I am a big fan of Verizon’s yearly Data Breach Investigations Report. I follow it closely, as it confirms what we are seeing in the field, and provides validation for defense strategies employed to protect against attacks. The 2026 Report was recently published, and as I have mentioned before, it is well worth reading.
At a high level, the tone is that attacks remain consistent with previous years, but threat actors are employing new methods, including the use of generative artificial intelligence augmented malware. The message is that although there are more zero day vulnerabilities, social engineering is increasingly successful and the speed of attacks has increased. Those defending systems know the landscape well and need to continue focusing on defending against the most common threats: system intrusion, social engineering, basic web application attacks, miscellaneous errors and privilege misuse.
The 2026 Report shows that in the last year credential abuse has decreased , which shows that users better understand how critical their credentials are in safeguarding systems. Although I have no data to back up this thought, it is logical to attribute that decrease to the increase in educating users about attacks using credentials, requiring password changes, and increasing knowledge and understanding of threat actors’ use of credentials —this is good news.
However, vulnerability exploitation rose, “now the most common initial access vector for breaches.” The 2026 Report notes that “[o]nly 26% of critical vulnerabilities…were fully remediated by organizations in 2025, a drop from the previous year’s 38%.” Further, the median time for full incident resolution went up to 43 days from 32 days, and “organizations had 50% more critical vulnerabilities to patch in this year’s reporting dataset compared to the previous year.” This means that cybersecurity professionals had to patch way more vulnerabilities than last year and weren’t able to finish the job—understandable to be sure. Nonetheless, organizations should consider strategies around addressing the increased number of vulnerabilities that need to be patched, and how to address that risk. The 2026 Report provides some sound strategies to consider.
Ransomware increased in 2025 and represented 48% of all breaches, but ransom payments declined. Significantly, “breaches with third-party involvement have increased by 60%” from last year and represented 48% of all breaches. This fact confirms how important third-party risk management is to an organization’s overall risk management program.
And then there’s the use of AI in attacks. Although the data is already dated, (such as citing reports from Anthropic in November 2025 and no mention of Mythos), nonetheless, the message is clear that threat actors are using AI to automate and scale well-known successful past techniques to lower the barrier for more threat actors to enter the landscape and create havoc. “The more novel cases include combining or chaining together multiple stages of the attack or taking more agentic approaches to the attack, where the agent makes executive decisions about the targets.” This is now the reality that defenders need to address and, if Mythos is released publicly, the “most powerful artificial intelligence to date” poses “a serious offensive cyberweapon.” It will be interesting to see how the threat landscape changes as AI tools become more powerful and their impact on next year’s Verizon Report.
Verizon provides a robust look at the threat landscape, offers practical and useful tips on how to respond, and urges all of us to work together to combat an ever widening and more sophisticated threat landscape. As always, it is well-done, thorough and thoughtful, and very useful to readers.