Verizon DBIR: Vulnerability exploitation is the dominant initial access vector

Vulnerability exploitation has overtaken stolen credentials as the most common way attackers gain initial access to target networks, according to the 2026 Verizon Data Breach Investigations Report.

This is the first time credential theft has been knocked off the top spot in the report’s 19-year history, the company noted.

Figure: Known initial access vectors over time (Source: Verizon 2026 DBIR)

What is Verizon DBIR?

Published annually, Verizon’s DBIR is based on the analysis of real-world data breaches and security incidents from the previous year. For the 2026 edition, that means incidents that happened between November 2024 and October 2025.

Verizon aggregates this data from many contributing organizations: law enforcement agencies, incident response firms, information sharing and analysis centers (ISACs), and computer emergency response teams (CERTs) worldwide.

This latest DBIR surfaced many crucial findings and confirmed already observed trends, such as the rise of third-party involvement in breaches.


The rise of AI-assisted vulnerability research by threat actors might sound like the most likely explanation for vulnerability exploitation overtaking credential theft, but the analyzed data predates that “explosion”.

The problem is that organizations aren’t patching known vulnerabilities quickly enough, and sometimes not thoroughly enough.

Only 26% of the CISA “known exploited” vulnerabilities – arguably the most critical flaws to address, since they are actually being leveraged by attackers – had been fully remediated by the 13,000 polled organizations. In the previous year’s dataset that figure was 38%, a considerable drop, Verizon analysts noted.

“There is also a worse result for the median time elapsed for a vulnerability to be fully patched by detection,” they added. “Our new median time is 43 days, almost two weeks longer than last year’s 32 days.”

What was the reason for this deterioration? Verizon blames it on the drastic increase in the number of vulnerabilities, including those in CISA’s Known Exploited Vulnerabilities (KEV) catalog, which makes patch prioritization a bigger problem than before. Unfortunately, the use of AI for vulnerability discovery – whether by researchers or attackers – is expected to add to the burden.
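The two figures above (the share of KEV entries fully remediated, and the median days from detection to full patch) are straightforward to compute for your own estate from a vulnerability scanner export and CISA's KEV feed. The following is an added example, not code from Verizon or CISA: it groups scanner findings by CVE, counts a CVE as fully remediated only when every affected asset is patched (so time-to-patch runs to the last fix, not the first), and lists open KEV entries that are past CISA's due date, ransomware-linked ones first. The field names follow CISA's public KEV JSON, but the feed entries, asset names and CVE IDs (CVE-0000-xxxx) are constructed placeholders, not real vulnerabilities.

```python
from datetime import date
from statistics import median

# Constructed subset in the shape of CISA's KEV JSON feed; the IDs are placeholders,
# not real CVEs. The real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2025-03-01", "dueDate": "2025-03-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2025-05-10", "dueDate": "2025-05-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2025-07-04", "dueDate": "2025-07-25",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0004", "dateAdded": "2025-11-10", "dueDate": "2025-12-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner findings: one row per (asset, CVE); patched_on is None while open.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "detected_on": "2025-03-02", "patched_on": "2025-03-20"},
    {"asset": "web-02", "cve": "CVE-0000-0001", "detected_on": "2025-03-02", "patched_on": "2025-04-30"},
    {"asset": "vpn-01", "cve": "CVE-0000-0002", "detected_on": "2025-05-11", "patched_on": "2025-05-25"},
    {"asset": "db-01",  "cve": "CVE-0000-0003", "detected_on": "2025-07-05", "patched_on": None},
    {"asset": "db-02",  "cve": "CVE-0000-0003", "detected_on": "2025-07-05", "patched_on": "2025-07-20"},
    {"asset": "mail-01", "cve": "CVE-0000-0004", "detected_on": "2025-11-12", "patched_on": None},
    {"asset": "app-01", "cve": "CVE-0000-9999", "detected_on": "2025-08-01", "patched_on": None},  # not in KEV
]


def kev_index(feed):
    """Map cveID -> KEV entry for membership and due-date lookups."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def remediation_report(findings, feed, as_of):
    """Summarise KEV remediation the way the DBIR frames it.

    A CVE counts as fully remediated only when every affected asset is patched,
    and its time-to-patch runs from first detection to the last asset fixed.
    """
    kev = kev_index(feed)
    as_of = date.fromisoformat(as_of)

    # Group findings per KEV CVE; anything not in the catalog is out of scope here.
    by_cve = {}
    for f in findings:
        if f["cve"] in kev:
            by_cve.setdefault(f["cve"], []).append(f)

    fully, partial, untouched, durations = [], [], [], []
    for cve, rows in by_cve.items():
        first_seen = min(date.fromisoformat(r["detected_on"]) for r in rows)
        patch_dates = [r["patched_on"] for r in rows]
        if all(patch_dates):
            fully.append(cve)
            last_fix = max(date.fromisoformat(p) for p in patch_dates)
            durations.append((last_fix - first_seen).days)
        elif any(patch_dates):
            partial.append(cve)
        else:
            untouched.append(cve)

    # Open KEV CVEs past CISA's due date, ransomware-linked ones first, then by due date.
    open_cves = partial + untouched
    overdue = sorted(
        (c for c in open_cves if date.fromisoformat(kev[c]["dueDate"]) < as_of),
        key=lambda c: (kev[c]["knownRansomwareCampaignUse"] != "Known", kev[c]["dueDate"]),
    )

    return {
        "kev_cves_seen": len(by_cve),
        "fully_remediated": sorted(fully),
        "partially_remediated": sorted(partial),
        "not_started": sorted(untouched),
        "fully_remediated_pct": round(100 * len(fully) / len(by_cve)) if by_cve else 0,
        "median_days_to_full_patch": median(durations) if durations else None,
        "overdue": overdue,
    }


if __name__ == "__main__":
    for key, value in remediation_report(FINDINGS, KEV_FEED, "2025-10-31").items():
        print(f"{key}: {value}")
```

On the constructed data this reports two of four KEV CVEs fully remediated (50%), a median of 36.5 days to full patch, and one overdue entry; a CVE with one host still unpatched stays in the partial bucket and contributes nothing to the median, which is the distinction that makes the "fully remediated" number look worse than a per-host patch rate would.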

Verizon also noted more worrying statistics.

Despite third-party involvement in breaches jumping 60% year-on-year and now accounting for nearly half of all breaches, remediation is slow.

MFA gaps in third-party cloud accounts are typically closed within a month, yet only 23% of third-party organizations fully remediated their MFA issues at all. Weak passwords and permission misconfigurations take close to eight months to fix for half of all findings.

Social engineering, ransomware and extortion

Verizon found that phishers, in general, are having more success in targeting users via voice and text messaging than email.

Pretexting, which is a social engineering technique where an attacker fabricates a scenario to manipulate a target into handing over information or access, has also become a more common initial access vector to ransomware and extortion attacks.

This approach has been popularized by attack groups like Lapsus$ and Shiny Hunters, which often carry out the attack via phone call. (And there are now phishing kits out there that are turbocharging vishing attacks.)

“Ransomware grew again to 48% of all breaches, up from 44% from the previous year. However, ransom payments have continued to decline among our dataset, as 69% of ransomware victims didn’t pay,” Verizon noted.

Infostealers are serving as a pipeline to ransomware attacks: half of the ransomware victims that had a prior credential leak experienced it within 95 days of the attack. Stolen credentials are packaged and sold by initial access brokers, allowing ransomware operators to simply buy their way in and concentrate their efforts on lateral movement, privilege escalation, deploying the ransomware and extorting the organization.

The AI threat

Aside from AI-assisted vulnerability discovery, AI adds to organizations’ risk in other ways.

“Shadow AI is now the third most common non-malicious insider action detected in our data loss prevention (DLP) dataset in 2025, a fourfold increase in percentage from the previous year,” the researchers noted.

But LLMs and AI agents are also helping attackers every step of the way: they are using them to create exploits and malware, execute well-documented techniques and scale them more efficiently, get help with phishing, and more.

Advice for CISOs

“The 2026 DBIR makes clear that attackers continue to prioritize the most reliable paths to compromise, such as exploiting unpatched vulnerabilities, leveraging compromised or weak credentials, and scaling social engineering with speed and efficiency,” said Phyllis Lee, Vice President of CIS Security Best Practices Content Development.

“Organizations that focus on proven, prioritized security controls and timely remediation are better positioned to reduce risk and disrupt these common attack patterns.”

Verizon also pointed out the urgent need to prioritize fundamental security and risk management practices.

CISOs and cybersecurity professionals are advised to prepare for the onslaught of patches, integrate AI into “secure by design” frameworks, and use AI themselves in their defense-in-depth strategies.
