PP113: Patch Gaps, Pretexting, and AI Use for Crimes and Crimefighting: 2026 Verizon DBIR Highlights
Hosts Jennifer Jabush and Drew Connery-Murray discuss highlights from the 2026 Verizon Data Breach Investigations Report, covering shifts in attack vectors, ransomware trends, third-party risk, and AI's role in both cybercrime and enterprise security. The report is based on 31,000 incidents and over 22,000 confirmed breaches across 145 countries from November 2024 to October 2025. Key findings include vulnerability exploitation surpassing credential abuse as the top initial access vector, and 60% of breaches now involving third-party relationships.
Summary
The episode opens with a brief listener shoutout about the book 'Krakatoa' by Simon Winchester before transitioning to the main topic: the 2026 Verizon Data Breach Investigations Report (DBIR), now in its 19th year. The hosts note the report covers incidents from November 2024 through October 2025, a distinction they flag as relevant given subsequent AI developments like 'Mythos.'
The most significant shift in this year's report is that vulnerability exploitation has overtaken credential abuse as the number one initial access vector, now accounting for 31% of incidents, more than double the prior year. The hosts attribute this to the growing volume of unpatched vulnerabilities, particularly in internet-facing systems such as VPN appliances, firewalls, and exposed RDP. They note that only 26% of critical vulnerabilities from the CISA Known Exploited Vulnerabilities (KEV) catalog were fully remediated in 2025, down from 38% the prior year, with median resolution time rising from 32 to 43 days. The hosts emphasize that partial remediation (58% of vulnerabilities) covers a wide range of outcomes, from a workaround on some hosts to a fix on all but one, and should not be equated with full resolution.
Ransomware remains pervasive, appearing in 48% of all breaches. However, fewer victims are paying ransoms: 69% did not pay, and median payouts dropped to just under $140,000, down roughly 6.75%. The hosts speculate on reasons for declining payments, including legal deterrents in some jurisdictions, improved disaster recovery practices, and distrust that ransomware actors will honor agreements. They note that publicly available data on ransom payments may undercount instances, since privately held companies are not required to disclose.
Third-party involvement in breaches rose sharply from 48% to 60%. The hosts flag this as a major concern because most third-party risk management programs rely on self-reported questionnaires rather than independent audits and so provide little real assurance. They reference CMMC and PCI DSS as examples of more rigorous third-party validation frameworks, while noting that these are neither cheap nor universally applicable.
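To make the KEV remediation numbers above concrete, here is an added example (not code from the podcast, the DBIR, or CISA) that scores an organization's own patch inventory against a KEV-shaped feed the way the report frames it: fully remediated, partially remediated, or open, plus median days-to-remediate and the overdue list. It also computes the inflated "done" rate you get if workarounds are counted as fixes, which is the partial-versus-full distinction the hosts warn about. The feed excerpt and the inventory rows are constructed placeholders; the KEV field names (cveID, dateAdded, dueDate) are assumed to match the public feed's schema, and the inventory status vocabulary is an assumption of this example.

```python
import json
import statistics
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (schema assumed from the
# public feed; the CVE IDs, vendors, products and dates are placeholders, not real entries).
KEV_FEED_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVPN", "product": "Gateway",
   "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2025-00002", "vendorProject": "ExampleFW", "product": "Firewall",
   "dateAdded": "2025-03-05", "dueDate": "2025-03-26", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-00003", "vendorProject": "ExampleRDP", "product": "Broker",
   "dateAdded": "2025-04-01", "dueDate": "2025-04-22", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-00004", "vendorProject": "ExampleVPN", "product": "Client",
   "dateAdded": "2025-05-02", "dueDate": "2025-05-23", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2025-00005", "vendorProject": "ExampleMail", "product": "Server",
   "dateAdded": "2025-06-15", "dueDate": "2025-07-06", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-00006", "vendorProject": "ExampleFW", "product": "Manager",
   "dateAdded": "2025-07-01", "dueDate": "2025-07-22", "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed patch inventory, one row per (asset, CVE, status, patched_on).
# Status vocabulary is an assumption of this example: "patched" = vendor fix applied,
# "mitigated" = workaround or compensating control only, "open" = nothing done.
INVENTORY = [
    ("vpn-01", "CVE-2025-00001", "patched",   "2025-02-01"),
    ("vpn-02", "CVE-2025-00001", "patched",   "2025-02-20"),
    ("fw-01",  "CVE-2025-00002", "patched",   "2025-03-15"),
    ("fw-02",  "CVE-2025-00002", "mitigated", None),
    ("fw-03",  "CVE-2025-00002", "open",      None),
    ("rdp-01", "CVE-2025-00003", "patched",   "2025-04-10"),
    ("lap-01", "CVE-2025-00004", "mitigated", None),
    ("lap-02", "CVE-2025-00004", "mitigated", None),
    ("mx-01",  "CVE-2025-00005", "open",      None),
    ("fwm-01", "CVE-2025-00006", "patched",   "2025-09-15"),
    ("web-01", "CVE-2025-99999", "open",      None),  # not in KEV: excluded from KEV metrics
]


def load_kev(feed_json):
    """Map cveID -> (dateAdded, dueDate) from a KEV-shaped feed."""
    feed = json.loads(feed_json)
    return {v["cveID"]: (date.fromisoformat(v["dateAdded"]), date.fromisoformat(v["dueDate"]))
            for v in feed["vulnerabilities"]}


def kev_remediation_report(kev, inventory, as_of):
    """Classify every KEV CVE present in the inventory.

    full    = every affected asset has the vendor fix applied
    partial = something was done somewhere, but not every asset is patched
    open    = nothing done on any affected asset
    Days-to-remediate is measured from KEV dateAdded to the last patch date
    (an assumption; measure from first-seen-in-environment if you track that).
    """
    by_cve = {}
    for _asset, cve, status, patched_on in inventory:
        if cve in kev:  # ignore CVEs the KEV catalog does not list
            by_cve.setdefault(cve, []).append((status, patched_on))

    buckets = {"full": [], "partial": [], "open": []}
    days_to_fix, naive_done, overdue = [], [], []
    for cve, rows in by_cve.items():
        statuses = {s for s, _ in rows}
        if statuses == {"patched"}:
            bucket = "full"
            last_patch = max(date.fromisoformat(d) for _, d in rows)
            days_to_fix.append((last_patch - kev[cve][0]).days)
        elif statuses == {"open"}:
            bucket = "open"
        else:
            bucket = "partial"
        buckets[bucket].append(cve)
        if "open" not in statuses:      # the inflated view: workarounds counted as done
            naive_done.append(cve)
        if bucket != "full" and kev[cve][1] < as_of:
            overdue.append(cve)

    n = len(by_cve)
    return {
        "tracked": n,
        "full_rate": len(buckets["full"]) / n,
        "partial_rate": len(buckets["partial"]) / n,
        "open_rate": len(buckets["open"]) / n,
        "naive_done_rate": len(naive_done) / n,
        "median_days_to_fix": statistics.median(days_to_fix) if days_to_fix else None,
        "overdue": sorted(overdue),
        "buckets": buckets,
    }


def run_sample(as_of="2025-10-31"):
    """Run the report over the constructed feed and inventory."""
    return kev_remediation_report(load_kev(KEV_FEED_JSON), INVENTORY, date.fromisoformat(as_of))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed data the strict full-remediation rate is 50% while the naive rate, which treats two hosts on a workaround as done, is about 67%; the gap between those two numbers is exactly what the hosts mean when they say partial remediation should not be read as resolution. Three of the six tracked CVEs are past their KEV due date, and the median time to fully fix the rest is 41 days, in the same range as the report's 43-day median.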
Pretexting — a social engineering technique involving real-time, synchronous interaction (phone calls, live chats, texts) to manipulate victims — has been added as a distinct initial access vector in this year's report. The hosts note it is harder for users to detect than traditional phishing, with mobile-centric attack success rates 40% higher than email. They suggest organizations update security awareness training to address pretexting specifically.
On threat actor demographics, 88% are external, with 87% of those being criminal gangs and 15% state-affiliated. Of the 12% who are insiders, 75% acted inadvertently through misconfiguration or mistakes rather than malicious intent. The report notes black market prices for user credentials: approximately $700 for a regular account and $1,300 for an admin account. The hosts also highlight a buried finding that 1 in 500 employees accessed high-risk compromising material on enterprise devices, making them more susceptible to coercion or blackmail.
The AI section, developed in partnership with Anthropic, analyzed interactions on Anthropic's own tools that violated acceptable use policies. Findings show threat actors are primarily using AI to scale and automate existing attack techniques rather than discover novel ones, with less than 5% of observed malicious queries involving truly novel tactics. The analysis was mapped against the MITRE ATT&CK framework. On the defensive/enterprise side, 67% of employees are using non-corporate AI accounts on corporate devices, creating significant data leakage risks. Source code accounted for 28% of data leaked through shadow AI. The hosts also flag AI-enabled browser extensions as a significant and underappreciated risk vector.
The episode wraps with brief mentions of additional report sections: memory safety issues accounting for 89% of vulnerability root causes, DDoS attacks increasing 200% over prior years, VPNs representing 44% of initial access broker entry points, and industry-specific breakdowns for healthcare, financial services, and retail.
Key Insights
- The report finds that vulnerability exploitation now accounts for 31% of initial access incidents, more than doubling year-over-year and overtaking credential abuse for the first time, driven largely by unpatched internet-facing devices like VPNs and firewalls.
- Only 26% of critical vulnerabilities from the CISA KEV catalog were fully remediated in 2025, down from 38% the prior year, with median resolution time growing from 32 to 43 days, even though the KEV catalog is a small, high-priority subset of all CVEs.
- Anthropic's analysis of its own policy-violating interactions, mapped to the MITRE ATT&CK framework, found that malicious actors primarily use AI to automate and scale existing attack techniques rather than discover novel ones, with fewer than 5% of queries involving truly novel tactics.
- The report found that 67% of employees are using non-corporate AI accounts on corporate devices, leaking sensitive data including source code (28% of leaked content), structured data, and intellectual property into non-enterprise AI environments.
- Third-party involvement in breaches rose from 48% to 60% year-over-year, yet most enterprise third-party risk programs rely on self-reported questionnaires, which the hosts argue provide little assurance compared to independent audits.
- The report identifies that 1 in 500 employees accessed high-risk or compromising material (e.g., explicit content, extremism) on enterprise devices, and argues these individuals are significantly more susceptible to coercion or blackmail by threat actors.
- Pretexting — synchronous, real-time social engineering via phone, text, or live chat — has been added as a distinct attack vector, with mobile-centric attack success rates 40% higher than email-based phishing, reflecting a meaningful shift from asynchronous phishing.
- VPNs represent 44% of entry points used by initial access brokers, and 89% of vulnerability root causes are still tied to memory safety and memory handling issues, suggesting foundational software development practices remain a persistent systemic failure.