
Insights and Analysis from Enzoic

Spring is in the air[1], and as usual that signals the arrival of the latest Verizon Data Breach Investigations Report. Over 31,000 security incidents are analyzed in this year’s installment, which absolutely clobbers last year’s record of 22,052. Anyone trying to get a grasp on the vast and shape-shifting cyber threat landscape knows how difficult it is to find truly comprehensive reporting, and this scale of collaborative data sourcing means the DBIR remains unquestionably the leader in both quantity and quality of data breach incident analysis.

This year’s theme is “the only constant is change”, attributed to the Greek philosopher Heraclitus. Most cybersecurity practitioners are probably nodding sagely at this description of the environment we find ourselves in each day. However, the report as a whole describes an interesting tension in the threat landscape between the state of constant change and the existence of seemingly immutable cybersecurity foundations, a balance that gets to the heart of understanding and confronting modern cybersecurity challenges. We’ll revisit this duality as we discuss the report, hopefully arriving at a tractable and practical view of how we can use this critical information meaningfully to help secure our computer systems from the prowling threats like ransomware and identity theft.

Once again, Enzoic is proud to be a contributor to the report, having provided data on password complexity and compromise rates.

A quick note: all following in-text citations and graphics/figures are from the 2026 DBIR unless otherwise stated.

Between a Rock and Vulnerable Place

Let’s start by looking at one of the most prominent year-on-year changes. Exploitation of vulnerabilities as an initial access vector took another giant percentage leap, similar to the one we saw between 2023 and 2024:

[Figure: DBIR 2026 Picture1]

‘Exploitation of vulnerabilities’ (as opposed to credential abuse) refers to malicious actions that leverage a flaw in source code to cause unintended behavior, such as execution of unauthorized code, privilege escalation, data theft, or installation of ransomware. One recent example is the react2shell vulnerability in the popular website frontend library React, which allowed threat actors to execute code on a webserver running the vulnerable version. These types of weaknesses in code are a major way that hackers gain access to a system or network; they are now the observed starting point for over 30% of the reported attacks. Certainly some annual fluctuation is expected, but this multi-year upward trend is impossible to ignore, and sends us hunting for any causes we might be able to understand and mitigate.

The DBIR dives into a fascinating analysis of vulnerability management that reveals the challenge organizations are facing to keep up with remediation. Across the sample of over 13,000 organizations and hundreds of common vulnerabilities and exposures (known as CVEs), “the results are worse than last year. Only 26% of the CISA KEV vulnerabilities had been fully remediated, a considerable drop from last year’s 38%” (pg 17)[2]. Further analysis shows that the median time for a vulnerability to be patched after detection has also increased, from 32 days to 43 days. This naturally raises the question ‘why are organizations getting worse?’ Another data point holds the answer: “The median number of KEV vulnerabilities that had to be patched by organizations has risen in 2025 to 16, where this figure was 11 in 2024. That is almost 50% more KEV vulnerabilities to patch in a year” (pg 17). Patching and updates are not to be taken lightly, either; we all remember the chaos of the CrowdStrike patching issues from 2024. This is a really mammoth task that security and sysadmin/IT teams face. Organizations would be well served to note the gravity here. This points to severely overstretched and overtaxed resources, which is not a trivial, cheap, or quick problem to fix. Adequately resourced and staffed cybersecurity teams are a central component of resiliency and adaptability for an organization.

Now, we must be careful to not fall into the classic statistical trap of equating correlation and causation. It’s certainly not unreasonable to imagine that threat actors are able to exploit more vulnerabilities if the total issues requiring remediation have increased significantly, and the time to remediation has increased, but the data does not prove that causally. There could be other factors at play that we must consider as well, and more questions to raise. Why is the number of vulnerabilities increasing in the first place? Has something changed in threat actors’ ability or capacity to exploit vulnerabilities?

Certainly the amount of available attack surfaces continues to grow as services move online, and as the global population continues to grow and internet access increases. There’s another potential factor as well: ChatGPT was released in Nov 2022, ushering in an era of widespread awareness of “AI” and access to large language models (LLMs), providing both good and bad actors alike with powerful new tools. Are we seeing latent effects of this on the threat landscape? These questions provide a good segue to our next section…

The Generative Artificial Elephant in the (Virtual) Room

Given the usual haze of alarmism and hyperbole that envelops most discussions of AI, it’s a relief to get some solid data on how widespread access to LLMs is affecting cybersecurity. The DBIR puts the central question clearly: “A key question in understanding AI-enabled cyberthreats is whether attackers are using LLMs to execute well-documented techniques more efficiently, or to pursue techniques that are rarely seen in practice (pg 27).”

Understanding this difference is integral to developing an effective security posture and allocating resources appropriately, and brings us back to our earlier discussion of change and stasis. Is AI fundamentally changing the threat landscape, or is it just making the same-old challenges even more critical? (Or both?) This year, the DBIR includes data directly from Anthropic[3], which provides some evidence supporting the notion that AI is primarily being used to perpetrate already popular and common attacks, increasing reach and speed instead of variety and novelty.

“AI’s primary impact is currently operational: automating and scaling techniques defenders already know how to detect, not yet unlocking these novel or rare attack surfaces—which means defensive postures don’t need to be reinvented today, but they do need to keep pace with faster, more adaptive execution.” – DBIR pg 28

[Figure: DBIR 2026 Picture2]

Looking at the data on initial access vectors (Figure 27, on the left), we see confirmed what many have suspected: the most common use of AI is in phishing. This makes sense partly because of the nature of large language models: phishing is a language-driven enterprise, so these tools are highly effective in that sphere. “Exploit” coming in at 32% of use cases is particularly concerning, though, in that it confirms the capability of LLMs to meaningfully assist in coding and attack chain development. While “the most common uses are well-trodden paths” (pg 27), we should keep a very close eye on this as models’ abilities increase quickly, and given the already tenuous grasp on vulnerability management we discussed in the previous section.

Interestingly, we see “Credential abuse” on the scales with a solid 22%. It’s not completely clear what this refers to vis-a-vis the data from Anthropic; is AI being used to guess credentials, or to automate attacks like credential stuffing or password spraying? It may not occupy the top spot, but this is one to watch with regard to how LLMs may be applied. Enzoic, among others, is conducting research in this field; stay tuned for updates and publications as we move into this summer.

One of the most interesting risks of AI identified in the DBIR is that of the exploitation of old vulnerabilities. Modelling by the DBIR team on page 20 shows how the risk that a vulnerability will be exploited decreases with time, likely due to threat actor bandwidth: it’s just not possible to exploit all the vulnerabilities all the time. “This model behavior does align with the understanding that threat actors have to develop exploits and maintain infrastructure scanning for vulnerabilities, and there are only so many of those that can be done at the same time. However, this is a base assumption that the promise of increased automation of vulnerability discovery and exploit development from GenAI tooling could upend (pg 20).”

This is a serious dose of reality. While we tend to imagine AI-related exploits as being novel or complex and advanced, the truth is that they may not need to be. Many vulnerabilities remain unpatched, as shown on pages 19 and 20, due to the fact that they become less likely to be exploited as they age. This has been a sort of saving grace for vulnerability management: at least we can prioritize the newest, and focus on keeping up instead of catching up. If AI tooling allows the rapid expansion of attack infrastructure to include all of these old flaws, the consequences could be absolutely harrowing, especially given the already under-resourced state of vulnerability management. We, as an industry, need to seriously consider the potential ramifications of this, and soon.

Yes, I’ll Have the Stuffed Credentials Please

It wouldn’t be a real Enzoic publication if we didn’t take a dive into the deep end of credential compromise. This falls mostly into the “unchanged” category, as we can see in the data below. Year after year, credentials remain a huge problem. Proportionally, “credential abuse” did fall relative to “exploitation of vulnerabilities” this year, down to 13% from 22% last year, although there is a caveat: this year, ‘pretexting’ was calculated as a separate category from ‘credential abuse’, whereas it was previously included in the same (the report indicates that if it were included this year, the percentage would be 16%). There was also an absolute increase in the number of credential abuse incidents included, possibly due to the increased sample size: this year saw about 3,100 (including pretexting) compared to roughly 2,200 last year.[4]

[Figure: DBIR 2026 Picture3]

It’s getting pretty tough to discuss the security ramifications of credential compromise without committing serious equine cadaver desecration. Last year, we went into detail on stolen credentials’ role as an initial access vector, their role in attack chains, the enormous infostealer problem, and the possible connections to ransomware. Reviewing this year’s data, it looks like we wouldn’t be amiss just copy-pasting the entire section in from last year’s DBIR summary, which feels rather bleak. We have to take heart from this year’s percentage decrease in credential abuse, and hope that it’s an indicator of improved security postures in this area. We’d love to see this number get down to zero: threat actors go for the path of least resistance, and if we can make credential compromise useless to them, well, that’s the goal.

We see “use of stolen creds” remains the top action in Basic Web Application Attacks (as usual). Most web applications (email, social media, games, banking, Netflix) use a publicly accessible login page, which is the main target in this type of attack. Threat actors obtain stolen credentials, frequently including a URL indicating where they are valid[5], and use them to log in and take over the account. This is a serious source of fraud in its own right, but can be devastating when the accounts confer access to networks or provide opportunities for lateral movement and further compromise, often leading to serious crimes like data theft or ransomware deployment. There are few more direct arguments for having good password hygiene (i.e. using a strong, unique password, monitoring against a blacklist of compromised passwords, etc) than for defense against credential stuffing and password spraying.

[Figure: DBIR 2026 Picture4]

“The analysis found that 27% of ransomware victims had no associated infostealer or credential leak occur within the year. But of the organizations that did, 50% of those ransomware victims had a credential or infostealer event occur within 95 days prior to falling victim to a ransomware attack” (pg 44).

Things get a bit dicier as we dig into system intrusion. Techniques like Kerberoasting or password dumping may require hash cracking, for which the best defense is good password practices as well. Unfortunately, data from scanned Active Directory accounts indicates that “users are more than four times more likely to use an already compromised password than a “weak” password” (pg 70)[6], and that these percentages can be quite significant, as evidenced below. From an organizational perspective, it only takes one susceptible account to allow a threat actor access.

[Figure: DBIR 2026 Picture5]
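The two paragraphs above make the same point from different angles: a password that satisfies a complexity policy is not necessarily safe, because it may already be in exposed data. As an added example (not code from this post, from Enzoic, or from the DBIR), the following Python screens a password both ways, so that a policy-compliant but exposed password such as the constructed `Password123!` is still rejected; the exposed-password set and the policy thresholds are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed sample of previously exposed passwords (hypothetical data, not
# Enzoic's or the DBIR's). Only SHA-1 digests are kept, so the screening
# service never holds the plaintext list.
_EXPOSED_PLAINTEXTS = ["Password123!", "Welcome2024!", "Summer2025$", "qwerty"]
COMPROMISED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _EXPOSED_PLAINTEXTS
}

# Assumed Active Directory-style complexity policy: minimum length plus
# three of four character classes. Passing it says nothing about exposure.
MIN_LENGTH = 12
_CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
            re.compile(r"[0-9]"), re.compile(r"[^a-zA-Z0-9]")]


@dataclass(frozen=True)
class ScreenResult:
    weak: bool                 # fails the complexity policy ("weak" per footnote 6)
    compromised: bool          # appears in previously exposed data
    reasons: tuple[str, ...]   # human-readable rejection reasons, in order


def is_weak(password: str) -> bool:
    """True when the password does not meet the complexity policy."""
    classes_hit = sum(1 for c in _CLASSES if c.search(password))
    return len(password) < MIN_LENGTH or classes_hit < 3


def is_compromised(password: str) -> bool:
    """True when the password's SHA-1 digest is in the exposed set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in COMPROMISED_HASHES


def screen_password(password: str) -> ScreenResult:
    """Run both checks; a password is rejected if either one fires."""
    weak, compromised = is_weak(password), is_compromised(password)
    reasons = []
    if weak:
        reasons.append("fails complexity policy")
    if compromised:
        reasons.append("found in exposed-password data")
    return ScreenResult(weak, compromised, tuple(reasons))


def acceptable(password: str) -> bool:
    result = screen_password(password)
    return not (result.weak or result.compromised)


def audit_accounts(accounts: dict[str, str]) -> dict[str, int]:
    """Count how many accounts fall into each category; an account can be
    both weak and compromised, which is why the two counts are independent."""
    counts = {"weak": 0, "compromised": 0, "ok": 0}
    for password in accounts.values():
        result = screen_password(password)
        counts["weak"] += result.weak
        counts["compromised"] += result.compromised
        counts["ok"] += acceptable(password)
    return counts
```

A complexity-only policy would accept `Password123!` outright; the audit view is what surfaces the "one susceptible account" problem the paragraph describes.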

If you only take one thing away from the discussion on compromised credentials, it should be this: “Credential abuse is pervasive across various attack paths and is a legitimate mitigation target chokepoint (pg 16).”

Outlook for Cybersecurity Teams and Researchers: Constant Vigilance

So, as security practitioners, how do we face constant change? The answer of “return to the foundations” may seem counter-intuitive (especially as we keep repeating this advice year after year), but more than ever, the data in the DBIR shows that it’s not just a good idea, it’s our only hope.[7] Strong credential security prevents a myriad of different attack types, and can stop attack chains in their tracks. Vulnerability management may face some severe tests in the future. Now is the time to strengthen teams, pay back remediation debt, and leverage automation where possible. Continuous education and development of cybersecurity habits in workforces remains lacking. We’ve probably all had to take a desultory anti-phishing online course, or click through a ‘quiz’ and some policies, but this is no substitute for a culture of security. Organizational leaders must demonstrate commitment to security practices, otherwise employees will always be torn between their work and security. In these days of AI-accelerated greed and obsession with short-term returns, this is unquestionably an uphill (and possibly Sisyphean) battle. As years of insufficient support start to come due, however, the financial consequences are becoming harder to ignore. Ransomware alone was estimated to have a financial impact of 57 billion in 2025.

Outlook for Organizations and Users: Having Your Cake and Securing It Too

Fortunately, there is a simple, easy, and inexpensive fix for all cybersecurity problems. Grab the nearest pair of scissors, snip whatever Ethernet or fiber line supplies your office with internet, and put your feet up for a well-deserved rest. That is, after firing all your employees to avoid insider threats and accidental data exposures. And canceling your cellphone service to avoid phishing and smishing and vishing.

Okay, obviously total withdrawal isn’t a viable option (as much as we may want to hurl our phones into the sun and never check email again[8]), but facing the increasing complexity of staying safe in the digital age requires real fortitude... and there’s the rub: cybersecurity doesn’t need to be complex, but there’s no denying that psychological and financial buy-in are unavoidable (which is of course what everyone dearly wants to avoid). We want it convenient, and we want it free, and we want it safe.[9] If we don’t prioritize secure practices, there is no free and easy solution.

The good news is, though, that there are many resources, both free and paid, to help us tackle these challenges. What it really takes is an interest and commitment from the user or organization: a willingness to deal with the cyber threat landscape as it actually exists, and not as we would like it to be.

We get it, it’s not something people want to deal with. It’s probably right up there with oil changes, dentist appointments, and cleaning the litterbox. Just like dental care, cybersecurity is built on good habits and preventative measures. Unfortunately, the dentist doesn’t send us a big check if we make it through a year with no cavities; no one wants cybersecurity costs on their balance sheets, or to walk into the C-suite to suggest expenditures for which there can be no concrete ROI. This collective aversion is ultimately very costly for everyone through rising cybercrime rates and insurance costs, and allows cybercriminals to thrive on low-hanging fruit.

Consequently, the first step to staying safe online is taking responsibility, and in doing so, reclaiming our agency in an ever-changing threat landscape. For ourselves, as individuals, and for leaders of organizations. Valuing cybersecurity is part of a culture of quality and care, and it starts where the responsibility begins.

How Do I Start Improving My Security?

If you’re asking this question, you already have. Without knowing the details of your particular situation and needs, it’s tough to make any specific suggestions. In general:

  1. Make sure all of your passwords are unique and strong.
  2. Enable MFA on all of your accounts that support it.
  3. Use anti-malware software on your personal computer.
  4. Educate yourself regularly about phishing techniques, scams, and other forms of social engineering.
  5. Lock your credit at all three major credit bureaus.

AUTHOR

Dylan Hudson

Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.

[1] Or it might just be the heat coming off a shiny new data center!
[2] The CISA KEV is the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog.
[3] Creators of the ‘Claude’ model.
[4] This is an estimate calculated from the total sample sizes and the percentages provided.
[5] Thanks to the massive popularity of infostealer malware, this information is often obtained at the same time as the credential. Otherwise, threat actors known as access brokers will perform credential stuffing using massive credential datasets, and identify which ones authenticate successfully. These are often then batched together and sold.
[6] A ‘weak’ password is one that does not conform to the organization’s complexity requirements (e.g. including a symbol, capital letter, etc). Compromised passwords have been found in previously exposed data. As people commonly re-use passwords (and choose the same passwords as others), hackers use lists of already-exposed passwords for credential attacks.
[7] Turns out Princess Leia was actually asking Obi-Wan for cybersecurity advice.
[8] And go live in an off-grid yurt somewhere in the woods. Or on the moon. Assuming all the cheap lunar real estate hasn’t been snapped up for data centers.
[9] Pick any two.