Something just happened in cybersecurity that should make every CISO in Australia sit up and pay attention. For the first time in the history of Verizon’s annual Data Breach Investigations Report, vulnerability exploitation has overtaken stolen credentials as the number one way attackers break into organisations.
And it’s not a small shift. The 2026 DBIR, released this week, reviewed over 31,000 incidents and found that 31% of all breaches now start with vulnerability exploitation. Stolen credentials, which held the top spot for years, have been pushed into second place. The reason? Artificial intelligence.
AI Is Shrinking Your Patching Window to Hours
Here’s what should really worry you. Verizon says AI is shortening the time it takes attackers to exploit known vulnerabilities, shrinking the window for defence from months to mere hours. That means the patch you deployed last Tuesday might already be too late. Attackers are using AI to scan for unpatched systems, identify the most valuable targets, and craft custom exploits at machine speed.
This isn’t theoretical. The report found that AI is being used at every stage of the attack chain, from initial reconnaissance to malware development. Threat actors are automating the boring parts of hacking, which means they can spend more time on the creative, damaging stuff.
Shadow AI Is Your Biggest Insider Threat
There’s a twist in this report that should terrify anyone running a business. Shadow AI, the use of unauthorised AI tools by employees, is now the third most common non-malicious insider action in data loss incidents.
Think about that for a second. Your marketing team is feeding customer data into unapproved AI tools. Your developers are pasting source code into free coding assistants. Your finance people are uploading spreadsheets to AI analysis tools. Every single one of those actions is a potential breach waiting to happen.
The Verizon report specifically calls out employees submitting source code and structured data via images and other formats. They don’t even realise they’re creating a vulnerability.
The Numbers Don’t Lie
Let’s put some hard numbers on this. CrowdStrike reported earlier in 2025 that AI-enabled adversaries increased their attacks by 89% year-over-year. Combine that with Verizon’s finding that AI is automating attack techniques at scale, and you’ve got a threat landscape that looks nothing like it did two years ago.
Verizon’s Chief Information Security Officer Nasrin Rezai put it bluntly: “We need to fight AI with AI. We need to incorporate them into our practices at a scale that we have never done before.” That’s not marketing speak. That’s a warning.
The Mythos Question
Here’s something the report doesn’t cover, but probably should. Verizon’s DBIR data doesn’t include the impact of Anthropic’s Mythos model, which has raised serious cybersecurity concerns due to its advanced coding and vulnerability-identification capabilities. Verizon is part of a controlled initiative called “Project Glasswing” that allows select organisations to use Mythos for defensive purposes. But the offensive capabilities are already out there.
What You Need to Do Right Now
Stop thinking about cybersecurity as a patching problem. It’s now an AI problem. Here’s where to start:
Audit your Shadow AI usage. You need to know exactly which AI tools your team is using, authorised or not. If you don’t have an AI governance policy, write one this week. Not next month. This week.
Cut your patching cycle to days, not weeks. If your mean time to patch is measured in weeks, you’re already behind. AI-powered attackers will find and exploit your unpatched systems before your next maintenance window.
Deploy AI-powered detection. If you’re still relying on signature-based detection, you’re bringing a knife to a gunfight. You need security tools that can recognise AI-generated attacks and respond in real time.
Train your people on AI risks. Your employees don’t know they’re creating vulnerabilities. Make sure they do. Regular training on what data can and cannot go into AI tools is non-negotiable.
The gap between attackers using AI and defenders using AI is widening. The organisations that survive the next twelve months will be the ones that stop treating AI security as a future problem and start treating it as today’s emergency.