For the first time in its publication history of nearly 20 years, Verizon’s annual Data Breach Investigations Report (DBIR) is tracking vulnerability exploitation as the leading initial access method for attackers. Stolen credentials had been the #1 method for the entirety of the report’s history up to this year.
The researchers believe this is due more to increasing inability to keep up with patching than to AI assistance with exploitation, though new AI models will likely exacerbate this issue going forward. Other key observations from the report include an increase of almost two weeks in average time to patch vulnerabilities, phishing attacks are seeing increasing rates of success, and “shadow IT” has also spiked to become a top three source of risk to data.
Verizon DBIR 2026 finds organizations simply cannot keep up with patching
Though vulnerability exploitation has taken the lead in the newest Verizon DBIR, it does have a somewhat slim advantage with 31% of documented incidents on the year. Still, it is the first time it has been the leading cause of breaches in the report’s 19-year history. Credential abuse remains a very substantial factor, but has actually dropped to the #3 position just behind phishing.
What might explain vulnerability exploitation suddenly lurching into the lead? The time period covered by the 2026 DBIR actually runs from the start of November 2024 to the end of October 2025, so recent developments in AI from this year are not a factor. The numbers instead point to increasing struggles to keep up with patching. During this period only 26% of critical vulnerabilities as defined by the Cybersecurity Infrastructure and Security Agency’s Known Exploited Vulnerabilities (CISA KEV) were patched, a drop from 385 the previous year. The median time to patch also increased to 43 days, from 32 days in the previous DBIR. This came as organizations faced a 50% increase in critical vulnerabilities that required patching.
Chris Wysopal, Co-founder and Chief Security Evangelist at Veracode, notes a trend here that is likely to be exacerbated by more current developments in the AI sphere: “The findings in Verizon’s 2026 DBIR are striking because it reinforces something we have been saying for years: exploitation is now the leading breach vector, and organizations are still simply not fixing flaws fast enough.”
“While the datapoints are clear, the takeaway for the industry is resounding,” Wysopal added. “Security teams can’t rely solely on downstream remediation. As attackers increasingly target common coding weaknesses, organizations need to prioritize finding and fixing vulnerabilities during development—not months, or even a year, down the line when the burden of time, cost, and risk is multiplied. This is even more important as GenAI continues to change the code vulnerability calculus. This is why secure by design has become an operational imperative, not just a security best practice.”
On the subject of frontier AI’s expected contribution Matthew Hartman, Chief Strategy Officer at Merlin Group, adds: “Today’s Verizon DBIR confirms what security teams are already experiencing: AI has compressed the time between vulnerability discovery and exploitation from months to hours. Companies can’t defend against that reality with periodic assessments and siloed tools. To keep pace, organizations need continuous visibility into vulnerabilities, vendors, and employee AI usage – and the ability to act on that intelligence before attackers can.”
Part of the drop in credential abuse in this year’s DBIR does come from the addition of a new category, “pretexting,” which shares some overlap and likely took at least a couple of percentage points from it. However, even under the old format credential abuse would now be roughly tied with phishing and still substantially behind vulnerability exploitation.
A mitigating factor that is more important to note is that while only 26% of these critical vulnerabilities were patched, an additional 58% were logged as “partially remediated.” In at least some cases this could involve conflict with legacy systems or some other environment-specific functional factor stopping a straightforward patch from being applied despite the IT teams being on top of the issue. Only 16% of these vulnerabilities were listed as totally unaddressed.
Vulnerability exploitation is usually heavily tied to state-backed threat actors looking to commit espionage or wiggle into long-term position in critical infrastructure. However, this year’s DBIR numbers do not point to a huge increase in the share of these advanced threat groups causing breaches. 87% of all incidents in the DBIR were tied to an organized cybercrime group, with state-backed actors at 15% (there being some overlap for actors such as North Korea that aggressively attempt to steal crypto). Other factors, such as activists or a customer fiddling with networks, were negligible.
Vulnerability exploitation rises along with phishing and insider threats
Vulnerability exploitation saw the single most notable spike in this DBIR, but it is not the only threat category on the move upwards.
Ransomware is the threat that will seemingly never go away, gaining a little more ground during this period to represent 48% of all breaches (up 4% from the prior year). This is in spite of a recent sharp increase in organizations refusing to pay. 69% that were successfully attacked during this period refused to make a payment, and when they do pay the average is down to $139,785 per incident (from $150,000 previously).
Breaches caused by “shadow IT,” particularly unauthorized AI on work devices, are another area on an upswing. At this point, most of these incidents consist of simple errant submission of code, images or other sensitive and proprietary information to a generative AI in the course of doing regular work. The report notes that employees seem to have a specific need for education about the risks of uploading research and technical documentation that contains secrets when asking AI for assistance with their projects.
The “human element” is also on the move upward in all breaches, particularly when they involve a third party vendor or contractor; these incidents surged to 48% from 30% in the prior DBIR.
Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, has some parting advice for organizations looking to make practical use of this new information: “The losing strategy patches by volume. The winning one patches by reachability and contains the rest. Reachability analysis separates the flaws attackers can actually exploit from the ones that only look dangerous. Compensating controls buy time on everything triage has not cleared. Log4Shell proved the point: speed was never the bottleneck. Teams could not patch a library buried in thousands of dependencies, and the ones that filtered outbound traffic bought time to find it.”
“Strategic Takeaway: While it is true security leaders must prioritize the CISA Known Exploited Vulnerabilities catalog before the CVSS severity queue. CVSS tells you how bad a flaw can be. KEV tells you which flaws attackers already use. Patch by severity alone, and you will spend scarce engineering time on theoretical risk while active exploitation waits in the queue,” Hogue-Spears explains. “Patching is just one of two layers. Leaders must invest in two layers, not one. The first is AI-augmented reachability analysis that separates exploitable findings from theoretical ones. The second is compensating controls: egress restrictions, behavioral allowlists, and identity-bound access. Those controls slow exploitation while triage runs, because triage and containment are the two clocks defenders can still control.”

