The 2026 Verizon Data Breach Investigations Report (DBIR) has sparked widespread industry reaction, with security leaders warning that AI-enabled attacks, vulnerability exploitation, and third-party risk are reshaping the threat landscape faster than many organisations can respond.
For the first time in the report’s history, vulnerability exploitation overtook stolen credentials as the leading initial access vector, a shift many experts say reflects both AI acceleration and growing operational strain on defenders.
Collin Hogue-Spears, senior director of solution management at Black Duck, said the findings show traditional patching strategies are no longer enough. “Vulnerability exploitation topped the DBIR because AI-accelerated attacks outrun patching. AI did not create that gap. AI erased the head start defenders used to have,” he said.
Hogue-Spears argued organisations should prioritise “patching by reachability” rather than attempting to remediate every vulnerability equally. “The losing strategy patches by volume. The winning one patches by reachability and contains the rest,” he explained. “Reachability analysis separates the flaws attackers can actually exploit from the ones that only look dangerous.”
He also warned against relying purely on CVSS severity scores. “CVSS tells you how bad a flaw can be. KEV tells you which flaws attackers already use,” he said, urging security teams to prioritise the CISA Known Exploited Vulnerabilities catalogue alongside compensating controls such as egress restrictions and behavioural allowlists.
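The prioritisation Hogue-Spears describes (KEV membership and reachability ahead of raw CVSS, with compensating controls for what cannot be patched yet) can be made concrete in a small triage routine. The following is an added example, not code from the DBIR or from Black Duck; the findings and CVE identifiers are constructed placeholders, and the ranking rules are an assumed encoding of that approach rather than a published scoring scheme.

```python
"""Patch-by-volume versus patch-by-reachability triage (added example).

The findings are constructed sample data; the identifiers are placeholders,
not real CVE entries. `in_kev` stands for membership in CISA's Known
Exploited Vulnerabilities catalogue, `reachable` for the result of a
reachability analysis (is the vulnerable code path actually callable or
exposed in this deployment?).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    cvss: float      # base severity, 0.0-10.0
    in_kev: bool     # attackers are already exploiting it
    reachable: bool  # the flaw is on an exposed/callable path


SAMPLE = [  # constructed data
    Finding("CVE-PLACEHOLDER-A", 9.8, in_kev=False, reachable=False),
    Finding("CVE-PLACEHOLDER-B", 7.5, in_kev=True,  reachable=True),
    Finding("CVE-PLACEHOLDER-C", 8.1, in_kev=False, reachable=True),
    Finding("CVE-PLACEHOLDER-D", 9.1, in_kev=True,  reachable=False),
    Finding("CVE-PLACEHOLDER-E", 5.3, in_kev=False, reachable=False),
]


def cvss_order(findings):
    """'Patch by volume': severity only. The unreachable 9.8 comes first."""
    return [f.id for f in sorted(findings, key=lambda f: -f.cvss)]


def _reach_key(f):
    # Lower tuple sorts first: exploited AND reachable, then exploited,
    # then reachable, and CVSS only as the final tie-breaker.
    return (not (f.in_kev and f.reachable), not f.in_kev, not f.reachable, -f.cvss)


def reachability_order(findings):
    """'Patch by reachability': the exploited, reachable 7.5 comes first."""
    return [f.id for f in sorted(findings, key=_reach_key)]


def triage(findings, patch_capacity):
    """Patch what fits the sprint; put compensating controls (egress
    restrictions, allowlists) on the remaining reachable/exploited flaws;
    defer the rest rather than spending patch effort on them now."""
    ordered = sorted(findings, key=_reach_key)
    head, tail = ordered[:patch_capacity], ordered[patch_capacity:]
    exposed = [f for f in tail if f.in_kev or f.reachable]
    return {
        "patch": [f.id for f in head],
        "contain": [f.id for f in exposed],
        "defer": [f.id for f in tail if f not in exposed],
    }
```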
While vulnerabilities dominated headlines, several experts cautioned against overlooking the continued importance of credential-based attacks. Mike Greene, CEO at Enzoic, noted that credential abuse still played a role in 39% of breaches. “The headline will be that vulnerabilities overtook credentials, but that’s a dangerous misread,” Greene said. “Users are four times more likely to be using an already-compromised password than a weak one.” He added that organisations have focused too heavily on password complexity while ignoring password exposure. “Companies are winning the complexity battle but losing the exposure war,” he said.
Greene also pointed to ransomware trends identified in the DBIR, noting that “three out of four victims had a prior credential leak,” often occurring within three months of the attack. “The Dark Web is well established as the Amazon Prime for reselling compromised credentials to cybercriminals,” he added.
Brian Higgins, security specialist at Comparitech, said the report should influence both security strategy and budget allocation. “The DBIR is always a useful publication,” Higgins said. “A study of results and trends should inform a lot of budget allocation and decision making in the coming periods.” He highlighted three major themes from the report: the rise of vulnerability exploitation, growing risks associated with unauthorised AI use, and the continued surge in third-party attacks. “Third party and supply chain attacks now account for almost half of all reported breaches,” he said. “It’s more vital than ever to have a plan for when things go sideways.”
The role of AI emerged as a recurring concern throughout industry commentary, with several experts warning that organisations are struggling to keep pace with AI-driven attack capabilities. Damian Skeeles, senior manager of solution engineering at Filigran, described the report as “the ominous darkening skies and distant rumble of an approaching AI-enabled storm.” Scott Dowset, senior solution engineer at Filigran, added: “The newly released 2026 DBIR reveals a chilling shift: vulnerability exploits have officially dethroned stolen credentials as the number one breach entry point.”
KnowBe4’s lead CISO advisor Javvad Malik argued that the findings reflect operational and organisational challenges as much as technical ones. “The spike in vulnerability exploitation says more about institutional discipline than it does about cutting-edge exploits,” Malik said. “It is increasingly a story of organisations unable to patch what they cannot find, whilst security teams juggle AI-accelerated threats and undocumented supply chains.” He added that security basics must become a board-level priority. “If we are serious about closing this gap, we must stop treating basic hygiene as a back-office task and give it strategic priority,” he said.
Anna Collard, CISO advisor at KnowBe4, said defenders are facing a growing “capacity crisis” as AI, supply chain complexity, and expanding attack surfaces converge. “The statistic that 31% of breaches now involve vulnerability exploitation reflects how quickly attackers are operationalising known flaws, often faster than organisations can patch them,” she said. Collard also warned that modern organisations now operate within highly interconnected ecosystems. “Every supplier, SaaS platform, API, or AI-enabled workflow potentially extends the trust boundary,” she said. “That makes cyber resilience not just a technical issue, but increasingly a governance, visibility, and ecosystem-trust challenge.”
Darren Guccione, CEO and co-founder of Keeper Security, said the report demonstrates how rapidly AI is changing cybercriminal operations. “For the first time in the report’s 19-year history, vulnerability exploitation has overtaken stolen credentials as the leading initial access vector,” Guccione said. “AI is driving that change, compressing the time it takes for attackers to weaponise known flaws from months to hours.” He warned that many organisations still lack sufficient visibility into credential misuse and privileged access abuse. “Nearly three quarters of organisations reported they are not detecting credential misuse or unauthorised privileged access in real time,” he said.
Guccione also pointed to the rise of “shadow AI” usage, noting that frequent use of unapproved AI tools by employees has tripled to 45% of the workforce in a single year. “Supply chain exposure and mobile social engineering round out a picture of an attack surface that is not only growing, but fragmenting in ways that traditional controls were not designed to address,” he added.
Across the industry, the consensus is clear: the 2026 DBIR reflects a threat landscape increasingly shaped by AI acceleration, widening supply chain dependencies, and shrinking response windows for defenders. Many experts believe organisations must now prioritise resilience, visibility, and operational discipline if they are to keep pace with the speed and scale of modern cyber threats.