Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here.

All the reports and research below were published between May 18th - May 24th.

You can get the below into your inbox every week if you want: https://www.cybersecstats.com/cybersecstatsnewsletter/

Big Picture Reports

2026 Data Breach Investigations Report (Verizon)

Verizon's flagship DBIR, now in its 19th year, pulls together data from 31,000 real-world security incidents across 145 countries, with more than 22,000 confirmed as data breaches.

Key stats:

• 31% of breaches start with software vulnerabilities.
• Only 26% of critical vulnerabilities were fully remediated by organizations in 2025, down from 38% the previous year.
• The median time to full resolution increased to 43 days, almost 2 weeks longer than the previous year’s 32 days.

Read the full report here.

The Hidden Costs of Downtime (Splunk)

What does downtime cost Global 2000 companies? The answer is quite shocking ($15k a minute).

Key stats:

• Aggregate unplanned downtime costs for Global 2000 companies total $600 billion annually, representing a 50% increase in two years.
• The average cost of downtime for organizations is $15,000 per minute.
• Downtime costs an organization $95 million in lost revenue annually, nearly double the 2024 level.

Read the full report here.

The State of Patch Management Report 2026 (Adaptiva)

How does your patch management program compare to your peers? Find out in this report on patch management trends, challenges, and opportunities based on a survey of 200+ IT and security professionals.

Key stats:

• Since 2023, the share of organizations deploying patches within six days has nearly quadrupled, rising from 15% to 59%.
• More than 60% of organizations rely on manual processes in at least part of the patch lifecycle.
• Only 8% of organizations report fully autonomous patching today, but 90% plan to expand automation in the next 12 months.

Read the full report here.

2026 State of Tech Talent Report (The Linux Foundation)

What's holding back AI adoption? Is it you, security person? If so, maybe keep holding.

Key stats:

• 48% of organizations report security concerns as the top barrier to AI adoption, up from 17% in 2024.
• 57% of organizations report a significant capacity gap in AI security and risk management.
• 40% of organizations report being understaffed in cybersecurity and compliance.

Read the full report here.

Cyber Threat Intelligence Report 2026 (Bridewell)

A really good report that covers a lot of ground, from how attackers are adapting their infrastructure, to identity-led compromise, infostealers, fragmenting ransomware, evolving social engineering, abuse of trusted platforms, AI-amplified capability, and emerging 2026 risks like edge exploitation and state-aligned cybercrime.

Key stats:

• In 2025, 27.89% of all adversary infrastructure tracked was hosted in the US, an increase from 23.63% in 2024.
• Cobalt Strike accounted for 38.4% of all OST output, maintaining its position as the primary adversary framework.
• Across 2025, 7,918 victim postings were observed on ransomware group data-leak sites across 129 distinct threat actors.

Read the full report here.

Supply Chain Security

2026 Supply Chain Vulnerability Report (Black Kite)

Over 48,000 CVEs were published last year.

Key stats:

• Of the 48,000+ CVEs published in 2025, only 58 represented a genuine, discoverable, and exploitable threat to enterprise supply chains.
• Attackers exploited vulnerabilities an average of seven days before public disclosure in 2025.
• 2,130 AI-related vulnerabilities were reported in 2025, a more than 200% increase since 2023.

Read the full report here.

2026 Software Supply Chain Security State of the Union (JFrog)

Where software supply chain security is improving and where it is…not improving.

Key stats:

• Malicious npm packages surged 451% year-over-year.
• 97% of organizations claim they have certified model governance.
• 53% of organizations self-host models from sources where malicious payloads have been detected.

Read the full report here.

Mobile Application Security

2026 Application Security Threat Report (Digital.ai)

App attacks have been climbing for five years straight, and two sectors are taking the worst of it.

Key stats:

• Mobile application attack rates climbed 58% between 2022 and 2026, rising from 55% to 87%.
• Financial services applications faced a 91% attack rate in 2026, the highest recorded for any vertical.
• Automotive applications faced a 91% attack rate in 2026.

Read the full report here.

AI Security

From Agentic Risk to Human Win: Building a Culture of Security in the Era of Agentic AI (KnowBe4)

Long-time readers (and security practitioners) already know that AI agents are doing real things in workflows, but too many organizations have no real handle on their AI use.

Key stats:

• 58% of cybersecurity leaders report that AI agents are already taking actions within organizational workflows.
• 52% of organizations report their use of AI is unapproved or ungoverned.
• Only 19% of cybersecurity leaders report that their organizations have an integrated and culture-embedded approach in place to manage human-related cybersecurity risk.

Read the full report here.

Enterprise AI Provisioned. So Why Is the Work in Personal Accounts? (Harmonic Security)

Turns out employees are doing a lot of their AI work for the business on personal accounts the company has no visibility into.

Key stats:

• 64.5% of activity on personal and free-tier AI accounts is business use rather than personal use.
• 45.6% of employees' personal AI activity flows through enterprise tools their company is paying for.
• 74.6% of all AI use at work has a clear business purpose.

Read the full report here.