A new Verizon report reveals that attackers are making the most of a security loophole

The 2026 Verizon Data Breach Investigations Report (DBIR) paints a clearer picture of today’s cybersecurity landscape: attackers are moving faster, artificial intelligence is accelerating cybercrime, and organizations continue to struggle with basic security practices.

Key Takeaways from the 2026 Verizon DBIR Report

According to the report:

  • Vulnerability exploitation (31%) overtook credential abuse (13%) as the top initial access vector in Verizon DBIR 2026.
  • AI-driven cyberattacks are accelerating, and threat actors are using GenAI for phishing, research and malware development.
  • Human involvement contributed to 62% of breaches, underscoring the importance of security awareness and human-centric security strategies.
  • Third-party breaches rose to 48% of incidents, highlighting growing risks in the software supply chain and across vendors.
  • Ransomware remained one of the most dominant threats, affecting 96% of small and medium-sized businesses (SMBs).

Based on an analysis of more than 31,000 security incidents and more than 22,000 confirmed data breaches in 145 countries, the report highlights that vulnerability exploitation, third-party risk, ransomware and human error remain the dominant drivers of compromise.

“With vulnerability exploitation now the primary vector of initial access, and RMM abuse up 240% year-on-year, attackers have honed in on the tools and infrastructure organizations already trust,” Will Baxter, Team Cymru’s product lead, told eSecurityPlanet in an email.

John Watters, Chairman and CEO of iCOUNTER, added: “DBIR’s finding that third-party involvement reached 48% of breaches this year, after a 60% year-over-year increase, should fundamentally change the way organizations think about cyber risk and systemic exposure.”

Vulnerability abuse trumps credential abuse

One of the most important findings in this year’s DBIR is that vulnerability exploitation has officially overtaken credential abuse as the number one initial access vector.

According to Verizon, vulnerability abuse now accounts for 31% of initial access methods, while credential abuse has dropped to 13%. This shift reflects the growing number of exposed systems with Internet access and the growing use of artificial intelligence by threat actors to accelerate attacks.

The report also highlights a widening remediation gap. Only 26% of critical vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog were fully patched by 2025, and the median patch time increased from 32 days to 43 days.

Threat actors are exploiting vulnerabilities faster than organizations can patch them, creating a growing imbalance between attackers and defenders.

Artificial intelligence accelerates cybercrime

Artificial intelligence is another major theme throughout the report.

Verizon notes that cybercriminals are using generative artificial intelligence (GenAI) to automate detection, generate phishing content, conduct vulnerability research and even help develop malware. The report warns of the rise of autonomous adversaries, where AI-driven attacks are faster, more scalable and adaptive.

The Rise of Shadow AI and Insider Risk

Artificial intelligence not only creates external threats, but also introduces new internal risks.

The DBIR also investigated the rise of shadow AI, which involves employees using unauthorized AI tools and unapproved accounts on corporate systems.

Verizon found that 67% of users accessed AI services through non-corporate accounts on corporate devices, while 45% of employees are now regular users of AI (approved or unapproved) on corporate systems, up from just 15% the previous year.

Employees were found to be uploading source code, technical documents and other sensitive data to external AI platforms, increasing the risk of data leakage and intellectual property exposure.

Human error remains a major security concern

Despite the growing role of artificial intelligence in cyberattacks, Verizon found that human involvement still contributed to 62% of breaches in 2025.

Social engineering attacks continue to evolve towards voice phishing, mobile attacks and real-time impersonation tactics that use artificial intelligence. The report bluntly reminds readers that humans are not computers and emphasizes the importance of designing security programs based on actual human behavior, not unrealistic expectations.

Third-party risk continues to grow

Third-party risk also emerged as one of the fastest growing issues in the report.

Verizon found that 48% of breaches involved a third party, up from 30% the previous year. Organizations increasingly rely on interconnected vendors, cloud providers, SaaS platforms, and APIs where a single compromise can affect multiple organizations simultaneously.

Several of the top breaches analyzed in the report involved attackers compromising multiple third-party providers during the same campaign.

Ransomware still dominates the threat landscape

Ransomware continues to dominate the threat landscape.

According to DBIR, ransomware was present in 48% of all breaches analyzed in 2025. Small and medium-sized businesses (SMBs) remain particularly vulnerable, accounting for approximately 96% of ransomware victims for which the size of the organization was known.

Verizon notes that many ransomware campaigns are opportunistic and target organizations with stolen credentials, unpatched vulnerabilities or limited security resources.

DDoS attacks are on the rise

The report also highlights the rapid increase in distributed denial-of-service (DDoS) attacks. Verizon found that the largest DDoS attacks increased by 198% in bits per second and 156% in packets per second.

Finance, professional services and manufacturing remained the most targeted sectors.

The fundamentals of cyber security are still the most important

Perhaps the most important takeaway from DBIR is that cybersecurity fundamentals still matter. Attackers are increasingly using AI and automation to scale cyberattacks faster than ever before.

Despite these evolving threats, Verizon’s report highlights the continued importance of asset visibility, multi-factor authentication (MFA), patch management, security training, third-party risk and incident response preparedness.

Editor’s Note: This article originally appeared in our sister publication eSecurityPlanet.
