I’ve been reading the Verizon DBIR faithfully since the early editions, first as a practitioner in the trenches, then as a CISO, Gartner analyst, and now at Symmetry Systems. Every year I block out at least 3 hours to read it cover to cover — in search of a tidbit of counter-intuitive insight that challenges my thinking. This year was no different, except I’m not sure there are any real surprises. My key takeaways are decidedly unsurprising, perhaps not unsurprising enough to claim, as my friend Ross Haleliuk does, that cybersecurity is really boring, but still mostly unsurprising. And I don’t think the DBIR team would disagree, based on some of their well-placed sardonic footnotes. Nineteen editions of the same findings will do that.
AI is changing the economics of attack, but not yet defense
1. Vulnerability exploitation is now the #1 initial access vector.
The 2024 DBIR flagged the climb. The 2025 DBIR flagged it harder. Every major vulnerability campaign of the past two years was a public demonstration that unpatched internet-facing systems are becoming open doors. Anyone tracking the growth trajectory and doing basic math knew this crossing was coming. The only genuine question was the year. 2026 was the year. Exploitation of vulnerabilities hit 31% of breaches, up from 20% last year, officially dethroning credential abuse. Every security outlet is writing this up as a watershed moment. It is.
What the report doesn’t fully reckon with is how much of the volume increase driving those numbers is coming from the defender side. Frontier models are getting very good at finding bugs in codebases at scale. The DBIR even mentions the “recently declared success in the usage of GenAI platforms to discover large numbers of new vulnerabilities” and then pivots almost immediately to what that means for attackers. It’s worth sitting with the other half of that sentence. If a meaningful portion of the 50% increase in KEV-listed vulnerabilities organizations faced in 2025 came from AI-accelerated defensive research rather than attacker activity, then the remediation crisis looks less like organizations getting worse at patching and more like the numerator growing faster than any realistic capacity to absorb it. That’s a different problem with different solutions, and treating vulnerability volume as an unchanging background condition is going to look increasingly naive as AI-assisted discovery matures. The zero-days are coming faster. Whether they’re found by your researchers or theirs, the patch queue doesn’t care.
2. Patching can’t keep up.
Patch management is a volume problem masquerading as a process problem. The number of vulnerabilities being disclosed has grown faster than any realistic expansion of remediation capacity, and the CISA KEV catalog — which represents only the vulnerabilities confirmed to be actively exploited, not the full universe — has been expanding at a pace that would stress even mature programs. This was always going to show up in the data eventually.
Only 26% of CISA KEV vulnerabilities were fully remediated, down from 38% last year. Organizations faced a median of 16 KEV vulnerabilities to patch in 2025, up from 11 in 2024. Median time to patch went from 32 days to 43 days. What’s useful in this year’s DBIR is the framing of a physical ceiling: even the best-resourced organizations can only patch 30-40% of KEV instances in the first week, and that number hasn’t moved in three years regardless of tooling investment or mandate pressure. The answer isn’t trying harder. It’s accepting the ceiling exists and prioritizing around it — specifically around what data sits behind each vulnerable system, because not all unpatched CVEs carry equal data security risk.
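As an added example of what prioritizing around the ceiling can look like (this is not code from the DBIR or from the post), the script below ranks KEV findings by the data behind each affected system and its internet exposure, then cuts the list at a 35% first-week share. The KEV records, asset inventory, weights and placeholder CVE identifiers are all constructed; the record field names follow the layout of CISA's known_exploited_vulnerabilities.json feed.

```python
# Added example: ranking CISA KEV findings against a fixed first-week patch
# capacity. Not code from the DBIR or from the post's author. KEV records are
# constructed with placeholder CVE identifiers; their field names follow the
# layout of CISA's known_exploited_vulnerabilities.json feed. The asset
# inventory, data tiers, weights and the 35% ceiling are illustrative
# assumptions.
from dataclasses import dataclass
from math import ceil, log10

# Weight of the data classification behind the asset (assumed tiers).
DATA_TIER_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "regulated": 5}

KEV_SAMPLE = [  # constructed; CVE IDs are placeholders, not real entries
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeVPN",
     "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "BuildServer",
     "dateAdded": "2025-03-03", "dueDate": "2025-03-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Wiki",
     "dateAdded": "2025-03-05", "dueDate": "2025-03-26", "knownRansomwareCampaignUse": "Unknown"},
]

INVENTORY = {  # constructed: (vendorProject, product) -> deployed instances
    ("ExampleVendor", "EdgeVPN"): [
        {"name": "vpn-01", "internet_facing": True, "data_tier": "regulated", "records": 2_000_000}],
    ("ExampleVendor", "BuildServer"): [
        {"name": "ci-01", "internet_facing": False, "data_tier": "confidential", "records": 50_000},
        {"name": "ci-lab", "internet_facing": False, "data_tier": "internal", "records": 100}],
    ("ExampleVendor", "Wiki"): [
        {"name": "wiki-01", "internet_facing": True, "data_tier": "internal", "records": 10_000}],
}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    asset: str
    internet_facing: bool
    ransomware_use: bool   # KEV knownRansomwareCampaignUse == "Known"
    data_tier: str         # classification of the data the asset can reach
    records: int           # how many records sit behind the asset


def load_findings(kev_records, inventory):
    """Join KEV-shaped records with the asset inventory: one Finding per instance."""
    findings = []
    for rec in kev_records:
        for asset in inventory.get((rec["vendorProject"], rec["product"]), []):
            findings.append(Finding(
                cve_id=rec["cveID"],
                asset=asset["name"],
                internet_facing=asset["internet_facing"],
                ransomware_use=rec["knownRansomwareCampaignUse"] == "Known",
                data_tier=asset["data_tier"],
                records=asset["records"],
            ))
    return findings


def score(f: Finding) -> float:
    """Higher means patch sooner. The data tier carries the most weight and is
    doubled when the asset is reachable from the internet; record count is
    log-compressed so one giant store does not drown everything else; a KEV
    ransomware flag adds a flat bonus."""
    s = DATA_TIER_WEIGHT[f.data_tier] * (2 if f.internet_facing else 1)
    s += log10(f.records + 1)
    if f.ransomware_use:
        s += 2
    return round(s, 2)


def plan(findings, first_week_share=0.35):
    """Split into (patch this week, defer with compensating controls), taking
    the 30-40% first-week ceiling as given rather than as a target to beat."""
    ranked = sorted(findings, key=score, reverse=True)
    n = max(1, ceil(len(ranked) * first_week_share))
    return ranked[:n], ranked[n:]


if __name__ == "__main__":
    now, later = plan(load_findings(KEV_SAMPLE, INVENTORY))
    for label, group in (("patch now", now), ("defer + mitigate", later)):
        for f in group:
            print(f"{label:17} {f.cve_id} {f.asset:8} score={score(f)}")
```

The point is the split, not the weights: whatever lands below the line is still unpatched, so the deferred list should feed compensating controls (segmentation, exposure reduction, monitoring) rather than be filed as accepted risk. In the constructed data the internal CI server holding confidential data outranks the internet-facing wiki holding internal data, which is the post's argument in miniature.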
3. Shadow AI is leaking source code, and everyone already knew it would.
Developers are pasting code into ChatGPT, lawyers are summarizing contracts in consumer tools, and executives are drafting board communications on personal laptops. The security teams that hadn’t already seen it in their DLP logs were looking in the wrong places, or believed that blocking it was the solution. The only question was how long before we had quotable data in a report to drive the next business case. The DBIR does not disappoint.
67% of employees accessing AI on corporate devices use personal accounts. 45% are now regular AI users on corporate devices, up from 15% a year ago. Shadow AI is the third most common non-malicious insider action in DLP datasets, a fourfold increase from last year. The data type breakdown is what matters: source code is the most common thing being pasted into external AI models, by a wide margin. Every time an engineer pastes a function into a consumer AI tool to debug it, that code has left your environment. The intent is benign. The effect is identical to exfiltration. The organizations that responded to the AI boom with a blanket ban instead of a governed adoption policy created exactly the shadow IT dynamic they spent the previous decade trying to eliminate, just with higher-stakes data.
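One concrete check a DLP team can run on text headed for an external AI tool, added here as an example that is not from the DBIR or the post: classify the paste as code or prose line by line, scan it for embedded credentials, and decide based on whether the destination account is the corporate tenant. The sample pastes are constructed (the AWS key is the placeholder AWS uses in its own documentation), and the corporate-versus-personal account flag assumes the proxy or browser extension can supply it.

```python
# Added example: a DLP-style check on text about to leave for an external AI
# tool. Not code from the DBIR or the post's author. The pastes below are
# constructed; the AWS key is the placeholder AWS uses in its own documentation.
# The corporate_account input assumes the proxy or browser extension can tell a
# corporate tenant from a personal one, which is an assumption about tooling.
import re

# A line "looks like code" if it ends in a statement terminator, starts with a
# common keyword, contains a call such as name(args), or is an assignment.
# Keyword matching is case-sensitive on purpose so "Let me know" stays prose.
CODE_LINE = re.compile(
    r"[{};]\s*$"
    r"|^\s*(?:def|class|function|import|from|return|const|let|var|public|private|#include)\b"
    r"|\w\([^)]*\)"
    r"|^\s*[\w.\[\]]+\s*[+\-*/]?=\s*\S"
)

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def code_likeness(text: str) -> float:
    """Fraction of non-empty lines that match CODE_LINE (0.0 to 1.0)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    return sum(1 for ln in lines if CODE_LINE.search(ln)) / len(lines)


def find_secrets(text: str) -> list:
    """Names of secret patterns present in the text, in declaration order."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


def assess_paste(text: str, corporate_account: bool, threshold: float = 0.5) -> dict:
    """Policy: embedded credentials are blocked regardless of destination;
    source code headed to a personal account raises an alert (and, in a
    governed deployment, a redirect to the sanctioned tenant); everything
    else is allowed. A blanket block is deliberately not one of the outcomes."""
    secrets = find_secrets(text)
    is_code = code_likeness(text) >= threshold
    if secrets:
        verdict = "block"
    elif is_code and not corporate_account:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"is_code": is_code, "secrets": secrets, "verdict": verdict}


# Constructed pastes.
PY_SAMPLE = '''def fetch_user(db, user_id):
    query = "SELECT * FROM users WHERE id = %s"
    return db.execute(query, (user_id,))
'''
SECRET_SAMPLE = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
'''
PROSE_SAMPLE = '''Hi team,
Can you summarize the attached contract and pull out the termination clauses?
I need it before the Friday call, thanks.
'''

if __name__ == "__main__":
    for name, text in (("PY_SAMPLE", PY_SAMPLE), ("SECRET_SAMPLE", SECRET_SAMPLE),
                       ("PROSE_SAMPLE", PROSE_SAMPLE)):
        print(name, assess_paste(text, corporate_account=False))
```

The heuristic is deliberately line-based rather than keyword-based, because prose is full of "if" and "for" and would otherwise trip a keyword counter. Note what the policy does not do: an engineer's pasted function still reaches a sanctioned corporate tenant untouched, which is what a governed adoption policy is supposed to allow; only credentials are stopped outright.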
Ransomware: the market is declining, the threat isn’t
4. Ransomware is a slow-moving arms race, and both sides are keeping score.
There has never been a DBIR edition where ransomware went down. It is now in 48% of breaches, up from 44% last year. But the more interesting story isn’t the growth number — it’s the evidence of both sides actively adapting, and what that arms race looks like in 2026.
Defenders are genuinely winning on payments. 69% of victims didn’t pay, up from 65% the previous year. Median ransom paid fell to $139,875 from $150,000. Better backups, faster recovery, improved resilience — these are real, measurable gains. The DBIR acknowledges this directly: “the volume reduction of payments to threat actors may be one of those signs of progress that we could measure.” That’s not nothing.
The ransomware ecosystem’s response has been precise. When fewer victims pay, you need more victims — hence the volume expansion and the industrialization the DBIR describes as “rampant commoditization.” Service models, affiliate networks, dedicated negotiation teams. And when payment rates fall because organizations can recover from encryption, you shift the leverage. The DBIR puts it plainly: “if companies are paying less frequently, then the recent attack trend of attempting to inflict the maximum business interruption in order to put greater time pressure on victims makes even more sense.” Marks & Spencer lost an estimated £300 million from weeks of operational disruption — online sales down, stock tracking broken, refrigeration monitoring offline. That’s not a data exfiltration story. It’s attackers targeting the operational systems that, if down long enough, make paying look rational regardless of backup quality.
The tooling adaptation is equally deliberate. Defenders got better at detecting Cobalt Strike, so use of legitimate Remote Monitoring and Management (RMM) tools in System Intrusion cases jumped 240% while Cobalt Strike dropped 27%. The typical attack pattern now involves Microsoft Teams to initiate contact posing as help desk, then Quick Assist for a legitimate remote session. Both Microsoft products, both whitelisted, neither triggering an alert. No malicious code, no C2 infrastructure, no EDR signature. The current score: defenders winning on payments, attackers winning on volume, disruption severity, and detection evasion. The DBIR calls it “a market in decline, albeit a slow decline.” Slow is doing a lot of work in that sentence.
Identity and data flows are still the connective tissue of every breach
5. Credentials are still fueling attacks. They’ve just moved to the second act.
Credential theft has been the most reliably productive attack technique in the security industry’s collective memory. Phishing works. Infostealers work. Credential stuffing works. The dark web has functioned as a liquid market for stolen access for over a decade. Nothing in the threat environment changed to make credentials less valuable — and the growth of cloud services over the past five years created orders of magnitude more credential-protected entry points. The idea that credentials would somehow fall out of the picture was never grounded in anything.
Credentials still appear in 39% of all breaches at some point in the attack chain. What changed is placement: exploitation opens the door, then credential abuse handles lateral movement, privilege escalation, and data access. The credentials didn’t get less important. They got a new cue. Meanwhile, 37% of organizations still have admin accounts with MFA disabled on IaaS offerings. After Snowflake. After three years of cloud breach campaigns. The DBIR notes that only 14% of Snowflake customers still had admin MFA disabled, suggesting most got the memo from last year’s breach. The memo format being: a catastrophic, public, expensive incident that made every major newspaper. The bar we are celebrating here is low.
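A quick way to find the 37% problem in your own account, added as an example that is not from the DBIR or the post: parse the IAM credential report (the CSV that `aws iam get-credential-report` returns base64-encoded) and flag console-enabled principals with MFA off, with admin status joined in from attached policies. The report rows and policy attachments below are constructed; the column layout and the 111122223333 account ID follow AWS's own documentation.

```python
# Added example: auditing an AWS IAM credential report for console-enabled
# admins without MFA. Not code from the DBIR or the post's author. The report
# below is constructed but uses the real column layout of the CSV returned by
# `aws iam get-credential-report` (after base64 decoding), and 111122223333 is
# the account ID AWS uses in its documentation. The credential report does not
# say who is an admin, so POLICY_ATTACHMENTS stands in for what you would pull
# with iam:ListAttachedUserPolicies and group membership; it is constructed too.
import csv
import io

ADMIN_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}

CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T12:00:00+00:00,not_supported,2025-12-01T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-05-02T08:00:00+00:00,true,2025-12-02T10:00:00+00:00,2025-06-01T00:00:00+00:00,2025-09-01T00:00:00+00:00,true,true,2025-06-01T00:00:00+00:00,2025-12-02T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-03-15T08:00:00+00:00,true,2025-11-30T10:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-07-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2025-10-01T00:00:00+00:00,2025-12-02T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

POLICY_ATTACHMENTS = {  # constructed; the customer-managed policy ARN is hypothetical
    "alice": {"arn:aws:iam::aws:policy/AdministratorAccess"},
    "bob": {"arn:aws:iam::aws:policy/AdministratorAccess"},
    "ci-deploy": {"arn:aws:iam::111122223333:policy/EcrPushOnly"},
}


def audit_mfa(report_csv: str, attachments: dict) -> list:
    """Return (user, finding) pairs in report order.

    mfa_active is "true" when an MFA device is enabled on the principal.
    password_enabled is "true"/"false" for IAM users and "not_supported" on the
    root row, which always has a console password, so root is handled first.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            if not mfa:
                findings.append((user, "root_without_mfa"))
            continue
        console = row["password_enabled"] == "true"
        is_admin = bool(attachments.get(user, set()) & ADMIN_POLICIES)
        if console and not mfa:
            findings.append((user, "admin_console_without_mfa" if is_admin
                             else "console_without_mfa"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_mfa(CREDENTIAL_REPORT, POLICY_ATTACHMENTS):
        print(f"{finding:28} {user}")
```

Two caveats a practitioner would add. Access keys never prompt for MFA, so an admin that only has keys (the ci-deploy row, had it been an admin) needs a different fix, namely roles and short-lived credentials rather than an MFA device. And the credential report covers IAM users and root only; federated identities need the same check at the identity provider.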
6. Third-party risk is now half your breach risk. Your vendor questionnaire is not a risk management program.
The writing has been on the wall since SolarWinds in 2020, which demonstrated that a trusted vendor could become an attack vector at scale. Every major supply chain incident since — Kaseya, MOVEit, the Snowflake campaign, the ongoing cascade of SaaS-to-SaaS compromise — reinforced the same point: your security posture is only as strong as the weakest link in the chain of organizations that can reach your data. Third-party risk as a board-level topic has been climbing for four years. The breach data just finally caught up to the conversation.
Third-party involvement reached 48% of breaches, up from 30% last year, which was itself roughly double the year before. The programs most organizations have — annual questionnaires, SOC 2 collection, vendor tiers — were designed for a world where third-party breaches were exceptional. That world is gone. New data this year from inside third-party cloud environments shows weak passwords and excessive permissions take nearly eight months to remediate at median. Eight months, for problems that have been on every security framework checklist since 2005. The Salesforce/Salesloft example in the report is worth reading carefully: OAuth tokens compromised at one vendor, used to exfiltrate data from another. The initial access point, the data custodian, and the victim organization are three different entities. One questionnaire doesn’t cover that chain.
7. People are human. Annual phishing training is still not the solution.
Security awareness training as an industry has been selling the same product — simulated phishing emails, click-rate reporting, annual compliance completions — for fifteen years. The human element percentage has not materially moved in three consecutive DBIR editions. At some point the gap between “we run a phishing simulation program” and “we have reduced the risk of our employees being socially engineered” has to be acknowledged. Most organizations have the former and call it the latter.
The human element appeared in 62% of breaches. Within the margin of error, it hasn’t moved in three years. The finding that deserves more attention is the vector shift: voice and SMS-based phishing has a 40% higher success rate than email in simulation data, the DBIR team acknowledge they struggled to find companies running those simulations at all, and there are almost no technical controls that block a phone call or a text message. The training industry built itself around email because email is easy to productize. Voice-based social engineering is harder to score and harder to sell as a quarterly compliance metric. The specific attack pattern appearing repeatedly this year — spam-bomb an inbox to manufacture a fake IT emergency, reach out via Microsoft Teams posing as help desk, request desktop access to troubleshoot — leaves no malicious code, no suspicious network connections, nothing for an EDR to flag. The defense is an employee who was specifically told this scenario exists. Most weren’t, because it doesn’t fit in a 12-minute annual training module.
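The Teams plus Quick Assist pattern described above (and under takeaway 4) leaves no signature to match, but it does leave telemetry that can be correlated. As an added example that is not from the DBIR or the post, the detection below joins a mail-gateway flood, an external Teams chat and a Quick Assist process launch for the same user; each signal is benign on its own and only the sequence alerts. The telemetry records, field names, thresholds and windows are constructed assumptions; the one fixed fact relied on is that Quick Assist runs as QuickAssist.exe.

```python
# Added example: correlating three individually benign signals into one alert
# for the spam-bomb -> Teams "help desk" -> Quick Assist pattern. Not code from
# the DBIR or the post's author. The telemetry is constructed and simplified:
# "mail" stands in for a mail-gateway log, "teams" for an audit log of chats
# from outside the tenant, "process" for EDR or Sysmon process creation. Field
# names, windows and thresholds are assumptions; the one fixed fact relied on
# is that Quick Assist runs as QuickAssist.exe.
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_WINDOW = timedelta(minutes=10)    # sliding window for the inbound flood
MAIL_THRESHOLD = 50                    # messages in that window to call it a flood
FOLLOW_WINDOW = timedelta(minutes=90)  # how long after the flood a Quick Assist launch is suspicious


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _flood(user: str, hour: str):
    """Constructed: 120 newsletter confirmations in eight minutes."""
    return [{"ts": f"2025-11-03T{hour}:{m:02d}:{s:02d}", "type": "mail", "user": user,
             "sender": f"news{m * 15 + s // 4}@example.net"}
            for m in range(8) for s in range(0, 60, 4)]


# Constructed image path; the package version is made up, the binary name is not.
QUICK_ASSIST = (r"C:\Program Files\WindowsApps"
                r"\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe\QuickAssist.exe")

EVENTS = [
    *_flood("bob", "09"),
    {"ts": "2025-11-03T09:12:30", "type": "teams", "user": "bob",
     "sender": "it-support@example.org", "sender_tenant": "external"},
    {"ts": "2025-11-03T09:20:05", "type": "process", "user": "bob", "host": "WS-BOB",
     "image": QUICK_ASSIST},
    # Control cases: a flood with no follow-up, and a Quick Assist session with no flood.
    *_flood("carol", "10"),
    {"ts": "2025-11-03T14:00:00", "type": "process", "user": "alice", "host": "WS-ALICE",
     "image": QUICK_ASSIST},
]


def mail_floods(events):
    """{user: flood_start} for users receiving >= MAIL_THRESHOLD messages inside MAIL_WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "mail":
            per_user[e["user"]].append(_t(e["ts"]))
    floods = {}
    for user, times in per_user.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > MAIL_WINDOW:
                lo += 1
            if hi - lo + 1 >= MAIL_THRESHOLD:
                floods[user] = times[lo]
                break
    return floods


def detect(events):
    """Alert on Quick Assist launches that follow a mail flood for the same user;
    an external Teams chat in between raises severity. Quick Assist alone, or a
    flood alone, produces nothing, which is the point: none of the signals is
    malicious on its own."""
    floods = mail_floods(events)
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        if e["image"].rsplit("\\", 1)[-1].lower() != "quickassist.exe":
            continue
        start = floods.get(e["user"])
        launched = _t(e["ts"])
        if start is None or not (start <= launched <= start + FOLLOW_WINDOW):
            continue
        external_chat = any(
            x["type"] == "teams" and x["user"] == e["user"]
            and x.get("sender_tenant") == "external" and start <= _t(x["ts"]) <= launched
            for x in events)
        alerts.append({"user": e["user"], "host": e["host"],
                       "severity": "high" if external_chat else "medium",
                       "flood_started": start.isoformat(), "quick_assist_at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The thresholds will need tuning per environment, and the external-tenant field assumes Teams external access is being logged; where it is not, the mail-then-Quick-Assist pair still produces a medium alert that the real help desk can confirm with a phone call to the user. The control cases matter as much as the positive one: an IT technician's legitimate Quick Assist session and an unrelated newsletter flood both stay silent.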
8. Misconfiguration and misdelivery are still causing breaches. Healthcare has been on this list for a decade.
The idea that human error causes data breaches is not a new insight. It was not a new insight when the DBIR first started tracking it. What makes this finding perennially unsurprising is that the organizations most affected — healthcare in particular — have been in this exact pattern, paying the exact same HIPAA fines, completing the exact same corrective action plans, and then returning to the list the following year for the better part of a decade. The problem was never awareness. It was always system design.
Miscellaneous Errors appeared in nearly 9% of breaches. Healthcare has had this pattern in its top three for as long as the DBIR has tracked it. The DBIR’s observation that organizations and the people whose data was compromised are “rather tired of people doing things in the name of expediency” is the most diplomatically understated sentence in the report. The finding that gets less attention: developers and system admins cause these errors more than end users and have access to orders of magnitude more data. A misconfigured S3 bucket exposes more records than a misaddressed email. The blast radius is disproportionate to the frequency, and most organizations are still investing in awareness training rather than redesigning the workflows that make the error easy to commit in the first place.
No surprises that the 2026 DBIR is funny
It is every year, and this year is no exception. Perhaps my favorite line is where ransomware is described as “the yoga pants of cybersecurity — ubiquitous, stubbornly popular and appearing in unexpected places near you.” Buffer overflow vulnerabilities are noted to be old enough to rent a car without a young driver surcharge. The report opens by invoking Heraclitus — “the only constant is change” — and then immediately notes that “there has been no historical evidence uncovered that he had any hands-on experience with cybersecurity, but he would be right at home in our field with this mentality.” The chart format explanation ends with “embrace the silly glyphs and never forget what they took from you,” which is the kind of sentence that only lands if you’ve spent years explaining confidence intervals to a CFO at 8am.
Nineteen editions in, the jokes are better and the numbers are worse. That is itself a kind of punchline, and the Verizon team have clearly made their peace with it, because “The jokes, sadly, do not write themselves.”