Every year, Verizon provides a valuable service by releasing the Data Breach Investigations Report (DBIR). And every year, consistent themes emerge.
The 2026 report is no different. As new technologies like AI and AI agents continue to evolve, the report once again demonstrates that sound cybersecurity fundamentals, defined by strong controls and automated solutions, offer the best opportunity to mitigate threats and lower risks for organizations of every size.
Here are 5 key themes from the 2026 DBIR and Delinea’s advice on what organizations should do to address the associated risk.
Starting at the top: Exploitation of vulnerabilities is now the leading initial access vector, a position credential abuse has traditionally held throughout the report’s history back to 2008. The latest report found that 31% of breaches are tied to known vulnerabilities, while credential abuse was down 13% this year, dropping to third place on the breach list behind phishing (16%), but ahead of pretexting (6%).
This year’s report added pretexting to the tracked list of initial attack vectors, reflecting its growing role as a common initial attack vector to ransomware and extortion attacks. Pretexting is a social engineering technique in which an attacker builds trust through fabricated scenarios via phone, email, or text to trick the target into divulging sensitive information.
The Verizon DBIR notes that there is often overlap between pretexting actions, credential abuse and phishing attacks. The addition of pretexting to the list of initial attack vectors plays a role in the lower percentage we see for credential abuse on this list.
For those expecting a new class of problems or breaches, bad news: There is none to report. In 2026, the DBIR highlights the same categories of risk that have appeared year after year. This means companies must continue pushing their proven approaches and controls to mitigate risks from known breach classes, and resist the trap of chasing new threat vectors driven by emerging technologies, like AI.
As AI adoption accelerates, the identities and credentials tied to AI systems represent an expanding attack surface that requires the same proven controls organizations have applied to human and machine identities for years. Securing AI is not a distraction from the fundamentals. It is the fundamentals, extended to a new class of identity.
The DBIR continues to highlight third-party risk as a significant concern. This year’s data shows that only 23% of third parties fully remediated missing or improperly secured MFA for their cloud resources, and it took them up to a month to secure these vulnerabilities.
If your company integrates with third parties and their cloud resources, which all companies do, you need to carefully review the security posture and controls your third-party partners have in place to ensure you are not opening your company up to additional risks.
A gap in a third-party’s environment is a gap in yours.
Generative AI (GenAI) provides attackers with more creative, interactive tools they can develop and use, exploiting fringe areas where traditional defenses are nonexistent or rare. When those fringe techniques go mainstream, the industry will need to respond quickly. But, looking at the DBIR data for where generative AI-assisted techniques are being applied today:
Phishing leads AI-assisted attacks at 44%
Exploitation of known vulnerabilities follows at 32%
Credential abuse is third at 21%
These attack vectors are not new. AI is simply making them easier to exploit.
What’s interesting to note: In malware attacks, less than 2.5% of those assisted by AI involved techniques that could be classified as rare (e.g., one or fewer known software examples available), demonstrating that the trend is to use AI to facilitate attacks against known vulnerabilities rather than to create new ones.
This reinforces a central message: Threat actors take the path of least resistance, and AI is lowering that resistance further. Organizations that have not secured their human and machine identities remain the easiest targets, and AI identities are rapidly joining that exposure surface.
Ransomware is still on the rise, but payouts are declining:
48% of all breaches were ransomware-related, up from 44% the prior year
69% of ransomware victims did not pay, a continued downward trend
Companies are finding it harder to trust that paying a ransom will result in their data being returned, or that it won’t still end up on the dark web. While ransomware remains a concern, organizations have shifted their approach: Fewer companies are treating ransom payment as a viable resolution. Again, what's old is new, but at the same time, companies' approaches to addressing old threats continue to evolve.
Another key area that the DBIR examines is credential abuse. As highlighted in the first theme we discussed, credential abuse fell behind the exploitation of vulnerabilities this year in initial attack vectors. However, it remains pervasive across attack paths when you consider that 39% of breaches involved credential abuse in the attack chain.
The authentication and authorization layers matter enormously here. Ransomware groups are purchasing VPN, RDP, and remote access credentials, and prices continue to rise. The 2026 DBIR notes that on the open market, admin accounts cost $1,300 each, twice as much compared to $700 for standard user accounts, based on median values. Credential abuse persists because attackers choose the path of least resistance: logging in with valid credentials.
The continued prevalence of credential abuse highlights the need for strong identity security controls that help organizations mitigate this identity-related risk. The 2026 DBIR highlighted growth of regular AI use by employees, rising from 15% to 45% this year, as Shadow AI remains prevalent: 67% of users access AI services from non-corporate accounts on their corporate devices.
This further supports the need for visibility, governance, and strong controls across all identities, including human, machine, and AI identities.
Every year, the Verizon DBIR delivers deep insight into trends and risks that every organization should be aware of and actively working to mitigate. This year, while the breach classes have fluctuated, the risks themselves remain consistent. Even as AI adoption accelerates, the breach classes threat actors rely on are the same ones that have appeared in this report year after year.
As highlighted in this blog, there is much work to be done to mitigate cybersecurity risks, and while technologies evolve, companies cannot lose site of the need to still focus on the areas the DBIR has documented over time. Do not fall into the trap of chasing the securing of new technologies while leaving established vulnerabilities and risks behind.
A strong security posture anchored by a strong identity security platform that accounts for all identities, human, machine, and AI, and all risks, old and new, provides the best opportunity to reduce risk and mitigate the threats highlighted in this year’s report. The answer is not a choice between securing AI and securing everything else. The same identity security controls that protect human and machine credentials must extend to AI identities.