Verizon DBIR 2026 — Attackers Outrun Remediation

Source: Verizon Business, 2026 Data Breach Investigations Report (19th edition), local copy .raw/papers/verizon-dbir-2026.pdf. The report’s own title names its three headline themes: “Breakthroughs in vulnerabilities, AI-assisted cyber attacks and social engineering.” Figures below are read from the primary PDF and carry high confidence.

Key Claim

Vulnerability exploitation is now the single largest initial-access vector for breaches, and remediation moved the wrong way over the same period: the share of known-exploited critical vulnerabilities fully patched fell from 38% to 26%, and the median time to full resolution rose from 32 to 43 days. Threat actors use GenAI across targeting, initial access, and malware development, but almost entirely to reproduce well-understood techniques. Fewer than 2.5% of AI-assisted malware observations involved genuinely uncommon techniques.

Methodology

The 2026 DBIR analyzed more than 31,000 security incidents and more than 22,000 confirmed data breaches across 145 countries, covering October 2024 through November 2025, the largest breach corpus in the report’s history. It is observational: it counts what contributing organizations and public disclosures reported, not a controlled study. The contributor base expanded this year with ransomware-payment and extortion-campaign data sources, which the report flags as a factor in several year-over-year shifts. Anthropic appears among the named research partners.

Notable Findings

Vulnerability exploitation leads initial access

  • Exploitation of vulnerabilities reached 31% of initial-access vectors, up from 20% the prior year (a 55% increase), and is now the most common vector (Figure 10, n=20,023). This is the first DBIR in which it tops the list.
  • Credential abuse fell to 13%, down from 22% in the 2025 DBIR. Part of the drop is methodological: the report added Pretexting to its tracked initial-access vectors this year, which absorbed some share; without that addition credential abuse would read 16%. Credentials remain pervasive — counting any point in the breach progression, credential abuse still sits on top at 39%.

Remediation moved backward

  • Only 26% of critical vulnerabilities — defined as entries in the CISA Known Exploited Vulnerabilities (KEV) catalog — were fully remediated in 2025, down from 38% the prior year.
  • The median time for full resolution rose to 43 days, almost two weeks longer than the prior year’s 32 days.
  • In the median case, organizations had 50% more critical vulnerabilities to patch than the year before. The report’s framing: too many vulnerabilities, not enough time to patch them.

System Intrusion and ransomware

  • The System Intrusion pattern accounts for 60% of breaches and has been the top breach pattern since 2022; the report attributes its growth largely to ransomware. Within System Intrusion breaches, ransomware appears in 77%, and the two leading initial-access vectors — use of stolen credentials and exploit of vulnerability — are tied at 39% each.
  • Ransomware was involved in 48% of all breaches, up from 44%. Monetization continued to weaken: 69% of ransomware victims did not pay, and the median ransom paid fell to $139,875 from $150,000. About 96% of ransomware victims were small and medium businesses, often compromised opportunistically through stolen credentials (38%) or unpatched edge-device vulnerabilities (29%).

Third-party exposure

  • Breaches with third-party involvement rose 60% year over year, reaching 48% of total breaches. Third-party remediation lags badly: only 23% of third-party organizations fully remediated missing or misconfigured MFA on cloud accounts, and for weak passwords and permission misconfigurations the time to resolve half of all findings approached eight months.

GenAI in attacks — widespread but not yet novel

  • Threat actors are using GenAI across attack stages: targeting, initial access, and malware and tool development. The median observed actor researched or used AI assistance across 15 documented techniques, with some using as many as 40 or 50.
  • The capability is mostly applied to known techniques, not new ones. AI-assisted malware had a median of 55 existing known malware examples performing the same function, and fewer than 2.5% of AI-assisted malware observations involved uncommon techniques with one or fewer known prior examples.

Social engineering

  • The human element appeared in 62% of breaches, up from 60%. Social Engineering was the third most common breach pattern at 16% of breaches. Phishing held at 16%; Pretexting reached 6% and is increasingly the initial action in ransomware and extortion. In phishing simulations, the median success (“click”) rate for mobile-centric vectors such as voice and text was 40% higher than for email.

2025 events the report flags

  • March 2025: a cascading GitHub Actions supply-chain breach exposed secrets across more than 23,000 repositories, corroborating the CI/CD exposures in AI-Era Supply Chain Hardening.
  • December 2025: mass exploitation of React2Shell (CVE-2025-55182), an RCE in React Server Components, reached 39% of cloud environments; the report also notes VoidLink, a malware framework written in six days by an AI agent.

Strengths and Weaknesses

Strengths. The DBIR is the field’s most-cited breach-telemetry source, and the 2026 edition rests on the largest corpus it has assembled. It is the first edition to place vulnerability exploitation above credentials for initial access, a breach-grounded counterpart to the benchmark-derived speed claims elsewhere in the wiki (MOAK, Glasswing). The remediation figures (26% KEV patched, 43-day median) quantify the defender side of the gap that benchmark sources leave directional.

Weaknesses. Several year-over-year shifts are partly methodological: the credential-abuse drop reflects the new Pretexting category, and the ransomware and third-party figures benefit from an expanded contributor base, which the report states plainly. DBIR figures reflect a contributor base that skews toward organizations with mature logging. The GenAI findings are framed cautiously and should not be read as evidence of widespread novel AI-generated malware; the report’s own data points the other way.

Relations

  • Supports VulnOps — independent breach-telemetry evidence that periodic, manual vulnerability management is structurally outmatched. The 26%-patched / 43-day-median pair is the strongest non-vendor, non-benchmark quantification of the defender-side bottleneck the function exists to address.
  • Supports Zero Day Clock — corroborates the exploitation-velocity story from breach data rather than red-team benchmarks.
  • Supports AI-Era Supply Chain Hardening — the 48% third-party-involvement figure (+60% YoY) and the March 2025 GitHub Actions breach are direct quantitative and case anchors for the supply-chain scope.
  • Tempers SDLC in the AI-Attacker Era — confirms widespread offensive GenAI use while showing it is concentrated on known techniques, which bounds the “novel AI malware” claim.

Breach telemetry confirms the inversion; remediation is going backward. Prior wiki evidence for the discovery-to-remediation inversion came from capability benchmarks (MOAK 97.8% KEV exploitation) and a vendor coalition (Glasswing). The DBIR 2026 grounds it in observed breaches: across 22,000+ confirmed breaches, vulnerability exploitation (31%) now outranks credentials (13%) for initial access. The sharper signal is on the defender side: the share of KEV criticals fully patched fell from 38% to 26% and the median resolution time rose from 32 to 43 days. As attackers got faster, defenders measurably slowed.

GenAI: widespread assistance, negligible novelty

The report’s GenAI finding cuts against the “AI writes novel malware at scale” narrative. AI assistance is broad (median actor across 15 techniques) but almost entirely reproduces known techniques (median 55 prior examples; under 2.5% uncommon). Open question for the wiki: is this a 2025 snapshot that the 2026 forward-looking indicators (VoidLink, North Korea’s AI-offensive unit) will overturn, or a durable ceiling on autonomous malware development?