Every time I think I have seen it all, something new emerges. For years, hackers made money the easy way: steal a password, replay it somewhere else, walk straight into a system. That era is over. The 2026 Verizon Data Breach Investigations Report shows attackers now prefer exploiting unpatched software over everything else.
They reviewed more than 31,000 incidents, and 31 per cent of breaches began with attackers exploiting a known software flaw. That puts vulnerability exploitation ahead of stolen credentials for the first time on record. The report’s verdict is blunt: AI is fundamentally reshaping cybersecurity.
This matters to anyone running a business or handling customer data. AI is shrinking the gap between a vulnerability going public and it being weaponised from months to hours. Criminal groups and nation-state actors now use generative AI to pick targets, write custom malware, and turn research into attacks at machine speed. The barrier to entry hasn’t just dropped; it has collapsed.
The CrowdStrike data quoted in the report only confirms the trend: AI-assisted cyber attacks rose 89 per cent year-on-year in 2025. Less sophisticated actors suddenly punch above their weight because AI does the intelligence gathering, language translation, and tool building that used to require a specialist crew.
The insider angle is just as worrying. Verizon now cites unauthorised AI use as the third most common non-malicious insider action leading to data loss. Employees are routinely pasting source code, customer lists, and commercially sensitive documents into consumer AI tools that keep, analyse, and sometimes leak that data. Shadow AI is no longer a buzzword. It is an active data loss pathway, and most businesses have no idea it is happening.
Here is what you can do today:
- Cut patch delays to hours, not weeks. Enable automatic updates on every system you control.
- Audit AI access. Know which tools your staff use and whether sensitive data is leaving your environment.
- Require multi-factor authentication everywhere. It is still one of the few controls that works against both credential theft and AI-enhanced social engineering.
- Upgrade logging and alerting. Assume breaches will happen. Detect them faster by knowing what normal looks like.
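As an added illustration of the "audit AI access" step (example code, not from the report or the article): a small script that reads a constructed proxy access log, inventories which AI tool hostnames each user reaches, and flags users whose uploads to those hosts exceed a byte threshold. The log format, the placeholder hostnames and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a proxy access log: timestamp, user, method, destination host, bytes uploaded.
# The hostnames are placeholders standing in for consumer AI tools; substitute your own list.
SAMPLE_LOG = """\
2026-06-02T09:14:02Z alice POST chat.ai-tool.example 1843200
2026-06-02T09:15:11Z alice GET intranet.corp.example 512
2026-06-02T09:20:45Z bob GET chat.ai-tool.example 2048
2026-06-02T09:31:07Z carol POST assistant.other-ai.example 96000
2026-06-02T09:32:30Z carol POST assistant.other-ai.example 120000
2026-06-02T09:40:00Z dave POST mail.corp.example 4096
"""

# Assumed watch list of consumer AI hostnames (hypothetical placeholders).
AI_HOSTS = {"chat.ai-tool.example", "assistant.other-ai.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, user, method, host, bytes_out) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, method, host, size = m.groups()
            yield ts, user, method, host, int(size)


def audit_ai_uploads(text, ai_hosts=AI_HOSTS, threshold_bytes=100_000):
    """Return (flagged, inventory).

    inventory maps each user to the sorted AI hosts they contacted at all (the "know which
    tools your staff use" part); flagged maps users whose POST/PUT bytes to AI hosts reached
    the threshold to their total (the "is sensitive data leaving" part).
    """
    uploads = defaultdict(int)
    seen = defaultdict(set)
    for _ts, user, method, host, size in parse_log(text):
        if host not in ai_hosts:
            continue
        seen[user].add(host)
        if method in ("POST", "PUT"):
            uploads[user] += size
    flagged = {u: b for u, b in uploads.items() if b >= threshold_bytes}
    return flagged, {u: sorted(h) for u, h in seen.items()}


if __name__ == "__main__":
    flagged, inventory = audit_ai_uploads(SAMPLE_LOG)
    for user, hosts in inventory.items():
        print(f"{user}: uses {', '.join(hosts)}")
    for user, total in flagged.items():
        print(f"ALERT {user} uploaded {total} bytes to AI tools (threshold exceeded)")
```

A real deployment would feed the same logic from the proxy or CASB export rather than an inline string, and would tune the threshold per role.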
Regulators are already moving. In early June, the White House issued an executive order asking CISA, the Treasury, and the National Security Agency to strengthen defences against advanced AI threats and develop voluntary benchmarks for frontier AI models. Financial regulators are separately pushing tighter controls over agentic AI in banking and payments. Privacy rules are following opinion, not leading it.
The uncomfortable truth is that AI is a threat multiplier, not just a business convenience. Hackers who adopt it first will outpace defenders who do not. The time to close that gap is before the breach notification letter arrives.
“We need to fight AI with AI. We need to incorporate them into our practices. We need to bring them into our software development life cycle, in our testing processes, in our cyber defense processes at a scale that we have never done before.” — Nasrin Rezai, Verizon CISO
