The 2026 Verizon Data Breach Investigations Report analyzed more than 22,000 confirmed data breaches across 145 countries. Its findings point to a single uncomfortable truth: organizations cannot patch fast enough to prevent every incident. Exploitation of vulnerabilities surged to become the leading initial access vector, the median time to remediate a critical flaw climbed to 43 days, and the volume of critical vulnerabilities grew 50% year over year. Even top-performing organizations only managed to fix 30% to 40% of known exploited vulnerabilities listed in the CISA Known Exploited Vulnerabilities catalog within the first week of detection. That rate barely budged despite years of investment in tooling, process maturity and regulatory pressure.

Most organizations will eventually face a serious incident. The quality of your response determines the outcome.

Ransomware hits 48% of breaches. The payment decision is just the beginning

Ransomware appeared in 48% of all confirmed breaches, up from 44% the prior year. Among cases where organization size was known, 96% of victims were small and medium-sized businesses.

The “climax” of every ransomware tabletop I witness has always been the question: pay or refuse? The DBIR reveals that 69% of victims chose not to pay, up from 65% the year before. That number held even when attackers encrypted systems. Refusing is becoming standard practice. The median payout dropped to $139,875.

Facing shrinking revenues, ransomware operators now deliberately maximize operational disruption to force faster decisions. The 2025 attack on Marks & Spencer knocked out online sales, inventory tracking and refrigeration monitoring for weeks, costing an estimated £300 million. The Jaguar Land Rover breach halted manufacturing for five weeks, inflicted £1.9 billion in damages and dragged UK GDP below its quarterly forecast.

Consider using these cases to inspire your next ransomware drill. The ransom question is one agenda item. Sustaining operations without primary systems, coordinating with legal counsel and law enforcement, managing customer and investor communications under regulatory deadlines, deciding what to disclose and when: these are the decisions that determine whether a company survives a ransomware event or becomes a cautionary headline. Organizations that rehearse only the payment question are practicing the opening scene and skipping the rest of the play.

Third-party breaches jumped 60%. Your exercises should reflect that

Breaches involving a vendor, supplier or service provider reached 48% of all confirmed incidents, a 60% increase from the previous year. This metric doubled the year before that. The trajectory is unmistakable.

The DBIR identifies three archetypes: a vulnerability in a vendor’s product opens the door to your environment; a vendor holding your data gets compromised directly; or an attacker breaches the vendor and pivots laterally into your network. Several of the year’s most prominent campaigns triggered two or all three archetypes simultaneously.

Most tabletop programs ignore this scenario entirely. I have seen organizations rehearse their internal playbooks dozens of times without once simulating a call to a compromised vendor. When the real call comes, they freeze. A third-party breach tests a fundamentally different set of skills than an internal compromise.

When a vendor is breached, the information your team needs most is the information the vendor is least prepared to share quickly. Tabletop exercises should simulate that friction. Participants should practice asking precise questions: What data of ours did you hold? What is the confirmed scope? What logs exist? How are you notifying other affected customers?

The other half of the exercise is equally critical. Your customers will demand answers while the investigation is still unfolding. Transparency builds trust. Premature attribution destroys partnerships. The discipline lies in communicating what you know and what you are doing about it without publicly blaming a vendor whose cooperation you still require. A press statement that throws a third party under the bus may generate a satisfying headline. It will also guarantee that the vendor’s legal team stops sharing information with yours.

Vulnerability exploitation is the top attack vector. AI will accelerate it

Exploitation of vulnerabilities reached 31% of all confirmed breaches, a 55% increase over the prior year’s 20%. It displaced credential abuse as the leading initial access method for the first time in the DBIR’s history.

The structural problem is straightforward. Organizations faced a median of 16 CISA Known Exploited Vulnerabilities in 2025, up from 11 the year before. Only 26% were fully remediated, down from 38%. Defenders are caught in Alice’s Red Queen Race.

AI is compressing the timeline further. The DBIR’s collaboration with Anthropic examined 793 threat actors who misused AI platforms for malicious purposes between March 2025 and February 2026. The median actor sought assistance across 15 distinct ATT&CK techniques. Thirty-two percent of AI-assisted initial access activity targeted vulnerability exploitation specifically. The report notes that creating exploit tools, adapting them across languages and discovering new vulnerabilities “is within reach with current AI coding assistance.” Anthropic’s own threat research documented the first known AI-orchestrated cyber espionage campaign, in which attackers used agentic AI to execute intrusions autonomously. By December 2025, researchers documented VoidLink, a complete malware framework built by an AI agent in six days. Twenty-nine percent of KEV vulnerabilities were attacked before public disclosure that year.

This acceleration demands a shift in how organizations exercise their incident response capabilities. NIST SP 800-84 has long recommended formal test, training and exercise programs for evaluating incident response preparedness. The growing speed and volume of exploitation makes that guidance urgent. Technical tabletop exercises, where participants work through actual triage rather than discuss hypothetical responses, should become routine. Teams need to practice identifying affected systems, determining blast radius, executing containment playbooks and coordinating remediation across departments under realistic time pressure. The window between initial compromise and full-blown breach is shrinking. How fast your technical teams can triage and contain directly determines the severity of the outcome. Organizations that encounter these decisions for the first time during a live incident will not move fast enough.

The breach you practice for is the one you survive

The 2026 DBIR and Google’s M-Trends 2026 report paint the same picture from different angles: the speed of attacks is accelerating, the surface area is expanding through third-party dependencies, and the sophistication gap between attackers and defenders is narrowing thanks to widely available AI tooling. These are not projections. They describe the threat landscape as it exists today.

Organizations that wait for a breach to test their response capabilities will discover their gaps at the worst possible moment. Playbooks that have never been exercised under pressure tend to collapse on first contact with a real incident. Communication plans that look reasonable on paper fall apart when the general counsel, the CISO and the CEO are in the same room arguing about disclosure timing while customers flood the support lines.

The remedy is deliberate, repeated practice. Tabletop exercises that simulate ransomware scenarios should go beyond the payment question and into the operational chaos that follows. Exercises involving third-party breaches should force participants to navigate the tension between transparency and partnership preservation. Technical exercises should compress timelines and demand the same speed of triage that a real exploitation campaign would require.

None of this is new advice. But the 2026 data makes the stakes clearer than ever. The organizations that build crisis response as a practiced skill will weather these incidents. Those that treat their incident response plan as a static document will learn its shortcomings the hard way.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?