Verizon DBIR 2026: How AI Has Reshaped the Breach Landscape
The Verizon DBIR 2026 reveals: vulnerability exploitation overtakes password theft and AI shrinks attack windows from months to hours. Here are the key findings.
by Cleverson Gouvêa

The Verizon DBIR 2026 has arrived with a message that shakes anyone responsible for infrastructure: for the first time in 19 editions, exploitation of unpatched vulnerabilities has overtaken credential theft as the primary entry point for data breaches. As a developer who has managed Linux servers for over 15 years, I have read the entire report and extracted what really matters for UK businesses — no alarmism, just the numbers on the table.
TL;DR
- The DBIR 2026 analysed 31,000 incidents and confirmed over 22,000 breaches — nearly double the previous year.
- Vulnerability exploitation became the number one vector (31%), ahead of credential abuse (13%).
- Artificial intelligence has shortened the time between vulnerability discovery and attack from months to hours.
- Shadow AI has exploded: employees using unauthorised AI jumped from 15% to 45% in one year.
- Ransomware appeared in 48% of breaches, but only 31% of victims paid the ransom.
What is the DBIR 2026 and why it matters
The DBIR (Data Breach Investigations Report) is the annual data breach investigation report published by Verizon Business. Released on 19 May 2026, this is the 19th year of the study, considered the most respected reference in the information security industry. It is not opinion: it is statistics based on real incidents.
This year's edition covers the period from 1 November 2024 to 31 October 2025 and analysed 31,000 security incidents, of which over 22,000 were confirmed breaches — practically double the 12,195 confirmed cases in the previous edition. This jump does not just mean the world has become more dangerous; it also means data collection has improved and more organisations are reporting incidents.
For me, the value of the DBIR 2026 lies in turning headlines into decisions. When the report points to a growing attack vector, that becomes a priority for patching, budgeting and internal policy the following week. It is the difference between reacting to the next news scare and planning defence based on what actually brought down other companies in the past year.
Vulnerability exploitation overtakes stolen credentials
The historic shift in the DBIR 2026 is this: 31% of breaches began with the exploitation of an unpatched software vulnerability, compared to just 13% that involved credential abuse. For nearly two decades, stolen passwords were the attackers' preferred route. Now, the forgotten flaw on your server is the invitation.
Why this is happening
The answer is uncomfortable: companies patch slowly. The DBIR 2026 shows that the median time to patch a vulnerability has risen to 43 days, up from 32 days in the previous survey. Worse: of the flaws listed in the CISA KEV catalogue (known exploited vulnerabilities), only 26% were patched in time — a drop from 38% last year.
In practice, the attacker has a window of over a month while the IT team pushes the patch to the next sprint. I see this up close in the VLE environments I manage: an outdated Moodle or an abandoned plugin is exactly the kind of target the DBIR 2026 describes.
How AI changed the speed of attacks
Here is the point that connects the DBIR 2026 to everything I write about artificial intelligence: AI did not invent a new attack, but it has accelerated old ones brutally. The report notes that the time between vulnerability publication and active exploitation has fallen from months to hours.
Attackers now use AI models to scan code, identify flaws and generate exploits at scale. Verizon documented the use of AI in at least 15 distinct attack techniques. The result is that the defence window — that interval between "the patch is out" and "I am protected" — has become a matter of hours, not weeks.
This changes the maths of defence. It is no longer possible to treat security updates as a monthly task. Anyone working with internet-exposed systems needs patch automation and continuous monitoring, because the speed of the automated attacker does not wait for business hours.
AI also plays on the defence side
For balance: the same DBIR 2026 that shows AI accelerating attacks also records defenders using AI to detect anomalies, prioritise fixes and respond to incidents faster. The difference is one of maturity. Attackers adopted automation first, without an approval committee and without fear of error. Security teams, bound by processes and audits, take longer to incorporate the same technology. The report's message is not "fear AI", but "use it before it is used against you" — in detection, alert triage and exposure management.
Shadow AI: the insider threat that grew from 15% to 45%
Perhaps the most underestimated figure in the DBIR 2026 is the explosion of Shadow AI — the use of AI tools not approved by the company. The proportion of employees who are regular AI users jumped from 15% to 45% in just one year. And 67% access AI services on corporate devices using personal accounts.
The problem is not AI itself. It is the silent leak: someone pastes a contract, source code or customer database into a public chatbot and that data leaves the security perimeter without a trace. No firewall catches this, because the traffic looks legitimate.
The lesson from the DBIR 2026 is not to ban AI — that would be futile and counterproductive. It is to offer official tools, with corporate accounts and clear policies, so that employees do not have to resort to the pirated version in the browser. AI governance has become a security issue, not just a productivity one.
Ransomware in 48% of breaches — but fewer people pay
Ransomware remains dominant: it featured in 48% of confirmed breaches in the DBIR 2026, up from 44% in the previous cycle. The good news is that the criminals' business model is under pressure. The median ransom demand has fallen to less than £110,000, and only 31% of victims paid.
This decline in payments suggests that the "don't pay" message has finally stuck. Companies with tested backups and a recovery plan can say no. Those that pay are generally the ones that discovered too late that their backup did not work.
It is worth remembering why paying is bad business: there is no guarantee the criminal will return the data, the payment funds the next wave of attacks and marks the company as a willing target — an invitation for repeat attacks. The money that would go to the ransom yields far more invested in immutable backup, network segmentation and an incident response plan that someone has actually tested in a drill.
| DBIR Metric | Previous Edition | DBIR 2026 |
|---|---|---|
| Breaches via vulnerability exploitation | less than credentials | 31% (1st place) |
| Breaches with ransomware | 44% | 48% |
| Third-party involvement | 30% | 48% |
| Median patch time | 32 days | 43 days |
| Employees regular AI users | 15% | 45% |
The weakest link remains third parties
One of the most alarming increases in the DBIR 2026 is third-party involvement in breaches: it jumped from 30% to 48% — an increase of 60%. Nearly half of all breaches today go through a supplier, partner or software dependency.
This is the supply chain attack in full force. I have written about the infected NPM packages by Shai-Hulud and about the malicious VS Code extension that leaked 3,800 repositories on GitHub — both cases are exactly what the DBIR 2026 measures: the attacker does not knock on your door; they enter through your supplier's door.
The aggravating factor: only 23% of third-party organisations fully remediated MFA (multi-factor authentication) on cloud accounts. In other words, you may have done your homework and still be compromised by the weakest link in the chain. That is why supplier risk management has moved from compliance paperwork to concrete defence: it is worth mapping which third parties have access to your data, demanding evidence of MFA and reviewing integration permissions and tokens as often as you review your own.
Social engineering and the human factor
Technology does not fail alone — people make mistakes. The DBIR 2026 shows that 62% of breaches involved a human element, and 16% started with phishing. The new detail is the channel: phishing attacks via mobile devices had a success rate 40% higher than those via email.
It makes sense. On a mobile phone, the screen is small, the URL is hidden and the person is distracted, walking down the street. The same link that would be ignored on a desktop becomes a click on a smartphone. Worse still: scams via WhatsApp and SMS arrive looking like personal messages, bypassing the corporate email filters that took years to mature. This ties directly to the defences I commented on in the post about Android 17's security features, where the system now delays app access to SMS verification codes.
Team training, therefore, is no longer an HR item — it is a first-line security control.
What UK businesses should do now
The DBIR 2026 is global, but the translation to the UK reality is direct. Here is what I recommend prioritising:
- Automate patch management. If the attack window is hours, manual monthly updates do not protect. Monitor the CISA KEV catalogue and treat exploited flaws as emergencies.
- Implement MFA everywhere — and demand it from suppliers. It is not enough to secure your own house if 48% of breaches come from third parties. Contractually require MFA.
- Create an official AI policy. Offer approved tools with corporate accounts to kill Shadow AI before it leaks your data.
- Test your backup for real. The decline in ransomware payments comes from those who can restore. A backup that has never been tested is just hope.
- Train against mobile phishing. Run simulations on mobile devices, not just on corporate email.
None of these measures are expensive. All of them, according to the report itself, are what separate the compromised companies from those that resist.
Conclusion: doing the basics well wins
The message from the Verizon DBIR 2026 is almost uncomfortable in its simplicity: attacks have become faster with AI, but the defences remain the same as ever — up-to-date patches, MFA, data governance and trained staff. As Daniel Lawson, Senior Vice President of Global Solutions at Verizon Business, summarised, while the speed of threats increases, the fundamental principles of security remain the most effective defence.
If your company has internet-exposed systems — a website, an API, a VLE — it is worth reviewing today how long it takes between a patch being released and it being applied. At Agathas Web, that is the first number I look at in any audit. Want help mapping your vulnerabilities before the attacker's AI does it for you? Get in touch.
Related posts

Volkswagen Connected Cars: 100K in the UK and the Arrival of OTTO AI
Less than two years to reach 100,000 connected cars. Understand VW's digital transformation and what your business can learn from it.

Eli Lilly: How AI Built the First $1 Trillion Pharma Giant
Eli Lilly became the first $1 trillion pharma company by betting on AI. Discover the 2026 moves and what your business can learn from its strategy.

AI Cloud in 2026: The UK Business Guide
While tech giants pour billions into data centres, discover how your business can leverage AI cloud without building any infrastructure — practically.