Verizon DBIR: AI shrinks attacker window from months to hours

TL;DR:

  • Verizon’s 2026 Data Breach Investigations Report finds vulnerability exploitation now exceeds stolen credentials as the leading initial-access vector, with 31% of all 31,000+ analysed breaches starting that way.
  • AI is “fundamentally reshaping” cybersecurity by accelerating attacker time-to-exploit on known vulnerabilities — shrinking the defender’s response window from months to hours, according to the report.
  • Shadow AI” — unauthorised employee use of AI tools — is now the third most common non-malicious insider action in data-loss incidents, with employees pasting source code and structured data into external tools.

The annual benchmark from Verizon arrives at a moment when the AI threat narrative is shifting from speculative to operational. Verizon’s review of more than 31,000 incidents shows attackers using generative AI across every stage of the kill chain — targeting, initial access, malware development — and getting faster at converting known software flaws into deployed exploits.

Verizon’s caveats matter

The report is careful: AI’s primary impact, the authors say, “is currently operational: automating and scaling techniques defenders already know how to detect, not yet unlocking novel or rare attack surfaces”. The shift is in speed and volume, not novelty. But Verizon flagged that the assessment could be obsolete quickly as AI capabilities advance — and notably noted that the data does not yet cover incidents involving Anthropic’s Mythos model, deployed under the controlled Project Glasswing initiative to which Verizon is a participant.

Mythos, which Anthropic announced on 7 April, has raised separate cybersecurity concerns because of its coding ability and the speed at which it can identify and weaponise vulnerabilities. The CrowdStrike global threat report earlier this year had already found that AI-enabled adversaries increased attacks by 89% year-on-year in 2025 — and that AI both “elevated less sophisticated threat actors and amplified the most advanced ones”. Verizon’s chief information security officer Nasrin Rezai’s framing — “we need to fight AI with AI” — is now the dominant message from large enterprise CISOs.

Looking forward

For UK readers, the Verizon findings sit naturally alongside QBE’s UK supply-chain cyber research released this week, which found 75% of UK firms worried about supplier AI risk but only 28% auditing suppliers. The combined picture is faster attackers, wider supply-chain exposure, and a UK control gap that operates as the most likely point of failure. For UK cyber-insurance pricing, exploit-window compression is the harder underwriting question than insider Shadow AI. Watch how the NCSC’s Cyber Assessment Framework refresh and the Cyber Security and Resilience Bill — which received its first reading earlier this year — incorporate these vulnerability-management expectations. The DBIR figure of 31% of breaches initiated via vulnerability exploitation is the kind of number that gets written into regulatory expectations within twelve months.