
Verizon’s 2026 DBIR and the Gap Between Risk and Response

Verizon’s 2026 Data Breach Investigations Report (DBIR) arrives alongside industry discussion about Anthropic’s Mythos and the broader implications of AI-accelerated vulnerability discovery. Much of that conversation has focused on whether frontier AI models will dramatically expand offensive cyber capabilities. The bigger threat, however, is the burden this will place on IT and security teams that are already struggling to keep pace with the volume of risk they can see today.

This concept is reinforced by DBIR data.

Vulnerability exploitation became the leading initial access vector in this year’s report, appearing in 31% of breaches analyzed. Organizations faced 50% more critical vulnerabilities requiring remediation as compared to the previous reporting period, and median remediation timelines increased from 32 days to 43 days.

These numbers reinforce the criticality of patching discipline and exposure management, but they do not tell the whole story. The broader report reflects escalating enterprise risk resulting from an intersection of vulnerabilities, identities, cloud services, third-party ecosystems, and human behavior.

Credential abuse still appeared in 39% of breaches. Third-party involvement reached 48%. Human involvement remained present in 62% of breaches. Shadow AI activity increased fourfold in Verizon’s DLP datasets. Ransomware continued growing even as more organizations declined to pay.

Taken together, the findings point to attackers scaling exploitation, credential abuse, social engineering, and automation faster than enterprise security teams can remediate, govern, and coordinate response.

Vulnerability exploitation is scaling efficiently

Without a doubt, the headline shift in this year’s report is that exploitation of vulnerabilities overtook credential abuse as the leading initial access vector. What’s more, only 26% of critical vulnerabilities in the CISA Known Exploited Vulnerabilities catalog were fully remediated by organizations, down from 38% the previous year. Median remediation timelines increased to 43 days, and organizations faced 50% more critical vulnerabilities requiring remediation compared to the prior reporting period.

The report highlights how efficiently internet-facing vulnerabilities can now be operationalized at scale. Discovery, scanning, targeting, and exploitation can all be automated broadly across exposed infrastructure. Those footholds also increasingly become entry points into broader attack chains involving credential abuse, privilege escalation, cloud access, and trusted collaboration platforms.

That scalability changes attacker economics at a time when organizations are already struggling with prioritizing and accelerating remediation, limited headcount, and governance coordination at current exposure levels. Verizon’s analysis showed a growing backlog, with vulnerable asset instances increasing dramatically from 2022 to 2025 and nearly half of known exploited vulnerabilities demonstrating persistent exploitation activity throughout the year.

The AI-related findings in the DBIR reinforce an adversarial focus on speed, automation, reconnaissance, phishing generation, and exploit operationalization. Verizon observed threat actors using AI assistance across targeting, initial access, malware development, and tooling workflows, but most observed AI-assisted malware development activity aligned with well-known attack techniques that already had extensive malware examples publicly available. Fewer than 2.5% of observations involved less-common techniques with limited prior malware examples. Phishing-related activity represented 44% of observed AI-assisted initial access techniques.

Glasswing signals a broader resilience push

Verizon’s participation in Anthropic’s Glasswing initiative is notable in the context of this year’s DBIR findings because it reflects a broader industry recognition that cybersecurity challenges are extending beyond individual tools or isolated attack techniques.

Glasswing focuses on developing best practices, improving information sharing, and strengthening safeguards around frontier AI systems and critical infrastructure protection. The initiative brings together AI companies, security vendors, and infrastructure stakeholders around the operational realities of emerging AI-related cyber risk. From this standpoint, Glasswing reflects that improving resilience around critical infrastructure and AI-related cyber risk will require stronger execution of core security fundamentals at scale, better operational coordination, shared defensive practices, and broader ecosystem collaboration across both public and private sectors.

Identity remains central to security and resilience

Vulnerability exploitation may be top of mind as a scalable attack path across internet-facing infrastructure, but identity-related risk remains critical to address.

Credential abuse appeared in 39% of breaches analyzed in this year’s report. Verizon also highlighted continued weaknesses around cloud authentication and third-party exposure. Nearly half of all breaches involved third parties, while only 23% of organizations fully remediated improperly secured or missing MFA protections on cloud accounts. Weak password and privilege exposure remediation timelines often stretched toward eight months.

At the same time, social engineering is evolving beyond traditional email-centric security models. Verizon found that mobile-centric phishing simulations involving voice and text messaging produced success rates 40% higher than email-based phishing campaigns. Notably, Verizon added pretexting attacks involving impersonation and social manipulation as a prominent initial access vector.

These attacks involve Teams impersonation, SMS engagement, voice calls, email bombing, and remote support abuse. They exploit workflow trust, communication fatigue, and operational disruption rather than relying solely on traditional phishing patterns. That creates a growing mismatch between attacker behavior and many enterprise awareness models, which remain heavily centered on email-centric phishing detection.

The takeaway is that the operational separation between “identity attacks” and “vulnerability attacks” is breaking down in practice. Modern attack chains combine exploitation, credential abuse, token theft, privilege escalation, SaaS access, cloud misconfiguration, and collaboration platform impersonation.

Many organizations still manage identity, cloud security, vulnerability management, SaaS governance, and security operations through separate teams and tooling stacks, while adversaries move fluidly across infrastructure, identities, cloud services, collaboration platforms, and third-party ecosystems simultaneously.

That leaves security teams coordinating across remediation backlog growth, prolonged cloud authentication exposure, third-party dependency expansion, persistent exploitation activity, unmanaged AI usage, and fragmented governance responsibilities all at the same time. Because these control failures are no longer isolated, that fragmentation ultimately creates more risk than any individual attack trend highlighted in the report.

Shadow AI adoption is outpacing governance

Shadow AI reflects another dimension of this broader coordination problem. Employees are increasingly integrating AI tools into day-to-day workflows faster than organizations can establish governance, visibility, and approved usage models. The resulting exposure is driven by unmanaged workflow behavior occurring outside traditional security controls.

Verizon found that 67% of users accessing AI services on corporate devices did so using non-corporate accounts. At the same time, 45% of employees were identified as regular AI users on corporate devices, whether authorized or not.

Shadow AI activity became the third most common non-malicious insider action detected in Verizon’s DLP dataset, increasing fourfold year over year. Source code represented 28% of uploaded data types, followed by images, structured data, and documents. Verizon also observed research and technical documentation being uploaded to unauthorized AI systems in portions of the dataset.

Not every unauthorized AI interaction represents sensitive data exposure. The risk is that organizations increasingly expect AI-assisted productivity inside day-to-day workflows while most still lack mature governance structures, approved tooling pathways, browser visibility, or policy enforcement mechanisms aligned to that reality.

Ransomware economics are shifting

The DBIR findings reflect that security outcomes are shaped as much by operational resilience as by prevention alone. That becomes particularly visible in the report’s ransomware findings.

Ransomware remained one of the most common breach patterns in this year’s DBIR, appearing in 48% of breaches analyzed, up from 44% the prior year. At the same time, Verizon observed continued declines in ransom payment behavior. Sixty-nine percent of ransomware victims in the dataset declined payment, while the median ransom payment fell from $150,000 to $139,875.

While the data does not definitively explain payment decisions, the findings reinforce that operational resilience and recovery readiness are as important as prevention itself.

Resilience requires coordination

This year’s DBIR shows that the most pressing enterprise security challenges do not fit neatly into isolated control categories. Vulnerability management, identity security, SaaS governance, cloud posture, third-party risk, AI governance, and security operations intersect during real attacks and real recovery scenarios.

For practitioners, the challenge is reducing the lag between identifying risk and coordinating response across teams that historically have operated separately.

That requires security leaders to improve how remediation, identity governance, cloud operations, resilience planning, and incident response function together operationally. The most successful organizations will be the ones that can translate visibility into coordinated action and recovery more consistently at enterprise scale.
