"keeping a strong foundation in the face of change," Verizon writes — and the 19th Verizon Data Breach Investigations Report (DBIR) gives that admonition weight: the team examined 31,000 security events, including 22,000 confirmed breaches from more than 145 countries, the largest set of breaches the DBIR has analyzed in a single edition.
Vulnerability exploitation overtakes stolen credentials
The headline shift in the 2026 DBIR is concrete: software vulnerabilities now account for 31% of breaches, overtaking stolen credentials for the first time. Ransomware figures in nearly half of all breaches (48%), though Verizon reports payouts are decreasing. Stolen credentials fell to 13% of breaches (16% when accounting for pretexting), a change experts say is driven less by improved identity controls than by the economics of attack.
As Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, summarized: "AI is making vulnerability discovery and weaponization so fast and cheap that attackers no longer need a stolen password when a known, unpatched flaw gets them in faster." Morey Haber, Chief Security Advisor at BeyondTrust, echoes the operational implication: identity controls still matter, but defenders must recalibrate to the fact that exploitation is now the primary initial access vector.
AI compresses the window to exploit and reshapes attack surfaces
Verizon flags 15 attack techniques being enhanced with generative AI. Multiple contributors to the report stress that AI has compressed the time between vulnerability disclosure and active exploit from months to hours — with some warnings that the trend is marching toward minutes. Matthew Hartman, Chief Strategy Officer at Merlin Group, said defenders "can't defend against that reality with periodic assessments and siloed tools," and recommended continuous visibility into vulnerabilities, vendors, and employee AI usage.
The DBIR also documents behavioral and traffic signals associated with AI: 67% of users employ non-corporate AI accounts ("Shadow AI") on corporate devices, and Shadow AI ranks as the third most frequent non-malicious insider data-loss action. Global traffic from AI bot crawlers and fetchers grew 21% month-over-month, with fetchers up 4% and crawlers up 32%. Mobile-centric phishing is now measurably more effective too — mobile phishing produces 40% higher successful "click" rates than email attempts.
Patching by reachability and compensating controls: a new operational playbook
Several experts pressed defenders to change not only tempo but method. Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, argues "the losing strategy patches by volume. The winning one patches by reachability and contains the rest." He urges two concurrent layers: AI-augmented reachability analysis to separate exploitable flaws from theoretical ones, and compensating controls — egress restrictions, behavioral allowlists, identity-bound access — to buy time while triage and remediation proceed.
Black Duck and others stress prioritizing the CISA Known Exploited Vulnerabilities (KEV) catalog over blind reliance on CVSS scores: "CVSS tells you how bad a flaw can be. KEV tells you which flaws attackers already use." The DBIR cites Log4Shell as an illustrative case where containment and compensating controls proved essential when rapid patching was impractical.
Third-party exposure, continuous adversarial pressure, and the limits of tooling
Third-party involvement in breaches jumped 60% year-over-year and now touches nearly half of all breaches (48%). Trey Ford warns that "no product closes that gap," and that coverage problems extend into vendors, suppliers, and integration partners. He frames the solution as continuous adversarial coverage — adversary-like testing and persistent assessment rather than periodic snapshots — combined with "human researcher depth" and systematic triage.
Ram Varadarajan, CEO at Acalvio, and others call for model-aware detections and automated defensive layers, arguing that complexity and AI-driven code generation increase the likelihood of exploitable flaws and therefore demand tripwires and dynamic defensive responses.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: invest in continuous visibility, AI-augmented reachability analysis, compensating controls, and identity-bound access. Prioritize the CISA KEV catalog alongside practiced incident response and least-privilege enforcement, as urged by Morey Haber and Collin Hogue-Spears.
- Procurement and vendor management leaders: treat third-party coverage as an ongoing risk vector — continuous adversarial testing and stronger contractual requirements for visibility will be necessary, reflecting Trey Ford's and other contributors' emphasis on supply-chain exposure.
- End users and business leaders: Shadow AI and mobile usage are measurable sources of risk. Mika Aalto and Dana Simberkoff recommend building a culture and trust layer that governs approved AI use and makes secure choices easier for employees, rather than attempting blanket bans.
The DBIR's refrain is practical rather than apocalyptic: fundamentals still matter, but they must be executed at machine speed and in layered form. As multiple contributors put it, the defender's clocks now include triage and containment as the variables they can still control — not simply faster patch deployments. Whether organizations will pivot to reachability-based patching, invest heavily in compensating controls and continuous third-party assessment, and govern Shadow AI use will determine how many of the breaches in next year’s dataset were preventable.




