Verizon Report: AI Accelerates Software Vulnerability Exploits, Overtaking the Stolen Credentials Method as the Leading Attack Vector
Published
Key Takeaways
- AI Accelerated Exploitation: Hackers leverage artificial intelligence to shrink vulnerability response times from months to mere hours.
- Exploits Surpass Credentials: Vulnerability exploitation initiated 31% of breaches, overtaking stolen credentials as the primary attack vector.
- Defensive AI Imperative: Verizon CISO Nasrin Rezai emphasizes the necessity to fight AI with AI across all cyber defense processes.
Hackers are increasingly using artificial intelligence (AI) to detect and exploit software vulnerabilities. Analyzing more than 31,000 security incidents, the annual Verizon data breach report found that 31% of all breaches started with flaw exploitation. For the first time, this tactic surpassed stolen credentials as the leading initial access method.
Threat actors actively use generative AI across all attack stages, including targeting, initial access, and the development of malware and other tools, accelerating the exploitation time and shrinking the defense window from months to mere hours.
Shadow AI and Escalating Adversary Capabilities
The Verizon report also identifies internal operational risks. Shadow AI (the use of unauthorized AI tools) now ranks as the third most common non-malicious insider action in data loss incidents. Employees routinely submit sensitive source code, images, and other structured data into these platforms.
Meanwhile, third-party involvement in breaches is up 60%, while AI Bot Internet Crawlers registered a massive 21% month-over-month growth compared to the 0.3% human-led traffic growth, the report outlined.
The Verizon report does not include data regarding Mythos, a highly capable AI model announced on April 7, which is currently deployed under Anthropic's Project Glasswing. This controlled initiative allows select organizations, including Verizon, to use the unreleased Claude Mythos Preview model strictly for defensive cybersecurity purposes, according to Reuters.
Defensive Security Strategies
To mitigate these advanced threats, Verizon Chief Information Security Officer Nasrin Rezai stated that organizations need to fight AI with AI. She emphasized that we must incorporate artificial intelligence seamlessly into the software development life cycle, testing processes, and active cyber defense frameworks at an unprecedented scale.
“Companies can’t defend against that reality with periodic assessments and siloed tools,”
Matthew Hartman, Chief Strategy Officer at Merlin Group, “To keep pace, organizations need continuous visibility into vulnerabilities, vendors, and employee AI usage — and the ability to act on that intelligence before attackers can.”
“The most effective mitigation strategy requires abstracting our defenses away from the endless race to patch individual endpoints and instead establishing a hardened identity and authorization control plane,” said Sectigo’s Jason Soroko. “Even if an attacker successfully breaches the outer wall, cryptographic verification ensures they cannot assume trusted roles or siphon data, ultimately transforming a potentially catastrophic breach into a localized and manageable event.”
Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, stated that leaders must invest in two layers. “The first is AI-augmented reachability analysis that separates exploitable findings from theoretical ones, the second is compensating controls: egress restrictions, behavioral allowlists, and identity-bound access.”
“Today, we’re in a human plus AI world, requiring a very different security paradigm, one that’s based on adaptive identity with zero standing privilege as a minimum requirement,” said Chandra Gnanasambandam, Chief Technology Officer at SailPoint, with Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, saying this is an economics story rather than a credential story and Mika Aalto, Co-Founder and CEO at Hoxhunt, saying this year’s report is refinement, not revolution.
“For 2027, it is not a matter of if your organization will appear in next year's dataset but how your organization responds once an incident has occurred,” said Morey Haber, Chief Security Advisor at BeyondTrust.
“Our only true defense is to comprehensively tripwire our cyber infrastructure with model-aware detections and traps, and to dynamically engage reasoning swarms of AI attackers with swarms of reasoning AI defenders,” advised Ram Varadarajan, CEO at Acalvio.
As the report outlines attackers are scaling the basics and the fundamentals still matter most, Diana Kelley, Chief Information Security Officer at Noma Security, says defenders need to do the same, “only faster, cleaner and with much better control over identity, data and third parties.”
In an interview with TechNadu, Diana Kelley, CISO at Noma Security, detailed three specific controls that can make a big difference in curbing shadow AI before it scales.
The broader cybersecurity landscape reflects this rapid escalation. A Harness "State of AI-Native Application Security 2025" report said that the AI-native app boom creates security blind spots and major security risks.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular