Threat Management, Threat Intelligence

Verizon DBIR 2026: Vulnerability exploits top initial access as patching coverage falls

The Verizon 2026 Data Breach Investigations Report (DBIR), published Tuesday, revealed that vulnerability exploitation is now the top initial access vector for breaches, while organizations struggle to catch up with a growing volume of critical vulnerabilities.

Exploitation of vulnerabilities now makes up 31% of initial access vectors, a 20% increase from last year’s numbers. Vulnerabilities exceeded credential abuse and phishing for the first time during the DBIR 2026 data period between Nov. 1, 2024, and Oct. 31, 2025, with a total of more than 22,000 data breaches and 31,000 total incidents from that period analyzed for the report.

Phishing was the initial access vector for 16% of breaches throughout the report period and credential abuse granted access in 13% of breaches. At the same time that vulnerability exploitation rose to the top of the list, remediation of vulnerabilities from the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog fell from 38% of vulnerabilities fully remediated last year to just 26% in this year’s report.

While 56% of the KEV vulnerabilities were at least partially remediated, the volume of completely unremediated flaws rose from 12% to 16% year-over-year. Additionally, the median time from detection to full remediation increased from 32 days to 43 days.

“That gap is not just a patching problem. It’s a visibility and prioritization problem. Security teams are being asked to fix more critical issues, but they still need to know which ones actually create a path to compromise,” Jon Baker, vice president of threat-informed defense at AttackIQ, told SC Media in an email.

The 2026 DBIR noted that organizations aren’t just getting worse at patching in general, but are facing an unprecedented volume of vulnerabilities they need to address, said Baker. Verizon recorded about 68.7 million vulnerability instances in 2022 and by contrast recorded 527.3 million in 2025 — a nearly eight-fold increase. This is despite the number of organizations included in the dataset seeing literal variation over time.

“The picture it paints is that of a treadmill picking up speed,” the report authors wrote.

Patrick Münch, chief security officer at Mondoo, told SC Media that another part of the problem is that adoption of automated vulnerability remediation is not catching up to the increasing pace of vulnerability disclosures and exploitation — which is only likely to increase due to advancements in AI technology.

Mondoo’s 2025 State of Vulnerability Remediation Report, published in October 2025, found that 62% of security teams still used manual methods for remediation, while only 2% used fully automated methods. Just 9% of respondents reported feeling confident that important vulnerabilities could be remediated on time.

“Verizon found that 60-70% of CISA KEV issues remain open a week after detection, regardless of team maturity. You don’t close that gap with another scanner. You close it with transparent agentic AI: humans in the loop on decisions, AI automation on remediation and mitigation execution, and a clear audit trail from identifying the issue to verifying it’s fixed,” Münch wrote in an email.

Attackers use AI for over a dozen ATT&CK techniques, and shadow AI incidents rise

This year’s DBIR gives more attention to AI-enabled attacks and incidents than last year’s report, and Verizon partnered with Anthropic to study how threat actors used AI between March 2025 and February 2026. Anthropic provided information from accounts its Safeguards Team took action on, totaling 793 unique threat actors.

Verizon found that the median number of MITRE ATT&CK techniques attackers researched using Anthropic’s large language models (LLMs) was 15, with a handful of outliers researching up to 40 or 50 techniques. However, Anthropic noted that 99% of threat actors were rated as medium- or low-risk based on the technical sophistication of their AI use and frequency of use, and only 1% were rated as high- or critical-risk.

In terms of initial access methods assisted by LLMs, phishing was the most popular at 44%, followed by vulnerabilities exploitation at 32% and credential abuse at 21%. Additionally, the median number of tools known to support the ATT&CK techniques researched by threat actors was 55, suggesting AI would likely enable attacks already commonly seen in the wild rather than rare and novel capabilities.

“In other words, the most common uses are well-trodden paths. The techniques with the most existing software examples show actors are likely outsourcing basic tasks to AI, such as file obfuscation and forensic cleanup, whereas the ones with fewer software examples demonstrate more creativity,” the DBIR authors wrote.

Unauthorized AI use by non-malicious insiders, also known as “shadow AI,” was also noted as a growing problem. AI tools rose to the third most common data leak vector by non-malicious insiders, making up 12% of these incidents, a four-fold increase from last year’s report. File sharing sites were the most common vector at 32%, with personal webmail sitting at 20%.

Ransomware attack volume increases, but ransom payments fall

The 2026 DBIR also noted a continuing trend of increased ransomware attacks paired with decreasing ransom payments by victims. Ransomware was the most common attack type seen across about 13,700 system intrusion breaches, seen in 77% of such attacks. Overall, ransomware was seen in 48% of all breaches analyzed for the report, up from 44% the previous year.

However, ransom payment amounts keep falling, along with the percentage of victims willing to pay a ransom. The median ransom payment in 2025 was $139,975, down from $150,000 in 2024 and $177,614 in 2023. The percentage of organizations that refused to pay ransoms increased from 65% in 2024 to 69% in 2025. Additionally, the median percentage of publicized victims confirmed to have paid a ransom, per ransomware group, was just 9%, although the authors noted some victims may not have been publicized due to early ransom payment.

Another trend highlighted in the report is a 240% increase in the abuse of remote monitoring and management (RMM) software in system intrusion breaches year-over-year, corresponding with a 27% decrease in backdoor and command-and-control activity.

On the social-engineering front, email remained the most common social-engineering vector at 98%, and while phishing targeting phones only made up 1.1% of attacks, users were found to be 40% more likely to fall for mobile-based phishing lures than email lures in phishing simulations.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds