The threat landscape is undergoing fast and unprecedented change, as reflected in the “Verizon 2026 Data Breach Investigations Report.” For the first time in the report’s 19-year history, vulnerability exploitation was the leading initial access vector, displacing credential abuse from the top spot. It was also the first year that researchers documented an AI-executed state-sponsored attack, bringing the hypothetical and experimental into reality.
But the more things change, the more they stay the same.
“The 2026 version of the DBIR invites you to think about the significance of the basics of cybersecurity as one of the best ways to brave all of this transformation,” the report reads. “A bit of cyber-stoicism, if you will.”
Simply put, the tried-and-true best practices security teams have relied on for years — from visibility and patching to MFA and policies — are key to winning the fight against cyberattackers.
Below are six key takeaways from the 2026 DBIR for CISOs and their teams.
Vulnerability exploitation overtakes stolen credentials
Exploiting vulnerabilities became the most common method threat actors use to gain initial access to victims’ networks — accounting for 31% of attacks, up from 20% in 2024 — displacing credential abuse as the longstanding leading vector.
Organizations are clearly struggling to remediate flaws, with the DBIR reporting that only 26% of CISA’s Known Exploited Vulnerabilities (KEVs) were fully remediated in 2025, down from 38% the previous year. To make matters worse, the report noted, median remediation time increased from 32 days to 43 days, perhaps partly because the median number of KEVs was 16 in 2025, up from 11 in 2024.
Because the report’s data set spans October 2024 through November 2025, it predates the release of Mythos, suggesting future reports could see even higher levels of vulnerability exploitation.
Credential abuse dropped to 13% from 22%, partially attributed to the addition of pretexting as an initial access vector (more on that below).
Vulnerability management and patching advice
Bad news and good news on ransomware
Ransomware proved yet again that it’s the threat that keeps on threatening. Nearly half of all incidents (48%) involved some form of ransomware, up from 44% in the previous reporting period.
On the somewhat positive side, 69% of victims did not pay the ransom, and the median ransomware payment decreased from $150,000 to $139,875.
Ransomware advice
Shadow AI becomes a major insider risk
Despite a slight year-over-year decline, use of noncorporate GenAI accounts on corporate devices remains widespread, with 67% of users still relying on them to access AI services. AI adoption among employees has accelerated: 45% are now regular users of AI tools, authorized or otherwise, compared with just 15% in 2024.
Shadow AI was named the third most common nonmalicious insider risk detected in the DBIR’s data loss prevention (DLP) data set, a 400% increase from 2024. The DBIR found users commonly leak source code, images and other structured data to GenAI models, and that 3.2% of DLP policy violations involve employees leaking intellectual property, such as research or technical documentation, to LLMs.
AI security advice
Third-party attacks account for almost half of all breaches
Breaches involving third parties increased by 60%, accounting for 48% of all breaches in 2025 compared to 30% in 2024.
The DBIR breaks supply chain breaches into three categories:
- Vendor in an organization’s software supply chain. The initial access vector was under the organization’s control. This could be a vulnerability in a vendor’s product, for example, the SolarWinds breach.
- Vendor hosting an organization’s data in its environment. Initial access was against a vendor that stores the organization’s data. For example, the Snowflake attack.
- Vendor with a connection to an organization’s environment. Initial access is on the vendor, with lateral movement into the organization. For example, the Target breach.
The report noted that “at first glance, there does not seem to be anything that could have been done to prevent these from the victim organization’s perspective,” but closer analysis of the root causes of many incidents involving third parties boils down to “insecure authentication — absence of MFA, improper credential rotation — or lack of least privilege enforcement for users or service accounts.”
Third-party and supply chain security advice
Social engineering tactics shift slightly
While email phishing remains the social engineering vector of choice, many threat actors now target victims on their mobile devices — and are likely seeing greater success. The DBIR noted that mobile-centric voice- or text-based scams achieved a 40% higher click-through rate in phishing simulations than email-based campaigns. The report proposed that attackers try to bypass traditional enterprise phishing defenses by infiltrating users’ devices.
Also, pretexting was separated from credential misuse in this year’s DBIR, accounting for 6% of initial access vectors. While that is the same percentage as in the previous report, the DBIR justified its addition as an initial access vector because of its use in high-profile ransomware breaches analyzed for the report.
Phishing scams, the report explained, involve asynchronous social actions that result in a victim sharing credentials, downloading malicious files or clicking spoofed links, for example. Pretexting involves a synchronous component — such as an attacker establishing a trusted relationship with the victim before manipulating them into sharing sensitive data or transferring money.
“If there is someone on the other side of the proverbial line interacting with you to do something you should not, that is pretexting,” the report noted.
Social engineering and phishing advice
AI is changing how attackers attack
DBIR researchers collaborated with Anthropic to uncover how threat actors use AI platforms for malicious purposes. Classifying activity against the Mitre ATT&CK framework, DBIR and Anthropic researchers found that attackers used AI across 15 ATT&CK techniques, with some using as many as 40 or 50.
For example, threat actors use GenAI to develop malware, target victims, gain initial access and perform basic tasks such as file obfuscation or forensic cleanup. The researchers found that less than 2.5% of the AI-assisted activities involved uncommon techniques. In other words, attackers generally use AI to automate and scale well-known techniques rather than create novel or unusual attacks.
“But who knows? Given the rate of change in AI capabilities, this analysis might be obsolete by the time this report is finally published,” the report said.
The report and its findings also precede the news surrounding Mythos and Glasswing, developments that could reshape how threat actors use AI.
AI security advice
Sharon Shea is executive editor of TechTarget Security.







