Verizon 2026 DBIR: For the First Time, Unpatched Software Overtakes Stolen Passwords as the Leading Breach Vector

Verizon released its 2026 Data Breach Investigations Report this week, and the headline finding is one that should stop any security team in its tracks: for the first time in the report's 19-year history, vulnerability exploitation has overtaken stolen credentials as the leading initial access vector for confirmed data breaches. Unpatched software is now how attackers most commonly get in. And the gap between attackers' ability to exploit known vulnerabilities and organizations' ability to patch them is getting wider, not narrower.
The Numbers That Define the Shift
Vulnerability exploitation accounted for 31% of all confirmed breaches analyzed in the 2026 DBIR, up from 20% the year before. Stolen credentials, which had topped the list consistently for over a decade, now sit behind it. This is not statistical noise: an 11-percentage-point year-over-year jump in a dataset of this scale reflects a genuine, structural change in attacker behavior.
The patching data makes the cause clear. The median time to patch vulnerabilities has increased from 32 days to 43 days -- organizations are taking longer, not shorter, to address known flaws. More damaging: only 26% of critical vulnerabilities in CISA's Known Exploited Vulnerabilities catalog were fully remediated in 2025, down from 38% the year before. The KEV catalog exists specifically to signal to organizations which vulnerabilities are being actively weaponized. A 74% non-remediation rate for that catalog is not a patching problem. It is a crisis.
AI Is Compressing the Exploitation Window
The DBIR documents AI's role in the shift in specific terms. Threat actors are using AI to accelerate the exploitation of known vulnerabilities, shrinking the window between public disclosure and active exploitation from months to hours. AI-driven tools are identifying vulnerabilities in production software that human researchers previously missed. The median threat actor in the DBIR dataset utilized AI assistance across 15 distinct attack techniques; some used it across 40 to 50 techniques.
This compression of the exploitation timeline makes the patching delay numbers even more consequential. When the window between disclosure and active exploitation was weeks or months, 43-day median patch times were painful but potentially survivable for many organizations. When that window is measured in hours, 43 days represents near-certain exposure for any known, unpatched vulnerability in internet-facing infrastructure.
The Shadow AI Tripling
One of the most alarming findings in the 2026 DBIR has nothing to do with external attackers. Employee use of unapproved "shadow AI" on corporate devices has tripled in a single year, rising from 15% to 45% of employees. The data type most commonly submitted to these unauthorized AI platforms? Source code -- entered through personal accounts with no enterprise governance, no data classification controls, and no logging.
The DBIR is blunt about the implication: from a data exposure standpoint, employees submitting proprietary source code to a personal ChatGPT or Gemini account through an unauthorized browser extension produces an effect functionally identical to data exfiltration. The code has left the organization's control. Whether the intent was malicious is irrelevant to the exposure. More than 15% of corporate users have unauthorized AI browser extensions installed -- browser plugins specifically designed to capture browsing context for model input, including internal systems and non-public data.
Third-Party Risk Has Become Breach Risk
The DBIR also documents a significant increase in breaches originating through third-party vendors and supply chain compromises. Attackers have recognized that targeting well-defended enterprises directly is often harder than targeting the vendors, contractors, and software providers those enterprises trust. The 2026 data shows this strategy paying off at an increasing rate, with third-party-initiated breaches now making up a substantial share of the confirmed breach dataset rather than a niche concern.
The Defense Side
The DBIR's assessment of AI in defense is more measured. While AI tools are being deployed for threat detection, automated triage, and vulnerability scanning, the report notes that "AI is changing the economics of attack, but the same cannot yet be said for defense." Attack automation is ahead of defense automation. The tools that help defenders process alerts faster are also helping attackers generate more alerts. The net effect at this stage of adoption appears to favor offense.
What Security Teams Should Take From This
The shift from credential theft to vulnerability exploitation as the primary vector has direct implications for defensive prioritization. Organizations that have focused heavily on identity and access management -- multi-factor authentication, password policies, credential monitoring -- have not wasted their investment, but they may have under-invested in vulnerability management relative to the current threat environment. Reducing median patch time, improving coverage of CISA KEV remediations, and establishing controls around employee AI tool usage are the three areas where the 2026 DBIR data most clearly points to actionable gaps.
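The two patching metrics the report uses, KEV remediation coverage and median days to patch, can be measured in one's own estate. The Python below is an added example, not code from Verizon or the DBIR; it assumes an internal patch-tracker export keyed by CVE id, and both the feed and the records are constructed (field names cveID/dateAdded/dueDate follow CISA's public KEV JSON feed, the CVE ids are placeholders).

```python
import json
import statistics
from datetime import date

# Constructed sample in the layout of CISA's KEV feed. CVE ids are placeholders.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2025-01-10", "dueDate": "2025-01-31"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2025-02-03", "dueDate": "2025-02-24"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2025-03-15", "dueDate": "2025-04-05"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2025-04-01", "dueDate": "2025-04-22"},
    {"cveID": "CVE-0000-0005", "dateAdded": "2025-05-02", "dueDate": "2025-05-23"},
]})

# Constructed records from an assumed internal tracker: KEV entries that exist
# in the estate, mapped to the date the fix was fully deployed (None = open).
# CVE-0000-0005 is deliberately absent: not present in the estate, out of scope.
PATCH_RECORDS = {
    "CVE-0000-0001": "2025-01-25",   # fully remediated within the CISA due date
    "CVE-0000-0002": "2025-04-20",   # remediated, but 76 days after listing
    "CVE-0000-0003": None,           # still open
    "CVE-0000-0004": "2025-05-30",   # remediated late
}

def kev_metrics(feed_json, patch_records, as_of):
    """Coverage (share of in-scope KEV entries fully remediated), median days
    from KEV listing to deployed fix, and ids that missed CISA's due date."""
    entries = json.loads(feed_json)["vulnerabilities"]
    today = date.fromisoformat(as_of)
    durations, missed, in_scope = [], [], 0
    for e in entries:
        cve = e["cveID"]
        if cve not in patch_records:
            continue                       # not in our estate
        in_scope += 1
        added = date.fromisoformat(e["dateAdded"])
        due = date.fromisoformat(e["dueDate"])
        patched = patch_records[cve]
        if patched is None:                # open: overdue only once past due date
            if today > due:
                missed.append(cve)
            continue
        patched_on = date.fromisoformat(patched)
        durations.append((patched_on - added).days)
        if patched_on > due:
            missed.append(cve)
    return {
        "coverage": len(durations) / in_scope if in_scope else 0.0,
        "median_days_to_patch": statistics.median(durations) if durations else None,
        "missed_due_date": missed,
    }

if __name__ == "__main__":
    print(kev_metrics(KEV_FEED, PATCH_RECORDS, "2025-06-01"))
```

Run against a real KEV download and tracker export, the same function gives the organization's own counterpart to the report's 26% coverage and 43-day median.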
The shadow AI finding deserves particular urgency. Tripling of unauthorized AI usage in a single year is not a trend that responds to policy statements alone. Organizations that have not yet implemented technical controls -- browser extension allowlisting, data loss prevention rules for AI platform domains, enterprise AI usage monitoring -- are likely already experiencing the data exposure the DBIR describes, whether they know it or not.
Originally reported by Verizon. Read the original article for additional details.