The 2026 Verizon Data Breach Investigations Report dropped today, and at 121 pages and a dataset of more than 31,000 incidents and 22,000 confirmed breaches across 145 countries, it’s the largest edition Verizon has ever published. The headline themes from the authors are vulnerability exploitation, ransomware, third-party risk, and generative AI. None of those are new categories, which is the point.
This piece walks through the findings in plain terms, because the DBIR has historically been one of the few reports the industry can actually agree on, and the data this year deserves to be read carefully rather than reflexively.
The single most important point: AI is not the threat actor in this report. AI is the catalyst. The same groups that have been running ransomware, vulnerability exploitation, and social engineering campaigns for years are now running them faster, in more languages, and with fewer skill barriers. The targets, techniques, and outcomes still look familiar.
Vulnerability exploitation has taken the lead
For the first time, exploitation of vulnerabilities is the most common initial access vector in the dataset, sitting at 31%. That’s up from 20% in the 2025 report, a 55% jump in a single year. Credential abuse, which used to lead this category, is down to 13%.
This matters for two reasons. The obvious one is that attackers are increasingly finding it easier (or more rewarding) to break in through unpatched software than through compromised credentials. The less obvious one is what the patching data shows next to it.
Only 26% of vulnerabilities in the CISA KEV catalog were fully remediated by organizations in 2025, down from 38% the year before. The median time to full resolution went up to 43 days from 32. And in the median case, organizations had 50% more critical vulnerabilities to patch than they did the previous year.
The DBIR authors also looked at re-exploitation probability over time using CISA KEV data. The likelihood of seeing a vulnerability re-exploited drops by roughly half at 30 days, again at 90 days, and again around nine months. After a year, the probability is about the same as a vulnerability that was never exploited at all. That has practical implications for how you prioritize patching, which I’ll come back to.
Ransomware: still growing, still less profitable per victim
Ransomware was involved in 48% of all breaches this year, up from 44%. So the prevalence is still climbing. But the economics are getting worse for the attackers.
Sixty-nine percent of ransomware victims didn’t pay. The median ransom paid dropped to $139,875 from $150,000 the previous year. That continues a multi-year downward trend that the DBIR has been tracking.
So the picture is this: more breaches involve ransomware, but more victims are refusing to pay and the ones who do pay are paying less. The DBIR notes that this is consistent with adaptations and increased resilience on the victim side, including better backup hygiene, more mature incident response programs, and more organizations declining payment for legal and operational reasons.
Third-party involvement is the trend line to watch
Third-party involvement in breaches reached 48% this year, up from 30% in the 2025 report. That’s a 60% increase year over year, after the metric already doubled the year before. The DBIR’s own language calls this “quite a trajectory,” which is restrained for a phenomenon that’s now affecting roughly half of all breaches in the dataset.
The Verizon team breaks third-party breaches into three archetypes, and the distinction between them matters operationally:
- Archetype 1: Vendor in your software supply chain. The attacker compromises a product or component you use. Initial access happens through that product. Most of the single-exploit vulnerability stories sit here.
- Archetype 2: Vendor hosting your data. The attacker hits the vendor directly or steals your credentials to the vendor’s environment. Your data is exfiltrated from the vendor’s systems. Last year’s Snowflake campaign was an example.
- Archetype 3: Vendor connected to your environment. The attacker compromises the vendor and uses that foothold to move laterally into your network. The Target breach from over a decade ago is still the textbook case.
The Salesloft Drift campaign that ran through 2025 hit two of these at once. Attackers compromised customer OAuth tokens from the Salesloft Drift application (archetype 3) and then used those tokens against the Salesforce platform to steal customer data (archetype 2). The report calls this combination “Two’s company, three’s a breach.”
For anyone running a third-party risk program, this is the practical case for why vendor responsibility matrices need to be actual living documents rather than annual paperwork. The matrix needs to map cleanly to the archetype the relationship represents, because the controls that matter are different in each case.
The cloud exposure data inside third-party environments tells the same story from a different angle. Only 23% of third-party organizations fully remediated missing or improperly secured MFA on their cloud accounts. For weak passwords and permission misconfigurations, the time to resolve 50% of findings was almost eight months. These are basic controls, and they’re sitting open in the environments your data lives in.
The AI section deserves a careful read
This is the part of the report where the framing matters most, because the headlines this week are going to oversimplify it.
Verizon collaborated with Anthropic on a section that analyzes 793 unique threat actors who used the Claude AI platform between March 2025 and February 2026, all of whom received enforcement action for violating the acceptable use policy. The data was mapped to the MITRE ATT&CK framework, which gives us a rare look at how threat actors are actually using generative AI in practice.
In the median case, a malicious actor sought AI assistance for about 15 distinct ATT&CK techniques. In the extreme cases, actors queried for 40 or 50 techniques, treating the platform like a co-developer across the full attack chain. Less than 1% of those 793 actors were rated High or Critical risk. Ninety-nine percent fell into Medium and Low risk categories.
When the DBIR team measured the “rarity” of the techniques being requested (using MITRE’s catalog of known malicious software as a baseline), the result was telling. The median technique observed had 55 existing known malware examples that already performed the same function. Less than 2.5% of the AI-assisted observations involved techniques with one or fewer known existing examples.
The DBIR’s own conclusion, in their words:
“AI’s primary impact is currently operational: automating and scaling techniques defenders already know how to detect, not yet unlocking these novel or rare attack surfaces, which means defensive postures don’t need to be reinvented today, but they do need to keep pace with faster, more adaptive execution.”
Put differently, attackers are using AI to do the same things faster, not different things. Process injection. File obfuscation. Forensic cleanup. Phishing email generation in target languages. These are well-trodden paths with mature detections.
The framing affects how organizations communicate about AI threats internally. If your executive briefing positions AI as a new kind of adversary, the DBIR data doesn’t support that. What it does support is telling them that the same adversaries are now operating faster, with more reach, and against more targets simultaneously. That’s still a significant problem, but it calls for different investments than fighting a hypothetical novel AI attacker.
Social engineering is going mobile
The human element was present in 62% of breaches, statistically flat from 60% the previous year. Social engineering as a pattern represents 16% of all breaches, also roughly flat. Phishing as an initial access vector held at 16%.
What changed is the channel. In phishing simulations, the median click rate in mobile-centric vectors (voice and text messaging) is 40% higher than via email. Pretexting, where an attacker builds a trusted relationship through a concocted scenario, reached 6% of breaches as an initial access vector.
The combination of voice-based pretexting plus mobile-channel phishing is the operational pattern showing up in real incident response work. The Scattered Spider and ShinyHunters style attacks against help desks, where a caller convinces a service desk agent to reset MFA on a target account, fit this pattern exactly. Most awareness training programs are still oriented around email phishing, which is the channel where success rates are now lowest.
Shadow AI is a data loss problem, not a malware problem
The DBIR has a section on what they call “Shadow AI,” which is unauthorized GenAI use on corporate devices. The numbers:
- 45% of employees are now regular users of AI on corporate devices, up from 15% the previous year
- 67% of those users are using non-corporate accounts on corporate devices to access AI services
- Shadow AI is now the third most common non-malicious insider action detected in the data loss prevention (DLP) datasets, a fourfold increase
- The most common data submitted to external AI models is source code by a large margin, followed by images and structured data
- In 3.2% of DLP violations, research and technical documentation was being uploaded to unauthorized AI systems
This is a data governance problem, not a malware problem, and it should be treated as such. The risk profile here is intellectual property exposure and inadvertent training data contribution, not malicious data exfiltration. The control set looks more like DLP, browser extension management, and a clear sanctioned-AI policy than it does like EDR or network detection.
There’s also a browser extension angle. The average company in the dataset had more than 15% of users with unauthorized AI extensions installed on their browsers. Browser plugins that retain context about what users are browsing are quietly collecting non-public internal content as employees move through internal sites. Most security programs haven’t built a control for that yet.
A look back at the year in incidents
Verizon’s wrap-up section walks through the year month by month, and a few items stand out for anyone who wasn’t tracking everything in real time:
- The Salesloft Drift OAuth token compromise hit Google, Zscaler, Cisco, and others.
- The Shai-Hulud npm worm compromised 500+ packages in September.
- The Jaguar Land Rover ransomware attack caused £1.9 billion in damages and halted production for five weeks.
- The Aisuru botnet launched a record 29.7 Tbps DDoS attack in October, nearly doubling previous peaks.
- Federal authorities seized approximately $15 billion in Bitcoin from the Cambodian Prince Group in October.
- 29% of CISA KEV vulnerabilities in 2025 were attacked before public disclosure.
The DBIR closes its timeline with the December discovery of VoidLink, a malware framework written in six days by an AI agent, which the authors describe as marking “a point of no return for automated threat development.” That line will likely generate the bulk of the coverage this week, though the broader data in the report is more useful for shaping internal conversations.
Practitioner takeaways
For practitioners, the report’s findings cluster around a few clear priorities. None of them are new, but the data this year reinforces why they matter.
Patch what’s being exploited, not just what’s critical by CVSS. With only 26% of KEV vulnerabilities fully remediated and median time-to-patch climbing, the gap between what attackers are using and what defenders are fixing is widening. The DBIR’s re-exploitation analysis suggests that recent exploitation history is a better signal than age-on-KEV alone.
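As an added illustration of that prioritization rule (my own example, not Verizon’s code or a model from the report), here is a small scorer that ranks a constructed KEV-style queue by the re-exploitation decay the DBIR describes (halving at about 30 days, 90 days and nine months, back to the never-exploited baseline after a year) and only then by CVSS. The halving cut-offs are the page’s; the 1.0/0.5/0.25/0.125 band weights, the baseline floor and the sample identifiers are assumptions.

```python
# Added example, not from the DBIR: rank findings by exploitation recency
# (the report's decay curve), using CVSS only to break ties within a band.
from dataclasses import dataclass
from typing import Optional

# Assumed relative weight for "no known exploitation" (and for anything
# last exploited a year or more ago, which the report treats the same way).
NEVER_EXPLOITED_BASELINE = 0.05


@dataclass
class Finding:
    cve_id: str                          # sample values below are placeholders
    cvss: float                          # base score, 0-10
    last_exploited_days_ago: Optional[int]  # None = never seen exploited


def reexploit_weight(days_ago: Optional[int]) -> float:
    """Step the weight down at the decay points the DBIR describes:
    ~30 days, ~90 days, ~9 months (270 days), and baseline after a year."""
    if days_ago is None or days_ago >= 365:
        return NEVER_EXPLOITED_BASELINE
    if days_ago < 30:
        return 1.0
    if days_ago < 90:
        return 0.5
    if days_ago < 270:
        return 0.25
    return 0.125


def priority(f: Finding):
    # Tuple key: recency band dominates, CVSS only orders within a band.
    return (reexploit_weight(f.last_exploited_days_ago), f.cvss)


def rank(findings):
    """Return findings ordered from most to least urgent to patch."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample queue; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("example-cve-1", 9.8, 400),   # critical, exploited over a year ago
    Finding("example-cve-2", 6.5, 5),     # medium, exploited last week
    Finding("example-cve-3", 9.1, None),  # critical, never seen exploited
    Finding("example-cve-4", 7.2, 45),    # high, exploited ~6 weeks ago
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        w = reexploit_weight(f.last_exploited_days_ago)
        print(f"{f.cve_id}  weight={w:.3f}  cvss={f.cvss}")
```

Run as written, the medium-severity finding exploited last week lands at the top and the two criticals with no recent exploitation history fall to the bottom, which is the ordering the takeaway argues for.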
Treat third-party relationships as having a security archetype. A vendor in your supply chain, a vendor hosting your data, and a vendor with a network connection to your environment are not the same risk and don’t deserve the same controls. The same questionnaire and the same matrix won’t catch the same problems across all three.
Move social engineering training to where the attacks are. Voice and SMS attacks are succeeding at a 40% higher rate than email in the dataset. Help desk procedures, MFA reset workflows, and out-of-band verification for sensitive actions are where the practical control investment goes.
Build a Shadow AI policy that assumes the use is happening. Forty-five percent of employees are regular AI users on corporate devices. Two-thirds are using personal accounts. A sanctioned AI offering with the same convenience characteristics, combined with DLP coverage that includes AI endpoints, addresses both the data loss risk and the policy violation risk.
Stop treating AI as a separate threat category in your risk register. The DBIR’s own data shows that AI is amplifying existing techniques, not creating new ones. Map AI-enabled attacks back to the underlying ATT&CK techniques in your threat model and address them there.
Closing thoughts
The DBIR’s opening line this year is that change is the only constant, but the fundamentals still matter most. The data backs that up. Vulnerability exploitation, ransomware, third-party compromise, and social engineering are still the dominant categories. AI hasn’t changed that. AI has made them faster.
If your security program has been chasing every AI headline for the past 18 months, this report is a useful reset. The work that was important before is still the work that’s important now. It just needs to be done at a higher cadence, against a broader surface, and with the assumption that attackers are operating with tooling that compresses their timelines.
If you have the time, read the report end to end. The Anthropic-collaboration section starting around page 25 is the part the rest of the industry will argue about for the next month, and the actual data tells a more measured story than most of the summaries will.
