Vulnerability Exploitation Overtakes Stolen Credentials As The #1 Breach Vector


Verizon’s 2026 DBIR Covers 22,000 Confirmed Breaches Across 145 Countries

For years, the answer to “how did they get in?” was the same: a stolen password. That answer changed in 2025. Verizon’s 2026 Data Breach Investigations Report, the 19th annual edition and the largest dataset the report has ever produced, finds vulnerability exploitation has overtaken credential abuse as the most common initial access vector in confirmed breaches. The shift isn’t subtle. Exploitation jumped from 20 percent to 31 percent of initial access vectors, a 55 percent increase. Credential abuse fell from 22 percent to 13 percent. The attack toolkit has evolved. The fundamentals fell behind.

The Record Dataset

The 2026 DBIR analyzed more than 31,000 real-world security incidents, of which more than 22,000 were confirmed data breaches in organizations across 145 countries. Those numbers represent the largest single-year dataset the report has produced. Last year’s edition analyzed 12,195 confirmed breaches. The near-doubling reflects an expanded contributor base and a surge in breach volume from large-scale ransomware and espionage campaigns. The dataset covers November 2024 through October 2025.

Verizon’s 2026 Data Breach Investigations Report finds vulnerability exploitation is now the number one breach vector, with third-party breaches up 60 percent and 96 percent of ransomware victims being SMBs across 22,000 confirmed breaches. It all matters when it comes to cyber insurance.

Vulnerability Exploitation Takes The Top Spot

Exploitation of vulnerabilities reached 31 percent of initial access vectors, up from 20 percent the year before. Several high-profile ransomware campaigns drove that shift, using unpatched flaws in edge devices as well as VPNs as their entry point. Patch management is not keeping pace. Only 26 percent of CISA Known Exploited Vulnerabilities were fully remediated across 13,000-plus organizations studied. That figure dropped from 38 percent the year before. Median remediation time rose to 43 days from 32. Organizations faced 50 percent more KEV vulnerabilities to patch in 2025 than in 2024. The report puts a hard ceiling on best-case performance: even top-performing organizations only remediate 30 to 40 percent of KEV instances in the first week after detection. At Day 7, between 60 and 70 percent of KEV vulnerabilities remain open regardless of organizational maturity.
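To make the remediation figures above concrete, here is an added example (not from the report or this article) that computes the same metrics for a constructed set of KEV findings: share fully remediated, median days to remediate, and share closed or still open at day 7. Vulnerability ids and dates are placeholders, not real CVE numbers.

```python
from datetime import date
from statistics import median

# Constructed sample of KEV-listed findings for one organization (not DBIR data).
# Ids are placeholders; remediation date is None when the item is still open.
AS_OF = date(2025, 10, 31)
FINDINGS = [
    # (placeholder id, date the item entered the patch queue, date remediated)
    ("KEV-PLACEHOLDER-1", date(2025, 1, 6), date(2025, 1, 10)),
    ("KEV-PLACEHOLDER-2", date(2025, 1, 6), date(2025, 3, 2)),
    ("KEV-PLACEHOLDER-3", date(2025, 2, 14), None),
    ("KEV-PLACEHOLDER-4", date(2025, 3, 1), date(2025, 3, 5)),
    ("KEV-PLACEHOLDER-5", date(2025, 4, 20), date(2025, 6, 30)),
    ("KEV-PLACEHOLDER-6", date(2025, 5, 11), None),
    ("KEV-PLACEHOLDER-7", date(2025, 6, 2), date(2025, 7, 15)),
    ("KEV-PLACEHOLDER-8", date(2025, 8, 9), None),
]


def kev_metrics(findings, as_of, window_days=7):
    """Return the KEV remediation figures the DBIR reports, as fractions:
    fully remediated share, median days to remediate (closed items only),
    share closed within `window_days`, and share still open at that day."""
    total = len(findings)
    # An item only counts as closed if its fix landed on or before the as-of date.
    closed = [(d, r) for _, d, r in findings if r is not None and r <= as_of]
    days_to_fix = [(r - d).days for d, r in closed]
    # Day-N survival is measured only on items old enough to have reached day N.
    eligible = [(d, r) for _, d, r in findings if (as_of - d).days >= window_days]
    in_window = [1 for d, r in eligible if r is not None and (r - d).days <= window_days]
    return {
        "total": total,
        "fully_remediated": len(closed) / total if total else None,
        "median_days": median(days_to_fix) if days_to_fix else None,
        "closed_within_window": len(in_window) / len(eligible) if eligible else None,
        "open_at_window": 1 - len(in_window) / len(eligible) if eligible else None,
    }


def overdue(findings, as_of, sla_days):
    """Ids of items still open past the SLA, for a remediation report."""
    return [i for i, d, r in findings
            if (r is None or r > as_of) and (as_of - d).days > sla_days]


if __name__ == "__main__":
    print(kev_metrics(FINDINGS, AS_OF))
    print("overdue past 43 days:", overdue(FINDINGS, AS_OF, 43))
```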

Third-Party Breaches Up 60%

Third-party involvement in breaches grew 60 percent year over year, reaching 48 percent of all confirmed breaches. That figure now matches ransomware’s share of total breaches. As organizations add more external vendors and software dependencies, their exposure compounds with each new connection. Only 23 percent of third-party organizations fully remediated missing or improperly secured multi-factor authentication on cloud accounts. For weak passwords and permission misconfigurations, the time to resolve half of all findings stretched to nearly eight months. Black Kite’s 2026 Supply Chain Vulnerability Report, published this week, found parallel dynamics: mid-market vendors average 197 days to detect a vulnerability and 60 days to remediate. Third-party exposure is not a tail risk. It now makes up nearly half the breach landscape.


Ransomware: More Breaches, Smaller Payments

Ransomware appeared in 48 percent of all breaches, up from 44 percent. The frequency is rising. The financial return is falling. Sixty-nine percent of ransomware victims in the dataset did not pay. The median ransom paid fell to $139,875, down from $150,000 the year before. Victim organizations have been increasingly refusing demands. Attackers have responded by leaning harder on data theft and extortion rather than encryption alone. System Intrusion, the pattern that covers ransomware, accounted for 61 percent of breaches in the 2026 dataset. Its share has grown every year.

GenAI Enters The Attack Chain

Threat actors used generative AI assistance through multiple stages of attacks. The median threat actor used AI in 15 documented techniques. Some actors applied it to 40 or 50. Most AI-assisted malware development maps to established attack methods rather than novel ones. The report found that less than 2.5 percent of AI-assisted malware involved techniques with no previously known malware example. AI is making existing attacks faster and more scalable. Mobile-centric social engineering is accelerating alongside it. In phishing simulations, click rates for voice and text message vectors ran 40 percent higher than for email. The human element appeared in 62 percent of breaches, up slightly from 60 percent.


Shadow AI Adds An Internal Risk Layer

Sixty-seven percent of users accessed AI services on corporate devices through non-corporate accounts. Shadow AI is now the third most common non-malicious insider action in the report’s data loss prevention dataset, a fourfold increase from the year before. The most common data type submitted to unauthorized AI systems was source code. In 3.2 percent of DLP policy violations, employees uploaded research and technical documentation to external AI tools. That activity creates intellectual property exposure without any external attack required.


The SMB Reality: 96% Of Ransomware Victims

Small and medium-sized businesses recorded 7,152 confirmed breaches in the dataset. Ninety-six percent of ransomware victims where organizational size was known were SMBs. Third parties were involved in 55 percent of SMB breaches. The top initial access vectors for SMBs were vulnerability exploitation at 26 percent and credential abuse at 13 percent. System Intrusion, Social Engineering, and Basic Web Application Attacks accounted for all SMB breaches in the dataset. Financially motivated external actors drove every SMB breach case. The report’s conclusion is clear: attackers target SMBs opportunistically.

What The 2026 DBIR Means For Cyber Insurance

The 2026 DBIR describes a claims environment defined by three compounding pressures: vulnerability exploitation rising as the primary initial access vector, third-party breaches growing at 60 percent year over year, and remediation capacity falling further behind volume. For underwriters, the remediation data carries direct weight at renewal. Organizations fully remediating only 26 percent of their most critical known exploited vulnerabilities, and averaging 43 days on what they do patch, carry measurably higher breach exposure than their stated controls suggest. The third-party breach rate of 48 percent means nearly half of all losses now originate outside the insured’s own environment. The report’s overarching message is one underwriters should take seriously: speed and scale are increasing. The fundamentals have not.

FAQ – Verizon 2026 DBIR

What Is The Most Important Finding In The 2026 Verizon DBIR?

Vulnerability exploitation overtook credential abuse as the most common initial access vector for confirmed breaches for the first time. It rose to 31 percent of initial access vectors from 20 percent the year before, a 55 percent increase.

What Does The DBIR Say About Ransomware?

Ransomware appeared in 48 percent of all breaches, up from 44 percent. Sixty-nine percent of victims did not pay. The median ransom paid fell to $139,875, continuing a downward trend from $150,000 the year before.

How Are SMBs Affected By The 2026 DBIR Findings?

The report recorded 7,152 confirmed SMB breaches. Ninety-six percent of ransomware victims where organizational size was known were SMBs. Third parties were involved in 55 percent of SMB breaches.

What Does The Report Say About Vulnerability Remediation?

Only 26 percent of CISA KEV vulnerabilities were fully remediated, down from 38 percent. Median remediation time rose to 43 days from 32. Organizations faced 50 percent more KEV vulnerabilities to patch than in the prior year.

How Is GenAI Changing The Threat Landscape According To The DBIR?

Threat actors used AI assistance in a median of 15 documented attack techniques, with some actors using it across 40 to 50 techniques. Mobile social engineering click rates ran 40 percent higher than email vectors in phishing simulations.

Martin Hinton
