Key takeaways

  • Stolen credentials are no longer the #1 breach entry point for the first time in 19 years, according to the 2026 Verizon DBIR
  • Vulnerability exploitation now accounts for 31% of all breach entry points, driven by AI-accelerated attack timelines
  • AI has collapsed CVE-to-exploit windows from months to hours, making point-in-time security testing obsolete
  • Third-party involvement in breaches jumped 60% year over year, with 48% of all breaches tied to vendors, suppliers, or integration partners
  • Shadow AI tripled in one year (15% to 45% of employees), creating an unmonitored data exfiltration risk outside traditional DLP frameworks
  • Annual penetration tests are no longer sufficient; continuous adversarial coverage is required to match machine-speed threats
  • The 2026 DBIR recommends patching velocity, continuous testing, and extended attack surface management over purchasing more AI detection tools
  • An unpatched vulnerability is the real risk, not just the finding itself, and every day it sits open is measurable business liability

For the first time in 19 years, stolen credentials are no longer the number one way attackers get in. That headline from the 2026 Verizon Data Breach Investigations Report is getting a lot of coverage, but if you read it as a credential story, you’re missing the real story. This is a story of shifting economics.

Why the DBIR matters

Objectivity is hard. It requires honest answers to expensive questions, paid for by the organizations that were attacked and are willing to share what they learned. That sharing helps the industry understand how to make the work of malicious actors harder, more expensive, and more dangerous.

These lessons and observations are expensive because they are almost all retrospective case studies of attacks, compromises, and data breaches, which means legal red tape, investor relations, and painful PR cycles.

For over a decade, I have pointed back to the aviation community, which shares near misses, mistakes, and lessons learned through NASA’s ASRS, a self-reporting process in which the industry shares with the intent of improving the system and protecting those in the clouds.

Verizon’s DBIR was the pioneering report that gave cybersecurity professionals empirical grounding. It shares highly sensitive insights into how miscreants did their work, how our peers were impacted, mistakes made, opportunities for improvement, and the key controls and capabilities required to defend more effectively. The folks who have stewarded this research and report are some of the highest-conviction and greatest minds who’ve served the industry at large. While there is no way to thank the DBIR team for their hard work, we can honor their professionalism and execution by studying their work and analyzing their observations. I applaud their transparency in highlighting and challenging both human- and data-induced biases and related fallacies in their analysis, and appreciate the humor they bring to that work.

How AI changed the math

AI has compressed the attacker’s workflow. It does not introduce new attack categories, but it sharply reduces the time on target needed to reach an outcome.

Credentials dominated for nearly two decades because they were the cheapest, most reliable path in. Attackers followed the path of least resistance, and that path ran through usernames and passwords.

What the DBIR documents is a tipping point. AI has made vulnerability discovery and weaponization so fast and cheap that attackers no longer need a stolen password when a known, unpatched flaw gets them in faster. The window between a published CVE and active exploitation has collapsed from months to hours. That is a structural change, not an incremental one.

Vulnerability exploitation now accounts for 31% of all breach entry points. The implication is direct: any known vulnerability that has not been validated and patched is now effectively an open door, and the time that door stays open is measured in hours, not quarters.

Your testing cadence was designed for a different world

Security programs built around annual penetration tests or quarterly assessments were calibrated to a threat environment that no longer exists. I like to call these the “Christmas cards of security testing”—a yearly check-in that tells a very specific story at a single point in time. Those cadences assumed attackers needed time: time to discover, time to weaponize, time to execute. AI has compressed that timeline to near zero.

Point-in-time testing cannot keep pace with machine-speed exploitation. A vulnerability that didn’t exist in your environment last month may be present today, and an attacker with AI-assisted tooling is already closing the gap. Security budgets still anchored to annual assessment cycles are now structurally mismatched with how fast the threat actually moves.

The programs that will hold are built around continuous adversarial coverage, human researcher depth, and systematic triage. Not periodic snapshots. Response and patching velocity need to match that same tempo.

The perimeter you’re defending is bigger than you think

Third-party involvement in breaches jumped 60% year over year. Breaches involving a third party now account for 48% of all breaches. Nearly half of all breaches trace back to a vendor, supplier, or integration partner, not to something your team directly controls or tests.

The coverage problem extends well beyond your perimeter. Every external dependency (every API integration, every SaaS vendor, every managed service provider) is an attack surface that most security programs have no systematic adversarial coverage model for.

The reflex after a report like this is to procure more AI detection tooling. The data argues against it. No product closes a third-party coverage gap on its own. Continuous, adversarial pressure across the full attack surface, including your third-party ecosystem, is how you find what attackers will find before they find it.

Shadow AI is a coverage gap most teams haven’t named yet

The DBIR’s most underreported finding may be its shadow AI data. Employee use of unapproved AI tools tripled in a single year, jumping from 15% to 45% of the workforce. Shadow AI is now the third most common non-malicious data leakage activity.

This matters because it has created a data exfiltration risk category that most security programs have no formal coverage model for. Employees feeding unapproved tools with sensitive business data (customer records, source code, financial projections) are generating a leakage surface that sits entirely outside conventional DLP and insider threat frameworks. The finding is quiet in the DBIR, but its consequences are not.
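A starting coverage model for the gap described above is to triage the one telemetry source most organizations already have: web-proxy logs. The following is an added example, not code from the DBIR or from Bugcrowd. The host inventory, the approved subset, the log line format, the bulk-upload threshold, and the sample log are all constructed assumptions that a team would replace with its own AI-tool policy and proxy export. It separates approved AI traffic from shadow AI traffic and flags large POST/PUT bodies to unapproved hosts, which is the "paste the whole document" pattern conventional DLP rules often miss.

```python
"""Triage web-proxy logs for unapproved (shadow) AI usage.

Added example; not the DBIR's or Bugcrowd's code. Host lists, the log
format, and the upload threshold are assumptions to be replaced with
the organization's own policy and proxy export.
"""
import re
from collections import defaultdict

# Assumed inventory: hosts known to be generative-AI services (placeholder
# names) and the subset the organization has approved and contracted for.
AI_HOSTS = {
    "chat.ai-vendor-a.example",
    "api.ai-vendor-a.example",
    "assist.ai-vendor-b.example",
    "studio.ai-vendor-c.example",
}
APPROVED_AI_HOSTS = {"api.ai-vendor-a.example"}  # assumed enterprise tenant

# Assumed threshold: a single POST/PUT of at least this many bytes to an
# unapproved AI host is treated as a bulk upload (document, source tree, export).
BULK_UPLOAD_BYTES = 50_000

# Assumed line format: "<iso-ts> <user> <method> <host> <path> <bytes_out> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<bytes_out>\d+) (?P<status>\d{3})$"
)


def parse_line(line: str):
    """Parse one proxy log line; return None for malformed lines instead of guessing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def classify(rec) -> str:
    """Return 'approved', 'shadow', or 'other' based on the destination host."""
    host = rec["host"].lower()
    if host in APPROVED_AI_HOSTS:
        return "approved"
    if host in AI_HOSTS:
        return "shadow"
    return "other"


def triage(lines):
    """Return (shadow-AI events, per-user summary of requests/bytes/bulk uploads)."""
    events = []
    per_user = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "bulk_uploads": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or classify(rec) != "shadow":
            continue
        bulk = rec["method"] in ("POST", "PUT") and rec["bytes_out"] >= BULK_UPLOAD_BYTES
        events.append({**rec, "bulk_upload": bulk})
        u = per_user[rec["user"]]
        u["requests"] += 1
        u["bytes_out"] += rec["bytes_out"]
        u["bulk_uploads"] += int(bulk)
    return events, dict(per_user)


# Constructed sample log (not real traffic). Approved traffic, two shadow
# users (one with a bulk upload), non-AI traffic, and a malformed line.
SAMPLE_LOG = """\
2026-05-14T09:02:11Z alice POST api.ai-vendor-a.example /v1/complete 4120 200
2026-05-14T09:05:40Z bob POST chat.ai-vendor-a.example /api/chat 812 200
2026-05-14T09:06:02Z bob POST assist.ai-vendor-b.example /api/upload 734112 200
2026-05-14T09:10:13Z carol GET assist.ai-vendor-b.example /app 0 200
2026-05-14T09:11:50Z dave POST intranet.example /wiki/save 90000 200
this line is malformed
"""

if __name__ == "__main__":
    events, summary = triage(SAMPLE_LOG.splitlines())
    for e in events:
        flag = " BULK-UPLOAD" if e["bulk_upload"] else ""
        print(f'{e["ts"]} {e["user"]} -> {e["host"]}{e["path"]} ({e["bytes_out"]} B){flag}')
    print(summary)
```

The point of the per-user summary is that shadow AI rarely shows up as one alarming request; it shows up as a steady stream of small prompts with the occasional large upload, and the aggregate per user is what belongs in front of the insider-risk process.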

What the DBIR is actually recommending

Verizon is explicit: the response to AI-accelerated threats is not to buy more AI detection tools. It is to get the fundamentals right at the speed the threat requires.

That means a few concrete things:

  1. Patch cadence needs to be synchronized with testing cadence. If you don’t know the gap between when a vulnerability is discovered and when it’s validated and patched, that gap is your unquantified risk. Audit it.
  2. Adversarial testing needs to be designed for continuous coverage. Human researchers surface novel attack paths that automated scanners are not built to find. AI accelerates mechanical exploitation. Human depth is how you find what AI-assisted attackers will eventually reach.
  3. Attack surface management needs to extend to third parties. If 48% of breaches involve a third party and your testing program only covers assets you directly own, you have a structural gap.
  4. Shadow AI needs a coverage model. This is emerging territory, but it belongs on the security team’s agenda now, not after the first incident.

The finding is not the risk. The unpatched finding is the risk.

This distinction matters because AI has accelerated the window between those two states to near zero.

That is not a technical argument. It is a business liability argument, and it belongs in front of your board with the same urgency as any other time-sensitive operational risk. Every day a known vulnerability sits unvalidated is a day an attacker with AI-assisted tooling is closing the distance.

The DBIR’s 19-year streak ending is a signal worth taking seriously, not because credentials no longer matter (they do) but because the threat has moved, and the programs designed to stop it need to move with it.

Bugcrowd connects organizations with security researchers to provide continuous adversarial coverage across their full attack surface, including third-party and supply chain exposure. For more on how Bugcrowd approaches the findings in the 2026 DBIR, contact us.