The MSP Minute ⏱ Tuesday 19 May 2026
For Managed Service Providers worldwide. Today... the biggest breach report numbers are eye-opening... identity attacks are now the dominant threat... and the good guys had a very good week
🔴 The 2026 Verizon DBIR is out today… and two thirds of all breaches now start with identity
The 2026 Verizon Data Breach Investigations Report confirms what’s been building for years: identity is now the dominant attack surface.
Two thirds of all breaches investigated began with an identity-related attack: stolen credentials, session hijacking, or MFA bypass. Vulnerability exploitation jumped 34% year on year. And third-party breaches now account for 30% of all incidents, double the previous year’s figure. (Source: Verizon)
Let’s look at the SMB numbers. Ransomware appeared in 88% of SMB breach incidents, compared to just 39% at large organisations. Your clients are not collateral damage in attacks aimed at big companies. They’re the primary target.
The report also confirms that 64% of ransomware victims now refuse to pay, up from 50% two years ago. And median ransom payments have fallen from $150,000 to $115,000. But the volume of attacks keeps climbing regardless.
🟡 71% of organisations had at least one identity breach last year. Most didn't spot it quickly
Another report… Sophos published its State of Identity Security 2026 report last week. They surveyed 5,000 IT and cybersecurity leaders across 17 countries, and it reads as a direct companion to the Verizon DBIR. (Source: Help Net Security)
71% of organisations suffered at least one identity-related breach in the past 12 months
The average organisation reported three separate incidents
And only 24% continuously monitor for unusual login attempts… meaning the majority of these breaches had a significant undetected window before anyone noticed.
The specific number to act on: only 34% of organisations regularly audit or rotate service accounts. As AI agents multiply across client environments, each one creating new credentials and demanding persistent access, that gap is going to become significantly more dangerous.
If identity monitoring and service account hygiene aren’t already in your security stack conversation with clients, both reports published this week give you everything you need to start it.
🟢 The good guys just found 47 zero-days in three days… and got paid $1.3 million for it
Pwn2Own Berlin 2026 wrapped up on Saturday and it was a good week for the white hats.
Security researchers collected $1,298,250 in rewards over three days after finding and exploiting 47 unique zero-day vulnerabilities across Windows 11, Microsoft Exchange, Microsoft Edge, VMware ESXi, Red Hat Linux, and AI coding agents. Every single one of those vulnerabilities gets reported privately to the vendor, who then has 90 days to patch before any details become public. (Source: BleepingComputer)
DEVCORE took the Master of Pwn title with 50.5 points and $505,000. The standout moment was Orange Tsai’s $200,000 payday for chaining three bugs to achieve remote code execution with system privileges on Microsoft Exchange.
The whole point of Pwn2Own is easy to lose in the headline numbers: this is organised, paid, responsible disclosure. Every bug found here is a bug that gets patched rather than sold to the highest bidder on the dark web. It is, in the most literal sense, hackers making the world safer. High five to the white hats!
Right, enjoy your Tuesday. We’ll be back in your inbox tomorrow morning. See you then.


