The 2026 Verizon Data Breach Investigations Report carries one finding that stands out above everything else. For the first time in the report’s nineteen-year history, vulnerability exploitation has overtaken stolen credentials as the single most common breach entry point. Thirty-one percent of all confirmed breaches in 2025 started with an attacker exploiting an unpatched flaw, up from 20% the year before.
That shift has real implications for how security teams in the UAE should be prioritising their time and budget right now.
The report itself is the largest the DBIR has ever published, covering more than 31,000 security incidents and 22,000 confirmed breaches across 145 countries. The confirmed breach count is nearly double last year’s figure. Some of that reflects improved reporting. Most of it reflects a threat environment that is genuinely accelerating, driven in large part by AI tools that have put sophisticated attack capabilities in the hands of a much wider pool of threat actors.
Attackers Are Moving Faster Than Patching Cycles Were Designed to Handle
The reason vulnerability exploitation has climbed to the top of the DBIR rankings is not that new vulnerability classes have emerged. It is that the time between public disclosure and active exploitation has collapsed. SonicWall’s 2025 threat data found that 61% of attackers weaponise newly disclosed vulnerabilities within 48 hours of public release. AI-powered scanning tools now allow threat actors to identify exposed systems at scale and match them against known CVEs faster than most security teams can even assess the risk, let alone deploy a fix.
This is already playing out in the UAE specifically. The UAE Cyber Security Council’s 2025 report found that nearly 50% of vulnerabilities being actively exploited in the country are more than five years old. While global attackers are exploiting CVEs within two days of disclosure, a significant portion of UAE organisations are still running systems with well-documented weaknesses that have existed since before their last infrastructure refresh. Attackers do not need sophisticated capabilities to compromise those environments. They need patience and an automated scanner.
The 2026 DBIR adds another layer to this. Only 26% of critical vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalogue were fully remediated in 2025, down from 38% the year before. Security teams are falling further behind on patching known, actively exploited flaws, not because they are careless, but because the volume of incoming CVEs, over 140 published daily at current rates, has exceeded the capacity of manual prioritisation processes.
The organisations managing this well are the ones that have moved away from scheduled patching cycles and toward continuous vulnerability management, where known exploited vulnerabilities are treated with a fundamentally different urgency than theoretical risks. Vulnerability management and penetration testing are no longer once-a-year exercises. They are ongoing programmes that reflect how attackers actually operate.
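As an added illustration of what "a fundamentally different urgency" looks like in practice, the following Python ranks constructed scan findings by exploitation evidence first and CVSS second; it is not code from Verizon, the DBIR or any vendor named here, and the CVE IDs, hosts, KEV stand-in and SLA values are all placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    published: date        # public disclosure date
    internet_exposed: bool

# Constructed stand-in for the CISA KEV catalogue; the IDs are placeholders, not real CVEs.
KEV = {"CVE-2019-00001", "CVE-2025-00003"}

# Remediation SLA per tier (days). P0 mirrors the 48-hour weaponisation window.
SLA_DAYS = {"P0": 2, "P1": 7, "P2": 30, "P3": 90}
ORDER = {"P0": 0, "P1": 1, "P2": 2, "P3": 3}

def tier(f: Finding, kev: set[str] = KEV) -> str:
    """Tier driven by exploitation evidence, with CVSS only as a fallback."""
    if f.cve in kev:
        return "P0" if f.internet_exposed else "P1"
    if f.cvss >= 9.0 and f.internet_exposed:
        return "P1"
    return "P2" if f.cvss >= 7.0 else "P3"

def triage(findings, today: date, kev: set[str] = KEV):
    """Return findings ordered by urgency, each with tier, SLA and a legacy-backlog flag."""
    rows = []
    for f in findings:
        t = tier(f, kev)
        rows.append({
            "host": f.host, "cve": f.cve, "cvss": f.cvss, "tier": t,
            "sla_days": SLA_DAYS[t],
            # Flaws public for five years or more: the backlog the UAE CSC figure points at.
            "legacy": (today - f.published).days / 365.25 >= 5,
        })
    rows.sort(key=lambda r: (ORDER[r["tier"]], -r["cvss"]))
    return rows

# Constructed sample scan output.
SAMPLE = [
    Finding("web-01", "CVE-2025-00004", 9.8, date(2026, 3, 10), True),   # critical, not in KEV
    Finding("vpn-01", "CVE-2019-00001", 7.5, date(2019, 6, 1), True),    # old, known exploited, exposed
    Finding("db-02",  "CVE-2025-00003", 8.1, date(2025, 11, 2), False),  # known exploited, internal only
    Finding("hr-app", "CVE-2022-00002", 6.5, date(2022, 2, 14), False),  # medium, internal only
]

def triage_sample():
    return triage(SAMPLE, date(2026, 3, 12))

if __name__ == "__main__":
    for r in triage_sample():
        print(r)
```

Note that the CVSS 7.5 finding on vpn-01 outranks the CVSS 9.8 one on web-01 because it is known exploited and reachable, which is the reordering a CVSS-only queue never produces.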
Third-Party Breaches Have Doubled in Two Years. Vendor Questionnaires Won’t Solve This.
Third-party involvement in confirmed breaches increased 60% in 2025. Nearly half of all breaches in the DBIR dataset now involve a vendor, supplier, or external service provider somewhere in the chain. Two years ago, that figure was around 15%.
Most organisations know third-party risk is a problem. Most also rely on annual vendor questionnaires and contract clauses to manage it, which tells you what a vendor’s written policies are while telling you almost nothing about whether those policies are being followed or whether the access that vendor holds into your environment could be abused.
The DBIR data shows the consequences of that gap clearly. Only 23% of third-party cloud organisations had fully remediated missing or improperly secured MFA on their own accounts. When an attacker compromises a vendor’s environment and pivots into a client network through poorly governed integration access, the defences they encounter at the vendor level are often weaker than what exists inside the client organisation itself. The entry point was trusted by default. That trust was not verified.
For enterprises operating under DIFC or ADGM regulatory frameworks, or those subject to UAE PDPL obligations, third-party risk management is a named compliance requirement. Meeting that requirement on paper and actually reducing the exposure are different things. The difference shows up in whether your penetration testing scope extends to vendor access paths, privileged integrations, and the controls protecting third-party connections into your environment, not just your own perimeter.
Shadow AI Has Created a Data Leakage Problem Most DLP Architectures Cannot See
One of the more significant findings in the 2026 DBIR that has received less coverage than it deserves is the growth of shadow AI usage inside organisations. The report found that 45% of employees are now regular AI tool users, up from 15% the previous year. Sixty-seven percent of those users are accessing AI services from corporate devices using personal, non-corporate accounts.
That means the organisation has no visibility into what data is being submitted to those platforms, what the provider’s data retention policies are, or whether sensitive information has already left the environment. Nobody doing this considers themselves to be creating a security risk. A finance team member summarising a contract. A developer debugging code in a public model. A project manager cleaning up a client-facing document. These are ordinary work habits today, and they are happening at a volume that conventional data loss prevention tools were not designed to detect.
The UAE PDPL, which came into force in January 2026 with a compliance deadline of January 2027, requires organisations to demonstrate control over where personal data is processed and stored. If employees are regularly submitting personal data to unvetted AI platforms, that is a demonstrable control gap with regulatory consequences. It is also a security gap that sits entirely outside the visibility of most perimeter-focused monitoring programmes.
Cloud security assessments that map actual data flows, including SaaS usage patterns and AI platform access from corporate devices, are becoming a necessary part of understanding where an organisation’s real exposure sits.
Ransomware Remains in Nearly Half of All Confirmed Breaches
Ransomware was present in 48% of confirmed breaches in the DBIR dataset, up from 44% the previous year. The median ransom payment dropped below $140,000, which sounds like progress. What it actually reflects is that ransomware operators have scaled their model, accepting smaller payments from a higher volume of victims rather than pursuing large single payouts.
The 69% of victims who declined to pay did not avoid financial impact. They absorbed recovery costs, operational disruption, and in many cases reputational damage that outlasted the incident itself. Getting better at recovery is meaningful progress. It does not change the fact that the breach occurred.
The more important detail for UAE security teams is where ransomware is getting in. The most common initial access vector for ransomware in 2025 was not phishing. It was unpatched vulnerabilities, connecting directly back to the DBIR’s headline finding. An organisation with a significant patch backlog and untested network segmentation is carrying ransomware risk whether or not it recognises that connection.
For sectors the UAE Cyber Security Council classifies as critical infrastructure, including finance, energy, and telecommunications, the operational consequences of a ransomware incident extend well beyond the ransom decision itself. Regulatory notification timelines, business continuity obligations, and reputational exposure to clients and partners all become live issues simultaneously. Organisations that have tested their incident response processes against realistic scenarios are in a materially better position than those whose IR plan exists on paper but has never been stress-tested against an actual breach timeline.
What the 2026 DBIR Should Change About Your Security Programme
Taken together, the DBIR’s findings describe a threat environment where attackers are exploiting vulnerabilities faster than patching processes respond, using third-party access as a preferred entry path, and benefiting from internal AI adoption that has outpaced governance. None of these are new risks. All three appeared prominently because they worked consistently throughout 2025.
The organisations that came through last year with better outcomes were not necessarily the ones with the most mature security stacks. They were the ones with an accurate picture of their actual attack surface, including vendor access, cloud configurations, and internal data flows, and the capability to act on that picture quickly when new threats emerged.
Getting that picture requires going beyond perimeter testing. It requires managed SOC capability that covers cloud environments with the same depth as on-premises infrastructure. It requires third-party access to be treated as part of the attack surface being tested, not excluded from scope because it sits outside the organisation’s direct control. And it increasingly requires advisory support that can translate threat intelligence into security investment decisions at a level that boards and leadership teams can act on.
If the findings in this report reflect concerns you already have about your organisation’s security posture, iConnect’s team works with enterprises across Dubai and the UAE on exactly this kind of programme. The DBIR tells you where the industry’s defences are failing. The more important question is where yours specifically are.