For the first time in nineteen years of the Verizon Data Breach Investigations Report, exploiting software vulnerabilities has overtaken stealing credentials as the most common way attackers break in. The shift did not happen because defenders forgot how to manage passwords. It happened because AI made vulnerability exploitation faster, cheaper, and accessible to a far broader class of attackers than ever before.
The 2026 Verizon Data Breach Investigations Report, released on June 1, 2026, contains a result that took two decades to materialize. Vulnerability exploitation now accounts for 31 percent of all initial-access breaches studied, narrowly ahead of credential abuse at 13 percent. It is the first time in the 19-year history of the DBIR that exploits have ranked first (Cyber Readiness Institute, 2026; Swif.ai, 2026).
On its own, that statistic might describe a slow drift in attacker preference. Read alongside the other available evidence, it describes something faster and more consequential. CrowdStrike’s 2026 Global Threat Report finds that AI-enabled cyberattacks rose 89 percent year-over-year in 2025 (CrowdStrike, 2026). Google’s Threat Intelligence Group, in a May 11, 2026 report, identified the first known case of a threat actor deploying a zero-day exploit that GTIG analysts believe was developed with AI (Google Threat Intelligence Group, 2026). Anthropic’s own May 2026 disclosure of its Mythos Preview model documented an 80-fold improvement in autonomous exploit success against Firefox’s JavaScript shell over the previous generation, with 99 percent of the vulnerabilities the model discovered remaining unpatched at the time of disclosure (Project Glasswing disclosure, 2026).
The economic question is no longer whether AI is changing the offense-defense balance in cybersecurity. The question is which sectors of the economy are being hit hardest, what the actual cost is, and what risk-management responses survive contact with reality.
The Data: AI Is Compounding Every Category of Attack
The chart below summarizes year-over-year growth rates in major attack categories from the 2026 CrowdStrike and KELA reports, alongside the ransomware incident distribution across critical sectors.
Four numbers carry most of the weight.
The 89 percent annual increase in AI-enabled attacks is the headline figure. CrowdStrike attributes the growth to specific named threat actors: Russia-nexus FANCY BEAR deploying its LAMEHUG LLM-enabled malware to automate reconnaissance and document collection; cybercrime group PUNK SPIDER using AI-generated scripts to accelerate credential dumping and erase forensic evidence; and DPRK-nexus FAMOUS CHOLLIMA leveraging AI-generated personas to scale insider operations (CrowdStrike, 2026).
The 266 percent increase in state-nexus cloud-conscious intrusions is the most alarming category. China-nexus intrusions rose 38 percent overall in 2025, with logistics targeting up 85 percent. DPRK-linked incidents rose more than 130 percent. CrowdStrike named 24 new adversary groups in 2025, bringing the total tracked to 281 (CrowdStrike, 2026).
The 42 percent year-over-year increase in zero-day exploitation prior to public disclosure tells a different story about timing. Zero-days are vulnerabilities exploited before the vendor has issued a patch, which means the gap between attacker capability and defender awareness is widening, not narrowing. Sixty-seven percent of vulnerabilities exploited by China-nexus adversaries in 2025 delivered immediate system access. Forty percent of those exploited vulnerabilities targeted internet-facing edge devices such as VPNs, firewalls, and gateways, which typically lack comprehensive monitoring (CrowdStrike, 2026).
The 22-second handoff window is the figure that has changed how incident responders work. Mandiant’s M-Trends 2026 report found that the median time between an initial-access broker compromising a system and handing it off to a follow-on operator has fallen from over eight hours in 2022 to just 22 seconds in 2025 (Swif.ai, 2026). The implication is that human defenders no longer have time to react before the attack has moved into a different operator’s hands.
How AI Lowers the Bar for Exploitation
The Google Threat Intelligence Group’s May 2026 report is the most detailed primary-source analysis available on how AI is actually being used to develop and deploy exploits. Six observations from that report are particularly significant.
First, AI lowers the discovery threshold. GTIG identified a specialized GitHub repository called “wooyun-legacy” that integrates a distilled knowledge base of more than 85,000 real-world vulnerability cases collected by the Chinese bug bounty platform WooYun between 2010 and 2016. The repository is designed as a Claude code skill plugin that uses in-context learning to steer the model toward expert-level vulnerability analysis. A junior attacker who five years ago could not have identified a complex semantic logic flaw in production code can now load the wooyun-legacy plugin and ask an AI to do the analysis (Google Threat Intelligence Group, 2026).
Second, AI changes what is detectable. GTIG documents the first confirmed cyber-crime zero-day developed with AI assistance, a 2FA-bypass implemented in Python and aimed at a popular open-source system administration tool. GTIG’s high-confidence attribution to AI rests on indicators that would have been invisible without trained analysts: abundant educational docstrings, a hallucinated CVSS score, structured textbook Pythonic format, detailed help menus, and a clean ANSI color class. As GTIG notes, “While frontier LLMs struggle to navigate complex enterprise authorization logic, they have an increasing ability to perform contextual reasoning, effectively reading the developer’s intent to correlate the 2FA enforcement logic with the contradictions of its hardcoded exceptions” (Google Threat Intelligence Group, 2026).
Third, AI compresses the exploitation timeline. Anthropic’s own researchers, in the May 2026 disclosure of their Mythos Preview model, observed that “the same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them.” Mythos Preview converted a known kernel vulnerability into a working privilege escalation exploit in under a day, at a compute cost of less than $2,000. The previous generation of Claude could produce working exploits against Firefox’s JavaScript shell less than 1 percent of the time. Mythos Preview succeeded 72.4 percent of the time, an 80-fold improvement in a single generation (Project Glasswing disclosure, 2026).
Fourth, attackers are now industrializing AI access. GTIG documents the threat cluster UNC6201 using a publicly available Python script to automate registration, immediate cancellation, CAPTCHA bypass, and SMS verification for premium LLM accounts. Cluster UNC5673, with overlaps with TEMP.Hex targeting government sectors in South and Southeast Asia, uses tools called Claude-Relay-Service and CLI-Proxy-API to aggregate multiple Gemini, Claude, and OpenAI accounts for cost-sharing and account-ban evasion. The same report describes this as “industrializing their adversarial workflows while subsidizing their operations through trial abuse and programmatic account cycling” (Google Threat Intelligence Group, 2026).
Fifth, AI is creating an entirely new attack surface within the AI ecosystem itself. GTIG documented a March 2026 cluster of supply-chain compromises by TeamPCP (also known as UNC6780) that targeted GitHub repositories associated with Trivy, Checkmarx, LiteLLM, and BerriAI. Initial access vectors included compromised PyPI packages and malicious pull requests. The malware deployed was a credential stealer called SANDCLOCK that exfiltrated AWS keys and GitHub tokens. The same actor monetized through partnerships with ransomware groups. The compromise of LiteLLM, an AI-routing library, particularly highlights that AI development platforms have become attack surfaces in their own right (Google Threat Intelligence Group, 2026).
Sixth, the cost-benefit math has changed. CrowdStrike observed that adversaries used legitimate generative AI tools at more than 90 organizations in 2025 by injecting malicious prompts to generate commands for stealing credentials and cryptocurrency (CrowdStrike, 2026). When the marginal cost of producing a working exploit drops by two orders of magnitude, the population of attackers willing to attempt sophisticated attacks expands by approximately the same factor. This is the core economic argument behind the rise in vulnerability exploitation that the 2026 DBIR documented.
Which Sectors Are Being Hit Hardest
The economic damage from this shift is not distributed evenly. KELA’s October 2025 ransomware analysis found that 50 percent of all global ransomware attacks in 2025 targeted critical infrastructure sectors, a 34 percent year-over-year increase in attacks on essential industries (KELA via Industrial Cyber, 2025). The distribution of those attacks reveals where AI-augmented adversaries are concentrating effort.
Manufacturing was the hardest-hit sector in 2025, with ransomware incidents jumping 61 percent year-over-year from 520 to 838 (KELA, 2025). The economic logic is direct. Manufacturing facilities operate on tight just-in-time inventories. Every hour of production stoppage costs more than the typical ransom demand. Ransomware operators have learned to time attacks for periods when leadership pressure to pay is highest. The collective economic exposure across global manufacturing now exceeds, by some industry estimates, $1 trillion in annual production value.
Healthcare ranked second, with the average breach cost reaching $9.77 million between 2022 and 2024, the highest of any industry (SentinelOne, 2026). Healthcare presents the worst combination of incentives for an attacker: extremely high-value data (medical records, insurance identifiers), extreme regulatory pressure to maintain operations (HIPAA, patient safety), and historically underinvested security infrastructure. As AI lowers the technical barrier to discovering exploits in healthcare-specific software, the per-attacker economic return rises.
Financial services continues to absorb a disproportionate share of credential-abuse and phishing attacks. Microsoft’s 2025 Digital Defense Report observed that AI-driven phishing is now three times more effective than traditional campaigns, with deepfake and AI-generated identity forgeries growing 195 percent globally and now sophisticated enough to defeat selfie checks and liveness tests (Microsoft, 2025). For banks, payment processors, and fintechs, the threat is no longer a poorly worded email. It is a synthetic video call that convincingly impersonates a known executive instructing an urgent wire transfer.
The technology sector itself faces a particular dynamic. Microsoft’s report identified government, IT, and academic research as the most affected by total cyber-attacks in 2025, with adversaries specifically targeting organizations that store PII and authentication tokens that can be reused in follow-on attacks (Microsoft, 2025). The implication is recursive: the same technology firms developing AI capabilities are now among the most-targeted organizations using those capabilities defensively.
Logistics saw the largest year-over-year increase in targeting in 2025, up 85 percent according to CrowdStrike. China-nexus adversaries appear to be deliberately concentrating on the transportation and warehousing infrastructure that supports US and allied supply chains, a pattern consistent with strategic intelligence collection rather than monetary motivation alone (CrowdStrike, 2026).
Energy and transportation rounded out the most-targeted critical-infrastructure sectors. Disruption costs in these sectors are not just financial; they are systemic. A successful attack on a regional grid operator or a major airport scheduling system can cascade across dozens of dependent industries within hours.
Expert Advice: What Defenders Are Saying
The volume of expert commentary on AI-augmented cyber threats has grown substantially over the past year. Three voices stand out for the directness and specificity of their recommendations.
Jake Williams, IANS Faculty and a widely cited former NSA analyst, has argued that CISOs need to “have honest conversations about autonomy risk before setting unrealistic expectations.” Williams’ practical recommendation is that organizations stop trying to ban generative AI tools and instead provide vetted, sandboxed alternatives: “Your employees want to use generative AI tools, especially chatbots. If you don’t provide access to vetted and approved tools, employees will find ways to expose your data to unapproved tools” (IANS, 2025).
Microsoft’s 2025 Digital Defense Report recommends four concrete defensive moves: applying AI to defensive tactics (threat analytics, detection validation, and automatic remediation); securing the AI attack surface itself (adversarial prompts, data poisoning, model manipulation); developing public-private intelligence-sharing capacity, since 4 percent of attacks are motivated by espionage and 96 percent are criminal; and treating identity infrastructure as a primary battlefield, since AI-driven phishing is three times more effective than traditional campaigns (Microsoft, 2025).
The Google Threat Intelligence Group recommends a more structural approach. GTIG’s May 2026 report concludes with four specific defensive priorities: harden internet-facing systems and detect automated reconnaissance attempts; treat AI-enabled attack automation as part of national cyber defense planning rather than a private-sector concern; train security teams specifically to recognize AI-assisted attack patterns and compressed intrusion timelines; and shorten exposure windows through rapid patching, credential hardening, and external attack-surface reviews. The most quoted line from the GTIG report: “Public-sector defenders should assume capable attackers now use AI copilots for exploit development and operational scaling” (Google Threat Intelligence Group, 2026).
The Cloud Security Alliance’s 2026 AI Vulnerability Storm report frames the same problem in CISO-operational terms. Their recommended program priorities for the next 12 months: AI policy and governance frameworks; multi-vendor AI strategy with stronger data and operational guardrails; AI-driven security operations to keep pace with AI-enabled threat actors; and identity assurance as the foundation of every other control (Cloud Security Alliance, 2026).
Concrete Mitigation: Five Priorities That Actually Work
Drawing from the consensus across the CrowdStrike, GTIG, Microsoft, IANS, KELA, and Cloud Security Alliance reports, five mitigation priorities emerge that have evidence of operational effectiveness.
Patch faster. The 22-second handoff window means that vulnerability windows that used to be measured in weeks now must be measured in hours. The Verizon 2026 DBIR notes that 245 new known-exploited vulnerabilities were added to the CISA KEV catalog in 2025, of which 41 percent were zero-days at the time of exploitation (Swif.ai, 2026). Organizations with a documented 24-hour patch cycle for KEV-listed vulnerabilities experience materially fewer breaches than those operating on the traditional 30-day cycle.
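One way to measure a 24-hour KEV patch cycle, added here as an example and not taken from any of the cited reports: it joins a KEV feed against scanner findings and ranks what has breached the window. The feed entries, placeholder CVE IDs, hostnames and the findings schema are constructed assumptions, as is starting the clock at 00:00 UTC on `dateAdded`.

```python
import json
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)  # the 24-hour KEV patch cycle discussed above

# Constructed sample in the layout of CISA's KEV JSON feed; CVE IDs are placeholders.
KEV_FEED = json.loads("""
{"catalogVersion": "constructed-sample", "vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-03-02", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "dateAdded": "2026-03-05", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner findings (hypothetical schema): one row per host and CVE.
FINDINGS = [
    {"host": "cms-int-07", "cve": "CVE-0000-0002", "internet_facing": False,
     "patched_at": "2026-03-03T18:30:00+00:00"},
    {"host": "cms-dmz-02", "cve": "CVE-0000-0002", "internet_facing": True,
     "patched_at": "2026-03-05T09:00:00+00:00"},
    {"host": "vpn-edge-01", "cve": "CVE-0000-0001", "internet_facing": True, "patched_at": None},
    {"host": "fw-edge-04", "cve": "CVE-0000-0003", "internet_facing": True, "patched_at": None},
    {"host": "db-int-03", "cve": "CVE-0000-0099", "internet_facing": False, "patched_at": None},
]

RANK = {"breached_open": 0, "open_within_sla": 1, "breached_late_patch": 2, "met": 3}


def kev_index(feed):
    """Map cveID -> (SLA clock start, ransomware flag)."""
    index = {}
    for vuln in feed["vulnerabilities"]:
        # Assumption: dateAdded has no time of day, so the clock starts at 00:00 UTC.
        start = datetime.strptime(vuln["dateAdded"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        index[vuln["cveID"]] = (start, vuln.get("knownRansomwareCampaignUse") == "Known")
    return index


def sla_report(feed, findings, now):
    """Return KEV-listed findings with SLA status, most urgent first."""
    index = kev_index(feed)
    rows = []
    for f in findings:
        if f["cve"] not in index:
            continue  # not known-exploited: falls under the normal patch cycle
        start, ransomware = index[f["cve"]]
        deadline = start + SLA
        patched = datetime.fromisoformat(f["patched_at"]) if f["patched_at"] else None
        end = patched or now  # exposure ends at patch time, or is still running
        if end <= deadline:
            status = "met" if patched else "open_within_sla"
        else:
            status = "breached_late_patch" if patched else "breached_open"
        overdue = max(end - deadline, timedelta(0)).total_seconds() / 3600
        rows.append({"host": f["host"], "cve": f["cve"], "status": status,
                     "hours_overdue": overdue, "ransomware": ransomware,
                     "internet_facing": f["internet_facing"]})
    rows.sort(key=lambda r: (RANK[r["status"]], not r["internet_facing"], -r["hours_overdue"]))
    return rows


if __name__ == "__main__":
    for row in sla_report(KEV_FEED, FINDINGS, datetime(2026, 3, 5, 12, tzinfo=timezone.utc)):
        print(row)
```

Late patches are kept in the report rather than dropped, so the same output serves both the open work queue and the compliance rate for the period.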
Treat third parties as part of your attack surface. The DBIR reports that third-party breaches grew 60 percent year-over-year and now account for 48 percent of all breaches (Cyber Readiness Institute, 2026). Multi-factor authentication enforcement across all third-party connections, with auditable termination procedures when vendors are removed, is no longer optional.
Move identity defense to the front. Microsoft reported a 32 percent rise in identity-based attacks in the first half of 2025, with 97 percent of those attempts taking the form of password spray or brute force (Microsoft, 2025). Phishing-resistant MFA, conditional access policies, and continuous identity verification are the defensive primitives most likely to compress the gap between attacker capability and defender response.
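Added example (not from the Microsoft report): detection logic that separates the two attack forms named above, password spray and brute force, by the shape of failed logins per source inside a sliding window. The log format, thresholds, usernames and documentation-range addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")  # hypothetical log format
WINDOW = timedelta(minutes=10)
SPRAY_USERS = 5      # distinct accounts failed from one source inside the window
BRUTE_ATTEMPTS = 5   # failures against a single account inside the window

# Constructed sample log lines.
SAMPLE = (
    # One source, six accounts, one guess each: password spray.
    [f"2026-03-05T10:0{i}:00Z FAIL user={u} src=203.0.113.10"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # One source, one account, six guesses in a minute: brute force.
    + [f"2026-03-05T10:00:{s:02d}Z FAIL user=admin src=198.51.100.7" for s in range(0, 60, 10)]
    # A user mistyping twice and then succeeding: no alert.
    + ["2026-03-05T10:01:00Z FAIL user=grace src=192.0.2.44",
       "2026-03-05T10:01:20Z FAIL user=grace src=192.0.2.44",
       "2026-03-05T10:01:40Z OK user=grace src=192.0.2.44"]
    # Five accounts, one guess per hour: stays under a 10-minute window.
    + [f"2026-03-05T{10 + i}:30:00Z FAIL user={u} src=192.0.2.80"
       for i, u in enumerate(["heidi", "ivan", "judy", "mallory", "niaj"])]
)


def parse(lines):
    """Yield (timestamp, result, user, source) for lines matching the format."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)


def classify(lines):
    """Return {source: [alert kinds]} from failed logins in a sliding window."""
    windows = defaultdict(deque)  # source -> recent (timestamp, user) failures
    alerts = defaultdict(set)
    for ts, result, user, src in sorted(parse(lines)):
        if result != "FAIL":
            continue
        win = windows[src]
        win.append((ts, user))
        while ts - win[0][0] > WINDOW:  # drop failures older than the window
            win.popleft()
        per_user = Counter(u for _, u in win)
        if len(per_user) >= SPRAY_USERS:            # wide and shallow
            alerts[src].add("password_spray")
        if max(per_user.values()) >= BRUTE_ATTEMPTS:  # narrow and deep
            alerts[src].add("brute_force")
    return {src: sorted(kinds) for src, kinds in alerts.items()}


if __name__ == "__main__":
    print(classify(SAMPLE))
```

The hourly source in the sample goes unflagged, which is the gap a longer baseline per source or per target account has to cover.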
Train against voice and SMS phishing specifically. The 2026 DBIR found that voice and SMS phishing now outperform email phishing in success rate, with phishing via text and phone calls achieving a 40 percent higher success rate in simulations than email (Cyber Readiness Institute, 2026). Vishing alone appeared in 11 percent of Mandiant investigations where the initial vector was known. Annual email phishing simulations are no longer sufficient. Voice-based and AI-deepfake simulation exercises must be added.
Provide vetted AI tools rather than banning them. The most cost-effective single intervention available to most organizations is to deploy approved, sandboxed AI tools (Microsoft Copilot, Google Gemini for Workspace, or Anthropic’s enterprise Claude) and prevent employees from routing sensitive data through unapproved consumer AI. Williams of IANS has made this case publicly. Microsoft, Google, and Anthropic have built enterprise governance frameworks specifically for this purpose. The economic argument is straightforward: an organization that bans AI loses the productivity benefits and still experiences shadow-AI data leakage; an organization that provides vetted AI captures both the productivity and the audit trail.
The economic stakes. The Microsoft 2025 Digital Defense Report describes cybersecurity as facing “a defining moment” in which AI is pushing threats to “new levels of speed, scale, and sophistication” (Microsoft, 2025). The economic cost of cybercrime globally is now estimated at 10 to 12 trillion dollars annually, exceeding the GDP of every country except the United States and China. Within that figure, the segments growing fastest are the AI-augmented attacks: ransomware-as-a-service, deepfake-enabled fraud, AI-generated phishing, and vulnerability exploitation. The single most consequential question for every CISO in 2026 is no longer whether to invest in AI defense. It is which AI defense investments produce measurable risk reduction at scale.
The Bottom Line
Vulnerability exploitation overtook stolen credentials as the top initial-access vector in 2026 for one specific reason: AI lowered the cost and raised the success rate of discovering and weaponizing software flaws. The 89 percent year-over-year increase in AI-enabled attacks documented by CrowdStrike, the 80-fold exploitation improvement Anthropic disclosed in its own Mythos Preview model, the 22-second handoff window Mandiant has measured, and the 50 percent of global ransomware attacks targeting critical sectors KELA observed in 2025 collectively describe a sector that has structurally shifted in attackers’ favor. The most acutely exposed sectors are manufacturing (61 percent year-over-year ransomware growth), healthcare ($9.77 million average breach cost), financial services (3x more effective AI-driven phishing), and logistics (85 percent year-over-year targeting growth). The defenders who are responding effectively are doing five things simultaneously: patching within 24 hours of KEV listing, treating third parties as part of the attack surface, moving identity to the front of the defensive perimeter, training employees against voice and SMS phishing specifically, and providing vetted AI tools instead of trying to ban them. The economic shift is now durable. The question is no longer whether AI will reshape cybersecurity. It is which organizations adapt their risk-management posture fast enough to survive the next 24 months without an existential breach.
References
Cloud Security Alliance. (2026, May 1). The AI vulnerability storm: Security program guide for CISOs. https://cloudsecurityalliance.org/artifacts/the-ai-vulnerability-storm
CrowdStrike. (2026, February 24). 2026 CrowdStrike Global Threat Report: AI accelerates evasive intrusions. https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/
CrowdStrike. (2026, February 24). CrowdStrike 2026 Global Threat Report: Evasive adversary findings. https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-global-threat-report-findings/
Cyber Readiness Institute. (2026, June 1). 2026 Verizon cyber report: Small businesses face escalating cyber threats. https://cyberreadinessinstitute.org/news-and-events/verizon-dbir-2026-small-businesses-face-escalating-cyber-threats/
Google Threat Intelligence Group. (2026, May 11). GTIG AI Threat Tracker: Adversaries leverage AI for vulnerability exploitation, augmented operations, and initial access. https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access
IANS. (2025, September 15). IANS AI Report: Infosec trends to prepare for in 2026. https://www.iansresearch.com/resources/ians-ai-report
KELA via Industrial Cyber. (2025, October 22). Half of 2025 ransomware attacks hit critical sectors as manufacturing, healthcare, and energy top global targets. https://industrialcyber.co/reports/half-of-2025-ransomware-attacks-hit-critical-sectors-as-manufacturing-healthcare-and-energy-top-global-targets/
Microsoft. (2025). Microsoft Digital Defense Report 2025. https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025
Project Glasswing disclosure. (2026, May). Anthropic Mythos Preview: Autonomous exploit discovery and disclosure. https://www.facebook.com/groups/698593531630485/posts/1565834844906345/
SentinelOne. (2026, January 16). 10 cyber security trends for 2026. https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-trends/
Swif.ai. (2026, June 1). Cyber attack statistics for 2026. https://www.swif.ai/blog/cyber-attack-statistics
