Wiz in the Verizon DBIR: How AI Acceleration and Cloud Sprawl Impact Modern Defense

Verizon's latest DBIR highlights how attackers are exploiting familiar weaknesses at increasing speed and scale. Here's what Wiz research reveals about vulnerabilities, trust relationships, and AI in modern cloud environments.

Every year, the Verizon Data Breach Investigations Report (DBIR) provides a snapshot of how attackers are compromising organizations. This year's report highlights a clear trend: attackers continue to succeed through familiar weaknesses, but they are exploiting them at increasing speed and scale.

This year, Wiz contributed research on Known Exploited Vulnerability (KEV) remediation trends to the DBIR, providing visibility into how organizations are responding to vulnerabilities that attackers are actively exploiting in the wild. As we previously explored in our Cloud Threats Retrospective, State of AI in the Cloud, and State of SDLC Security research, this year’s DBIR highlights a critical challenge: organizations are struggling to reduce risk quickly enough to keep pace with expanding attack surfaces and increasingly rapid exploitation.

Attackers are not winning because they've discovered entirely new techniques. They're succeeding because vulnerabilities, trust relationships, and increasingly complex cloud environments are creating more opportunities than defenders can operationalize against.

Vulnerability Exploitation Is Outpacing Remediation

One of the most significant findings in the DBIR is that vulnerability exploitation has become the leading initial access vector, accounting for 31% of breaches. At the same time, human-focused attacks remain a significant factor in breaches, underscoring the need for organizations to address both technical exposure and identity risk.

That trend is especially relevant in cloud environments. In Wiz's Cloud Threats Retrospective, 40% of documented cloud intrusions began with weaponized vulnerabilities, making exploitation the most common path to compromise.

As part of Wiz's contribution to this year's DBIR, we analyzed how organizations remediate Known Exploited Vulnerabilities (KEVs) across hundreds of thousands of cloud and code environments.The DBIR’s findings reveal a growing operational challenge: only 26% of KEVs were fully remediated, while 16% remained entirely unremediated.

Additional findings help explain why organizations are struggling to keep pace:

  • Median remediation time increased from 32 days to 43 days.

  • Organizations faced roughly 50% more KEVs requiring remediation than the year before, with the median number of KEVs rising from 11 to 16.

The challenge is no longer simply identifying vulnerabilities. The challenge is reducing exposure quickly enough to keep pace with growing attack surfaces, cloud sprawl, and increasingly rapid exploit development.

Trust Relationships Are Becoming the New Enterprise Boundary

The DBIR found that third-party involvement in breaches rose from 30% to 48% year over year. That trend reflects a broader shift in how modern attacks unfold. Rather than targeting individual environments directly, attackers increasingly abuse the trusted relationships that connect them.

Throughout 2025, Wiz investigated incidents involving:

  • compromised software packages,

  • OAuth token abuse,

  • GitHub personal access token theft,

  • CI/CD compromise,

  • and SaaS integrations.

Campaigns like Shai Hulud and s1ngularity demonstrated how a compromise in one trusted component can create downstream exposure across thousands of organizations. TeamPCP’s recent activity has continued this trend into 2026.

This same pattern appears throughout software development environments. In our State of SDLC Security research, we observed how modern development pipelines increasingly rely on interconnected repositories, build systems, automation platforms, identities, and third-party tooling. These connections help teams move faster, but they also create additional pathways for attackers to abuse trusted access, compromise software supply chains, and expand the impact of a single intrusion.

The enterprise boundary is no longer defined solely by infrastructure. It increasingly includes identities, integrations, software supply chains, and automation systems.

AI Is Accelerating Existing Risks

AI is one of the most discussed topics in this year's DBIR, and the findings point to a nuanced reality. AI is accelerating attacker operations more than it is changing how breaches occur.

The DBIR highlights how AI is helping threat actors accelerate reconnaissance, automate tasks, and operationalize exploits more quickly. Wiz research has observed similar trends, including AI-assisted reconnaissance, credential harvesting, vulnerability discovery, and post-compromise automation.

At the same time, AI adoption is introducing new security challenges of its own. In our State of AI in the Cloud research, we explored key AI adoption trends.

We also observed rapid adoption of AI agent technologies. In our research, 57% of organizations had deployed AI agents, while MCP servers appeared in 80% of cloud environments.

Together, these technologies introduce new identities, APIs, service accounts, orchestration layers, and automation workflows. As AI becomes embedded across development workflows, cloud operations, and business processes, organizations also need clear ownership, governance, and visibility into how these systems are deployed and connected to sensitive resources.

In practice, AI environments often create new places where familiar security issues emerge, including excessive permissions, exposed services, and credential sprawl. The result is a larger and more interconnected attack surface.

Security Teams Need to Focus on Exposure, Trust, and Speed

The lesson from this year's DBIR is that familiar weaknesses remain highly effective when combined with cloud scale, interconnected trust relationships, and increasingly rapid exploitation cycles.

For defenders, the priorities remain clear:

  • Reduce externally reachable exposure.

  • Prioritize remediation of actively exploited vulnerabilities.

  • Harden identities and trusted integrations.

  • Secure software supply chains and development environments.

  • Apply the same governance and visibility controls to AI systems that already exist for cloud infrastructure.

Read More from Wiz Research

Cloud Threats Retrospective 2026
Explore how threat actors leveraged vulnerabilities, exposed credentials, trusted relationships, and AI-assisted workflows in real-world cloud intrusions.

State of AI in the Cloud 2026
Learn how AI agents, MCP servers, self-hosted models, and managed AI services are expanding cloud attack surfaces and creating new governance challenges.

State of SDLC Security 2026
Discover how software supply chains, CI/CD systems, developer identities, and third-party tooling are reshaping risk across modern development environments.

Continue reading

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management