We Read All 121 Pages of the 2026 Verizon DBIR So You Don't Have To

The 2026 Verizon DBIR Is Out. Here's What The Data Actually Says.

Every year the Verizon Data Breach Investigations Report lands and everyone quotes the same headline number before moving on.

This year we read all 121 pages.

Here's what actually matters.


1. Third-party breaches just became the dominant attack pattern

48% of all breaches in 2025 involved a third party. That number jumped 60% in a single year.

Let that sit for a second.

Nearly half of every breach investigated by Verizon's team traced back, at least in part, to a vendor, supplier, or external partner. Not a rogue employee. Not a sophisticated nation-state actor bypassing your firewall. A third party that had access to something they shouldn't have, or had legitimate access that nobody was watching.

The root cause is consistent across every case. A vendor gets onboarded. They receive access to a system, an application, an API. Time passes. The project ends, the contract changes, the contact leaves. The access remains.

HackerOne, itself a trusted security vendor, was compromised in a way that exposed sensitive vulnerability disclosures belonging to its own customers. The trust relationship was the weapon.

Oxford University was hit twice in 2026 through third-party connections. Same institution. Different vendors. Same result.

Rockstar Games was breached through Anodot, a third-party analytics provider. ShinyHunters didn't need to break down the front door. They walked through a vendor relationship nobody was monitoring.

The DBIR's finding isn't surprising to us. We see this pattern every week. What's alarming is the speed of acceleration. This problem isn't stabilising. It's compounding.
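The lifecycle failure described above (access granted, contract ends or contact leaves, access remains) is the kind of thing that can be audited mechanically. The script below is an added example, not code from the post or from any vendor it names; the grant inventory, vendor names and the 90-day idle threshold are constructed assumptions, and in practice the records would come from an IdP, SaaS admin API or CMDB export.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample inventory of third-party access grants (fictional vendors).
@dataclass
class VendorGrant:
    vendor: str
    system: str
    contract_end: Optional[date]   # None = open-ended engagement
    last_used: Optional[date]      # None = never used since the grant was made
    owner_active: bool             # is the internal sponsor still employed?

GRANTS = [
    VendorGrant("analytics-vendor-a", "prod-db-readonly", date(2025, 3, 31), date(2025, 12, 2), True),
    VendorGrant("integrator-b", "erp-api", None, date(2026, 1, 20), False),
    VendorGrant("msp-c", "vpn", None, date(2026, 2, 1), True),
    VendorGrant("reseller-d", "billing-portal", date(2026, 6, 30), None, True),
]

TODAY = date(2026, 3, 1)   # fixed "now" so the example is reproducible

def stale_grants(grants: List[VendorGrant], today: date = TODAY,
                 idle_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (vendor, system, reason) for every grant that needs review or revocation.

    The three reasons mirror the failure modes in the text: the contract ended but
    the access survived, the access is unused, or the internal contact who owned
    it has left and nobody is watching it.
    """
    findings = []
    for g in grants:
        if g.contract_end is not None and g.contract_end < today:
            findings.append((g.vendor, g.system, "contract_ended"))
        if g.last_used is None or (today - g.last_used).days > idle_days:
            findings.append((g.vendor, g.system, "idle"))
        if not g.owner_active:
            findings.append((g.vendor, g.system, "orphaned"))
    return findings

if __name__ == "__main__":
    for vendor, system, reason in stale_grants(GRANTS):
        print(f"REVIEW {vendor:20} {system:18} {reason}")
```

A grant with no findings (msp-c above) still deserves a periodic attestation from its owner; this check only surfaces the grants nobody would otherwise look at.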


2. Vulnerability exploitation just became the #1 way attackers get in

For years, credential abuse was the dominant initial access vector. Stolen passwords, brute force, and credential stuffing. That's no longer true.

Exploitation of vulnerabilities jumped to 31% of breaches in 2025, up from 20% the year before. A 55% increase in a single year. It's now the most common way attackers get their foot in the door.

The reason this is happening isn't that attackers suddenly got smarter. It's because defenders are falling further behind.

Only 26% of critical vulnerabilities (those listed in CISA's Known Exploited Vulnerabilities catalogue) were fully remediated in 2025. That's down from 38% the year before. The median time to patch stretched to 43 days, up from 32.

And in the median organisation, there were 50% more critical vulnerabilities to patch this year than last.

The math doesn't work in the defenders' favour. Attackers scan continuously. They know which vulnerabilities organisations haven't patched yet. They're moving faster than remediation cycles allow.

The practical implication: prioritisation is everything. You cannot patch everything. The organisations getting this right are the ones focusing on what's actively being exploited, not just what's theoretically critical.
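The two DBIR measures quoted above (share of KEV-listed vulnerabilities fully remediated, and median days to patch) can be computed on your own scan data, and the same KEV membership can drive the patch queue so that exploited-in-the-wild findings outrank merely high-CVSS ones. This is an added example, not code from the post; the findings and CVE identifiers are constructed placeholders, and the KEV set is inlined rather than fetched from CISA's published catalogue.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional, Set, Tuple

# Constructed placeholder identifiers; a real run would load CISA's KEV catalogue.
KEV: Set[str] = {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0004"}

@dataclass
class Finding:
    cve: str
    cvss: float
    found: date
    patched: Optional[date]   # None = still open

FINDINGS = [
    Finding("CVE-0000-0001", 9.8, date(2026, 1, 5), date(2026, 1, 25)),   # KEV, fixed in 20 days
    Finding("CVE-0000-0002", 9.9, date(2026, 1, 6), None),                # critical CVSS, not in KEV
    Finding("CVE-0000-0003", 7.5, date(2026, 1, 7), None),                # KEV, still open
    Finding("CVE-0000-0004", 8.1, date(2025, 12, 1), date(2026, 1, 16)),  # KEV, fixed in 46 days
    Finding("CVE-0000-0005", 5.3, date(2026, 2, 1), None),                # low, not in KEV
]

def kev_metrics(findings: List[Finding], kev: Set[str]) -> Tuple[float, Optional[float]]:
    """Percent of KEV-listed findings fully remediated, and median days from
    discovery to patch for those that were (the two numbers the DBIR reports)."""
    kev_items = [f for f in findings if f.cve in kev]
    fixed = [f for f in kev_items if f.patched is not None]
    pct = 100.0 * len(fixed) / len(kev_items) if kev_items else 0.0
    days = [(f.patched - f.found).days for f in fixed]
    return round(pct, 1), (median(days) if days else None)

def priority_queue(findings: List[Finding], kev: Set[str]) -> List[str]:
    """Open findings ordered by exploitation evidence first, CVSS second.
    A KEV-listed 7.5 is queued ahead of a non-KEV 9.9 on purpose."""
    open_items = [f for f in findings if f.patched is None]
    return [f.cve for f in sorted(open_items, key=lambda f: (f.cve not in kev, -f.cvss))]

if __name__ == "__main__":
    pct, med = kev_metrics(FINDINGS, KEV)
    print(f"KEV remediated: {pct}%  median days to patch: {med}")
    print("patch next:", priority_queue(FINDINGS, KEV))
```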


3. Shadow AI went from a policy headache to a breach risk

This is the finding that surprised us most.

67% of employees are accessing AI tools on corporate devices through personal, non-corporate accounts. That's not a rounding error. That's the majority of your workforce moving sensitive data through systems your security team has zero visibility into.

Shadow AI is now the third most common non-malicious insider action captured in DLP data, up fourfold in a single year.

The data types being uploaded to external AI models tell the real story. Source code is number one. Followed by images, structured business data, and in 3.2% of DLP violations, internal research and technical documentation.

Think about what that means in practice. An engineer pastes proprietary code into ChatGPT to debug a function. A sales director uploads a pricing model to get help with a presentation. A product manager drops internal roadmap documentation into an AI tool to generate a summary.

Vercel got breached this year because they trusted an AI tool too much.

None of them thinks they're doing anything wrong. Most of them aren't trying to. But the data is leaving your environment through a channel you didn't authorise and cannot monitor.

For organisations operating under UAE PDPL or handling data subject to DIFC regulations, this isn't just a security problem. It's a compliance exposure with real consequences.


4. Ransomware is everywhere, but the financial leverage is shifting

Ransomware appeared in 48% of all breaches in 2025, up from 44% the year before. It is, by a significant margin, the most common breach outcome in the dataset.

But there's a more interesting story inside that number.

69% of ransomware victims didn't pay. The median ransom paid dropped to $139,875, continuing a downward trend from $150,000 the previous year.

Organisations are getting better at resisting. Better backups, better incident response, less panic in the room when the encryption notice appears. The financial model that made ransomware so lucrative is starting to erode.

What hasn't changed is the entry point. The DBIR data consistently shows that ransomware chains begin with the same initial access vectors we've been discussing: unpatched vulnerabilities, compromised credentials, and increasingly, third-party connections that weren't being monitored.

Ransomware isn't a ransomware problem. It's an access problem. The encryption is just the invoice.


5. Attackers are calling your staff, and it's working

The human element appeared in 62% of all breaches in 2025. That number has barely moved in years. People remain the most consistently exploited variable in security.

What has changed is the method.

Mobile-centric attack vectors (voice calls and SMS) now have a 40% higher success rate than email phishing in simulations. Pretexting, where an attacker builds a trusted relationship through a fabricated scenario before making their ask, has become a primary entry point for ransomware chains.

The distinction between phishing and pretexting matters more than most security programmes acknowledge. Phishing is asynchronous. An email arrives, and the victim decides how to respond. Pretexting is live. An attacker is on the other end of the phone, adapting in real time, pushing back when the victim hesitates, escalating when they need to.

Training your IT helpdesk to spot a suspicious email is not the same as training them to handle a convincing caller who knows your internal systems, uses the right terminology, and sounds exactly like a vendor they've spoken to before.

The countermeasures are different. The training is different. Most organisations haven't caught up yet.


What this means if you're a security leader in the GCC

The UAE PDPL, NCA ECC, and DIFC frameworks are tightening accountability for exactly the exposures this report describes. Third-party access. Unmonitored vendor connections. Shadow SaaS and AI sprawl. Identity lifecycle failures.

The region runs on vendor relationships. Managed services, system integrators, cloud resellers, regional distribution partners. That's not going to change. But the visibility gap between who has access and who should have access is where attackers are operating.

The DBIR doesn't tell you what's connected to your environment right now. It just tells you why that question matters more than ever.

If you want to understand your own exposure, you can get a free SaaS snapshot here to see all connections and their actions.