Verizon warned that artificial intelligence is beginning to reshape the cybersecurity environment, with attackers using generative AI to scale familiar tactics as companies struggle to patch vulnerabilities, control employee use of AI tools and manage third-party exposure.
In its 2026 Data Breach Investigations Report, the telecom giant said it analyzed more than 31,000 real-world security incidents, including more than 22,000 confirmed data breaches across organizations in 145 countries, the largest breach sample the company has examined in a single DBIR.
The report’s dataset covers incidents from late 2024 through 2025, while also including forward-looking observations on AI-assisted attacks seen in early 2026.

Vulnerability exploitation overtakes credentials
One of the report’s most notable findings is that exploitation of vulnerabilities has become the most common way attackers gain initial access to breached organizations, rising to 31% of known initial access vectors in the 2026 dataset.
Credential abuse, long one of the most common entry points, fell to 13 percent, although Verizon cautioned that stolen or misused credentials remain deeply embedded across many attack paths.
The shift creates a growing pressure point for companies as attackers move faster and defenders fall behind on patching. Verizon said only 26 percent of critical vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog were fully remediated, down from 38 percent in the previous year’s report. The typical resolution time for those vulnerabilities also rose to 43 days from 32 days.
The report also said that organizations faced almost 50 percent more critical vulnerabilities in this year’s dataset, suggesting that the issue is not only weak security discipline but also the volume of flaws competing for attention.
GenAI helps attackers scale familiar tactics
Verizon said threat actors are now increasingly using generative AI at different stages of attacks, including targeting, initial access, vulnerability research, malware development and tooling.
The report found that a typical threat actor researched or used AI assistance across 15 documented techniques, while some actors used AI across as many as 40 or 50 techniques.
That does not mean AI is creating new kinds of cyberattacks. Verizon said most AI-assisted malware still mirrors techniques security teams already know, with about 55 existing malware examples typically performing similar functions for each technique. Less than 2.5 percent of AI-assisted malware observations involved rarer techniques with one or fewer known malware examples.
The finding suggests AI is less a source of entirely new attack methods than a force multiplier for speed and scale, helping threat actors build tools, sharpen social engineering and research vulnerable targets more efficiently.
Shadow AI becomes an insider risk
The report also shows that AI is creating risk inside organizations, not just from external attackers. Verizon said 45 percent of employees are now regular users of AI tools on corporate devices, up from 15 percent in the previous year, while 67 percent of users accessing AI services on work devices are doing so through non-corporate accounts.
That trend, often called Shadow AI, has become a data-loss concern. Verizon said unauthorized generative AI use is now the third most common non-malicious insider action detected in its data loss prevention dataset, marking a fourfold increase from the previous year.
The most common type of data submitted to external AI models was source code, followed by images and structured data, while research and technical documentation appeared in 3.2 percent of policy violations.
For businesses, the issue is no longer whether employees are using AI, but whether companies can put approved tools, clear policies and monitoring in place before sensitive code, documents or customer data flows into external systems outside corporate control.
Mobile social engineering gains ground
Human behavior remained a central breach factor, with Verizon saying the human element was present in 62 percent of breaches, up from 60 percent in the previous year, while Social Engineering represented 16 percent of all breaches. The report also found that mobile-centric vectors, including voice and text messaging, had success rates 40 percent higher than email in phishing simulations.
That finding fits the broader AI-risk picture, as generative tools make it easier for attackers to write convincing messages, mimic tone and personalize outreach, raising concerns around voice and mobile-based attacks as well as pretexting in ransomware and extortion cases.
Ransomware and third-party breaches keep rising
Ransomware remained one of the most disruptive breach types in the report, rising to 48 percent of all breaches from 44 percent in the prior dataset. Still, Verizon said 69 percent of ransomware victims did not pay, while the median ransom payment declined to $139,875 from $150,000.
The report also flagged third-party exposure as a major and worsening problem. Breaches involving third parties increased by 60 percent from last year’s dataset, reaching 48 percent of total breaches, as companies continue to rely heavily on outside software, cloud services, vendors and managed platforms.
Verizon said many cloud-based third-party incidents came down to familiar weaknesses, including missing multifactor authentication, weak credential rotation and excessive permissions.
That point becomes more important as companies adopt AI agents and automated workflows that may require access across internal and external systems. Verizon warned that authentication and authorization controls, especially around service and machine accounts, will matter even more in what it described as a potential agentic AI future.
Old security basics still define the AI era
The report’s broader message is that AI is changing the speed and scale of cyber risk, but not the fundamentals of defense. Attackers are using new tools to exploit old weaknesses, employees are adopting AI faster than policies can catch up, and third-party systems continue to widen the attack surface.
For companies, Verizon’s findings suggest that the AI security race will not be won only through new defensive tools. It will depend on whether organizations can patch faster, enforce access controls, monitor AI use, train employees against more convincing social engineering and reduce exposure across vendors.
In a threat landscape increasingly shaped by automation, the basics are becoming more urgent, not less.






