"Volume certainly plays a big part in it," said Daniel Lawson, senior vice president of global solutions at Verizon Business.
Vulnerability exploitation: one-third of breaches
The 2026 Data Breach Investigations Report (DBIR) from Verizon finds that bugs were the leading initial vector last year: one-third of known breaches began with vulnerability exploitation. Credential abuse accounted for 13% of attacks, with phishing and social engineering trailing further behind. The DBIR's dataset covers more than 31,000 real-world security incidents that produced confirmed data breaches across 145 countries from Nov. 1, 2024, through Oct. 31, 2025, and includes more than 22,000 confirmed breaches, defined as verified disclosure of data to an unauthorized party.
Patch management: slower rollouts and shrinking coverage
The report documents a striking decline in patching performance. Organizations fixed roughly a quarter of critical vulnerabilities last year — down from 38% the year before — and took 43 days on average to patch, up from 32 days the prior year. Even top-performing organizations remedied only 30% to 40% of actively exploited hardware and software bugs within the first week after detection. Verizon attributes the backlog largely to sheer volume: security researchers collectively discovered more than 48,000 vulnerabilities in the reporting year, an 18% increase, while the number of critical vulnerabilities rose by about half.
Ransomware rises, linked to third-party services and infostealers
Ransomware-related activity was present in 48% of breaches last year, up from 44% the prior year. The report notes that 69% of identified victims did not pay a ransom; when ransoms were paid, the average payment fell to roughly $140,000 from about $150,000 the prior year. Researchers tie part of the ransomware increase to supply-chain dynamics: roughly half of all data breaches involved some type of third‑party service. The use of information‑stealing malware is common in those campaigns — half of all breach victims showed signs of a credential or infostealer event within 95 days of the initial intrusion linked to a ransomware attack.
Agentic AI, Claude Code and Mythos: automation and weaponization
The DBIR flags rapid change since its cutoff date, noting an early surge in breaches tied to tools such as Claude Code and an increased role for "agentic AI" systems. The U.S. Secret Service, cited in the report, warned that agentic AI can automate reconnaissance, phishing, data theft and even laundering stolen assets. Verizon and DBIR authors say they are “keenly aware” of AI-augmented vulnerability research and weaponization in 2026.
Yet the report also offers a counterintuitive detail: when attackers used generative AI to generate malware, fewer than 2.5% of resulting samples "involved less‑common techniques with one or fewer known malware examples," suggesting that much AI‑generated malware so far resembles established patterns. The DBIR cites both the accelerating capability of AI to chain vulnerabilities and the continuing question of how those capabilities will perform against layered enterprise defenses.
What this means for technologists, policymakers, and enterprise leaders
- Technologists and security teams: Expect a growing queue of unique critical vulnerabilities and slower patch timelines; the report shows remediation rates dropping and average patch times lengthening. Third‑party cloud misconfigurations are slow to resolve — only 23% of third‑party organizations fully remediated missing or improperly secured multifactor authentication, and half of all findings were resolved within a month.
- Policymakers and regulators: The DBIR’s numbers — >31,000 incidents, >22,000 confirmed breaches, and the role of third parties in roughly half of breaches — underline systemic exposure tied to external services and supply chains, as well as the difficulty of translating vulnerability discovery into rapid remediation at scale.
- Enterprise procurement and risk leaders: The report highlights long remediation tails for weak passwords and permission misconfigurations; time to resolve 50% of those findings approached eight months. That latency, combined with the prevalence of third‑party involvement in breaches, elevates the importance of contractual and operational controls over vendors and cloud providers.
The DBIR closes with a pragmatic refrain: while AI and faster exploitation increase the velocity of attack, fundamental security practices remain essential. "The foundational principles of security and strong risk management remain the most effective defense," Daniel Lawson said, and the report echoes that counsel: refinement, not revolution. As the volume of vulnerabilities and the use of agentic AI rise, the record compiled by Verizon — from FBI and CERT‑EU partners to Britain's National Crime Agency and vendors — leaves a clear, if stark, prescription: scale the basics or accept that attackers will continue to win time and leverage.
https://www.govinfosecurity.com/verizon-breach-report-vulnerability-exploitation-surges-a-31719




