Verizon DBIR 2026: AI Has Changed the Game of Breaches
The Verizon DBIR 2026 reveals: vulnerability exploitation surpasses password theft, and AI reduces attacks from months to hours. See the data.
by Cleverson Gouvêa

The Verizon DBIR 2026 has arrived with a message that shakes up infrastructure managers: for the first time in 19 editions, exploitation of unpatched vulnerabilities has overtaken credential theft as the primary entry point for data breaches. As a developer who has managed Linux servers for over 15 years, I read the entire report and have broken down what really matters for UK companies — no alarmism, just the numbers on the table.
TL;DR
- The DBIR 2026 analysed 31,000 incidents and confirmed over 22,000 breaches — nearly double the previous year.
- Vulnerability exploitation became the number one vector (31%), ahead of credential abuse (13%).
- Artificial intelligence shortened the time between discovery of a flaw and attack from months to hours.
- Shadow AI exploded: employees using unauthorised AI jumped from 15% to 45% in one year.
- Ransomware appeared in 48% of breaches, but only 31% of victims paid the ransom.
What is the DBIR 2026 and why it matters
The DBIR (Data Breach Investigations Report) is the annual data breach investigation report published by Verizon Business. Released on 19 May 2026, this is the 19th year of the study, considered the most respected reference in the information security industry. It is not opinion: it is statistics based on real incidents.
This year's edition covers the period from 1 November 2024 to 31 October 2025 and analysed 31,000 security incidents, of which over 22,000 were confirmed breaches — practically double the 12,195 confirmed cases in the previous edition. This jump does not just mean the world has become more dangerous; it also means data collection has improved and more organisations are reporting incidents.
For me, the value of the DBIR 2026 lies in turning headlines into decisions. When the report points to a growing attack vector, that becomes a priority for patching, budgeting, and internal policy the following week. It is the difference between reacting to the next news scare and planning defence based on what actually brought down other companies in the past year.
Vulnerability exploitation overtakes stolen credentials
The historic shift in the DBIR 2026 is this: 31% of breaches began with the exploitation of an unpatched software vulnerability, compared to just 13% involving credential abuse. For nearly two decades, stolen passwords were the attackers' preferred route. Now, the forgotten flaw on your server is the invitation.
Why this is happening
The answer is uncomfortable: companies patch slowly. The DBIR 2026 shows that the median time to patch a vulnerability rose to 43 days, up from 32 days in the previous survey. Worse: of the flaws listed in the CISA KEV catalogue (known exploited vulnerabilities), only 26% were patched in time — a drop from 38% last year.
In practice, attackers have over a month of open window while the IT team pushes the patch to the next sprint. I see this up close in the EAD (distance-learning) environments I manage: an outdated Moodle or an abandoned plugin is exactly the type of target the DBIR 2026 describes.
How AI changed the speed of attacks
Here is the point that connects the DBIR 2026 to everything I write about artificial intelligence: AI did not invent a new attack, but it accelerated old ones brutally. The report notes that the time between the publication of a vulnerability and its active exploitation dropped from months to hours.
Attackers now use AI models to scan code, identify flaws, and generate exploits at scale. Verizon documented AI use in at least 15 distinct attack techniques. The result is that the defence window — that interval between "the patch is out" and "I am protected" — has become a matter of hours, not weeks.
This changes the maths of defence. You can no longer treat security updates as a monthly task. Those working with internet-exposed systems need patch automation and continuous monitoring, because the speed of the automated attacker does not wait for business hours.
AI also plays on the defence side
For balance: the same DBIR 2026 that shows AI accelerating attacks also records defenders using AI to detect anomalies, prioritise fixes, and respond to incidents faster. The difference is maturity. Attackers adopted automation first, without approval committees and without fear of error. Security teams, tied to processes and audits, take longer to incorporate the same technology. The report's message is not "fear AI", but "use it before it is used against you" — in detection, alert triage, and exposure management.
Shadow AI: the insider threat that grew from 15% to 45%
Perhaps the most underestimated data point in the DBIR 2026 is the explosion of Shadow AI — the use of AI tools not approved by the company. The proportion of employees who are regular AI users jumped from 15% to 45% in just one year. And 67% access AI services on corporate devices using personal accounts.
The problem is not AI itself. It is the silent leak: someone pastes a contract, source code, or customer database into a public chatbot, and that data leaves the security perimeter without a trace. No firewall catches this because the traffic looks legitimate.
The lesson from the DBIR 2026 is not to ban AI — that would be futile and counterproductive. It is to offer official tools with corporate accounts and clear policies, so employees do not have to resort to the pirated version in the browser. AI governance has become a security issue, not just a productivity one.
Ransomware in 48% of breaches — but fewer people pay
Ransomware remains dominant: it was present in 48% of confirmed breaches in the DBIR 2026, up from 44% in the previous cycle. The good news is that the criminal business model is under pressure. The median ransom demand fell to less than US$140,000, and only 31% of victims paid.
This decline in payments suggests the "don't pay" message has finally stuck. Companies with tested backups and a recovery plan can say no. Those that pay are generally the ones that discovered too late that their backup did not work.
It is worth remembering why paying is bad business: there is no guarantee the criminal will return the data, the payment funds the next wave of attacks, and it marks the company as a willing target — an invitation for repeat incidents. The money that would go to the ransom yields much more invested in immutable backup, network segmentation, and an incident response plan that someone has actually tested in a drill.
| DBIR Metric | Previous edition | DBIR 2026 |
|---|---|---|
| Breaches via vulnerability exploitation | less than credentials | 31% (1st place) |
| Breaches with ransomware | 44% | 48% |
| Third-party involvement | 30% | 48% |
| Median patch time | 32 days | 43 days |
| Employees who are regular AI users | 15% | 45% |
The weakest link remains third parties
One of the most alarming growths in the DBIR 2026 is third-party involvement in breaches: it jumped from 30% to 48% — an increase of 60%. Nearly half of breaches today go through a supplier, partner, or software dependency.
This is the supply chain attack in its purest form. I have written about the NPM packages infected by Shai-Hulud and about the malicious extension that leaked 3,800 repositories on GitHub — both cases are exactly what the DBIR 2026 measures: the attacker does not knock on your door, they enter through your supplier's door.
The aggravating factor: only 23% of third-party organisations fully remediated MFA (multi-factor authentication) on cloud accounts. In other words, you may have done your homework and still be compromised by the weakest link in the chain. That is why supplier risk management has ceased to be compliance paperwork and become concrete defence: it is worth mapping which third parties have access to your data, demanding evidence of MFA, and reviewing integration permissions and tokens as often as you review your own.
Social engineering and the human factor
Technology does not fail alone — people make mistakes. The DBIR 2026 shows that 62% of breaches involved a human element, and 16% started with phishing. The new detail is the channel: phishing attacks via mobile devices had a success rate 40% higher than those via email.
It makes sense. On a mobile phone, the screen is small, the URL is hidden, and the person is distracted, walking down the street. The same link that would be ignored on a desktop becomes a click on a smartphone. Worse: scams via WhatsApp and SMS arrive looking like personal messages, bypassing corporate email filters that took years to mature. This ties directly to the defences I commented on in the post about Android 17's security news, where the system started delaying app access to SMS verification codes.
Team training, therefore, is no longer an HR item — it is a first-line security control.
What UK companies should do now
The DBIR 2026 is global, but the translation to the UK reality is direct. Here is what I recommend prioritising:
- Automate patch management. If the attack window is hours, manual monthly updates do not protect. Monitor the CISA KEV catalogue and treat exploited flaws as emergencies.
- Implement MFA everywhere — and demand it from suppliers. It is not enough to protect your own house if 48% of breaches come from third parties. Contractually require MFA.
- Create an official AI policy. Offer approved tools with corporate accounts to kill Shadow AI before it leaks your data.
- Test your backup for real. The decline in ransomware payments comes from those who can restore. A backup that has never been tested is just hope.
- Train against mobile phishing. Simulations on mobile phones, not just corporate email.
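To make the first recommendation concrete, here is an added example of mine (not code from the post, from Verizon or from the DBIR) that does the minimum a "treat KEV entries as emergencies" process needs: it cross-checks a software inventory against a KEV-style feed, ranks the unpatched hits (known ransomware use first, then past the CISA due date, then days of exposure) and computes the same kind of median time-to-patch figure the report cites. The field names follow the CISA KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the feed excerpt, the inventory, the hosts and the CVE identifiers are all constructed placeholders, not real entries.

```python
"""Rank unpatched software against a KEV-style feed and measure patch latency.

Added example for this post; not code from Verizon or the DBIR. The feed
excerpt, inventory and CVE IDs below are constructed placeholders. Field names
follow the CISA KEV JSON feed, which is an assumption about the feed layout.
"""
import json
from datetime import date
from statistics import median

# Constructed KEV-style excerpt. CVE IDs are placeholders, not real catalogue entries.
KEV_FEED_JSON = """
{
  "title": "Constructed KEV-style excerpt (not the real catalogue)",
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleLMS", "product": "lms-core",
     "dateAdded": "2026-04-02", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleLMS", "product": "quiz-plugin",
     "dateAdded": "2026-05-10", "dueDate": "2026-05-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "mail-gateway",
     "dateAdded": "2026-03-15", "dueDate": "2026-04-05", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed inventory of what is deployed. "patched_on" is None while the fix is pending.
INVENTORY = [
    {"host": "lms01", "vendorProject": "ExampleLMS", "product": "lms-core", "patched_on": None},
    {"host": "lms01", "vendorProject": "ExampleLMS", "product": "quiz-plugin", "patched_on": "2026-05-12"},
    {"host": "lms02", "vendorProject": "ExampleLMS", "product": "quiz-plugin", "patched_on": None},
    {"host": "mx01", "vendorProject": "OtherVendor", "product": "mail-gateway", "patched_on": None},
    {"host": "web02", "vendorProject": "OtherVendor", "product": "mail-gateway", "patched_on": "2026-04-30"},
    {"host": "web02", "vendorProject": "ExampleLMS", "product": "theme-pack", "patched_on": None},
]

TODAY = date(2026, 5, 20)  # constructed reference date so the run is reproducible


def load_kev(feed_json):
    """Index KEV entries by (vendorProject, product) for direct inventory lookups."""
    data = json.loads(feed_json)
    index = {}
    for entry in data["vulnerabilities"]:
        index.setdefault((entry["vendorProject"], entry["product"]), []).append(entry)
    return index


def prioritise(inventory, kev_index, today):
    """Return unpatched inventory items present in KEV, most urgent first.

    Order: known ransomware use, then past the CISA due date, then the number
    of days since the entry was added (a longer exposure is a wider window).
    """
    findings = []
    for item in inventory:
        if item["patched_on"] is not None:
            continue
        for entry in kev_index.get((item["vendorProject"], item["product"]), []):
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": item["host"],
                "cveID": entry["cveID"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "overdue": today > due,
                "days_exposed": (today - added).days,
            })
    findings.sort(key=lambda f: (not f["ransomware"], not f["overdue"], -f["days_exposed"]))
    return findings


def median_patch_days(inventory, kev_index):
    """Median days from KEV dateAdded to the applied patch, over patched items only.

    This is the same kind of figure the DBIR reports as median time to patch.
    """
    durations = []
    for item in inventory:
        if item["patched_on"] is None:
            continue
        for entry in kev_index.get((item["vendorProject"], item["product"]), []):
            added = date.fromisoformat(entry["dateAdded"])
            durations.append((date.fromisoformat(item["patched_on"]) - added).days)
    return median(durations) if durations else None


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for f in prioritise(INVENTORY, kev, TODAY):
        flags = ("RANSOMWARE " if f["ransomware"] else "") + ("OVERDUE" if f["overdue"] else "")
        print(f"{f['host']:6} {f['cveID']:15} exposed {f['days_exposed']:3}d {flags}")
    print("median patch time (days):", median_patch_days(INVENTORY, kev))
```

In a real deployment the feed would come from the published KEV JSON and the inventory from your package manager or CMDB; the point of the ranking is that a KEV entry with known ransomware use that is already past its due date goes to the top of today's work, not into next month's sprint.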
None of these measures are expensive. All of them, according to the report itself, are what separates compromised companies from those that resist.
Conclusion: the basics done well win
The message from the Verizon DBIR 2026 is almost uncomfortable in its simplicity: attacks have become faster with AI, but the defences remain the same — up-to-date patching, MFA, data governance, and trained people. As Daniel Lawson, Senior Vice President of Global Solutions at Verizon Business, summarised: while the speed of threats increases, the fundamental principles of security remain the most effective defence.
If your company has systems exposed to the internet — a website, an API, an EAD (distance-learning) environment — it is worth reviewing today how long it takes between a patch being released and it being applied. At Agathas Web, that is the first number I look at in any audit. Want help mapping your vulnerabilities before the attacker's AI does it for you? Talk to us.