What nearly two decades of the Verizon DBIR tell us about cyber risk
- 2 hours ago
- 3 min read
This guest article was contributed by Devin Magure, Senior Manager, Product Marketing, Cycode

A quick glance at the cybersecurity headlines suggests that the world continues to face a range of serious risks. High-profile breaches, attacks on financial institutions, cyber operations with geopolitical implications and newly discovered software vulnerabilities are all familiar themes for security leaders.
Interestingly, these were also the kinds of stories making headlines in 2008, when Verizon first published its Data Breach Investigations Report (DBIR). Back then, the industry was grappling with a major breach affecting one of the largest payment processors in the US, another involving the US military, a critical DNS vulnerability and Russian DDoS attacks. That could just as easily have been 2026.
In this context, the DBIR has become a valuable historical record and bellwether for the security ecosystem. The 2026 edition has recently arrived, and at an important time, as AI is now heavily influencing the approaches of defenders and threat actors alike.
A strong foundation in the face of change
The DBIR has always been about understanding how the threat landscape changes over time, and this year, its overarching theme is “keeping a strong foundation in the face of change”.
It will come as little surprise that the past year has seen more zero days and critical vulnerabilities come to light. The DBIR also points to the growing prevalence of AI-augmented malware and increasingly sophisticated forms of social engineering.
While cybersecurity and guarding against threats have “shifted in meaningful ways” over the past year, in many areas, “it is less a matter of change and more a matter of speed and scale.” There’s no doubt that AI may be accelerating various stages of the attack lifecycle, but many of the underlying challenges facing security teams remain very familiar.
AI is fundamental to the attack cycle
With all that in mind, what are the key 2026 takeaways? Firstly, there’s no escaping the fact that GenAI is now being employed across multiple stages of the attack lifecycle, from targeting and initial access to vulnerability research and malware development.
According to the report, the typical threat actor researched or used AI assistance in 15 documented techniques, with some using AI across 40 or 50 techniques. The main benefit to them is efficiency, with AI reducing the time and effort required to apply existing techniques.
This trend has implications far beyond phishing or malware, affecting the entire window between vulnerability discovery and exploitation. For security teams, the issue is not simply that attacks are becoming more sophisticated, but the time available to understand and respond to risk is shrinking.
For the first time, vulnerability exploitation has overtaken credential abuse as the leading initial access vector, accounting for 31% of breaches. Let’s be clear, the vulnerabilities were always present; there just wasn’t a tool that could find them at scale. Tools like Mythos, Daybreak, and MDASH are now discovering vulnerabilities in production software that human researchers missed for decades. At the same time, the median time-to-patch has increased from 32 to 43 days (+34% YoY).
This highlights the problem security teams are up against. It's no longer just a question of finding vulnerabilities, but understanding which ones are actually exploitable and how to remediate them quickly enough.
Combating complexity
If that wasn’t challenging enough, security teams face an extremely complex set of issues that are putting their skills and resources under severe pressure. For instance, third-party involvement was present in 48% of breaches in 2025, a 60% YoY increase. Indeed, many of the most prominent and damaging breaches over the past year involved third parties, as supply chain complexity has increased dramatically, with organizations now operating both software and agentic networks.
Modern applications also depend on cloud infrastructure, APIs, machine identities, CI/CD pipelines and a growing range of AI tools. Every connection creates another potential path for attackers and another layer of complexity for defenders.
The report also points to the growing issue of shadow AI. Nearly half (45%) of employees are now regular users of AI on corporate devices, while source code was the most common type of information submitted to external AI models.
At the same time, attackers are increasingly targeting identities rather than simply endpoints. Developer accounts, credentials, cloud identities and session tokens can all provide pathways into production systems.
In other words, modern attacks are rarely isolated events. They often include multiple systems, identities and dependencies. This creates an important shift for product security teams. Yes, visibility remains essential, but understanding how risks relate to one another is becoming equally important.
None of this means the rules of cybersecurity have been rewritten. Rather, it highlights how the environment in which those principles are applied is becoming increasingly complex. As Verizon pointed out when the report was launched, “While the velocity of cyber threats—driven by AI and faster vulnerability exploitation—is increasing, the foundational principles of security and strong risk management remain the most effective defense.”