Approximately 31% – close to a third – of all data breaches now begin with the exploitation of some form of software vulnerability by a malicious actor, surpassing credential theft as the number one network entry point for the first time.
This is according to the 19th annual Data Breach Investigations Report (DBIR) from US telecoms giant Verizon, and although the data were gathered and the report largely compiled prior to the industry-wide shakeup prompted by the release of Anthropic’s Claude Mythos frontier model, the firm’s analysts said the signal was clear – artificial intelligence (AI) is fundamentally remodelling cyber security before the industry’s very eyes.
Verizon said the rapid weaponisation of known vulnerabilities was creating a capacity crisis for cyber professionals, underscoring an “urgent need” to prioritise the fundamental tenets of cyber security and risk management.
“While the velocity of cyber threats – driven by AI and faster vulnerability exploitation – is increasing, the foundational principles of security and strong risk management remain the most effective defence,” said Daniel Lawson, Verizon Business senior vice president of global solutions. “The DBIR reinforces that these fundamentals still hold as organizations strive for resilience.”
As such, the 2026 DBIR – which can be downloaded in its entirety here – contains a number of recommendations tailored with AI in mind. These include taking steps to prepare for an influx of patches, integrating AI into secure-by-design frameworks, and leveraging AI within defence-in-depth strategies.
Patrick Münch, chief security officer at Mondoo – a supplier of vulnerability management services – said the DBIR confirmed pain points defenders are already feeling.
“31% of breaches now start with an unpatched vulnerability, overtaking stolen credentials as the number one way in. Only 26% of Cisa Kev vulnerabilities were fully remediated last year, and the median time to patch rose from 32 to 43 days,” he said.
“The industry has spent a decade improving at identifying and analysing problems [but] admiring the findings doesn’t help anyone. The breach happens in the gap between knowing and fixing, and that is where the work has to move.
“Our own research shows why that gap is widening. 62% of teams still run remediation manually, only 2% are fully automated, and just 9% are confident they can fix what matters in time. Verizon found that 60 to 70% of Cisa Kev issues remain open a week after detection, regardless of team maturity. You don’t close that gap with another scanner. You close it with transparent agentic AI: humans in the loop on decisions, AI automation on remediation and mitigation execution, and a clear audit trail from identifying the issue to verifying it’s fixed,” said Münch.
AI as agent of chaos
But it is not merely in the area of vulnerability discovery and exploitation that AI models are making their presence known.
This year’s edition of the Verizon DBIR also shared insight into how shadow AI usage in the workplace has surged, making unapproved AI tools the third most common non-malicious source of data leakage. As the number of employees who say they frequently use AI tools also grows, this highlights the potential for accidental data loss to become more prevalent going forward.
Verizon also found that AI bots are increasing in volume, with the number of automated internet crawlers growing by a fifth every month, compared to flat human-led traffic growth, heralding the possibility of more bot-led threats in the future.
EMEA trends
Acknowledging that by the nature of Verizon’s business, its data skew towards the North American theatre, the report’s authors said that they were attempting to rebalance their coverage in regions such as Europe, the Middle East and Africa (EMEA), with some success. It analysed 8,245 incidents between October 2024 and November 2025, with 6,060 of those resulting in confirmed data leakage, compared to 12,371 in North America and 5,229 in APAC.
Across EMEA, system intrusion accounted for 57% of breaches during the period, up from 53% last year. Breaches that arose from miscellaneous errors dropped from 19% to 14%, and social engineering held steady at 22%.
EMEA stood out for being the region that saw the heaviest use of malware, which occurred in 66% of all cases, but at the same time, 59% of all breaches involved some element of hacking, a little lower than the rest of the world. Verizon said neither of these stats was especially earth-shattering but pointed out that they are moving EMEA closer to the global average.
The most substantive difference between EMEA and the rest of the world was the prevalence of phishing, which shows up in 84% of social engineering intrusions. This may in turn reflect a slightly higher prevalence of nation state-linked intrusions, 23% of all EMEA breaches observed compared to 14% in the rest of the world, something Verizon’s analysts linked to the “complex current political landscape” in Europe and the Middle East.

