Blog | May 19, 2026 | 5 MIN READ

What the Verizon 2026 DBIR says about bots, APIs, and the AI threat surge

Jeff Harrell

Director of product marketing

The Verizon 2026 Data Breach Investigations Report (DBIR) lands with some numbers that are hard to sit with if you’re in the business of defending web applications, APIs, and data. AI-driven bot traffic is growing at a pace most organizations aren’t equipped to handle. Web application attacks still succeed often, and for the same reasons they always have. And agentic AI is opening an attack surface that most security programs haven’t yet fully addressed. Cequence is once again honored to be the only API security and bot management vendor to have contributed to the 2023, 2024, 2025, and 2026 Verizon DBIR.

Bots are eating the internet

About 15% of all non-malicious bot traffic in Q3 2025 came from AI bots – crawlers and fetchers built to vacuum up training data or serve real-time requests from AI assistants. This category of bot didn’t exist four years ago, but it accounts for roughly one-quarter of the volume of traditional search engine crawlers.

AI crawler and fetcher traffic grew 21% month over month between May and December 2025. Crawler traffic alone grew 32% MoM. Human-led traffic grew 0.3%.

The distribution isn’t even. Online Gambling saw 133% month-over-month growth in AI bot traffic – almost certainly automated systems pulling odds, player stats, and other high-value, rapidly changing data. Digital Media Publishing and Retail followed at 45-48%. Both are industries where what you publish has direct commercial value and attribution actually matters.

“Accounting for increased resource usage in this evolving landscape is the bare minimum, and bot management solutions would be required for more fine-grained control, especially if your content is proprietary and monetizable.”
— Verizon 2026 DBIR

The report puts it plainly: handling extra resource consumption is the bare minimum. Organizations with proprietary content need bot management that distinguishes between bot types based on what the bot is trying to do and enforces policies as needed. Blanket blocking isn’t viable. What matters is knowing what each bot is actually doing.

Web application attacks: persistent, effective, financially motivated

Basic Web Application Attacks accounted for 3,217 incidents in the 2026 dataset, 2,281 of which resulted in confirmed data disclosure. Stolen credentials drove most of them – a pattern so consistent across DBIR editions that it feels almost tedious to repeat.

What’s changed: exploitation of unpatched vulnerabilities climbed, tied to high-impact cases where software flaws sat unaddressed in organizational or partner infrastructure. Password dumping appeared in the top action varieties for the first time. The technique involves extracting credential hashes or plaintext passwords from system memory, registries, or authentication databases. Brute force remained the reliable fallback when purchased credentials aren’t an option.

Vulnerability exploitation is now the most common entry vector at 31% of the dataset. Credential abuse dropped to 13%. Both trends reflect attacker adaptation, but they also reflect a remediation situation that’s getting worse – only 26% of critical vulnerabilities in the CISA KEV (Known Exploited Vulnerabilities) catalog were fully remediated in 2025, down from 38% the year before, with median resolution time up to 43 days. APIs and internet-exposed web applications are where unpatched flaws and stolen credentials meet.

The agentic AI risk is already here

Most security programs haven’t operationalized any specific security response to agentic AI. Agentic systems act on behalf of users or other AI models, retrieving data, executing tasks, chaining actions across tools and APIs with minimal human oversight. The report flags service and machine accounts as the most likely entry points in this environment. These are the accounts agents actually use. They carry elevated permissions, they rarely trigger MFA, and they’re routinely over-provisioned because enforcing least privilege across complex cloud environments takes time that security teams don’t have.

The credential exposure data sits directly behind this. Third-party cloud environments took nearly eight months on average to resolve weak password and excessive permission misconfigurations, and only 31% reached full remediation. A compromised service account used by an AI agent isn’t a single-user breach – it’s an autonomous actor with persistent access and a wide blast radius.

Shadow AI adds to this. Employee AI use on corporate devices jumped from 15% to 45% of the workforce in a single year. Two-thirds of those users accessed AI platforms through personal accounts with no enterprise governance in place. The most common data type submitted to unauthorized external AI models was source code. Research and technical documentation appeared in 3.2% of DLP violations. The governance infrastructure for what agentic workflows access and transmit hasn’t been built yet at most companies.

The report also notes that more than 15% of corporate users have unauthorized AI browser extensions installed – tools built to capture browsing context for model input. That means internal sites, authenticated sessions, and non-public data are feeding third-party models with no visibility from security teams. When agents start operating in those same browser environments, it opens a greenfield for exposure.

What to do about it

The vulnerability and remediation data makes continuous patching and MFA enforcement non-negotiable for internet-exposed application attack surfaces. Organizations need a bot management solution that handles AI-native traffic patterns, including controls that support content governance and attribution. And agentic AI security can’t stay aspirational; the credential hygiene, least-privilege enforcement, and service account controls that matter here are the same fundamentals the DBIR has been flagging for years. The difference is what happens when an autonomous agent operating at machine speed, rather than a single human user, is the one who gets in.

Author

Jeff Harrell is the director of product marketing at Cequence and has over 20 years of experience in the cybersecurity field. He previously held roles at McAfee, PGP, Qualys, and nCircle, and co-founded the company that created the first commercial ad blocker.
