
What the Verizon DBIR tells us about how breaches happen in 2026

Mark Orlando
·
May 20, 2026
·
11 min read

Verizon's 2026 Data Breach Investigations Report landed this week with the largest dataset in the report's 19-year history — more than 22,000 confirmed breaches across 145 countries, nearly double last year's count.

The headline finding getting the most airtime in 2026 is that vulnerability exploitation has overtaken credential abuse as the top single initial access vector, jumping to 31% from 20% the year before. The vulnerability management crisis driving this statistic is one of the most important stories in this year's data. But reading it as evidence that identity threats are receding would be a mistake, because the DBIR's own data tells a more complicated and more useful story when you look at the full picture.


Vulnerability exploitation has caught up with identity — not replaced it

The DBIR's headline comparison pits vulnerability exploitation (31%) against credential abuse (13%) as individual vectors. That comparison is accurate but incomplete, because the DBIR tracks identity-related initial access across three separate categories: phishing (16%), credential abuse (13%), and pretexting (6%). Before interpreting those numbers, there's a methodological wrinkle worth understanding.

This year's report added pretexting as a newly tracked initial access vector, reclassifying some incidents previously counted as credential abuse. The DBIR is transparent about the effect: without that change, credential abuse would have been 16% rather than 13%. On an apples-to-apples basis, identity-related initial access (phishing 16% + credential abuse 16%) comes to 32% — versus 31% for vulnerability exploitation.

To be precise about what moved: phishing held roughly flat year over year, but credential abuse saw a modest decline even on the adjusted basis (from 22% to 16%). Overall, the identity picture is broadly stable. The reason the two categories have converged is that vulnerability exploitation surged 55%, not that identity attacks meaningfully receded.

DBIR Figure 10 (p.15) — Initial access vectors, select enumerations

The taxonomy gap

It's also worth asking how much the DBIR's initial access taxonomy can tell us. The figure that everyone is citing — Figure 10 — is labelled "select enumerations," and the four tracked vectors (vulnerability exploitation, phishing, credential abuse, pretexting) add up to only 66% of initial access. A third of the picture isn't represented in the headline breakdown at all.

Where you draw the cluster boundaries also changes the story. The DBIR classifies ClickFix under "baiting" — a category that covers malicious downloads and SEO poisoning — rather than phishing, even though the end goal is often the same: getting a user to execute something they shouldn't. Pretexting absorbed incidents that were previously counted as credential abuse, shifting the numbers between categories. These are useful analytical clusters, but they aren't clean divisions of a neatly partitioned attack surface.

Some of the most consequential identity-based campaigns of the past 12 months don't map cleanly to any of these categories — the mass Salesforce campaign that compromised over 1,000 organizations via device code phishing, the Anodot breach chain that pivoted through stored OAuth tokens to reach Snowflake customers, ConsentFix abusing Azure CLI's OAuth flow to bypass MFA entirely.

These are identity attacks at scale, and it isn't clear where — or whether — they show up in the DBIR's initial access vectors. This lack of depth in identity and in-browser attack vectors is common in many defensive models, which is why we've created our own Browser and Identity Attacks Matrix.

That convergence at initial access also understates the role credentials play across full breach chains. The DBIR states plainly that credential abuse at any point in the breach progression — not just as the first action — appears in 39% of all breaches, making it the single most pervasive technique in the dataset. Credentials don't just open the front door; they unlock lateral movement, privilege escalation, and persistence throughout the attack chain.

The vulnerability treadmill

The vulnerability exploitation surge itself is driven by a structural capacity crisis rather than a shift in attacker preference. Edge devices and VPNs now account for 22% of vulnerability-exploitation breaches, up from 3% the prior year — a sevenfold increase. Organizations face 50% more CISA KEV vulnerabilities to remediate than a year ago, median remediation time has increased from 32 to 43 days, and the volume of vulnerability records in the dataset has grown roughly eightfold.

This trend was already visible in last year's DBIR, when vulnerability exploitation jumped from 15% to 20%. AI-assisted exploit development may be compounding the problem — the DBIR's own data shows 32% of AI-assisted initial access targeting vulnerability exploitation — but the structural capacity crisis was accelerating well before AI became a meaningful factor in the attacker toolkit.

The vulnerability treadmill is accelerating, and the DBIR's remediation data shows defenders losing ground. But this is an additive problem, not a substitution. Both attack surfaces are growing. 


Phishing has left the inbox

41% of social engineering breaches now involve vectors other than email, with approximately a quarter coming from social media or phone-based channels. Voice phishing simulations show a 40% higher success rate than email phishing — a median click rate of 2% versus 1.4%.

The data is a little confusing. The DBIR draws a line between Phishing (asynchronous — send a message and hope for a click) and Pretexting (synchronous — someone interacting with you in real time). Voice phishing over a phone call is Pretexting in VERIS, not Phishing, even though most practitioners would call it phishing. Browser-based credential harvesting delivered via SEO poisoning or malicious downloads falls under "Baiting." So the 16% phishing figure probably understates the full scope of credential-harvesting social engineering as most defenders would define it.

Even within the email channel, the data confirms what browser-level detection data has been showing: credential harvesting dominates. The DBIR's email security gateway breakdown shows 80% of blocked attacks are credential or session phishing, with only 10% involving malware delivery, 5% callback phishing, and 3% BEC. If you're running an email security gateway, the vast majority of what it catches is credential phishing — and 41% of social engineering is arriving through channels it can't see at all.

DBIR Figure 54 (p.49) — Median percentage of email attack types by month

The ClickFix detection gap

The DBIR reports ClickFix at only 2.7% of attacks detected at the browser level. For context, CrowdStrike reported a 563% increase in ClickFix lures over the same period and Microsoft identified it as the most common initial access point at 47% of observed attacks. Push's own data shows ClickFix at a significantly higher proportion of browser-level detections, with 4 in 5 delivered via search engines specifically.

The gap is striking, and the most likely explanation is a visibility one. ClickFix attacks result in a malware download or script execution on the endpoint — and without browser-layer context, that execution looks like any other malware delivery. If a contributing organization doesn't have visibility into the browser session that preceded the payload, they'd attribute the incident to "malware download" or "user execution" rather than ClickFix specifically. The DBIR's 2.7% probably reflects how often contributors could trace the chain back to a ClickFix page, not how often ClickFix was actually the delivery mechanism.


Stolen credentials are the ransomware on-ramp

One of the most powerful findings in this year's DBIR is the quantification of the relationship between credential compromise and ransomware outcomes. Fifty percent of ransomware victims had a credential or infostealer event occur within 95 days prior to the ransomware attack, drawing a causal line from credential theft to ransomware deployment.

DBIR Figure 48 (p.45) — Credential leakage events prior to ransomware

The infostealer supply chain data reinforces the picture. Infostealers are surfacing an average of 2,362 breached corporate credentials per month from organizational email domains in stealer log datasets, and 54% of devices in Initial Access Broker logs had at least one infostealer installed. The 95-day median window is consistent with the known timeline from credential harvest to ransomware deployment.

That timeline reinforces an argument we've been making about where the intervention point needs to be: detecting credential compromise upstream — at the point of credential entry, session creation, or stolen credential reuse — rather than waiting for the ransomware deployment that follows weeks or months later.
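The upstream intervention described here, and the 95-day window from the preceding paragraph, can be turned into a simple correlation rule. The following is an added example, not code from the DBIR or from Push: it takes credential exposure events (as a stealer-log monitoring feed might surface them) and a stream of authentication events, and flags any successful login by an exposed user, after the exposure and inside the window, from a device that user had never used before the exposure. All event data, usernames, IPs and device IDs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed sample data, not from the DBIR or from any real telemetry.
@dataclass(frozen=True)
class Exposure:
    username: str
    seen_at: datetime   # when the credential surfaced in a stealer log or breach dump
    source: str


@dataclass(frozen=True)
class AuthEvent:
    username: str
    at: datetime
    src_ip: str
    device_id: str
    success: bool


EXPOSURES = [
    Exposure("alice@example.com", datetime(2026, 1, 10), "stealer-log"),
    Exposure("bob@example.com", datetime(2025, 9, 1), "breach-dump"),
]

AUTH_EVENTS = [
    AuthEvent("alice@example.com", datetime(2025, 12, 1), "198.51.100.10", "laptop-alice-01", True),
    AuthEvent("alice@example.com", datetime(2026, 1, 12), "198.51.100.10", "laptop-alice-01", True),
    AuthEvent("alice@example.com", datetime(2026, 2, 3), "203.0.113.5", "unknown-77", True),
    AuthEvent("bob@example.com", datetime(2025, 8, 1), "198.51.100.20", "laptop-bob-01", True),
    AuthEvent("bob@example.com", datetime(2026, 1, 15), "203.0.113.9", "unknown-12", True),
    AuthEvent("carol@example.com", datetime(2026, 2, 1), "203.0.113.30", "unknown-40", True),
]


def devices_known_before(auth_events, username, cutoff):
    """Device IDs this user successfully authenticated from before the exposure."""
    return {e.device_id for e in auth_events
            if e.username == username and e.success and e.at < cutoff}


def flag_credential_reuse(exposures, auth_events, window_days=95):
    """Return logins that look like reuse of an exposed credential.

    A finding is a successful login by an exposed user, at or after the exposure
    time and within window_days of it, from a device that user never used
    before the exposure. The 95-day default mirrors the DBIR median lead time
    from credential event to ransomware; it is a tuning parameter, not a rule.
    """
    findings = []
    for exp in exposures:
        deadline = exp.seen_at + timedelta(days=window_days)
        baseline = devices_known_before(auth_events, exp.username, exp.seen_at)
        for ev in auth_events:
            if ev.username != exp.username or not ev.success:
                continue
            if not (exp.seen_at <= ev.at <= deadline):
                continue
            if ev.device_id in baseline:
                continue  # a device the user already used: not reuse by a third party
            findings.append({
                "username": ev.username,
                "exposure_source": exp.source,
                "login_at": ev.at,
                "src_ip": ev.src_ip,
                "device_id": ev.device_id,
                "days_after_exposure": (ev.at - exp.seen_at).days,
            })
    return findings


if __name__ == "__main__":
    for f in flag_credential_reuse(EXPOSURES, AUTH_EVENTS):
        print(f"{f['username']}: new device {f['device_id']} from {f['src_ip']} "
              f"{f['days_after_exposure']} days after {f['exposure_source']} exposure")
```

In the sample data, alice's login from a new device 24 days after her credential appeared in a stealer log is flagged, while bob's new-device login falls outside the 95-day window and is not. That second case is the point of the window: widening it catches slower reuse at the cost of more noise, so the right value depends on how long your credential rotation actually takes.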

Post-compromise tradecraft is shifting

The DBIR's post-compromise data adds another dimension. RMM tool abuse by threat actors showed a 240% increase over the prior year, while traditional backdoor and C2 malware usage fell 27%. Attackers are increasingly living off the land with the same remote access tools IT teams use. Post-compromise detection is getting harder, which makes catching the initial credential compromise upstream that much more valuable.


Your vendors are half the problem

Third-party involvement in breaches reached 48% this year, up from 30% — a 60% increase that follows a prior year where the figure had already doubled.

The DBIR's root cause analysis maps directly to identity security: insecure authentication — absent MFA, improper credential rotation — and lack of least privilege enforcement account for a substantial share of cloud-based third-party incidents. Only 23% of third-party organizations fully remediated missing or improperly secured MFA on cloud accounts, and weak password and permission misconfigurations took a median of 8 months to resolve 50% of findings.

Eight months. That's the median timeline for third-party vendors to resolve the identity hygiene issues that create the attack surface in their environments — environments that your data lives in.

Extend that posture gap across every vendor and third-party integration, and you start to see why the third-party breach figure keeps climbing. Visibility into OAuth consent flows and third-party integration sprawl is the starting point for getting ahead of a supply chain problem that is structurally getting worse.


AI is scaling known techniques — and creating new blind spots from the inside

The DBIR's AI analysis this year is grounded in a collaboration with Anthropic covering 793 threat actors who received enforcement action for violating acceptable use policy between March 2025 and February 2026. The findings are measured rather than alarmist: in the median case, actors sought AI assistance across about 15 distinct ATT&CK techniques, 44% of AI-assisted initial access was phishing-related, and less than 2.5% of techniques observed were classified as rare.

AI is currently an operational tool for attackers — automating and scaling known techniques rather than unlocking novel ones. Despite heavy AI-assisted focus on phishing, the DBIR's own incident dataset shows phishing as an initial access vector has barely changed year over year — suggesting AI may be uplifting less-experienced attackers to a higher baseline of lure quality without meaningfully increasing success rates against organizations that already have detection in place.

The more concerning number is the 32% of AI-assisted initial access targeting vulnerability exploitation — compounding the patching capacity crisis discussed earlier in a trend that was already accelerating before AI entered the picture.

DBIR Figure 65 (p.60) — Select data types in DLP events targeting generative AI tools

Shadow AI is the bigger problem

The sharper AI risk for most organizations, though, is internal. Forty-five percent of employees are now regular AI users on corporate devices — up from 15%, a threefold increase — and 67% of them use non-corporate accounts. Shadow AI has become the third most common non-malicious insider action in DLP data, a fourfold increase over the prior year, with source code as the leading data type submitted to unauthorized AI platforms by a wide margin.

The browser extension angle is particularly relevant. More than 15% of users had unauthorized AI browser extensions installed, and the DBIR specifically notes that these extensions collect and retain browsing context from internal sites — creating a data exfiltration pathway that operates independently of traditional DLP controls.

This is moving faster than any previous shadow IT wave, and the data loss vector is the browser — where users interact with AI tools, where extensions collect context, and where OAuth consent grants connect AI services to corporate data. Visibility and control at that layer isn't a nice-to-have for AI governance; it's the minimum viable starting point.
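One concrete starting point for the extension visibility problem is to audit what installed extensions are allowed to read. The following is an added example, not code from the DBIR or from Push: it reads Chrome-style extension manifests and reports which ones hold host permissions covering internal sites, which have blanket host access, and which request API permissions (such as tabs or cookies) that expose browsing context. It assumes you have already collected each extension's manifest.json from the endpoint (the on-disk location differs by OS and browser and is not covered here); the sample manifests, extension IDs and internal hostnames are constructed.

```python
import json

# Constructed sample manifests, not real extensions. Field names follow the
# Chrome extension manifest format: "host_permissions" (Manifest V3), host
# patterns mixed into "permissions" (Manifest V2) and "content_scripts[].matches".
SAMPLE_MANIFESTS = {
    "ext-aaaa": json.dumps({
        "manifest_version": 3, "name": "Example AI Writing Helper",
        "permissions": ["tabs", "storage"],
        "host_permissions": ["<all_urls>"],
    }),
    "ext-bbbb": json.dumps({
        "manifest_version": 2, "name": "Example Chat Sidebar",
        "permissions": ["cookies", "https://*.corp.example/*"],
        "content_scripts": [{"matches": ["https://wiki.corp.example/*"], "js": ["cs.js"]}],
    }),
    "ext-cccc": json.dumps({
        "manifest_version": 3, "name": "Example Colour Picker",
        "permissions": ["storage"],
        "host_permissions": ["https://colors.example.org/*"],
    }),
}

# Constructed list of internal hostnames; in practice this comes from asset inventory.
INTERNAL_HOSTS = ["wiki.corp.example", "git.corp.example", "hr.corp.example"]

# API permissions that let an extension read page or session context.
SENSITIVE_API_PERMISSIONS = {"tabs", "cookies", "webRequest", "history",
                             "clipboardRead", "debugger"}


def pattern_host(pattern):
    """Host component of a Chrome match pattern, or None for an API permission."""
    if pattern == "<all_urls>":
        return "*"
    if "://" not in pattern:
        return None
    return pattern.split("://", 1)[1].split("/", 1)[0]


def is_broad(pattern):
    """True for patterns granting access to every host."""
    return pattern_host(pattern) == "*"


def host_pattern_covers(pattern, hostname):
    """Does a Chrome match pattern grant access to hostname?"""
    host = pattern_host(pattern)
    if host is None:
        return False
    if host == "*":
        return True
    if host.startswith("*."):
        # "*.corp.example" matches corp.example and every subdomain of it
        return hostname == host[2:] or hostname.endswith(host[1:])
    return hostname == host


def host_patterns(manifest):
    """All host patterns that give the extension access to page content."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", []) if pattern_host(p) is not None]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats


def audit_extension(ext_id, manifest_json, internal_hosts=INTERNAL_HOSTS):
    m = json.loads(manifest_json)
    pats = host_patterns(m)
    covered = sorted({h for h in internal_hosts for p in pats if host_pattern_covers(p, h)})
    return {
        "id": ext_id,
        "name": m.get("name", "?"),
        "broad_host_access": any(is_broad(p) for p in pats),
        "internal_hosts_covered": covered,
        "sensitive_permissions": sorted(SENSITIVE_API_PERMISSIONS & set(m.get("permissions", []))),
    }


def audit_all(manifests, internal_hosts=INTERNAL_HOSTS):
    return [audit_extension(i, j, internal_hosts) for i, j in manifests.items()]


if __name__ == "__main__":
    for r in audit_all(SAMPLE_MANIFESTS):
        if r["internal_hosts_covered"] or r["broad_host_access"]:
            print(f"{r['id']} {r['name']!r}: broad={r['broad_host_access']} "
                  f"internal={r['internal_hosts_covered']} api={r['sensitive_permissions']}")
```

Of the three constructed manifests, the first reaches every site and can read tab metadata, the second is scoped to the corporate domain but reads cookies and injects a content script into the wiki, and the third touches nothing internal. A manifest audit only tells you what an extension may read, not what it sends, so it is a triage input for the browser-layer telemetry the text describes rather than a replacement for it.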


What this means for defenders

The DBIR's 2026 data paints a picture of converging pressures rather than shifting priorities. Vulnerability exploitation surged, but identity-related initial access is broadly stable and credential abuse at 39% across full breach chains remains the single most pervasive technique in the dataset. Phishing is arriving through channels that email gateways can't see. The infostealer-to-ransomware pipeline now has longitudinal data behind it. Third-party involvement keeps climbing because vendor identity hygiene takes months to remediate. And shadow AI is creating data exposure pathways that most security stacks weren't designed to see.

The common thread across all of these findings is that the browser — where credentials are entered, sessions are created, OAuth consent is granted, AI tools are accessed, and extensions collect data — is the layer where these risks converge and where defenders need visibility and control if they're going to address them at the point of risk rather than after the fact.

Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.

Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.

Book a live demo to learn more.

About the author
Mark Orlando
Field CTO