Verizon released its 2026 Data Breach Investigations Report on May 19, 2026, the nineteenth edition of what has become the most widely cited empirical dataset on how organizations actually get breached. The 2026 report analyzed more than 31,000 security incidents and 22,000 confirmed data breaches across 145 countries, the largest dataset in the report's history.

The headline finding is a significant structural shift: for the first time in 19 years, vulnerability exploitation has overtaken stolen credentials as the number one breach entry point. Nearly a third of all breaches (31%) began with exploitation of an unpatched or zero-day vulnerability. Stolen credentials, which have held the top position since the DBIR began tracking entry vectors, now account for 26% of breach entry points.

This inversion reflects converging pressures: AI tooling is accelerating the speed at which attackers identify and weaponize vulnerabilities, organizations' patching velocity is declining rather than improving, and the third-party software supply chain has become so deeply embedded in enterprise environments that a single vulnerability in a widely deployed platform can affect thousands of organizations simultaneously.

This article breaks down the report's key findings and what they mean for compliance and security programs in 2026.

The Shift: Why Vulnerability Exploitation Overtook Credentials

The dominance of stolen credentials as a breach entry point over the past two decades reflected a rational attacker calculus: credentials are easier to acquire (through phishing, credential stuffing, dark web purchases) and easier to use (valid credentials bypass many defensive controls) than vulnerability exploitation, which historically required specialized skill and significant reconnaissance.

That calculus is changing, and the DBIR points to a specific accelerant: AI.

Threat actors are using AI tooling to accelerate vulnerability exploitation in several ways:

Automated vulnerability identification: AI-assisted scanning tools can identify vulnerable systems at scale with minimal manual effort. The attack surface analysis that previously required skilled reconnaissance can now be automated and run across large IP ranges in hours.

Rapid weaponization: Once a vulnerability is disclosed (via CVE publication, vendor security advisory, or security research), AI-assisted code generation is reducing the time required to develop working exploits from weeks or months to hours. This collapse in the "time to exploit" window is the most compliance-critical implication of the finding.

Phishing assistance for hybrid attacks: Even in breaches that originate with social engineering, AI is increasing the quality and volume of phishing attacks, creating a broader initial access surface for attackers who ultimately use obtained credentials to exploit authenticated vulnerability vectors.

The implication for defenders is stark: the window between a vulnerability being disclosed and it being exploited in the wild has shrunk dramatically. Patch timelines that were adequate when exploits took months to develop are not adequate in an environment where weaponized exploits may appear within hours of a CVE disclosure.

The Patching Crisis

The DBIR's vulnerability exploitation finding is rendered more alarming by a second finding: organizations are patching known exploited vulnerabilities at a lower rate than in prior years.

Organizations patched only 26% of the vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog last year, down from 38% in 2024. The KEV catalog is CISA's authoritative list of vulnerabilities that have been confirmed to be actively exploited in the wild. It is not a list of theoretical vulnerabilities or emerging risks; it is a list of known, confirmed, actively exploited vulnerabilities where the attacker side of the equation is already solved.

Patching only 26% of the KEV catalog means that for every four actively exploited vulnerabilities an organization's systems are vulnerable to, three are going unaddressed. This is not primarily a technical failure; it is a prioritization and organizational failure.

Several factors explain the declining patch rate:

Volume: The number of CVEs published annually has grown faster than most organizations' capacity to assess and remediate them. Security teams face a genuine triage problem (there are more vulnerabilities than there is time to patch), and the mechanisms organizations use to prioritize are often disconnected from actual exploitation risk.

Complexity: Modern enterprise environments involve hundreds of software products, cloud services, containers, and third-party integrations. Understanding the full scope of exposure for a given CVE in a complex environment requires asset inventory capabilities that many organizations do not have at the necessary fidelity.

Change management: Patching production systems requires downtime windows, testing, change control approvals, and coordination across multiple teams. In environments with rigid change management processes, particularly in regulated industries, the time from patch availability to patch deployment routinely extends into weeks or months.

Legacy systems: A meaningful percentage of enterprise environments contain systems that cannot be patched, either because vendor support has ended or because the systems are too tightly coupled with production processes to be updated without significant operational risk.

The combination of more rapidly weaponized exploits and slower remediation creates an expanding window of exposure that the DBIR data reflects directly.

The Third-Party Risk Explosion

The 2026 DBIR finding on third-party involvement in breaches is among the most significant for enterprise risk and compliance programs: third-party involvement in breaches increased 60% year-over-year, reaching 48% of all confirmed breaches.

This means that nearly half of all confirmed data breaches in 2025 involved compromise through a third-party vendor, software component, or service provider. In 2024, that figure was approximately 30%.

This is not primarily a story about vendors being directly compromised and attackers pivoting to target customers, though that vector is present. It is more broadly a story about the expanding attack surface created by software supply chain dependencies.

The relevant third-party risk vectors include:

Third-party software vulnerabilities: When a widely deployed software library, platform component, or enterprise application contains a vulnerability, every organization running that software is simultaneously exposed. The attacker does not need to target specific organizations; they scan for exposed instances of the vulnerable software and exploit at scale.

Managed service provider (MSP) compromise: MSPs and IT service providers have privileged access to client environments. Compromising an MSP can yield simultaneous access to dozens or hundreds of client organizations from a single intrusion.

SaaS supply chain: Organizations increasingly run core business processes on SaaS platforms. When a SaaS provider is compromised, customer data held in that platform may be accessed, and integration pathways can provide attackers with footholds in customer environments.

Open source component compromise: The 2025 period analyzed by the DBIR saw continued incidents involving compromised open source packages: malicious code introduced into widely used libraries that propagates through the software supply chain when developers include those packages in their builds.

For compliance purposes, the third-party risk finding creates direct obligations under multiple frameworks:

HIPAA: Business associates that experience breaches affecting covered entity PHI trigger notification obligations that run upstream to the covered entity. Covered entities must have BAAs in place and must ensure those agreements include notification timelines and security requirements.

SEC cybersecurity rules: Publicly traded companies must disclose material cybersecurity incidents, and a breach originating with a third-party vendor is still a material incident for the affected company. The SEC has been explicit that material third-party incidents require disclosure.

SOC 2 and ISO 27001: Vendor risk management programs are assessed as part of SOC 2 audits and ISO 27001 certifications. Auditors are increasingly scrutinizing the depth of third-party security assessments, not just their existence.

EU GDPR and NIS2: GDPR requires controllers to ensure processors implement appropriate security measures. NIS2 extends incident reporting obligations and explicitly addresses supply chain security as a required element of cybersecurity risk management for in-scope entities.

Ransomware: Persistent and Increasingly Normalized

Ransomware was involved in 48% of confirmed breaches in the period analyzed, up from 44% the prior year. The upward trend in ransomware prevalence has been consistent across multiple DBIR editions, and the 2026 data suggests continued growth.

Several findings within the ransomware data are noteworthy for compliance programs:

Median ransom payment declined to below $140,000: The decline in median payment does not reflect a decline in ransomware activity; it reflects an increasing number of small and medium-sized targets being hit with lower ransom demands calibrated to what those organizations can actually pay. Large enterprise targets continue to face demands in the millions.

Only 31% of victims paid: The majority of ransomware victims are choosing not to pay. This reflects a combination of improved backup practices (enabling recovery without decryption), law enforcement advisories against payment, and growing recognition that payment does not guarantee data recovery or the deletion of exfiltrated data.

Manufacturing ransomware: Ransomware was involved in 61% of manufacturing sector malware breaches, the highest rate of any sector. The combination of operational technology convergence, supply chain leverage, and legacy system exposure makes manufacturing particularly vulnerable to ransomware with operational impact.

Healthcare remains heavily targeted: Healthcare organizations continue to face disproportionate ransomware pressure. The combination of sensitive PHI, life-safety operational dependencies that create urgency around recovery, and complex legacy IT/OT environments makes healthcare an attractive target category.

Social Engineering: Mobile-Centric Attacks Gaining Ground

The DBIR found that 62% of breaches involved a human element, with social engineering accounting for 16% of breaches. Within social engineering, a significant trend is the shift toward mobile-centric attack vectors.

Mobile phishing attacks, delivered via SMS (smishing) and voice calls (vishing), have a success rate 40% higher than traditional email phishing, according to the DBIR's analysis. Attackers are pivoting to mobile channels for several reasons:

  • Corporate email security controls (spam filtering, sandboxing, link rewriting) have matured and are reasonably effective at blocking known malicious emails
  • Mobile SMS and voice calls receive fewer automated security controls
  • Users are less conditioned to apply skepticism to SMS and phone contacts than to email
  • Mobile attacks are harder to detect and report through traditional security monitoring channels

For enterprise security awareness programs, this finding has direct implications. Training programs that focus primarily on email phishing recognition are not preparing employees for the most effective current social engineering vectors. Training should incorporate smishing and vishing scenarios, and organizations should establish clear protocols for employees to report suspicious mobile contacts.

Compliance Implications: What the DBIR Requires of Security Programs

The 2026 DBIR's findings translate into specific compliance posture requirements that organizations should assess against their current programs:

Vulnerability Management Program Maturity

The KEV patching rate finding (26% of actively exploited vulnerabilities addressed) suggests that most organizations' vulnerability management programs are not structured to prioritize based on actual exploitation risk. A mature vulnerability management program in 2026 must:

  • Monitor CISAโ€™s KEV catalog as a primary prioritization input, not a secondary filter
  • Establish aggressive remediation SLAs for KEV-listed vulnerabilities (48-72 hours for critical internet-exposed systems)
  • Conduct asset inventory at sufficient fidelity to identify all instances of a vulnerable component across the environment
  • Track remediation metrics (mean time to patch, KEV coverage percentage) and report them to security leadership

For organizations subject to regulated frameworks, the declining patch rate also creates specific compliance exposure. NIST CSF, HIPAA's technical safeguard requirements, PCI DSS, and ISO 27001 all require effective vulnerability management. An organization patching 26% of KEV vulnerabilities cannot credibly claim effective vulnerability management.
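As an added example (not the article's or Verizon's code), the following Python script scores a constructed asset inventory against a constructed KEV-style feed and computes the metrics the program requirements above call for: KEV coverage percentage, mean time to patch, and SLA breaches for internet-exposed systems. Field names follow the public CISA KEV JSON feed; the CVE ids, asset names, and the 14-day SLA assumed for non-exposed systems are placeholders.

```python
"""Score an asset inventory against a KEV-style feed (added example).
Field names follow the public CISA KEV JSON feed (cveID, product, dateAdded);
every record below is constructed and the CVE ids are placeholders."""
from datetime import datetime, timedelta, timezone

# Constructed KEV-style entries; not real catalog rows.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "ExampleVPN", "dateAdded": "2026-03-01"},
    {"cveID": "CVE-0000-0002", "product": "ExampleCMS", "dateAdded": "2026-03-03"},
    {"cveID": "CVE-0000-0003", "product": "ExampleERP", "dateAdded": "2026-03-05"},
    {"cveID": "CVE-0000-0004", "product": "ExampleDB",  "dateAdded": "2026-03-10"},
]}

# Constructed inventory: one row per (asset, CVE) finding from a scanner.
INVENTORY = [
    {"asset": "vpn-gw-1", "cve": "CVE-0000-0001", "internet_exposed": True,  "patched_on": "2026-03-02"},
    {"asset": "web-1",    "cve": "CVE-0000-0002", "internet_exposed": True,  "patched_on": None},
    {"asset": "erp-1",    "cve": "CVE-0000-0003", "internet_exposed": False, "patched_on": "2026-03-20"},
    {"asset": "db-1",     "cve": "CVE-0000-0004", "internet_exposed": False, "patched_on": None},
    {"asset": "web-2",    "cve": "CVE-0000-0002", "internet_exposed": True,  "patched_on": "2026-03-04"},
]

# 72h for internet-exposed systems (the 48-72h SLA); 14 days elsewhere is an assumption.
SLA_HOURS = {True: 72, False: 14 * 24}

def _d(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def kev_report(feed, inventory, now):
    """Return KEV coverage %, mean time to patch (hours) and SLA-breaching assets."""
    added = {v["cveID"]: _d(v["dateAdded"]) for v in feed["vulnerabilities"]}
    findings = [f for f in inventory if f["cve"] in added]  # only KEV-listed exposure counts
    patched = [f for f in findings if f["patched_on"]]
    coverage = 100.0 * len(patched) / len(findings) if findings else 100.0
    # The clock starts at KEV listing, the point at which exploitation is confirmed.
    ttp = [(_d(f["patched_on"]) - added[f["cve"]]).total_seconds() / 3600 for f in patched]
    mttp = sum(ttp) / len(ttp) if ttp else 0.0
    breaches = []
    for f in findings:
        deadline = added[f["cve"]] + timedelta(hours=SLA_HOURS[f["internet_exposed"]])
        closed = _d(f["patched_on"]) if f["patched_on"] else now  # open findings age until now
        if closed > deadline:
            breaches.append(f["asset"])
    return {"coverage_pct": round(coverage, 1),
            "mttp_hours": round(mttp, 1),
            "sla_breaches": sorted(breaches)}

if __name__ == "__main__":
    print(kev_report(KEV_FEED, INVENTORY, _d("2026-04-01")))
```

Note that an open finding still counts against the SLA: an asset that is never patched shows up as a breach, not as missing data.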

Third-Party Risk Program Enhancement

A 60% year-over-year increase in third-party breach involvement means that vendor risk programs designed for prior-year risk levels are materially underpowered. Organizations should evaluate:

  • Assessment depth: Are vendor security assessments reviewing actual security controls, or reviewing attestations and questionnaire responses? The former provides meaningful risk information; the latter is easily gamed.
  • Software composition analysis (SCA): For organizations with development functions, does the software supply chain include tooling that identifies open source components and monitors them for newly disclosed vulnerabilities?
  • Fourth-party visibility: Vendor security assessments increasingly need to include major sub-processors and fourth parties that have access to the organization's data.
  • Contractual obligations: Do vendor contracts include security requirements, breach notification timelines, and the right to audit?

Incident Response Preparedness

The DBIR data reinforces that ransomware scenarios, where attackers simultaneously exfiltrate data and encrypt systems, are the most common severe incident type. Incident response plans and tabletop exercises should reflect this reality:

  • Does your IR plan specifically address simultaneous data exfiltration and encryption?
  • Are backup and recovery systems isolated from the primary network (so ransomware cannot encrypt backups)?
  • Have you tested your ability to restore from backups within your recovery time objectives?
  • Does your plan include the regulatory notification obligations that apply when a ransomware incident involves PHI, personal data, or SEC-reportable information?

Workforce Security Training

Given the mobile social engineering finding, security awareness programs should:

  • Include smishing and vishing scenarios, not only email phishing simulations
  • Establish and publicize clear channels for employees to report suspicious mobile contacts
  • Train employees on multi-factor authentication bypass techniques: attackers targeting MFA-protected accounts have shifted to real-time phishing (adversary-in-the-middle) and SIM swapping rather than credential theft alone

The AI Exploitation Timeline: A Planning Horizon Problem

The DBIR's finding that AI is shrinking the exploitation window from months to hours creates a planning horizon problem for enterprise security programs.

Traditional vulnerability management programs are designed around patch cycles measured in weeks. Quarterly patching cadences, which remain common for non-critical systems, assume that a disclosed vulnerability remains unexploited long enough for scheduled patch windows to address it. That assumption is now false for a meaningful subset of newly disclosed vulnerabilities.

The response requires not just faster patching, but architectural changes that reduce the consequence of delayed patching:

Network segmentation: Systems that cannot be quickly patched should be isolated from internet exposure and from lateral movement pathways to high-value targets.

Compensating controls: Vulnerability patching is not always immediately possible. Web application firewalls, intrusion prevention systems, and network access controls can provide temporary mitigation for known exploitation patterns while patches are tested and deployed.

Zero-trust architecture: Limiting the lateral movement available to an attacker who has successfully exploited a vulnerability reduces the blast radius of unpatched systems. Zero-trust principles (assume breach, verify explicitly, limit privilege) are directly responsive to the DBIR's exploitation findings.

Conclusion

The 2026 Verizon DBIR documents a security landscape that is shifting in ways that should prompt concrete program changes rather than incremental adjustments to existing practices.

Vulnerability exploitation overtaking credentials as the top breach entry point is not primarily a headline; it is a signal about where attacker investment is going and where defensive investment needs to follow. The combination of AI-accelerated exploitation timelines and declining organizational patch rates is producing a structural gap that will continue to widen unless organizations fundamentally reconsider how vulnerability management programs are resourced and prioritized.

The third-party risk finding is equally significant. Nearly half of confirmed breaches involving a third party means that an organization's own security posture is necessary but not sufficient. The security posture of every vendor, software component, and service provider with access to the organization's environment is now material to its risk profile.

Neither of these is a new problem. Both appear in prior DBIR editions. What the 2026 data shows is that neither is improving at the scale the threat environment requires, and that the consequences, measured in confirmed breaches, are still growing.

This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel for guidance on their specific compliance obligations.