverage non-corporate AI accounts (“Shadow AI”) on corporate devices. Shadow AI is the third most frequent non-malicious insider data loss action.
- Third-party involvement in breaches increased by 60% from the previous year and reached nearly half (48%) of all breaches.
- Global traffic from AI bot crawlers and fetchers grew 21% month-over-month, with a 4% increase for fetchers and a 32% increase for crawlers.
Security Leaders Weigh In
Matthew Hartman, Chief Strategy Officer at Merlin Group:
This year’s Verizon DBIR confirms what security teams are already experiencing: AI has compressed the time between vulnerability discovery and exploitation from months to hours. Companies can’t defend against that reality with periodic assessments and siloed tools. To keep pace, organizations need continuous visibility into vulnerabilities, vendors, and employee AI usage — and the ability to act on that intelligence before attackers can.
Jason Soroko, Senior Fellow at Sectigo:
The headline finding of the 2026 DBIR reveals a stark shift in the threat landscape where vulnerability exploitation has surged to account for nearly a third of all initial access vectors, decisively outpacing traditional credential abuse. While the industry fixates on the growing backlog of unpatched systems and a worsening median time to remediate, reading this data purely as a patching crisis represents a critical failure in strategic thinking. From the vantage point of a Certificate Authority, the true revelation is the relationship between unpatched vulnerabilities and identity security. A breached perimeter through a software exploit is often just the opening maneuver. The subsequent lateral movement and privilege escalation rely entirely on brittle authentication mechanisms. When we analyze the underlying genealogy of these attacks, it becomes evident that robust cryptographic trust and rigorous certificate lifecycle management act as the definitive fail-safe.
This dynamic changes how we must architect enterprise defenses, especially as AI-augmented weaponization accelerates the pace of exploitation beyond human response capabilities. As autonomous systems become deeply integrated into corporate networks, the traditional focus on securing human credentials is no longer sufficient. The most effective mitigation strategy requires abstracting our defenses away from the endless race to patch individual endpoints and instead establishing a hardened identity and authorization control plane. By guaranteeing that every machine, workload, and enterprise AI agent is strictly authenticated through tightly managed public key infrastructure, organizations can effectively neutralize the blast radius of an exploited vulnerability. Even if an attacker successfully breaches the outer wall, cryptographic verification ensures they cannot assume trusted roles or siphon data, ultimately transforming a potentially catastrophic breach into a localized and manageable event.
Collin Hogue-Spears, Senior Director of Solution Management at Black Duck:
Vulnerability exploitation topped the DBIR because AI-accelerated attacks outrun patching. AI did not create that gap. AI erased the head start defenders used to have. The fix is not faster patching. It is patching by reachability and containing the rest.
The losing strategy patches by volume. The winning one patches by reachability and contains the rest. Reachability analysis separates the flaws attackers can actually exploit from the ones that only look dangerous. Compensating controls buy time on everything triage has not cleared. Log4Shell proved the point: speed was never the bottleneck. Teams could not patch a library buried in thousands of dependencies, and the ones that filtered outbound traffic bought time to find it.
Strategic Takeaway: Security leaders must prioritize the CISA Known Exploited Vulnerabilities catalog before the CVSS severity queue. CVSS tells you how bad a flaw can be. KEV tells you which flaws attackers already use. Patch by severity alone, and you will spend scarce engineering time on theoretical risk while active exploitation waits in the queue. Patching is just one of two layers. Leaders must invest in two layers, not one. The first is AI-augmented reachability analysis that separates exploitable findings from theoretical ones. The second is compensating controls: egress restrictions, behavioral allowlists, and identity-bound access. Those controls slow exploitation while triage runs, because triage and containment are the two clocks defenders can still control.
Chandra Gnanasambandam, Chief Technology Officer at SailPoint:
We’re in a new normal where the time to exploitation has changed dramatically. It used to take about a year in the early 2020s. Today, it’s getting close to an hour, and the direction it’s going, it could be minutes.
Cybercrime has become industrialized. It’s no longer a cottage industry. It’s no longer a bunch of rogue actors trying to do things. Now combine that with the fact that cloud environments, particularly dev environments, were always built with a developer in mind. They were really built for developer experience. They were never built with a security posture in mind. And in a world where 95% of access is standing, this is a deadly combination. This is really what has led to the new normal, and it is against this backdrop where we are moving to one of the most fundamental transformations in the world. In the last 25 years, security and governance have always been about humans.
Today, we’re in a human plus AI world, requiring a very different security paradigm, one that’s based on adaptive identity with zero standing privilege as a minimum requirement.
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd:
The DBIR's 19-year credential streak ending is not primarily a credential story — it is an economics story.
AI is making vulnerability discovery and weaponization so fast and cheap that attackers no longer need a stolen password when a known, unpatched flaw gets them in faster. Third-party involvement now accounts for 48% of all breaches, up 60% year over year, which means the attack surface enterprises must defend extends well beyond anything they directly control or test.
AI has compressed the window between a published vulnerability and an active exploit from months to hours. Security budgets still calibrated to annual assessment cycles are now structurally mismatched with how fast the threat actually moves.
The reflex after a report like this is to procure more AI detection tooling. The data argues against it. Third-party involvement in breaches jumped 60%, which underscores that coverage problems extend well beyond your perimeter, into every vendor, supplier, and integration partner you rely on. No product closes that gap. Continuous, adversarial pressure across the full attack surface is how you find what attackers will find before they find it.
- On the credential-to-vulnerability shift: For 19 consecutive years, stolen credentials were the primary way attackers got in. That changed because AI has compressed the window between a published vulnerability and an active exploit from months to hours. Security budgets still calibrated to annual assessment cycles are now structurally mismatched with how fast the threat actually moves.
- On continuous coverage: Point-in-time testing cannot keep pace with machine-speed exploitation; response and patching velocity will need to respond accordingly. Every day a known vulnerability sits unvalidated, an attacker with AI-assisted tooling is closing the gap. The security programs that will hold are built around continuous adversarial coverage, human researcher depth, and systematic triage — not periodic snapshots.
- On third-party and supply chain: Third-party involvement in breaches jumped 60%. The coverage problem extends well beyond your perimeter, into every vendor, supplier, and integration partner you rely on. No product closes that gap. Continuous, adversarial pressure across the full attack surface is how you find what attackers will find before they find it.
- On shadow AI and the human element: Shadow AI tripling in a single year is the DBIR’s quietest signal and its most consequential one. Employees feeding unapproved tools with sensitive business data have created a data leakage category that most security programs have no coverage model for.
Morey Haber, Chief Security Advisor at BeyondTrust:
Every year, the Verizon DBIR lands like an annual cybersecurity checkup whether you wanted to see it or not. Unfortunately, the symptoms and reporting already lend credence to the diagnosis, but the numbers still manage to sting. The 2026 edition is no different and the pain is very real.
Analyzing more than 22,000 confirmed breaches across 145 countries, it is the largest and most comprehensive study the DBIR team has ever conducted in a single report. That is not a milestone we should celebrate but rather a warning that cybersecurity incidents continue to escalate and become more public.
To that end, the headline this year belongs to vulnerability exploitation, which has surpassed credential abuse as the most common initial attack vector. Exploitation now accounts for 31% of breaches, while stolen credentials have fallen to 13% (16% with Pretexting as a consideration). This inversion matters because for years, organizations have operated under the assumption that identity, specifically, compromised usernames and passwords, was the primary entry point into an organization. After all, it is easier for a threat actor to log in versus hack in, right?
That assumption has shaped how organizations have prioritized identity security controls for the last several years but there is a catch. The 2026 DBIR politely suggests we recalibrate our understanding of breaches since credential-based attack vectors still are included in 39% of all incidents but they were not the initial entry point. This implies Privileged Access Management and Identity Security (MFA, SSO, ITDR, etc.) are working effectively and organizations should still prioritize their deployments to keep credential-based attack vectors second to vulnerabilities and exploits.
The DBIR’s core message this year is not revolution but rather maturity and cybersecurity refinement. Strong fundamentals: asset and identity visibility, patching discipline, least privilege enforcement, and practiced incident response plans.
For 2027, it is not a matter of if your organization will appear in next year’s dataset but how your organization responds once an incident has occurred. Will you support the trend or be one of the few that continues to mature and thwart the next wave of attacks?
Mika Aalto, Co-Founder and CEO at Hoxhunt:
The DBIR’s message this year is refinement, not revolution. AI is accelerating threats, but the organizations that will stay resilient are still the ones executing well on fundamentals: patching, incident response, identity management, and increasingly, security culture.
Having contributed our own data set of tens of millions of human cyber behaviors with Verizon for the second year in a row, I found it interesting that Verizon explicitly included ‘a culture that supports and enables secure behavior’ alongside technical controls like patch management and response planning. That’s an important signal for the industry. Security culture is no longer a soft initiative sitting outside core security operations. It’s part of the operational foundation.
Ram Varadarajan, CEO at Acalvio:
Fundamentally, complex systems cannot be guaranteed to be safe. So the more complex our software and infrastructure become, the more threats we introduce into it. This risk will now compound as we use AI to write limitless amounts of code. Add in the vulnerabilities being exploited in code bases driven by AI, the effectiveness AI has in socially engineering humans, and also the phenomenon of emergent misalignment, and we can see that we’re living in a truly zero-trust world. You thought you were safe when you locked the door behind you in your house, but the doors and windows aren’t secure, and there are already attackers hiding in your closet and beneath your bed. And this will forever be the case.
Our only true defense is to comprehensively tripwire our cyber infrastructure with model-aware detections and traps, and to dynamically engage reasoning swarms of AI attackers with swarms of reasoning AI defenders. It’s a future that’s full-on game-theoretic, AI-driven, bot-on-bot cyber defense.
Maxime Cartier, VP of Human Risk at Hoxhunt:
We participated in this year’s DBIR research with our human behavior and risk data, and I was struck by Verizon’s finding that vulnerability exploitation has become the number one breach entry point. Historically, risky behavior and the human element have been linked to 70-90% of breaches, primarily via social engineering and phishing. But when you look closely at this year’s findings, and why patching programs fail, many of the risks and barriers are behavioral, not technical.
The people responsible for patching are employees too. Developers, admins, IT operations teams — they respond to the same drivers we think about in Human Risk Management every day: motivation, prioritization, clarity, communication, and friction. If security teams want patching outcomes to improve, they need to communicate risk in ways that help people act, not just escalate pressure.
I think this creates a major opportunity for security awareness and Human Risk Management teams to collaborate more closely with vulnerability management teams. We spend a lot of time thinking about how to influence secure behavior at scale. Those same principles apply directly to improving remediation outcomes across the organization.
Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint:
I’m not surprised that 45% of employees are using unapproved AI tools. In fact, I would have expected the number to be even higher. But the answer to shadow AI isn’t to block tools. It’s to build a comprehensive trust layer that continuously secures, governs, and audits how data is accessed and used across the enterprise. At the same time, organizations should implement guardrails that make it easier for employees to use and access approved AI solutions.
The DBIR reinforces an important point: while AI accelerates the speed and scale of risk, it doesn’t change the fundamental principles of security. Organizations realize value at the intersection of data and AI. However, that’s also where risk compounds. Ultimately, the true differentiator won’t be how quickly companies adopt AI, but whether they’ve established the trust layer and data protection guardrails needed to deploy it securely, responsibly, and with confidence.
With AI-driven bot traffic increasing 21% month-over-month, the traditional perimeter has effectively disappeared. Attackers are using AI to identify data exposure gaps faster, while employees are inadvertently leaking sensitive information into public models. AvePoint’s data supports this trend, showing that 75% of organizations have already experienced AI-related security incidents. These incidents are largely driven by oversharing.
Verizon’s findings also highlight how AI is compressing vulnerability exploitation timelines, which have shrunk from months to hours. Organizations are recognizing that they simply can’t patch fast enough to keep pace with exposure. The path forward is to build a resilient trust layer that reduces the overall attack surface and proactively mitigates the risk of automated exploitation before it ever reaches the network. This is truly what a zero-trust architecture is designed to address.







