
I’ve been writing about cybersecurity for years, and every time Verizon drops its annual Data Breach Investigations Report, I sit up and pay attention. This year’s report, released yesterday, contains a finding that should make every business owner in Australia stop what they’re doing and listen.
For the first time in the report’s 19-year history, software vulnerabilities have overtaken stolen credentials as the number one way attackers get into your systems. And AI is the reason why.
The Numbers That Should Scare You
The 2026 DBIR analyzed over 31,000 security incidents and 22,000 confirmed breaches across 145 countries. The headline finding: vulnerability exploitation was the initial attack method in 31% of all breaches. That’s a massive shift. For nearly two decades, stolen passwords and credentials were the top way in. Not anymore.
Here’s why. AI has compressed the time between discovering a vulnerability and weaponizing it from months to just hours. What used to require a team of skilled researchers now takes a single attacker with a large language model and a few spare hours. The economics have fundamentally changed.
As Trey Ford from Bugcrowd put it: “The DBIR’s 19-year credential streak ending is not primarily a credential story. It is an economics story. AI is making vulnerability discovery and weaponization so fast and cheap that attackers no longer need a stolen password.”
Shadow AI: Your Biggest Internal Threat
But here’s the part that really got me. The report found that employee use of unapproved AI tools tripled in just one year, from 15% to 45% of the workforce. That means nearly half your staff are uploading company data, source code, and confidential information to external AI models you don’t control.
This isn’t a hypothetical risk. This is happening right now, in your organisation, whether you know it or not. Every time someone pastes a client email into ChatGPT, or uploads a spreadsheet to an AI tool without IT approval, they’re creating a data exposure risk that traditional security tools can’t see.
The report calls this “shadow AI”, and experts describe it as a massive internal coverage gap that most enterprises remain completely blind to.
The Patching Problem Is Getting Worse
The volume of vulnerabilities is exploding. Security researchers found 48,000+ vulnerabilities last year, an 18% increase. The dataset grew from 68.7 million records in 2022 to 527.3 million in 2025. That’s an eightfold increase in just three years.
And organisations are falling further behind. Only 26% of critical vulnerabilities were fully remediated in 2025, down from 38% the year before. The average time to patch critical vulnerabilities increased to 43 days, up from 32. Even the best-performing organisations can only patch 30-40% of critical vulnerabilities in the first week.
What You Should Do Right Now
Here’s my practical advice, based on what the report recommends:
First, audit your shadow AI usage. You need to know what AI tools your team is using. Run a network audit, check browser histories, and have the conversation with your staff. This isn’t about banning AI, it’s about understanding your exposure.
Second, prioritise patching based on active exploitation, not severity scores alone. The report shows that the probability of exploitation drops after 30 days, 90 days, and about 9 months. If something is being actively exploited in the wild, patch it today, regardless of what CVSS score it has.
Third, invest in automated vulnerability management. The human bottleneck is real. You need tools that can detect, contextualise, prioritise, and remediate without waiting for a human to approve every step. As one expert put it, the defenders who close the gap will be the ones who use AI agentially, not as a co-pilot, but as autonomous workflows.
Fourth, review your supply chain. Supply chain attacks surged 60%, with vendor vulnerabilities now accounting for 48% of all breaches. Every third-party tool, every SaaS platform, every cloud service is a potential entry point.
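To make the second piece of advice concrete, here is an added example (my own illustration, not code from the DBIR or from any vendor) that ranks a constructed vulnerability inventory by active exploitation first, then by the 30-day, 90-day and roughly 9-month windows the report describes, and only then by CVSS score. The CVE identifiers are placeholders and the age weights are assumptions, not figures from the report.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str                    # placeholder id, constructed for this example
    cvss: float
    days_since_disclosure: int
    actively_exploited: bool    # e.g. confirmed exploitation in the wild

def age_weight(days: int) -> float:
    """Exploitation likelihood falls after 30 days, 90 days and ~9 months
    (the report's windows); the weights themselves are assumed."""
    if days <= 30:
        return 1.0
    if days <= 90:
        return 0.6
    if days <= 270:
        return 0.3
    return 0.1

def priority(v: Vuln) -> tuple:
    """Sort key: anything actively exploited sorts first, whatever its CVSS."""
    if v.actively_exploited:
        return (0, -v.cvss)
    return (1, -(v.cvss * age_weight(v.days_since_disclosure)))

def triage(inventory: list[Vuln]) -> list[tuple[str, str]]:
    """Return (cve, action) pairs in the order they should be patched."""
    out = []
    for v in sorted(inventory, key=priority):
        if v.actively_exploited:
            action = "patch today"
        elif v.cvss >= 9.0 and v.days_since_disclosure <= 30:
            action = "patch this week"
        else:
            action = "scheduled"
        out.append((v.cve, action))
    return out

INVENTORY = [  # constructed sample data
    Vuln("CVE-0000-0001", 9.8, 200, False),   # critical but 200 days old
    Vuln("CVE-0000-0002", 7.2, 5, True),      # moderate CVSS, exploited now
    Vuln("CVE-0000-0003", 9.1, 12, False),    # critical and fresh
    Vuln("CVE-0000-0004", 5.3, 400, False),   # old and moderate
]

if __name__ == "__main__":
    for cve, action in triage(INVENTORY):
        print(cve, action)
```

Note that the 7.2-rated, actively exploited item lands at the top of the queue ahead of the 9.8-rated one, which is the whole point of the advice.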
The Bigger Picture
What strikes me about this report is how it confirms what I’ve been saying for months. AI is a double-edged sword. It’s making us more productive, but it’s also making attackers faster, cheaper, and more effective. The organisations that will survive are the ones that stop treating cybersecurity as an IT problem and start treating it as a business survival issue.
The 48% ransomware figure is also worth noting. Nearly half of all breaches now involve some form of ransomware action, up from 44% the prior year. And 50% of ransomware breach victims showed signs of an infostealer event within 95 days of intrusion. The attack chain is getting longer and more sophisticated.
The cybersecurity landscape has fundamentally shifted. AI hasn’t just changed the tools attackers use, it’s changed the economics of attack. When vulnerability exploitation becomes cheaper and faster than stealing credentials, every unpatched system becomes a sitting duck. The question isn’t whether you’ll be targeted, it’s whether you’ll be ready.
