
DBIR 2026: what the rise in third-party compromise means


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Verizon’s 2026 DBIR reports that the human element was involved in 62% of breaches, third-party compromise appeared in 48% of incidents, and only 26% of known exploited vulnerabilities were remediated in 2025, showing attackers are blending social engineering, vendor trust, and exposed infrastructure. The practical takeaway is that identity, workflow, and remediation controls now need to be managed as one attack surface, not separate programmes.

NHIMG editorial — based on content published by Abnormal AI: analysis of the 2026 Verizon DBIR and breach trends

By the numbers:

Questions worth separating out

Q: How should security teams handle third-party access when vendors and SaaS tools are part of the attack path?

A: Treat third-party access as a governed identity perimeter, not a one-time integration.

Q: Why do behavioural signals matter more than links in contextual social engineering attacks?

A: Because the sender, channel, and message can all be legitimate while the request is still malicious.

Q: When should organisations prioritise remediation of known exploited vulnerabilities over routine patch work?

A: When a vulnerability is publicly exploited, internet-facing, or connected to high-value identity paths, it should move ahead of routine backlog work.

Practitioner guidance

  • Unify vulnerability and identity remediation queues: Track exposed assets, privileged accounts, OAuth grants, and vendor access in the same risk workflow so one finding cannot be remediated while the other remains exploitable.
  • Inventory external trust paths end to end: Map every SaaS integration, contractor account, and third-party OAuth connection to an owner, privilege scope, and revocation route, then review those relationships on a fixed cadence.
  • Tune detection for workflow anomalies: Prioritise signals such as unusual request timing, approval path changes, vendor impersonation patterns, and identity behaviour that deviates from established baselines.

What's in the full report

Abnormal AI's full report covers the operational detail this post intentionally leaves for the source:

  • Breakdown of the DBIR findings by attack class, including where vulnerability exploitation, credential abuse, and third-party compromise overlap
  • Examples of pretexting patterns and behavioural indicators that help distinguish legitimate business workflows from abuse
  • Additional context on how AI is being used across phishing, malware development, and vulnerability research
  • Source-linked threat intelligence references that practitioners can use to compare their own telemetry and incident trends

👉 Read Abnormal AI’s analysis of the 2026 DBIR and identity trust trends →

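Added worked example (not from the post above or from the Abnormal AI report): a single remediation queue that scores vulnerability findings and identity exposures (OAuth grants, vendor accounts) with the same rules, moves anything publicly exploited, internet-facing or privileged into the fast lane as the Q&A suggests, and lets linked findings on one intrusion path inherit the highest score in their chain so neither half can sink to the bottom of the backlog. The field names, weights, 90-day review cadence and all sample findings are constructed assumptions.

```python
"""Unified vulnerability + identity remediation queue (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Finding:
    ref: str                           # constructed identifier
    kind: str                          # "vuln", "oauth_grant" or "vendor_account"
    asset: str                         # host, SaaS app or tenant the finding lives on
    owner: Optional[str] = None        # accountable owner; None means nobody answers for it
    internet_facing: bool = False
    known_exploited: bool = False      # listed in a public exploited-vulnerabilities catalogue
    privileged: bool = False           # admin/write scope, or reaches privileged identities
    last_review: Optional[date] = None # last time owner/scope/revocation route was confirmed
    linked: List[str] = field(default_factory=list)  # refs on the same intrusion path


# Assumed weights: the three fast-lane criteria dominate the hygiene signals.
WEIGHTS = {"known_exploited": 50, "internet_facing": 25, "privileged": 20}


def base_score(f: Finding, today: date, stale_after_days: int = 90) -> int:
    """Score one finding on its own, independent of anything it is linked to."""
    score = sum(w for attr, w in WEIGHTS.items() if getattr(f, attr))
    if f.owner is None:
        score += 10  # nothing gets revoked if nobody owns it
    if f.last_review is None or (today - f.last_review).days > stale_after_days:
        score += 10  # review cadence missed
    return score


def fast_lane(f: Finding) -> bool:
    """Criteria that move a finding ahead of routine backlog work."""
    return f.known_exploited or f.internet_facing or f.privileged


def components(findings: List[Finding]) -> Dict[str, FrozenSet[str]]:
    """Group findings that are linked (directly or transitively) into one chain."""
    adj = {f.ref: set() for f in findings}
    for f in findings:
        for r in f.linked:
            if r in adj:                      # ignore links to refs we do not track
                adj[f.ref].add(r)
                adj[r].add(f.ref)
    seen, comp = set(), {}
    for start in adj:
        if start in seen:
            continue
        stack, members = [start], []
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            members.append(node)
            stack.extend(adj[node] - seen)
        for m in members:
            comp[m] = frozenset(members)
    return comp


def build_queue(findings: List[Finding], today: date) -> List[dict]:
    """Return findings ordered by chain score, then own score, then ref."""
    base = {f.ref: base_score(f, today) for f in findings}
    comp = components(findings)
    rows = []
    for f in findings:
        chain = max(base[r] for r in comp[f.ref])   # inherit the worst item on the path
        rows.append({"ref": f.ref, "kind": f.kind, "asset": f.asset,
                     "base": base[f.ref], "chain": chain,
                     "lane": "priority" if fast_lane(f) else "routine"})
    rows.sort(key=lambda r: (-r["chain"], -r["base"], r["ref"]))
    return rows


# Constructed sample inventory: an exploited edge vulnerability linked to an
# ownerless, over-scoped vendor OAuth grant, plus two unrelated findings.
TODAY = date(2026, 5, 1)
SAMPLE = [
    Finding("V1", "vuln", "vpn-gw-01", owner="netops", internet_facing=True,
            known_exploited=True, last_review=date(2026, 4, 20), linked=["G1"]),
    Finding("G1", "oauth_grant", "vendor-sync-app", privileged=True,
            last_review=date(2025, 10, 1)),
    Finding("V2", "vuln", "web-edge-02", owner="webops", internet_facing=True,
            last_review=date(2026, 4, 25)),
    Finding("A1", "vendor_account", "contractor-svc", owner="procurement",
            last_review=date(2026, 4, 10)),
]

if __name__ == "__main__":
    for row in build_queue(SAMPLE, TODAY):
        print(f"{row['lane']:8} chain={row['chain']:3} own={row['base']:3} {row['ref']} ({row['kind']} on {row['asset']})")
```

The point of the chain score is the first guidance bullet: G1 on its own is a mid-table hygiene item, but because it sits on the same path as the exploited VPN vulnerability it is queued right behind it, so the vulnerability patch and the grant revocation are worked together rather than in separate programmes.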
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Identity trust is now part of the attack surface. The DBIR’s numbers show that breaches are no longer cleanly separable into “identity” problems and “infrastructure” problems. Vulnerability exploitation, third-party compromise, and pretexting now reinforce one another across the same intrusion path. Practitioners should treat trust relationships, not just credentials, as governed security assets.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: What should teams do when trusted workflows start looking slightly unusual?

A: Escalate it as a governance signal, not just a helpdesk issue. Unusual approval chains, unexpected payment requests, or vendor behaviour that deviates from normal history can indicate pretexting or account abuse. Teams should verify the business context, inspect linked identities, and preserve evidence before the workflow completes.

👉 Read our full editorial: DBIR 2026 shows identity trust is now an attack surface



   
ReplyQuote
Share:
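Added worked example (not from either post or from the DBIR): a small baseline check for the "trusted workflow that starts looking slightly unusual" case in the reply above and the detection bullet in the first post. It builds a per-vendor baseline from historical approval events, then scores a new request for approval path changes, unusual timing, amount deviation, an unseen sender domain and a changed payee account, and returns a recommended action plus the linked identities to preserve as evidence before the workflow completes. Field names, thresholds and all events are constructed assumptions.

```python
"""Workflow-anomaly signals over vendor approval events (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple


@dataclass
class WorkflowEvent:
    vendor: str
    requested_at: datetime
    approvers: Tuple[str, ...]   # ordered approval chain the request went through
    amount: float
    sender_domain: str           # domain of the identity that raised the request
    payee_account: str           # constructed account reference, not a real number


def build_baselines(history: List[WorkflowEvent]) -> Dict[str, dict]:
    """Per-vendor baseline: known approval chains, hour range, amounts, domains, accounts."""
    baselines: Dict[str, dict] = {}
    for e in history:
        b = baselines.setdefault(e.vendor, {
            "chains": set(), "hours": [], "amounts": [], "domains": set(), "accounts": set()})
        b["chains"].add(e.approvers)
        b["hours"].append(e.requested_at.hour)
        b["amounts"].append(e.amount)
        b["domains"].add(e.sender_domain)
        b["accounts"].add(e.payee_account)
    return baselines


def assess(event: WorkflowEvent, baselines: Dict[str, dict], amount_factor: float = 3.0) -> dict:
    """Compare one new event against its vendor's history and decide what to do."""
    evidence = {"vendor": event.vendor, "approvers": list(event.approvers),
                "sender_domain": event.sender_domain, "payee_account": event.payee_account,
                "requested_at": event.requested_at.isoformat()}
    b = baselines.get(event.vendor)
    if b is None:
        return {"signals": ["no history for vendor"], "action": "verify out of band",
                "evidence": evidence}
    signals = []
    if event.approvers not in b["chains"]:
        signals.append("approval path changed")
    hour = event.requested_at.hour
    if hour < min(b["hours"]) or hour > max(b["hours"]) or event.requested_at.weekday() >= 5:
        signals.append("unusual request timing")
    if event.amount > amount_factor * median(b["amounts"]):
        signals.append("amount deviates from history")
    if event.sender_domain not in b["domains"]:
        signals.append("sender domain not seen for this vendor")
    if event.payee_account not in b["accounts"]:
        signals.append("payee account changed")
    # A changed payee, or two or more independent signals, holds the workflow for
    # business-context verification; a single weak signal goes to review; none allows.
    if "payee account changed" in signals or len(signals) >= 2:
        action = "hold and verify business context"
    elif signals:
        action = "review"
    else:
        action = "allow"
    return {"signals": signals, "action": action, "evidence": evidence}


# Constructed history: one vendor, three routine weekday requests through the same chain.
CHAIN = ("j.doe", "finance-lead")
HISTORY = [
    WorkflowEvent("acme-supplies", datetime(2026, 4, 7, 9), CHAIN, 4200.0, "acme-supplies.example", "ACC-1001"),
    WorkflowEvent("acme-supplies", datetime(2026, 4, 8, 11), CHAIN, 3900.0, "acme-supplies.example", "ACC-1001"),
    WorkflowEvent("acme-supplies", datetime(2026, 4, 14, 14), CHAIN, 4600.0, "acme-supplies.example", "ACC-1001"),
]
# Constructed new events: one ordinary, one that drifts on every axis at once.
BENIGN = WorkflowEvent("acme-supplies", datetime(2026, 4, 21, 10), CHAIN, 4400.0, "acme-supplies.example", "ACC-1001")
SUSPECT = WorkflowEvent("acme-supplies", datetime(2026, 4, 11, 22), ("j.doe",), 19500.0,
                        "acme-supplies-billing.example", "ACC-2207")

if __name__ == "__main__":
    base = build_baselines(HISTORY)
    for ev in (BENIGN, SUSPECT):
        result = assess(ev, base)
        print(result["action"], "|", ", ".join(result["signals"]) or "no signals")
```

The decision rule is deliberately conservative in one direction only: a changed payee account holds the request on its own, because that is the one field whose error is not recoverable once the workflow completes, while timing or chain changes alone only warrant a review so that legitimate exceptions do not swamp the queue.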