Verizon 2026 DBIR: 6 key takeaways for CISOs
2026-05-23 · via Search Security Resources and Information from TechTarget

The threat landscape is undergoing rapid and unprecedented change, as reflected in the "Verizon 2026 Data Breach Investigations Report." For the first time in the report's 19-year history, vulnerability exploitation was the leading initial access vector, displacing credential abuse from the top spot. It was also the first year that researchers documented an AI-executed state-sponsored attack, bringing the hypothetical and experimental into reality.

But the more things change, the more they stay the same.

"The 2026 edition of the DBIR invites you to consider the importance of the fundamentals of cybersecurity as the best way to brave all of this change," the report reads. "A little cyber-stoicism, if you will."

Simply put, the tried-and-true best practices security teams have relied on for years -- from visibility and patching to MFA and policies -- are key to winning the fight against cyberattackers.

Below are six key takeaways from the 2026 DBIR for CISOs and their teams.

Vulnerability exploitation overtakes stolen credentials

Exploiting vulnerabilities became the most common method threat actors use to gain initial access to victims' networks -- accounting for 31% of attacks, up from 20% in 2024 -- displacing credential abuse as the longstanding leading vector.

Organizations are clearly struggling to remediate flaws, with the DBIR reporting that only 26% of CISA's Known Exploited Vulnerabilities (KEVs) were fully remediated in 2025, down from 38% the previous year. To make matters worse, the report noted, median remediation time increased from 32 days to 43 days, perhaps in part because the median number of KEVs was 16 in 2025, up from 11 in 2024.

Because the report's data set spans October 2024 through November 2025, it predates the release of Mythos, suggesting future reports could see even higher levels of vulnerability exploitation.

Credential abuse dropped to 13% from 22%, partially attributed to the addition of pretexting as an initial access vector (more on that below).

Bad news and good news on ransomware

Ransomware proved yet again that it's the threat that keeps on threatening. Nearly half of all incidents (48%) involved some form of ransomware, up from 44% in the previous reporting period.

On the somewhat positive side, 69% of victims did not pay the ransom, and the median ransomware payment decreased from $150,000 to $139,875.

Shadow AI becomes a major insider risk

Despite a slight year-over-year decline, use of noncorporate GenAI accounts on corporate devices remains widespread, with 67% of users still relying on them to access AI services. AI adoption among employees has accelerated: 45% are now regular users of AI tools, authorized or otherwise, compared with just 15% in 2024.

Shadow AI was named the third most common nonmalicious insider risk detected in the DBIR's data loss prevention (DLP) data set, a 400% increase from 2024. The DBIR found users commonly leak source code, images and other structured data to GenAI models, and that 3.2% of DLP policy violations involve employees leaking intellectual property, such as research or technical documentation, to LLMs.

Third-party attacks account for almost half of all breaches

Breaches involving third parties increased by 60%, accounting for 48% of all breaches in 2025 compared to 30% in 2024.

The DBIR breaks supply chain breaches into three categories:

  • Vendor in an organization's software supply chain. The initial access vector was under the organization's control. This could be a vulnerability in a vendor's product, for example, the SolarWinds breach.
  • Vendor hosting an organization's data in its environment. Initial access was against a vendor that stores the organization's data. For example, the Snowflake attack.
  • Vendor with a connection to an organization's environment. Initial access is on the vendor, with lateral movement into the organization. For example, the Target breach.

The report noted that "at first glance, there doesn't appear to be anything that could have been done to prevent these from the victim organization's perspective," but on closer analysis, the root causes of many incidents involving third parties boil down to "insecure authentication -- absence of MFA, improper credential rotation -- or lack of least privilege enforcement for users or service accounts."

Social engineering tactics shift slightly

While email phishing remains the social engineering vector of choice, many threat actors today target victims on their mobile devices -- and are possibly seeing greater success. The DBIR noted that mobile-centric voice- or text-based scams achieved a 40% higher click-through rate in phishing simulations than email-based campaigns. The report proposed that attackers are trying to circumvent traditional enterprise phishing defenses by infiltrating users' devices.

Also, pretexting was separated from credential misuse in this year's DBIR, accounting for 6% of initial access vectors. While that is the same percentage as in the previous report, the DBIR justified its addition as an initial access vector because of its use in high-profile ransomware breaches analyzed for the report.

Phishing scams, the report explained, involve asynchronous social actions that result in a victim sharing credentials, downloading malicious files or clicking spoofed links, for example. Pretexting involves a synchronous component -- such as an attacker establishing a trusted relationship with the victim before manipulating them into sharing sensitive data or transferring money.

"If there is someone on the other side of the proverbial line interacting with you to do something you shouldn't, that's pretexting," the report noted.

AI is changing how attackers attack

DBIR researchers collaborated with Anthropic to uncover how threat actors use AI platforms for malicious purposes. Classifying that activity against the MITRE ATT&CK framework, DBIR and Anthropic researchers found that attackers used AI across 15 ATT&CK techniques, with some using as many as 40 or 50.

For example, threat actors use GenAI to develop malware, target victims, gain initial access and perform basic tasks such as file obfuscation or forensic cleanup. The researchers found that less than 2.5% of the AI-assisted actions involved uncommon techniques. In other words, attackers often use AI to automate and scale well-known techniques rather than create novel or rare attacks.

"But who knows? Given the rate of change in AI capabilities, this assessment might be obsolete by the time this report is finally published," the report said.

The report and its findings also precede the news surrounding Mythos and Glasswing, developments that could reshape how threat actors use AI.

Sharon Shea is executive editor of TechTarget Security.