Verizon DBIR 2026: AI Changed the Game of Breaches

The Verizon DBIR 2026 reveals: vulnerability exploitation surpasses password theft, and AI reduces attacks from months to hours. See the data.

by Cleverson Gouvêa

The Verizon DBIR 2026 has arrived with a message that shakes infrastructure managers: for the first time in 19 editions, exploitation of unpatched vulnerabilities has overtaken credential theft as the primary entry point for data breaches. As a developer who has managed Linux servers for over 15 years, I read the entire report and separated what really matters for Brazilian companies — no alarmism, just the numbers on the table.

TL;DR

  • The DBIR 2026 analyzed 31,000 incidents and confirmed over 22,000 breaches — nearly double the previous year.
  • Vulnerability exploitation became the number one vector (31%), ahead of credential abuse (13%).
  • Artificial intelligence shortened the time from vulnerability discovery to attack from months to hours.
  • Shadow AI exploded: employees using unauthorized AI jumped from 15% to 45% in one year.
  • Ransomware appeared in 48% of breaches, but only 31% of victims paid the ransom.

What is the DBIR 2026 and why it matters

The DBIR (Data Breach Investigations Report) is the annual data breach investigation report published by Verizon Business. Released on May 19, 2026, this is the 19th year of the study, considered the most respected reference in the information security industry. It is not opinion: it is statistics based on real incidents.

This year's edition covers the period from November 1, 2024 to October 31, 2025 and analyzed 31,000 security incidents, of which over 22,000 were confirmed breaches — practically double the 12,195 confirmed cases in the previous edition. This jump does not only mean the world has become more dangerous; it also means data collection has improved and more organizations are reporting incidents.

For me, the value of the DBIR 2026 lies in turning headlines into decisions. When the report points to a growing attack vector, it becomes a priority for patching, budgeting, and internal policy the following week. It is the difference between reacting to the next news scare and planning defense based on what actually brought down other companies in the past year.

Vulnerability exploitation surpasses stolen credentials

The historic shift in the DBIR 2026 is this: 31% of breaches began with exploitation of an unpatched software vulnerability, compared to only 13% that involved credential abuse. For nearly two decades, stolen passwords were the preferred path for attackers. Now, the forgotten flaw on your server is the invitation.

Why this is happening

The answer is uncomfortable: companies patch slowly. The DBIR 2026 shows that the median time to patch a vulnerability rose to 43 days, compared to 32 days in the previous survey. Worse: of the flaws listed in the CISA KEV catalog (known exploited vulnerabilities), only 26% were patched on time — a drop from 38% last year.

In practice, the attacker has over a month of open window while the IT team pushes the patch to the next sprint. I see this up close in the EAD (distance learning) environments I manage: an outdated Moodle or an abandoned plugin is exactly the kind of target the DBIR 2026 describes.

How AI changed the speed of attacks

Here is the point that connects the DBIR 2026 to everything I write about artificial intelligence: AI did not invent a new attack, but it accelerated old ones in a brutal way. The report points out that the time between the publication of a vulnerability and its active exploitation dropped from months to hours.

Attackers today use AI models to scan code, identify flaws, and generate exploits at scale. Verizon documented the use of AI in at least 15 distinct attack techniques. The result is that the defense window — that interval between "the patch is out" and "I am protected" — has become a matter of hours, not weeks.

This changes the math of defense. It is no longer possible to treat security updates as a monthly task. Those working with systems exposed to the internet need patch automation and continuous monitoring, because the speed of the automated attacker does not wait for business hours.

AI also plays on the defense side

For balance: the same DBIR 2026 that shows AI accelerating attacks also records defenders using AI to detect anomalies, prioritize fixes, and respond to incidents faster. The difference is maturity. Attackers adopted automation first, without approval committees and without fear of error. Security teams, bound by processes and audits, take longer to incorporate the same technology. The report's message is not "fear AI," but "use it before it is used against you" — in detection, alert triage, and exposure management.

Shadow AI: the internal threat that grew from 15% to 45%

Perhaps the most underestimated data point in the DBIR 2026 is the explosion of Shadow AI — the use of AI tools not approved by the company. The proportion of employees who are regular AI users jumped from 15% to 45% in just one year. And 67% access AI services on corporate devices using personal accounts.

The problem is not AI itself. It is the silent leak: someone pastes a contract, source code, or customer database into a public chatbot, and that data leaves the security perimeter without a trace. No firewall catches this because the traffic looks legitimate.

The lesson from the DBIR 2026 is not to ban AI — that would be futile and counterproductive. It is to offer official tools with corporate accounts and clear policies, so employees do not need to resort to the pirated version in the browser. AI governance has become a security issue, not just a productivity one.

Ransomware in 48% of breaches — but fewer people pay

Ransomware remains dominant: it was present in 48% of confirmed breaches in the DBIR 2026, up from 44% in the previous cycle. The good news is that the crime business model is under pressure. The median ransom demand dropped to less than US$140,000, and only 31% of victims paid.

This decline in payments suggests that the "don't pay" message has finally caught on. Companies with tested backups and recovery plans can say no. Those that pay are generally the ones that discovered too late that their backup did not work.

It is worth remembering why paying is bad business: there is no guarantee the criminal will return the data, the payment funds the next wave of attacks, and it marks the company as a willing target — an invitation for recurrence. The money that would go to the ransom yields much more invested in immutable backup, network segmentation, and an incident response plan that someone has actually tested in a simulation.

DBIR metric                               Previous edition          DBIR 2026
Breaches via vulnerability exploitation   Fewer than via credentials   31% (1st place)
Breaches involving ransomware             44%                       48%
Third-party involvement                   30%                       48%
Median time to patch                      32 days                   43 days
Employees who are regular AI users        15%                       45%

One of the most alarming growths in the DBIR 2026 is third-party involvement in breaches: it jumped from 30% to 48% — an increase of 60%. Nearly half of breaches today go through a supplier, partner, or software dependency.

This is the supply chain attack in its purest form. I have written about the NPM packages infected by Shai-Hulud and about the malicious extension that leaked 3,800 repositories on GitHub — both cases are exactly what the DBIR 2026 measures: the attacker does not knock on your door; he enters through your supplier's door.

The aggravating factor: only 23% of third-party organizations fully remediated MFA (multi-factor authentication) on cloud accounts. In other words, you may have done your homework and still be compromised by the weakest link in the chain. Therefore, supplier risk management is no longer compliance paperwork but concrete defense: it is worth mapping which third parties have access to your data, requiring MFA evidence, and reviewing integration permissions and tokens as often as you review your own.

Social engineering and the human factor

Technology does not fail alone — people make mistakes. The DBIR 2026 shows that 62% of breaches involved a human element, and 16% started with phishing. The new detail is the channel: phishing attacks via mobile devices had a success rate 40% higher than those via email.

It makes sense. On a cell phone, the screen is small, the URL is hidden, and the person is distracted, walking on the street. The same link that would be ignored on a desktop becomes a click on a smartphone. Worse: scams via WhatsApp and SMS arrive looking like personal messages, bypassing corporate email filters that took years to mature. This directly ties into the defenses I commented on in the post about Android 17's security news, where the system started delaying app access to SMS verification codes.

Team training, therefore, is no longer an HR item — it is a first-line security control.

What Brazilian companies should do now

The DBIR 2026 is global, but the translation to the Brazilian reality is direct. Here is what I recommend prioritizing:

  1. Automate patch management. If the attack window is hours, manual monthly updates do not protect. Monitor the CISA KEV catalog and treat exploited flaws as emergencies.
  2. Implement MFA everywhere — and demand it from suppliers. It is not enough to protect your own house if 48% of breaches come from third parties. Require MFA contractually.
  3. Create an official AI policy. Offer approved tools with corporate accounts to kill Shadow AI before it leaks your data.
  4. Test your backup for real. The drop in ransomware payments comes from those who can restore. A backup that has never been tested is just hope.
  5. Train against mobile phishing. Simulations on cell phones, not just corporate email.
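To make step 1 concrete, here is an added example (my own illustration, not code from the report or from Verizon) of the kind of KEV triage a small ops team can automate: it cross-references a KEV-style feed against an inventory of what you actually run, computes each flaw's exposure window and whether it blew past CISA's due date, and reports your own median time to patch, the same metric the DBIR puts at 43 days. The feed and inventory below are constructed placeholders; only the field names follow the public CISA KEV JSON schema.

```python
import json
import statistics
from datetime import date

# Constructed KEV-style feed. Field names match the public CISA KEV JSON
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
# the CVE ids, vendors and dates are placeholders, not real catalog entries.
KEV_FEED = json.loads("""{
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Moodle", "product": "Moodle",
     "dateAdded": "2026-03-02", "dueDate": "2026-03-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExamplePlugin",
     "dateAdded": "2026-01-10", "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "NotInstalled",
     "dateAdded": "2026-02-15", "dueDate": "2026-03-08", "knownRansomwareCampaignUse": "Unknown"}
  ]
}""")

# Constructed inventory: KEV entries that affect systems you run, and when each was patched
# (None = still open). In real use this would come from your CMDB or package manager.
INVENTORY = {
    "CVE-0000-00001": {"host": "moodle-01", "patched": "2026-04-20"},
    "CVE-0000-00002": {"host": "moodle-01", "patched": None},
}

def triage(feed, inventory, today):
    """One row per KEV entry you are exposed to, most urgent first."""
    rows = []
    for v in feed["vulnerabilities"]:
        item = inventory.get(v["cveID"])
        if item is None:          # not in our estate: no action needed
            continue
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        patched = date.fromisoformat(item["patched"]) if item["patched"] else None
        closed_on = patched or today   # open flaws keep accumulating exposure
        rows.append({
            "cve": v["cveID"], "host": item["host"],
            "days_exposed": (closed_on - added).days,
            "patched": patched is not None,
            "overdue": closed_on > due,   # missed the CISA remediation due date
            "ransomware": v["knownRansomwareCampaignUse"] == "Known",
        })
    # Unpatched before patched, then ransomware-linked, then longest exposure.
    rows.sort(key=lambda r: (r["patched"], not r["ransomware"], -r["days_exposed"]))
    return rows

def median_days_to_patch(rows):
    """Your own version of the DBIR's 'median time to patch' metric."""
    closed = [r["days_exposed"] for r in rows if r["patched"]]
    return statistics.median(closed) if closed else None

if __name__ == "__main__":
    result = triage(KEV_FEED, INVENTORY, date(2026, 5, 19))
    for r in result:
        print(r)
    print("median days to patch:", median_days_to_patch(result))
```

Run it against your real inventory daily; anything that comes out unpatched and overdue is the "treat as an emergency" item from step 1.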

None of these measures are expensive. All of them, according to the report itself, are what separates compromised companies from those that resist.

Conclusion: the basics done well win

The message from the Verizon DBIR 2026 is almost uncomfortably simple: attacks have become faster with AI, but defenses remain the same as always — up-to-date patches, MFA, data governance, and trained people. As Daniel Lawson, Senior Vice President of Global Solutions at Verizon Business, summarized, while the speed of threats increases, the fundamental principles of security remain the most effective defense.

If your company has systems exposed to the internet — a website, an API, an EAD environment — it is worth reviewing today how long it takes between a patch being released and being applied. At Agathas Web, that is the first number I look at in any audit. Want help mapping your vulnerabilities before the attacker's AI does it for you? Talk to us.