The 5 Biggest Shifts in Verizon’s 2026 DBIR: Security Teams Worked Harder and Still Lost Ground

Vulnerability exploitation overtook stolen credentials, third-party exposure climbed and security teams struggled to keep pace with growing attack volume.

Organizations increased patching activity and improved remediation efforts in 2025 but still fell behind attackers, according to Verizon’s 2026 Data Breach Investigations Report, which analyzed more than 22,000 confirmed breaches and 31,000 security incidents across 145 countries.

The report found threat volume expanding faster than security improvements, with several shifts standing out from prior years.

Vulnerability exploitation overtook stolen credentials

Exploitation of vulnerabilities became the leading initial access vector for the first time in the report’s history, accounting for 31% of cases, up from 20% a year earlier. Credential abuse fell to 13%, though Verizon noted some of the decline reflected methodology changes after pretexting was separated into its own category.

Will Baxter, head of product at Team Cymru, said the findings quantify a broader change in how attacks develop.

“The 2026 DBIR captures something security teams have felt for years but struggled to quantify: the attack surface has moved outside the enterprise,” Baxter said.

“With vulnerability exploitation now the leading initial access vector and RMM abuse up 240% year over year, attackers have perfected operating within the tools and infrastructure organizations already trust.”

Baxter said security teams increasingly need visibility into infrastructure attackers build before campaigns begin.

The shift has played out in a steady run of attacks against exposed systems and edge infrastructure. In 2025, security researchers and incident responders repeatedly tied ransomware activity to zero-days, VPN flaws and internet-facing systems that gave attackers a faster route into corporate networks than phishing or password theft.

Recorded Future said attackers exploited 161 distinct vulnerabilities in the first half of 2025, exceeding the number listed in CISA’s known exploited vulnerabilities catalog during the same period.

Patch activity increased but remediation lagged

Organizations proactively remediated 63.7 million vulnerability instances in 2025, up about 30% from the prior year.

The volume of vulnerability instances reached 527 million, up from 296 million a year earlier. Median time to fully remediate vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog rose to 43 days from 32 days.

Verizon also found that 60% to 70% of known exploited vulnerabilities remained open seven days after detection, a figure that changed little despite years of process improvements.

Third-party exposure continued climbing

Third-party involvement appeared in 48% of breaches, up from 30% a year earlier and roughly 15% two years ago.

John Watters, chairman and CEO of iCOUNTER, said the findings point to broader exposure across connected environments.

“The DBIR’s finding that third-party involvement reached 48% of breaches this year, following a 60% year-over-year increase, should fundamentally change how organizations think about cyber risk and systemic exposure,” Watters said.

Watters said security teams face increasing pressure to act on intelligence quickly enough to reduce downstream risk across suppliers and partners.

The Salesloft Drift compromise showed how quickly that risk can move through interconnected cloud services. Zscaler said it suffered a data breach after attackers compromised Salesloft’s Drift platform and abused its Salesforce integration to steal OAuth and refresh tokens.

Zscaler said its own infrastructure was not directly compromised, underscoring the DBIR’s point that third-party access can turn a vendor integration into a customer breach pathway.

Shadow AI expanded sharply

Generative AI use on corporate devices tripled in Verizon’s dataset, rising to 45% of employees from 15% a year earlier. The increase pushed “Shadow AI” — unauthorized use of AI services — into the top tier of non-malicious insider risk. Verizon said it is now the third most common non-malicious insider action detected in its data loss prevention dataset, a fourfold increase from the prior year.

The concern is not only that employees are using AI tools at work. It is what they are putting into them. Verizon found that source code was the most common type of data submitted to external AI models, followed by images and structured data. Research and technical documentation appeared in 3.2% of DLP policy violations involving unauthorized AI systems, raising concerns about intellectual property exposure.

The report also found that 67% of users accessing AI platforms from corporate devices used non-corporate accounts, leaving security teams with less control over authentication, retention and audit trails. Verizon said the average company also had more than 15% of users with unauthorized AI browser extensions installed, creating another path for internal data to leave managed environments.

Scale became the advantage

Ransomware appeared in 48% of breaches, up from 44% a year earlier, while 69% of victims declined to pay. The median ransom payment fell to $139,875 from $150,000, according to Verizon.

The lower payment rate does not mean ransomware is weakening. It suggests attackers are adapting the business model. When victims refuse to pay for decryption, stolen data, credentials and operational intelligence can still be monetized through leak sites, resale, coercion and follow-on attacks.

The access economy also matured. Verizon found that half of ransomware victims with a prior credential or infostealer leak had that exposure occur within 95 days before the ransomware attack. Some ransomware groups also relied on initial access brokers that sell already-compromised access, allowing operators to focus on lateral movement, privilege escalation and payload deployment.

AI adds another scaling layer. Verizon’s analysis of Anthropic enforcement data found 793 malicious actors sought AI assistance across cyber techniques, with the median actor using AI across 15 distinct MITRE ATT&CK techniques. Some used it across 40 to 50 techniques.
