Verizon 2026 DBIR: 6 key takeaways for CISOs

The 2026 DBIR -- practically required reading for CISOs -- identifies critical enterprise security trends, from exploit-driven breaches to shadow AI dangers and third-party risks.

The threat landscape is undergoing rapid and unprecedented change, as reflected in the "Verizon 2026 Data Breach Investigations Report." For the first time in the report's 19-year history, vulnerability exploitation was the leading initial access vector, displacing credential abuse from the top spot. It was also the first year that researchers documented an AI-executed state-sponsored attack, bringing the hypothetical and experimental into reality.

But the more things change, the more they stay the same.

"The 2026 edition of the DBIR invites you to consider the importance of the fundamentals of cybersecurity as the best way to brave all of this change," the report reads. "A little cyber-stoicism, if you will."

Simply put, the tried-and-true best practices security teams have relied on for years -- from visibility and patching to MFA and policies -- are key to winning the fight against cyberattackers.

Below are six key takeaways from the 2026 DBIR for CISOs and their teams.

Vulnerability exploitation overtakes stolen credentials

Exploiting vulnerabilities became the most common method threat actors use to gain initial access to victims' networks -- accounting for 31% of attacks, up from 20% in 2024 -- displacing credential abuse as the longstanding leading vector.

Organizations are clearly struggling to remediate flaws, with the DBIR reporting that only 26% of CISA's Known Exploited Vulnerabilities (KEVs) were fully remediated in 2025, down from 38% the previous year. To make matters worse, the report noted, median remediation time increased from 32 days to 43 days, perhaps in part because the median number of KEVs was 16 in 2025, up from 11 in 2024.
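To benchmark your own program against the two KEV remediation figures the report tracks, the following added example (not code from the DBIR or this article) computes the share of KEVs fully remediated and the median days to remediate from a constructed scanner export; the CVE identifiers and asset names are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class KevFinding:
    """One (KEV, affected asset) pair from a vulnerability-scanner export (constructed)."""
    cve: str
    asset: str
    first_seen: date            # scanner first observed the vulnerable asset
    remediated: Optional[date]  # None while the asset is still vulnerable


def kev_remediation_metrics(findings):
    """Return DBIR-style KEV metrics plus the list of still-open KEVs.
    A KEV counts as fully remediated only when every affected asset is fixed;
    its remediation time runs from the earliest detection to the last fix."""
    by_cve = {}
    for f in findings:
        by_cve.setdefault(f.cve, []).append(f)

    fully_remediated, durations, still_open = 0, [], []
    for cve, group in by_cve.items():
        if all(f.remediated is not None for f in group):
            fully_remediated += 1
            start = min(f.first_seen for f in group)
            end = max(f.remediated for f in group)
            durations.append((end - start).days)
        else:
            # One lagging host keeps the whole KEV in the "not remediated" bucket.
            still_open.append(cve)

    pct = 100.0 * fully_remediated / len(by_cve) if by_cve else 0.0
    return {
        "fully_remediated_pct": pct,
        "median_days_to_remediate": median(durations) if durations else None,
        "open_kevs": sorted(still_open),
    }


# Constructed sample data; the CVE identifiers are placeholders, not real KEV entries.
SAMPLE_FINDINGS = [
    KevFinding("CVE-0000-0001", "web-01", date(2025, 1, 10), date(2025, 2, 5)),
    KevFinding("CVE-0000-0001", "web-02", date(2025, 1, 12), date(2025, 2, 20)),
    KevFinding("CVE-0000-0002", "vpn-gw", date(2025, 3, 1), date(2025, 3, 31)),
    KevFinding("CVE-0000-0003", "db-01", date(2025, 4, 2), date(2025, 4, 9)),
    KevFinding("CVE-0000-0003", "db-02", date(2025, 4, 2), None),  # still open
    KevFinding("CVE-0000-0004", "fw-edge", date(2025, 5, 1), date(2025, 6, 20)),
]
```

On the sample, three of four KEVs are fully remediated (75%) with a median of 41 days, and CVE-0000-0003 stays open because one database host is still unpatched.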

Because the report's data set spans October 2024 through November 2025, it predates the release of Mythos, suggesting future reports could see even higher levels of vulnerability exploitation.

Credential abuse dropped to 13% from 22%, partially attributed to the addition of pretexting as an initial access vector (more on that below).

Bad news and good news on ransomware

Ransomware proved yet again that it's the threat that keeps on threatening. Nearly half of all incidents (48%) involved some form of ransomware, up from 44% in the previous reporting period.

On the somewhat positive side, 69% of victims did not pay the ransom, and the median ransomware payment decreased from $150,000 to $139,875.

Shadow AI becomes a major insider risk

Despite a slight year-over-year decline, use of noncorporate GenAI accounts on corporate devices remains widespread, with 67% of users still relying on them to access AI services. AI adoption among employees has accelerated: 45% are now regular users of AI tools, authorized or otherwise, compared with just 15% in 2024.

Shadow AI was named the third most common nonmalicious insider risk detected in the DBIR's data loss prevention (DLP) data set, a 400% increase from 2024. The DBIR found users commonly leak source code, images and other structured data to GenAI models, and that 3.2% of DLP policy violations involve employees leaking intellectual property, such as research or technical documentation, to LLMs.

Third-party attacks account for almost half of all breaches

Breaches involving third parties increased by 60%, accounting for 48% of all breaches in 2025 compared to 30% in 2024.

The DBIR breaks supply chain breaches into three categories:

  • Vendor in an organization's software supply chain. The initial access vector was under the organization's control. This could be a vulnerability in a vendor's product, for example, the SolarWinds breach.
  • Vendor hosting an organization's data in its environment. Initial access was against a vendor that stores the organization's data. For example, the Snowflake attack.
  • Vendor with a connection to an organization's environment. Initial access is on the vendor, with lateral movement into the organization. For example, the Target breach.

The report noted that "at first glance, there doesn't appear to be anything that could have been done to prevent these from the victim organization's perspective," but closer analysis of the root causes of many incidents involving third parties boils down to "insecure authentication -- absence of MFA, improper credential rotation -- or lack of least privilege enforcement for users or service accounts."

Social engineering tactics shift slightly

While email phishing remains the social engineering vector of choice, many threat actors today target victims on their mobile devices -- and are possibly seeing greater success. The DBIR noted that mobile-centric voice- or text-based scams achieved a 40% higher click-through rate in phishing simulations than email-based campaigns. The report proposed that attackers are trying to circumvent traditional enterprise phishing defenses by infiltrating users' devices.

Also, pretexting was separated from credential misuse in this year's DBIR, accounting for 6% of initial access vectors. While this is the same percentage as in the previous report, the DBIR justified adding it as a distinct initial access vector by its use in the high-profile ransomware breaches analyzed for the report.

Phishing scams, the report explained, involve asynchronous social actions that result, for example, in a victim sharing credentials, downloading malicious files or clicking spoofed links. Pretexting involves a synchronous component -- such as an attacker establishing a trusted relationship with the victim before manipulating them into sharing sensitive data or transferring money.

"If there is someone on the other side of the proverbial line interacting with you to do something you shouldn't, that's pretexting," the report noted.

AI is changing how attackers attack

DBIR researchers collaborated with Anthropic to uncover how threat actors use AI platforms for malicious purposes. Classifying the observed activity against the MITRE ATT&CK framework, DBIR and Anthropic researchers found that attackers used AI across 15 ATT&CK techniques, with some using as many as 40 or 50.

For example, threat actors use GenAI to develop malware, target victims, gain initial access and perform basic tasks such as file obfuscation or forensic cleanup. The researchers found that less than 2.5% of the AI-assisted actions involved uncommon techniques. In other words, attackers often use AI to automate and scale well-known techniques rather than create novel or rare attacks.

"But who knows? Given the rate of change in AI capabilities, this assessment might be obsolete by the time this report is finally published," the report said.

The report and its findings also precede the news surrounding Mythos and Glasswing, developments that could reshape how threat actors use AI.

Sharon Shea is executive editor of TechTarget Security.
