securityweek.com web signal

Verizon DBIR: Exploits Dethrone Stolen Creds in Breaches

Key insights

  • Vulnerability exploitation surpassed stolen credentials as the top breach initial-access vector for the first time in Verizon DBIR history.
  • AI tooling is enabling adversaries to weaponize newly disclosed CVEs within hours, collapsing traditional defender patch windows.
  • Ransomware and third-party supply chain compromises both increased across the November 2024 to October 2025 reporting window.

Why this matters

AI-accelerated exploit development directly invalidates the assumption underlying most enterprise patch prioritization frameworks, which were calibrated to a days-or-weeks exploitation timeline, not hours. For founders building security tooling, this is a forcing function toward autonomous, continuous vulnerability response rather than periodic scanning cycles. For technical leaders, the simultaneous rise in supply chain compromise means the attack surface now includes every vendor dependency, not just internal systems, which materially changes how third-party risk programs need to be scoped and funded.

Summary

Verizon's 2026 Data Breach Investigations Report marks a structural shift in how attackers get in: vulnerability exploitation has overtaken stolen credentials as the leading initial-access vector in confirmed breaches, the first time that's happened in the report's history. AI is the accelerant. Adversaries are now weaponizing newly disclosed CVEs within hours of publication, collapsing what used to be a weeks-long window defenders relied on to patch before exploitation began. The report draws on one billion records from November 2024 through October 2025, a period that also saw ransomware deployments and third-party supply chain compromises climb in parallel. Essentially, Verizon and security teams globally are watching the attacker toolkit get faster while the defender timeline stays roughly fixed.

  • Vulnerability exploitation now leads confirmed breach initial-access vectors, surpassing credential theft for the first time.
  • Mean time-to-exploit has shrunk dramatically, with AI-assisted tooling enabling same-day CVE weaponization.
  • Ransomware and supply chain compromise are rising concurrently, compounding the exposure surface.

The report reframes patch management from a best-practice checkbox into a near-real-time operational requirement that most enterprise security programs weren't designed to meet.

Potential risks and opportunities

Risks

  • Enterprises still running quarterly or monthly patch cycles face materially higher breach probability starting now, with regulated sectors like finance and healthcare at elevated regulatory exposure if exploitation precedes patching on known CVEs.
  • Vulnerability management vendors (Tenable, Qualys, Rapid7) face customer pressure to demonstrate real-time CVE-to-exposure correlation, and those that can't will lose renewals to faster-moving competitors within the next one to two budget cycles.
  • Third-party risk programs at large enterprises may be inadequate for the current supply chain threat volume, leaving procurement and legal teams exposed to contractual liability if a vendor breach cascades in 2026.

Opportunities

  • AI-native exploit detection and patch prioritization vendors (Horizon3, RunZero, Brinqa) are positioned to capture budget from enterprises whose legacy vuln management tools can't operate at the new exploitation timescale.
  • Managed detection and response providers with automated CVE-to-asset correlation (CrowdStrike, Huntress, Expel) can use this report as direct sales collateral to accelerate deals stalled on ROI justification.
  • Cyber insurers (Coalition, At-Bay, Resilience) can refine underwriting models to price faster exploit timelines into premiums, with the DBIR data giving actuarial cover for tighter patch-compliance requirements as policy conditions.

What we don't know yet

  • Which specific CVE classes or software categories showed the sharpest reduction in mean time-to-exploit during the report window, and whether AI tooling was directly attributed in post-incident forensics.
  • Whether the credential-theft decline reflects improved MFA adoption, a true attacker pivot toward exploits, or a measurement artifact from the cases Verizon had visibility into.
  • How third-party supply chain compromise incidents are being defined and counted, and whether the increase tracks with specific vendor categories such as SaaS, cloud infrastructure, or hardware suppliers.