The 2026 Verizon Data Breach Investigations Report (DBIR) paints a clearer picture of today’s cybersecurity landscape: attackers are moving faster, artificial intelligence is accelerating cybercrime, and organizations continue to struggle with foundational security practices.
Key takeaways from the 2026 Verizon DBIR
According to the report:
- Vulnerability exploitation (31%) overtook credential abuse (13%) as the top initial access vector in the 2026 Verizon DBIR.
- AI-driven cyberattacks are accelerating, with threat actors using GenAI for phishing, reconnaissance, and malware development.
- Human involvement contributed to 62% of breaches, underscoring the importance of security awareness and human-centered security strategies.
- Third-party breaches surged to 48% of incidents, highlighting growing risks in the software supply chain and among vendors.
- Ransomware remained one of the most dominant threats, impacting 96% of small and midsize businesses (SMBs).
Based on an analysis of more than 31,000 security incidents and over 22,000 confirmed data breaches across 145 countries, the report highlights that vulnerability exploitation, third-party risk, ransomware, and human error remain the dominant drivers of compromise.
“With vulnerability exploitation now the leading initial access vector and RMM abuse up 240% year-over-year, attackers have perfected operating within the tools and infrastructure organizations already trust,” said Will Baxter, Head of Product at Team Cymru, in an email to eSecurityPlanet.
John Watters, chairman and CEO at iCOUNTER, added, “The DBIR’s finding that third-party involvement reached 48% of breaches this year, following a 60% year-over-year increase, should fundamentally change how organizations think about cyber risk and systemic exposure.”
Vulnerability exploitation overtakes credential abuse
One of the most important findings in this year’s DBIR is that the exploitation of vulnerabilities has officially overtaken credential abuse as the leading initial access vector.
According to Verizon, exploitation of vulnerabilities now accounts for 31% of initial access methods, while credential abuse has dropped to 13%. This shift reflects the growing number of exposed internet-facing systems and the increasing use of AI by threat actors to accelerate attacks.
The report also highlights a widening remediation gap. Only 26% of critical vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog were fully remediated in 2025, and the median remediation time increased from 32 days to 43 days.
Threat actors are exploiting vulnerabilities faster than organizations can remediate them, creating a growing imbalance between attackers and defenders.
AI is accelerating cybercrime
Artificial intelligence is another major theme throughout the report.
Verizon notes that cybercriminals are using generative AI (GenAI) to automate reconnaissance, generate phishing content, conduct vulnerability research, and even assist in malware development. The report warns of the rise of autonomous adversaries, where AI-driven attacks become faster, more scalable, and more adaptive.
The rise of shadow AI and insider risk
AI is not only creating external threats but also introducing new insider risks.
The DBIR also examined the rise of shadow AI, which refers to employees using unauthorized AI tools and non-approved accounts on corporate systems.
Verizon found that 67% of users accessed AI services through non-corporate accounts on company devices, while 45% of employees are now regular users of AI tools (approved or not) on corporate systems, up from just 15% the previous year.
Employees were found uploading source code, technical documents, and other sensitive data into external AI platforms, increasing the risk of data leakage and intellectual property exposure.
Human error remains a major security challenge
Despite the growing role of AI in cyberattacks, Verizon found that human involvement still contributed to 62% of breaches in 2025.
Social engineering attacks continue evolving toward voice phishing, mobile-centric attacks, and real-time impersonation tactics that leverage AI. The report bluntly reminds readers that people are not computers and stresses the importance of designing security programs around real human behavior rather than unrealistic expectations.
Third-party risk continues to grow
Third-party risk also emerged as one of the fastest-growing concerns in the report.
Verizon found that 48% of breaches involved a third party, up from 30% the previous year. Organizations increasingly rely on interconnected vendors, cloud providers, SaaS platforms, and APIs, so a single compromise can affect multiple organizations simultaneously.
Several major breaches analyzed in the report involved attackers compromising multiple third-party providers during the same campaign.
Ransomware still dominates the threat landscape
Ransomware continues to dominate the threat landscape.
According to the DBIR, ransomware was present in 48% of all breaches analyzed in 2025. Small and midsize businesses (SMBs) remain especially vulnerable, accounting for approximately 96% of ransomware victims for which organization size was known.
Verizon notes that many ransomware campaigns are opportunistic, targeting organizations with stolen credentials, unpatched vulnerabilities, or limited security resources.
DDoS attacks are increasing in scale
The report also highlights the rapid growth of distributed denial-of-service (DDoS) attacks. Verizon observed that the largest DDoS attacks increased by 198% in bits per second and 156% in packets per second.
Finance, professional services, and manufacturing sectors remained the most heavily targeted industries.
Cybersecurity fundamentals still matter most
Perhaps the most important takeaway from the DBIR is that cybersecurity fundamentals still matter. Attackers are increasingly leveraging AI and automation to scale cyberattacks faster than ever.
Despite these evolving threats, Verizon’s report emphasizes the continued importance of asset visibility, multifactor authentication (MFA), patch management, security awareness training, third-party risk management, and incident response readiness.
Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.