Verizon DBIR 2026: Exploitation Has Overtaken Credentials — What Australian Businesses Need to Act On
Verizon's 2026 Data Breach Investigations Report — the most comprehensive annual study of breach data ever compiled — has delivered a finding that should recalibrate how security teams and Australian small-business owners prioritise their defences: for the first time in the report's 19-year history, vulnerability exploitation has overtaken stolen credentials as the leading initial access method used by attackers. Drawing on analysis of over 22,000 confirmed breaches, the 2026 edition documents a threat landscape where patches are applied too slowly, supply chains are increasingly weaponised, and ransomware is present in nearly half of all incidents — figures that closely mirror what Australia's own ACSC reported domestically for the same period.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
The Headline Finding: Exploitation Is Now the Top Breach Vector
For 18 consecutive years, stolen or phished credentials held the top spot as the most common way attackers gained initial access to their targets. The Verizon 2026 Data Breach Investigations Report has ended that streak. Vulnerability exploitation now accounts for 31% of initial access vectors across the 22,052 confirmed breaches the report analysed — while credential abuse dropped to just 13%. It is the first time in the DBIR's 19-year history that credentials have been knocked off the top spot, and the shift carries significant implications for how defenders allocate limited security resources.
The report covers incidents that occurred between 1 November 2024 and 31 October 2025, drawing on data from 97 contributing organisations across 145 countries. The volume of confirmed breaches — over 22,000 — represents the largest dataset in the DBIR's history, giving the exploitation trend considerable statistical weight. This is not a marginal blip; exploitation has grown its share steadily over several editions as attackers have industrialised the process of turning disclosed vulnerabilities into working weapons.
The drivers behind this shift are well understood in the security research community. Artificial intelligence-assisted scanning tools have dramatically compressed the window between a CVE being published and mass exploitation beginning. Proof-of-concept code for critical vulnerabilities now routinely appears on GitHub within hours of disclosure, and automated scanners sweep the internet continuously for vulnerable instances. For some high-severity flaws in 2025, researchers recorded exploitation attempts within 24 hours of the NVD entry going live.
Ransomware figures reinforce the seriousness of the exploitation pathway. Ransomware was present in 48% of all breaches analysed — up from 44% in the previous edition — underscoring that initial access via unpatched vulnerabilities frequently leads directly to extortion. The one moderately positive data point: 69% of ransomware victims declined to pay the ransom demand, a figure that suggests the "don't pay" messaging from organisations like the ACSC and CISA is gaining traction, even as the overall prevalence of ransomware continues to grow.
Espionage-motivated breaches also rose, climbing to 17% of total incidents. That figure is driven primarily by nation-state activity targeting government, defence, and critical infrastructure sectors — a concern that Australian agencies have flagged repeatedly in domestic threat reporting.
What the DBIR Numbers Mean for Australian Organisations
The DBIR's global findings land with particular force when read alongside Australia's own domestic cyber statistics. The ASD's ACSC Annual Cyber Threat Report 2024–25, published in October 2025, recorded 84,700 cybercrime reports in the financial year — one report every six minutes. The ACSC responded to over 1,200 cyber security incidents, an 11% year-on-year increase, and notified entities more than 1,700 times of potentially malicious activity, up 83% from the prior year.
The financial impact on Australian businesses is stark. The average self-reported cost of cybercrime for an Australian business rose 50% to $80,500, consistent with the DBIR's global picture of escalating financial harm. For small businesses — the segment that makes up the overwhelming majority of Australian enterprises — a single significant breach now risks exceeding the operational cost of a quarter's trading. The ACSC also recorded more than 42,500 calls to its cyber security hotline, a 16% increase.
Critical infrastructure is bearing the sharpest end of the threat. The ACSC notified critical infrastructure entities of potential malicious activity over 190 times — a 111% increase — and the number of ransomware incidents against the healthcare sector doubled year-on-year. These figures align with the DBIR's observation that ransomware operators increasingly target sectors where operational disruption creates maximum coercive pressure.
Two regulatory developments give the DBIR's patch-management findings specific legal weight in Australia. First, Australia's mandatory ransomware and cyber extortion payment reporting regime — which took effect on 30 May 2025 — requires businesses with annual turnover above $3 million to report any ransom or extortion payment to the Department of Home Affairs within 72 hours. The DBIR's finding that nearly half of all breaches involve ransomware means many more Australian businesses will trigger this obligation in 2026 than anticipated when the law was drafted.
Second, the Cyber Security Act 2024 strengthened minimum standards for critical infrastructure operators. Taken together, these regulatory obligations create a compliance imperative that runs parallel to — and reinforces — the operational advice the DBIR provides: patch faster, monitor third-party access, and maintain an incident response plan that includes a mandatory notification workflow.
Three Structural Shifts in How Breaches Are Happening
The Patching Crisis: Defenders Are Losing Ground on Speed
The DBIR's patching data is the most alarming section for any organisation that relies on a periodic vulnerability management cycle. In 2025, the median time to fully remediate a vulnerability rose to 43 days, up from 32 days in the prior period. At the same time, the volume of critical vulnerabilities organisations were expected to address was 50% higher in the median case than in the previous year's dataset.
The combination — more vulnerabilities, slower remediation — is a mathematical formula for exploitation. The DBIR found that across the CISA Known Exploited Vulnerabilities (KEV) catalogue, organisations patched only 26% of listed flaws in 2025, down from 38% the prior year. The KEV catalogue is specifically curated to include only vulnerabilities that have confirmed in-the-wild exploitation, making it the highest-confidence priority list available to defenders. Patching less than a third of confirmed-exploited vulnerabilities is not a resource problem; it indicates a prioritisation failure.
The practical implication is that attackers who need only exploit one unpatched KEV-listed vulnerability to gain initial access are operating in an environment where they have a 74% chance, statistically, that their chosen target hasn't applied the relevant fix. This directly explains the DBIR's headline finding.
Supply Chain Risk Is Now a First-Order Concern
Third-party involvement in confirmed breaches increased 60% year-on-year and now features in 48% of all incidents — nearly half. This figure represents a structural shift rather than an anomaly. Attackers have learned that targeting the supply chain — software vendors, managed service providers, SaaS platforms — delivers access to dozens or hundreds of downstream organisations from a single compromise.
The DBIR notes that MFA gaps in third-party cloud accounts are typically resolved within a month when flagged, but only 23% of third-party organisations fully remediated those issues at all when notified. Weak passwords and permission misconfigurations in third-party environments took close to eight months to remediate in half of all assessed cases. Australian businesses that rely on managed service providers or cloud-hosted SaaS tools inherit their vendors' security posture as a de facto part of their own attack surface.
Shadow AI: A New Attack Surface Most Organisations Haven't Mapped
For the first time, the 2026 DBIR dedicates significant analysis to artificial intelligence as a contributing factor in both attack capability and organisational exposure. The data is striking: 67% of employees who access AI services on corporate devices are using personal (non-corporate) accounts rather than corporate-sanctioned ones. The proportion of employees who are regular AI users has grown from 15% to 45% in a single year.
The security risk is not primarily that AI tools are being used — it is that sensitive business data, customer records, internal documentation, and source code are being fed into personal AI accounts that sit outside corporate data loss prevention controls, logging, and contractual protections. The DBIR explicitly flags shadow AI as an emerging risk category that most organisations have not yet incorporated into their threat models or acceptable-use policies.
What Australian SMBs Should Do Right Now
The DBIR's findings are not a counsel of despair. They are a prioritisation guide. The shift to exploitation-as-primary-vector means that the single highest-value action an Australian business can take this week is not buying a new security product — it is auditing which of its existing systems are running software with known exploited vulnerabilities.
Start with the CISA KEV catalogue. The CISA Known Exploited Vulnerabilities catalogue is freely available and updated continuously. It lists only vulnerabilities that have confirmed, real-world exploitation — not theoretical flaws. Treating any KEV-listed patch as Priority Zero — more urgent than regular monthly patching cycles — is the most direct response to the DBIR's headline finding. Most enterprise patch management tools can import KEV data directly.
Map your Essential Eight maturity. The ACSC's Essential Eight framework provides Australian organisations with eight mitigation strategies ranked by effectiveness. Even achieving Maturity Level 1 across all eight strategies significantly reduces exposure to the most common attack techniques. The DBIR's patching finding maps directly to Essential Eight Strategy 3 (patch applications) and Strategy 4 (patch operating systems).
Secure remote work and off-site connections. The DBIR's exploitation data has a specific implication for remote workers and hybrid teams. An attacker who has identified a vulnerable remote-access service or VPN appliance on your perimeter is likely to move fast — often within hours of a PoC becoming public. But the risk runs both ways: employees working from home or public networks are also exposed to ISP-level traffic monitoring and network interception.
Australia's mandatory data retention laws require internet service providers to store two years of metadata about every connection you make — including which services you connect to and when. For remote workers handling sensitive client data, a VPN that encrypts all traffic between the device and the VPN provider's server provides meaningful protection against network-level interception on public Wi-Fi and reduces the data footprint available to ISP logging. NordVPN encrypts traffic using AES-256 before it leaves the device, operates a no-logs policy that has been audited by external firms, and routes DNS through its own private servers — mitigating the DNS hijacking and traffic exposure risks that unprotected home or café connections carry.
Build a third-party software inventory. Given that 48% of breaches now involve a third party, organisations need to know what software they are running, who supplies it, and how quickly that supplier patches critical vulnerabilities. Requesting a software bill of materials (SBOM) from key vendors is a reasonable ask for any business that relies on software-as-a-service for critical functions.
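The two recommendations above (treat KEV-listed flaws as Priority Zero, and keep an inventory of the software you run and who supplies it) come together in one small audit. The script below is an added worked example, not code from Verizon, CISA or the ACSC: it cross-references a constructed software inventory against a sample written in the shape of CISA's published KEV JSON feed and emits a Priority Zero list ordered by urgency. The field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse, requiredAction) follow the real feed; every entry, CVE ID, host name and the audit date are constructed placeholders. KEV records name a vendor and product but carry no affected-version range, so each hit is a candidate that still has to be confirmed against the vendor advisory before it is closed or escalated.

```python
"""Added example: triage a software inventory against a KEV-style feed.

Not code from the DBIR, CISA or the ACSC. KEV_SAMPLE uses the field names
of CISA's published KEV JSON feed, but its entries are constructed and the
CVE IDs are placeholders, not real vulnerabilities. INVENTORY is invented.
"""
from dataclasses import dataclass
from datetime import date
import json

# Constructed stand-in for the KEV feed (the real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
KEV_SAMPLE = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway OS",
         "dateAdded": "2025-09-01", "dueDate": "2025-09-22",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSaaS", "product": "Sync Agent",
         "dateAdded": "2025-10-25", "dueDate": "2025-12-15",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Not Installed",
         "dateAdded": "2025-10-01", "dueDate": "2025-10-22",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory. 'owner' records who is responsible for patching:
# an MSP-managed device inherits the MSP's patch cadence, not yours.
INVENTORY = [
    {"host": "edge-fw-01", "vendor": "ExampleVPN", "product": "Gateway OS", "version": "7.2.1", "owner": "MSP"},
    {"host": "wks-014", "vendor": "examplesaas", "product": "sync agent", "version": "3.0.4", "owner": "internal"},
    {"host": "wks-015", "vendor": "Unrelated", "product": "Editor", "version": "1.0", "owner": "internal"},
]

AUDIT_DATE = date(2025, 11, 1)  # constructed "today" so the run is reproducible


@dataclass
class Finding:
    host: str
    owner: str
    cve: str
    vendor: str
    product: str
    version: str
    due_date: date
    days_until_due: int        # negative: the CISA due date has already passed
    ransomware_use: bool       # KEV flags known use in ransomware campaigns
    required_action: str


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive key so 'Gateway OS' matches 'gateway os'."""
    return " ".join(s.lower().split())


def load_kev(feed_text: str) -> dict:
    """Index KEV entries by (vendor, product) for a direct lookup per inventory row."""
    index: dict = {}
    for entry in json.loads(feed_text)["vulnerabilities"]:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index


def triage(inventory: list, kev_index: dict, today: date) -> list:
    """Return candidate Findings, most urgent first: overdue before not-yet-due,
    known ransomware use before unknown, then nearest due date."""
    findings = []
    for row in inventory:
        for entry in kev_index.get((_norm(row["vendor"]), _norm(row["product"])), []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(
                host=row["host"], owner=row["owner"], cve=entry["cveID"],
                vendor=entry["vendorProject"], product=entry["product"],
                version=row["version"], due_date=due,
                days_until_due=(due - today).days,
                ransomware_use=entry.get("knownRansomwareCampaignUse", "").lower() == "known",
                required_action=entry.get("requiredAction", ""),
            ))
    findings.sort(key=lambda f: (f.days_until_due >= 0, not f.ransomware_use, f.days_until_due))
    return findings


def findings_by_owner(findings: list) -> dict:
    """Count candidates per patch owner: shows how much exposure sits with a third party."""
    counts: dict = {}
    for f in findings:
        counts[f.owner] = counts.get(f.owner, 0) + 1
    return counts


def demo_report() -> list:
    """Run the audit over the constructed data at the constructed audit date."""
    return triage(INVENTORY, load_kev(KEV_SAMPLE), AUDIT_DATE)


if __name__ == "__main__":
    report = demo_report()
    for f in report:
        status = f"overdue by {-f.days_until_due}d" if f.days_until_due < 0 else f"due in {f.days_until_due}d"
        flag = " [ransomware use known]" if f.ransomware_use else ""
        print(f"P0 {f.host:<11} {f.cve} {f.vendor} {f.product} {f.version} ({f.owner}) {status}{flag}")
    print("candidates by patch owner:", findings_by_owner(report))
```

Run as-is, the report lists the VPN gateway first (its CISA due date is 40 days past and the flaw is flagged for ransomware use), then the workstation agent, and the per-owner count shows that half of the exposure is on a device the MSP patches, which is the point of the third-party inventory. To use it against real data, replace KEV_SAMPLE with the downloaded feed and INVENTORY with an export from your asset or endpoint management tool; matching stays on normalised vendor and product names, so a hit means "check the version against the advisory", not "confirmed vulnerable".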
Prepare your 72-hour notification workflow. If your business has annual turnover above $3 million and you experience a ransomware incident, Australia's mandatory reporting regime requires you to notify the Department of Home Affairs within 72 hours. That window is short enough that it must be rehearsed before an incident, not improvised during one. Document who makes the call, what information needs to be captured, and who has authority to authorise notification.
Layered Defences: Aligning with the DBIR's Own Prescriptions
The DBIR does not just document how breaches happen — it consistently points toward a cluster of controls that, when applied in combination, address the most common attack patterns. For Australian organisations, these recommendations map well onto the ACSC's Essential Eight framework, which should serve as the primary implementation guide.
Multi-factor authentication across every account with internet-facing access. The DBIR reports the human element as present in 62% of breaches, with phishing and credential theft still playing supporting roles even as exploitation takes the top spot. MFA does not prevent exploitation of unpatched systems, but it closes the credential-theft pathway that remains present in the majority of incidents. Administrative accounts, email systems, cloud platforms, and remote-access services should be the first priorities.
Application control to limit execution of unapproved code. Ransomware deployments — present in 48% of DBIR breaches — require the ability to run attacker-controlled executables. Application allow-listing (Essential Eight Strategy 1, ML2 or higher) prevents unauthorised code from running even if an attacker achieves initial access via exploitation. It is one of the most effective controls available and is increasingly practical to deploy even in SMB environments.
Network segmentation to contain blast radius. The DBIR's supply chain and third-party findings reflect an uncomfortable reality: in a well-segmented network, a compromised third-party tool or vendor account cannot pivot freely to core business systems. Flat networks — where every device can reach every other device — remain alarmingly common in Australian SMBs. Separating guest Wi-Fi, IoT devices, point-of-sale systems, and administrative workstations onto distinct network segments reduces the blast radius of any single exploitation event.
Formalise your AI usage policy before shadow AI becomes a data breach. The DBIR's shadow AI data — 67% of corporate-device AI users operating via personal accounts — points to an exposure most organisations have not yet addressed. A practical response does not require banning AI tools; it requires cataloguing which tools are approved, mandating that sensitive work uses corporate accounts with contractual data protections, and classifying which data types should never be shared with external AI services.
Conduct a vendor security review annually. Given that third-party breaches now feature in nearly half of all incidents, the annual vendor review has moved from a compliance box-tick to a genuine risk management exercise. Key questions: Does this vendor have a published vulnerability disclosure policy? How quickly did they patch their last critical CVE? Do they support MFA on every administrative account? Can they provide an SBOM? Vendors who cannot answer these questions clearly deserve elevated scrutiny.
The DBIR's core message, repeated across 19 editions, remains consistent: most breaches are preventable. The 2026 edition updates the priority order — patch unpatched known-exploited vulnerabilities before anything else — but the fundamentals of MFA, application control, segmentation, and regular patching remain the bedrock. The threat landscape has changed; the defensive principles have not.
Related reading
- Australia's 72-Hour Ransomware Reporting Law: What Every Business Must Know About Phase 2 Enforcement
- Best VPNs for Australia in 2026: Privacy, Speed & Value Compared
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.