Verizon DBIR: Adversaries Weaponize AI in Stealth Attacks by Targeting Points of Exposure

by Amy Larsen DeCarlo, posted in Secure
A close-up portrait of a woman with light brown hair, wearing a black blazer and a light-colored turtleneck sweater, smiling softly against a light blue background.
Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

  • Bad actors are raising their intelligence quotient with AI, tapping it to find vulnerabilities faster and to power mobile-centric phishing campaigns.
  • Supply chains are a weak link with partner network weaknesses linked to nearly half of all breaches.

An already volatile threat landscape is becoming even more dangerous as threat actors tap AI to accelerate and improve the success of their attacks on enterprises. Verizon’s 2026 Data Breach Investigations Report (DBIR) reveals how effective adversaries have become in using AI to capitalize on enterprise weaknesses. Exploiting software vulnerabilities was the initiating factor in 31% of all breaches, notable because this is the first time in almost 20 years that it has overtaken compromised credentials as the most frequent entry point for an attack.

The 2026 DBIR examines 31,000 enterprise security incidents in 145 countries–22,000 of which are confirmed data breaches–highlighted how adversaries are both employing AI as an offensive weapon and leveraging security gaps in AI-driven applications to gain access to organizational resources. One finding is that staff are increasingly using unsanctioned AI tools to conduct business. These shadow AI tools are the third most frequent issue cited in data leakage, a quadruple increase over 2025. In just one year, the percentage of employees using shadow AI jumped from 15% to 45%. Of these users, 67% are connecting to shadow AI from non-corporate accounts running on their corporate devices.

Most frequently, employees are uploading source code to unauthorized GenAI models. Alarmingly, some (3%) employees are submitting research and technical documentation to shadow AI systems – in other words intellectual property.

Social engineering remains a popular criminal tactic as part of 16% of all breaches. Mobile-centric social engineering that targets text and voice messaging is a particularly effective technique with a click-rate 40 percent higher than email. Pretexting, in which an adversary creates a fictional situation to get a target to give out sensitive information, credentials, of funds, is represented in 6% of breaches.

The percentage of breaches (48%) that are part of ransomware climbed again – up four percent over last year. But organizations are paying less frequently, with only 31% submitting to the ransom demand. And they are paying less: the median ransom paid was $139,875 – down more than $10,000 from the prior year.

The interconnected nature of business opens up points of exposure along the supply chain. Third-party affiliated breaches shot up 60% from last year, accounting for nearly half (48%) of all breaches. With respect to third-party cloud exposure, these breaches are remedied at a snail’s pace with only 50% saying complete remediation of missing or under secured multifactor authentication (MFA) within a month.

Through a substantial dataset, this year’s DBIR demonstrates how critical it is for organizations to understand how threat actors are capitalizing on points of weakness with AI now in their arsenal. Enterprises need to tap into advances in both AI and automation to address vulnerabilities and accelerate remediation in the event of a breach.

Right now, time is not on the enterprise’s side.

Leave a Reply