Verizon's 19th edition of the DBIR confirms the vulnpocalypse***
But with many asterisks! Read on to find out why.
The Verizon 2026 Data Breach Investigations Report (or just "the DBIR" to us security nerds) isn't just any industry report - it's a juggernaut in a field where multiple industry reports often drop on the same day, all year long. It is particularly common for cybersecurity vendor marketing teams to put out annual reports[1].
What makes the DBIR so special?
While this report is produced by Verizon, it's decidedly not a typical "vendor" report. Most vendor reports only include data from their own customers, whereas Verizon's report includes data from over 100 partners and 145 different countries. The DBIR team isn't a vendor marketing team that spends a month building an annual report every year; this report is the majority of what the team works on all year long.
The report is also awesome because it teaches you how to use it. Don't skip pages 6-9, ESPECIALLY if you plan to publish something from this report[2].
If there's only one report you read with your own eyeballs, this should be the one. Don't have an AI summarize it for you. AI doesn't care about footnotes, and footnotes are the best part of any report[3].
Exploring the numbers
No other industry report comes remotely close to gathering and analyzing data on this scale. The 2026 report includes 31,850 incidents (a 31% increase over the 2025 reportâs data set) and 22,624 confirmed data breaches (a 46% increase over the 2025 data set).
Data breaches are 71% of all incidents in this dataset, compared to 55% (just over half) in last year's dataset. This report is a good, regular reminder of the big picture in cybersecurity:
Not all cybersecurity incidents are data breaches
Not all incidents and data breaches involve a malicious actor (12% of data breaches involved internal, not external actors)
Not all data breaches are ransomware (48% this year, more than ever)
Highlight #1: Exploited vulnerabilities are now the most common initial access vector
This agrees with nearly every other report I've read this year. Google Mandiant's annual M-Trends report puts exploitation at 32% of initial access vectors, right in line with the 2026 DBIR's 31%. Cyber insurance claims reports, such as the 2026 report from Coalition, confirm this as well:
Software exploits were the most common attack vector, observed in 38% of ransomware incidents
Users were never the weakest link, but now they're not even the most targeted by attackers!
Pinto and I go deep into this on the podcast above (forward to 41:11). My concern with exploited vulnerabilities being the most common initial access vector is that companies will interpret this as a signal to double down on vulnerability management and patching resources. This might be justified if we were seeing 20,000 different vulnerabilities being exploited, but that's not the data we have.
Pinto's advice, which I agree with, is to reduce attack surface, particularly at the edge, and to limit lateral movement (isolation, segmentation, Zero Trust). We've had several years now where a handful of products have had an outsized impact. Verizon's VCDB linked over 700 breaches to MOVEit DMZ vulnerabilities. The ransomware actor Akira has been linked to over 1,400 breaches, a high percentage of them tied to SonicWall devices, particularly CVE-2024-40766 (see the Coalition report linked above for more details, or check out At-Bay's claims report).
The refrain "we can't patch our way out of this one" is a saying most folks will be sick of a year from now, but it captures the essence of the situation. We can't simply patch faster when zero-days are exploited for weeks before we know about them and edge devices go unpatched for years because they're not in the CMDB.
Highlight #2: Why did things get worse?
The DBIR's numbers don't paint a rosy picture. Most show a peak in 2024 and then a decline in performance. To me, the numbers suggest that we might be hitting most companies' limits in terms of patching/remediation capacity.
Only 26% of CISA KEV were fully remediated by orgs in 2025, a drop from 38% in 2024.
To be fair, the CISA KEV is growing, and the DBIR also notes that, on average, teams had to remediate 50% more critical vulnerabilities year-over-year.
The median time for full remediation also got worse. The median was 43 days in 2025, almost 2 weeks longer than 2024's 32 days[4].
The vulnerability burndown rate was significantly worse as well, until we hit the 6-9 month mark (figure 15 on page 18).
Just to scratch an itch, I put together my own quick analysis to see whether the rate of additions to CISA KEV is flat or growing. It's no hockey stick, but unfortunately the trend line shows roughly 10 more additions to CISA KEV per month in April 2026 than in April 2024. The outlook isn't great, considering organizations seem to be struggling to get through even a quarter of CISA KEV.
This is bad news, because CISA KEV is the smallest vulnerability dataset I can recommend to my clients for prioritization. VulnCheck's KEV, with 4,899 entries, is over 3 times larger than CISA's KEV.
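The monthly-additions check described above, written out as an added example (this is not the author's own analysis script). It assumes the real CISA KEV feed schema, a top-level `vulnerabilities` list whose entries carry `dateAdded` as YYYY-MM-DD, and runs on constructed sample records so it works offline; swap in the downloaded feed to reproduce the trend line. The sample month counts and the `CVE-0000-xxxx` identifiers are fabricated placeholders, not KEV data.

```python
"""Monthly CISA KEV additions with a least-squares trend line.

Added example, not the author's own analysis script. It assumes the real
KEV feed schema: a top-level "vulnerabilities" list whose entries carry
"dateAdded" as YYYY-MM-DD (the live feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
The records generated below are constructed sample data, not real KEV entries.
"""
import json
from collections import Counter
from datetime import date

# Constructed sample: how many additions to fabricate for each month.
# Real KEV CVE IDs and dates are NOT used here.
_SAMPLE_COUNTS = {
    "2024-04": 8, "2024-05": 10, "2024-06": 9,
    "2024-07": 12, "2024-08": 11, "2024-09": 14,
}


def build_sample_feed() -> str:
    """Return a JSON document shaped like the KEV feed, with constructed entries."""
    entries = []
    for ym, n in _SAMPLE_COUNTS.items():
        for day in range(1, n + 1):  # n <= 28, so every day is a valid date
            entries.append({"cveID": f"CVE-0000-{len(entries) + 1:04d}",
                            "dateAdded": f"{ym}-{day:02d}"})
    return json.dumps({"title": "constructed sample", "vulnerabilities": entries})


def additions_per_month(kev_json: str) -> dict:
    """Count KEV entries by the month they were added ("YYYY-MM" -> count)."""
    feed = json.loads(kev_json)
    counts = Counter()
    for entry in feed["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        counts[f"{added.year:04d}-{added.month:02d}"] += 1
    return dict(counts)


def month_index(ym: str) -> int:
    """Map "YYYY-MM" to a running month number so gaps can be computed."""
    return int(ym[:4]) * 12 + int(ym[5:7]) - 1


def index_to_month(idx: int) -> str:
    """Inverse of month_index."""
    return f"{idx // 12:04d}-{idx % 12 + 1:02d}"


def linear_trend(counts: dict) -> tuple:
    """Least-squares slope (additions per month, per month) and intercept.

    Months with no additions between the first and last observed month are
    filled in as 0 rather than skipped, so a quiet month pulls the trend down
    instead of silently disappearing from the x axis.
    """
    first = month_index(min(counts))
    last = month_index(max(counts))
    xs = list(range(last - first + 1))
    if len(xs) < 2:
        raise ValueError("need at least two months to fit a trend")
    ys = [counts.get(index_to_month(first + x), 0) for x in xs]
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def projected_monthly_change(kev_json: str, start_ym: str, end_ym: str) -> float:
    """How many more additions per month the fitted line predicts at end_ym than at start_ym."""
    slope, _ = linear_trend(additions_per_month(kev_json))
    return slope * (month_index(end_ym) - month_index(start_ym))


if __name__ == "__main__":
    feed = build_sample_feed()
    for ym, n in sorted(additions_per_month(feed).items()):
        print(ym, n)
    slope, intercept = linear_trend(additions_per_month(feed))
    print(f"trend: {slope:+.2f} additions/month per month, intercept {intercept:.1f}")
    print("April 2024 -> April 2026 change:",
          round(projected_monthly_change(feed, "2024-04", "2026-04"), 1))
```

Two points a practitioner will care about: months with zero additions are kept as zeros on the x axis rather than dropped, and the "April 2024 vs April 2026" comparison is read off the fitted line (slope times 24 months), not off two noisy single-month counts.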
Highlight #3: The data from Anthropic
Anthropic doesn't hide the fact that their services are sometimes abused and their guardrails bypassed. My understanding is that the data they offered to Verizon (Alex Pinto explains this in more detail in the podcast above) isn't linked to the main incident/data breach dataset in the DBIR. This is just an exploration of a dataset that Anthropic extracted from their systems and anonymized for the DBIR crew.
All that said, the results were interesting. It was smart for the Verizon folks to explore the nature of attackers' use of Claude - are they automating basic stuff, or learning new tricks? In the DBIR folks' words:
A key question in understanding AI-enabled cyberthreats is whether attackers are using LLMs to execute well-documented techniques more efficiently, or to pursue techniques that are rarely seen in practice. If LLMs are lowering the barrier to techniques that are less documented and rare, defensive postures will need to catch up.
Luckily, the answer was the less dramatic of the two. Again, in their words:
AI is primarily accelerating the operationalization of well-known, documented techniques - lowering the barrier to execute what was once out of reach for less-sophisticated actors.
Still, 32% of Claude abuse showed exploit development, which aligns with one of the biggest takeaways of this yearâs DBIR.
Where do we go from here?
This new world should require more focus, more agility, but does not necessitate an upheaval. Refinement, not revolution.
I have to disagree with this point from the DBIR's executive summary. If we want to see significant improvement, we do need a revolution. Unless someone discovers the Konami Code of InfoSec that somehow gives defenders unlimited time to complete our Sisyphean checklists, the approach that got us to 22,624 confirmed data breaches isn't going to make that number suddenly reverse direction.
I suspect the vulnpocalypse, where AI fuels accelerated vulnerability discovery, will waste a lot of time patching vulnerabilities no attacker will ever have interest in. Instead, the real vulnpocalypse is the one we've already been living with for the past two years, where attackers have a field day with unpatched edge devices and poorly-guarded NPM packages.
Radical change in how IT infrastructure is managed is necessary to make a dent in this trend. The problem is that security teams often have very little influence over IT infrastructure, and the incentives don't currently exist to justify "revolutionizing" IT and getting rid of decades of technical debt.
Final thoughts - attackers share, defenders hide
As we near hacker summer camp, where hundreds of talks will share the latest techniques for hacking into systems and using AI to speed up the process, defenders have never been further from the state of offense. I plan to write more about addressing this issue in the near future; in the meantime, the DBIR is a great place to start for folks who want to help.
Bonus: Podcast with the Lead Author of the DBIR
I'm excited to share that I also got to interview Alex Pinto alongside Alexandre Sieira on the Alice in Supply Chains podcast! If you'd rather listen to us talk about the report than read my thoughts on it here, you can check out the recording below. The full page with show notes is here.
[1] I might have even had a hand in producing a few.
[2] I once called out Cylance on Twitter for abusing a DBIR stat, and I'm not sure they ever forgave me. My guess is that they assumed the DBIR graph's y-axis was 0-100%, but it was 0-35%. This assumption led to their claim that "Malware is used in 90% of cyber incidents" when the real number was actually 33%. The lesson for Cylance: contact the DBIR folks to make sure you're not interpreting things wrong! The lesson for me: maybe I should have contacted the Cylance folks privately and should have done less rage-tweeting.
[3] The DBIR's footnotes are so much better than mine.
[4] You can find all this data on page 10 of the report.