Verizon DBIR 2026: exploitation of vulnerabilities becomes the leading initial access vector

📊 Analytics, 2026-05-26, 12:34
Verizon has published the Data Breach Investigations Report (DBIR) 2026, based on the analysis of more than 22,000 data breaches and 31,000 security incidents that occurred between November 1, 2024, and October 31, 2025.
Note: Unless otherwise specified, all statistics below compare this period to data from the DBIR 2025, which covered November 1, 2023, through October 31, 2024.
Key findings:
🛠 Exploitation of vulnerabilities has, for the first time, become the top initial access vector, accounting for 31% of all compromises. Only 26% of vulnerabilities from the CISA KEV catalog were fully remediated by surveyed organizations, and the median time for full resolution increased to 43 days (compared to 38% and 32 days respectively in DBIR 2025).
💰 Ransomware was involved in 48% of all data breach incidents. Victims are increasingly refusing to pay: 69% of organizations made no payments, while the median ransom dropped from $150,000 to approximately $140,000. The GTIG had previously reported declining ransomware revenues.
👤 62% of incidents involved unintentional user actions. The role of contractors and partners has also risen sharply — incidents involving third-party compromises increased by 60%, and now represent 48% of all data-breach-related attacks.
📱 In phishing simulations, mobile scenarios (messaging apps, voice calls) showed a 40% higher click rate than email-based phishing. Attackers are increasingly relying on pretexting (social engineering built on a fabricated scenario) as the entry point for ransomware-related attacks.
🤖 In malware development, AI is still primarily used to reproduce existing techniques: the majority of samples replicated the functionality of known malware. Fewer than 2.5% of AI-generated samples involved new or rare techniques.
Verizon also presented data using the VERIS model (Vocabulary for Event Recording and Incident Sharing), which structures attack and incident information.
🥷 VERIS Actors:
• 88% of attacks originated from external actors, 12% from internal ones (including both intentional insider actions and accidental errors).
• Among external actors, organized crime groups (87%) and state-affiliated groups (15%) dominate.
• Internally, regular users were most often involved (75%), followed by system administrators (19%) and developers (4.1%).
• The primary motive remains financial gain (88%), with cyber-espionage accounting for 13%.
⚔ VERIS Actions:
• Ransomware appeared in 48% of attacks, use of stolen credentials remained steady at 36%, and vulnerability exploitation rose to 31%.
• C2 functionality was observed in only 16% of cases. Attackers increasingly rely on standard user access paths, which are less visible to monitoring systems.
🖥 VERIS Assets:
• The most targeted assets were web applications (54%), mail servers (30%), and employees (13%).
• In broader terms, servers (84%), people (23%), and network devices (5%) were the main attack targets.
📂 VERIS Attributes:
• Data confidentiality breaches occurred in 82% of incidents, integrity impact in 64%, and availability issues in 53%.
• The most commonly stolen data were internal documents (67%), followed by credentials (28%) and personal data (23%).
• Highly sensitive personal information, such as Social Security numbers, was compromised in 1.7% of cases.
The report places notable emphasis on the problem of slow patching, which has become particularly critical as vulnerability exploitation leads initial access vectors for the first time. At the same time, the prominence of the human factor and insufficient protection of third parties persists — risks that cannot be fully mitigated by technical means. Consequently, fundamental security awareness and supply chain oversight remain essential components of defense.
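As an added illustration (not code from the report or from Verizon), here is how a team can compute the two KEV metrics the report cites, the share of KEV findings fully remediated and the median time to full resolution, over its own ticket data, plus a censoring-aware variant that shows how a median taken over closed findings alone understates the backlog. The findings, CVE placeholders and dates are constructed; the window end matches the DBIR 2026 period.

```python
from datetime import date
from statistics import median

# Constructed sample of KEV-listed findings for one organisation (hypothetical
# data, not from the DBIR). "closed" is the date the fix was fully applied, or
# None if the finding was still open at the end of the measurement window.
KEV_FINDINGS = [
    {"cve": "CVE-PLACEHOLDER-1", "opened": date(2025, 1, 6),  "closed": date(2025, 2, 10)},
    {"cve": "CVE-PLACEHOLDER-2", "opened": date(2025, 3, 3),  "closed": date(2025, 4, 21)},
    {"cve": "CVE-PLACEHOLDER-3", "opened": date(2025, 5, 12), "closed": date(2025, 6, 24)},
    {"cve": "CVE-PLACEHOLDER-4", "opened": date(2025, 7, 1),  "closed": None},
    {"cve": "CVE-PLACEHOLDER-5", "opened": date(2025, 8, 18), "closed": None},
    {"cve": "CVE-PLACEHOLDER-6", "opened": date(2025, 9, 9),  "closed": date(2025, 12, 1)},
    {"cve": "CVE-PLACEHOLDER-7", "opened": date(2025, 2, 20), "closed": None},
    {"cve": "CVE-PLACEHOLDER-8", "opened": date(2025, 4, 2),  "closed": None},
]

# End of the DBIR 2026 measurement window (1 Nov 2024 to 31 Oct 2025).
WINDOW_END = date(2025, 10, 31)


def kev_remediation_metrics(findings, window_end):
    """Compute the two DBIR-style KEV metrics plus a censoring-aware variant.

    - fully_remediated: share of findings closed on or before window_end
    - median_days_closed_only: median time-to-fix over closed findings only
      (the optimistic figure: still-open findings are left out entirely)
    - median_days_lower_bound: median where each open finding contributes
      its age at window_end, i.e. the least time it will end up taking;
      a large gap between the two medians means the closed-only number
      is hiding a long tail of unpatched KEV entries
    """
    closed_days, open_ages = [], []
    for f in findings:
        if f["closed"] is not None and f["closed"] <= window_end:
            closed_days.append((f["closed"] - f["opened"]).days)
        else:
            # Closed after the window, or never: still open as of window_end.
            open_ages.append((window_end - f["opened"]).days)
    return {
        "fully_remediated": len(closed_days) / len(findings),
        "median_days_closed_only": median(closed_days) if closed_days else None,
        "median_days_lower_bound": median(closed_days + open_ages),
        "open_count": len(open_ages),
    }


if __name__ == "__main__":
    for name, value in kev_remediation_metrics(KEV_FINDINGS, WINDOW_END).items():
        print(f"{name}: {value}")
```

On the constructed data the closed-only median is 43 days while the censoring-aware lower bound is 63 days, so a dashboard showing only the first number would look healthier than the backlog warrants.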