We're so back (to the fundamentals): Our take on the Verizon 2026 Data Breach Investigations Report

Teju Shyamsundar
Principal Manager, Product Marketing, Axonius

The 2026 Verizon Data Breach Investigations Report is the year vulnerability exploitation became the #1 way attackers gain access. It's also the year the report calls out that CVEs were never the whole story. Both things can be true, and the gap between them is where security teams live day-to-day.
That gap is where the real story lives: the exposure surface beyond CVEs, the misconfigurations no scanner catches, the way AI is amplifying the same handful of old issues. The 2026 DBIR spells it out, and it all points to asset intelligence as the layer that makes any of this manageable.
CVEs are a measurement, not the exposure surface
The headline numbers in the 2026 DBIR earn their reach. Exploitation of vulnerabilities now accounts for 31% of initial access in breaches, up from 20% last year. And CISA KEV remediation (patching) got worse: only 26% of CISA KEV vulnerabilities were fully remediated in 2025, down from 38% the year prior. In raw volume, open vulnerability instances climbed 8x in the past year.
That said, Verizon itself flags the methodological constraint of focusing solely on CVEs:
"We know there are exploited vulnerabilities with no CVE assigned and also the larger discipline of exposure management, but we need to be able to compare apples to apples here across disparate datasets."
What does that mean? The report is anchored on CVEs because data sources can be normalized to CVEs, not because CVEs describe the full attack surface. That distinction matters. When the industry treats CVE counts as a proxy for exposure, it inherits the measurement constraint as a worldview. But "exposure" is the broader concept.

A CVE is a known vulnerability with an assigned identifier; an exposure is any condition that gives an attacker a usable path. Misconfigurations are exposures. Over-permissioned service accounts are exposures. Identities accumulating access that no one reviews are exposures. End-of-life software installed on a server still reachable from the internet is an exposure. None of those appear in a CISA KEV catalog. All of them appear in the 2026 DBIR.
Why 83% of privilege escalation bypasses CVEs entirely
The clearest evidence is in the DBIR's deep dive on privilege escalation. As Verizon puts it: "What is a threat actor but an unapproved (and malicious) administrator?"
83% of privilege escalation incidents in the dataset involved no CVE exploitation at all. Verizon mapped every MITRE ATT&CK technique attackers use to move from low-privilege user to domain admin, then sorted the mitigations into four categories:
| Mitigation category | % of ATT&CK techniques addressed |
| --- | --- |
| Privilege management | 65% |
| Configurations | 33% |
| Password policies | 30% |
| Patching | 10% |
The third-party section makes the same point on a larger scale. Breaches involving a third party reached 48% of the dataset, up from 30%. The high-profile cloud campaigns of 2025 — Salesloft Drift, the Snowflake-era credential incidents — were not CVE stories. They were OAuth token stories and missing-MFA stories.
Verizon's new dataset on third-party cloud posture is bleak: only 23% of third-party organizations fully remediated cloud MFA gaps, weak passwords and permission misconfigurations took a median of nearly eight months to resolve, and 37% of organizations had at least one admin IaaS account with MFA disabled.
The DBIR also notes that 26% of organizations still had privilege escalation vulnerabilities from 2021 in their environments, and 11% from 2018.

Each of these is a different shape of the same structural issue. The exposure surface is wider than any scanner's view. The scanner reports on what it can see, the way it sees it, on the schedule it runs. Everything outside that frame is invisible by default. CVE-anchored programs inherit that blind spot.
AI is amplifying the same exposures, not creating new ones
On AI, the 2026 DBIR is refreshingly grounded in reality. Verizon collaborated with the Anthropic Safeguards Team to analyze 793 threat actors flagged for misuse between March 2025 and February 2026. The median threat actor used AI assistance across 15 distinct MITRE ATT&CK techniques; extreme cases stretched to 40 or 50. Of AI-assisted initial access specifically, 44% mapped to phishing and 32% to exploiting vulnerabilities.
The verdict: AI is a force multiplier on known craft, not a paradigm shift. Verizon's own framing backs that up. AI's primary impact right now is operational — automating and scaling techniques defenders already know how to detect, not unlocking new attack surfaces.
The Year in Review names the cases. LameHug used Alibaba's Qwen LLM to generate polymorphic malware on demand. PromptLock emerged as the first AI-powered ransomware. VoidLink, a malware framework written in six days by an AI agent, is the one the DBIR says "marked a point of no return for automated threat development."
Each one attacked the same web of unpatched edge devices, exposed identities, and over-permissioned cloud accounts that the rest of the report describes. The asset surface didn't change, but the cadence against it did.
The call is coming from inside the office
The big AI exposure story in the 2026 DBIR is about employees signing into AI tools on company-owned devices, but with personal accounts (sound familiar?). 45% of employees are now regular AI users on corporate devices, up from 15% last year — a 3x jump in twelve months. 67% are signing in with non-corporate accounts. Shadow AI is now the third most common non-malicious insider DLP trigger.

The data those tools absorb? Source code, by a wide margin. Then structured data. Then, in 3.2% of DLP events, research and technical documentation. That's intellectual property leaving through a Chrome extension nobody approved, attached to an identity nobody governs.
This is the cleanest illustration in the report of why exposures are bigger than CVEs. None of it is a vulnerability. All of it is an asset visibility gap. An unsanctioned tool, an ungoverned identity, an unmonitored data flow. The shape of the problem is the same as the third-party section, the privilege escalation section, and the EOL device section. The exposure surface is wider than any scanner's view.
The Verizon DBIR 2026 is an asset intelligence story
If you read the 2026 DBIR with the CVE filter off, every section is telling a version of the same story. Defenders can't act on what they can't see, and what they can't see has expanded faster than scanners can keep up. Privilege escalation, third-party cloud posture, shadow AI, EOL devices repurposed as attacker relays, identities accumulating permissions no one reviews — these are the same asset intelligence gap viewed from different angles.

This is the part where vendors usually start shouting about platforms. I'll skip the shouting. The real art is reconciling what every tool in your stack already sees into one model that's trustworthy enough to act on: scanner findings, identity posture, configuration drift, software lifecycle, sanctioned-versus-shadow AI usage, all sitting next to the assets they touch and the owners accountable for them. That's what asset intelligence does.
This thesis is immediately recognizable to us at Axonius. Aggregation alone doesn't fix the exposure problem. Pulling data from dozens of tools is the starting point, not the destination. What turns aggregation into asset intelligence is the reconciliation layer above it: the part that sorts out which source to trust when two tools disagree about the same asset, and catches when something drifts from the state everyone assumed it was in.
Without that layer, every program downstream — exposure management, identity governance, CMDB hygiene, third-party risk — inherits the same incomplete picture.
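To make the reconciliation idea concrete, here is an added example (not Axonius code, not from the DBIR) that merges partial views of the same asset from several tools using a per-field trust order, then runs two non-CVE exposure checks the report describes: an admin account with MFA disabled, and end-of-life software on a host still reachable from the internet. The source names, trust order and asset records are all constructed for the illustration.

```python
"""Toy asset reconciliation: merge per-source views of an asset by a
fixed per-field trust order, then flag exposures that carry no CVE."""
from collections import defaultdict

# Constructed sample records: each tool reports only what it can see.
RECORDS = [
    {"source": "cloud_iam", "asset": "prod-bastion",
     "admin": True, "mfa_enabled": False},
    {"source": "vuln_scanner", "asset": "prod-bastion",
     "internet_facing": True, "os": "Windows Server 2012"},
    {"source": "endpoint_agent", "asset": "prod-bastion",
     "os": "Windows Server 2012 R2"},
    {"source": "endpoint_agent", "asset": "laptop-0142", "os": "Windows 11"},
    {"source": "cloud_iam", "asset": "laptop-0142",
     "admin": False, "mfa_enabled": True},
]

# Assumed trust order per field: which source wins when tools disagree.
TRUST = {
    "os": ["endpoint_agent", "vuln_scanner"],
    "admin": ["cloud_iam"],
    "mfa_enabled": ["cloud_iam"],
    "internet_facing": ["vuln_scanner", "cloud_iam"],
}
# Constructed EOL list for the example; a real program would source this.
EOL_OS = {"Windows Server 2012", "Windows Server 2012 R2"}


def pick(views, field):
    """Value of `field` from the most trusted source that reports it."""
    for src in TRUST[field]:
        for view in views:
            if view["source"] == src and field in view:
                return view[field]
    return None  # no source covers this field: a visibility gap, not "safe"


def reconcile(records):
    """Return {asset: {field: value}} with conflicts resolved by TRUST."""
    by_asset = defaultdict(list)
    for rec in records:
        by_asset[rec["asset"]].append(rec)
    return {asset: {f: pick(views, f) for f in TRUST}
            for asset, views in by_asset.items()}


def exposures(merged):
    """Exposure checks that need no vulnerability identifier at all."""
    findings = []
    for asset, f in merged.items():
        if f["admin"] and f["mfa_enabled"] is False:
            findings.append((asset, "admin account without MFA"))
        if f["os"] in EOL_OS and f["internet_facing"]:
            findings.append((asset, "EOL OS reachable from the internet"))
    return findings
```

Note that `pick` returns `None` when no source covers a field; treating that as a gap to close, rather than as a pass, is the point of the reconciliation layer.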
The cybersecurity foundations are mentioned explicitly in the 2026 DBIR’s intro: "clear visibility into assets and third parties, disciplined patch management, and well-practiced response plans." All three are asset intelligence outcomes.
Verizon's own closing line is refinement, not revolution. The fundamentals still win in the AI era, exactly the way they did before it. The catch is that "the fundamentals" now include a lot more than the CVE list. They include every asset type across devices, SaaS, IoT/OT, and cloud that your inventory wasn’t built to know existed, and every real exposure your scanners weren't built to discover.
The 2026 DBIR is 121 pages of evidence that the exposure surface is wider than the CVE catalog. Asset intelligence is how you act on that fact instead of waiting for next year's report to remind you.