Approximately 31% – close to a third – of all data breaches now begin with the exploitation of some form of software vulnerability by a malicious actor, surpassing credential theft as the number one network entry point for the first time.
This is according to the 19th annual Data breach investigations report (DBIR) from US telecoms giant Verizon, and although the data was gathered and the report largely compiled before the industry-wide shakeup prompted by the release of Anthropic’s Claude Mythos frontier model, the firm’s analysts said the signal was clear – artificial intelligence (AI) is fundamentally remodelling cyber security before the industry’s very eyes.
Verizon said the rapid weaponisation of known vulnerabilities is creating a capacity crisis for cyber professionals, underscoring an “urgent need” to prioritise the fundamental tenets of cyber security and risk management.
“While the velocity of cyber threats – driven by AI and faster vulnerability exploitation – is increasing, the foundational principles of security and strong risk management remain the most effective defence,” said Daniel Lawson, senior vice-president of global solutions at Verizon Business. “The DBIR reinforces that these fundamentals still hold as organisations strive for resilience.”
Patrick Münch, chief security officer at Mondoo, a supplier of vulnerability management services, said the DBIR confirmed pain points defenders are already feeling.
“31% of breaches now start with an unpatched vulnerability, overtaking stolen credentials as the number one way in. Only 26% of Cisa Kev vulnerabilities were fully remediated last year, and the median time to patch rose from 32 to 43 days,” he said.
“The industry has spent a decade improving at identifying and analysing problems, [but] admiring the findings doesn’t help anyone. The breach happens in the gap between knowing and fixing, and that is where the work has to move,” he added.
“Our own research shows why that gap is widening – 62% of teams still run remediation manually, only 2% are fully automated, and just 9% are confident they can fix what matters in time. Verizon found that 60% to 70% of Cisa Kev issues remain open a week after detection, regardless of team maturity. You don’t close that gap with another scanner. You close it with transparent agentic AI: humans in the loop on decisions, AI automation on remediation and mitigation execution, and a clear audit trail from identifying the issue to verifying it’s fixed,” said Münch.
AI as agent of chaos
But it is not merely in the area of vulnerability discovery and exploitation that AI models are making their presence known.
This year’s edition of the Verizon DBIR also shared insights into how shadow AI in the workplace has surged, making unapproved AI tools the third-most common non-malicious source of data leakage. As the number of employees who say they frequently use AI tools also grows, this highlights the potential for accidental data loss to become more prevalent in the future.
Verizon also found that AI bots are increasing in volume, with the number of automated internet crawlers growing by a fifth every month, compared to flat human-led traffic growth, heralding the possibility of more bot-led threats in the future.
EMEA trends
Acknowledging that by the nature of Verizon’s business, its data skews towards the North American theatre, the report’s authors said they were attempting to rebalance their coverage in regions such as Europe, the Middle East and Africa (EMEA), with some success. Verizon analysed 8,245 incidents in the region between October 2024 and November 2025, with 6,060 of those resulting in confirmed data leakage, compared with 12,371 in North America and 5,229 in Asia-Pacific.
Across EMEA, system intrusion accounted for 57% of breaches during the period, up from 53% last year. Breaches that arose from miscellaneous errors dropped from 19% to 14%, and social engineering held steady at 22%.
EMEA stood out for being the region that saw the heaviest use of malware, which occurred in 66% of all cases. At the same time, 59% of all breaches involved some element of hacking, a little lower than the rest of the world. Verizon said neither of these statistics was especially earth-shattering, but pointed out that they are moving EMEA closer to the global average.
The most substantive difference between EMEA and the rest of the world is the prevalence of phishing, which shows up in 84% of social engineering intrusions. This may, in turn, reflect a slightly higher prevalence of nation-state-linked intrusions – 23% of all EMEA breaches observed compared with 14% in the rest of the world – which Verizon’s analysts linked to the “complex current political landscape” in Europe and the Middle East.