BusinessIndustry Guide12 min readPublished July 5, 2026

31% vulnerability-exploitation entry · $4.44M average breach bill · every stat named + dated

Cybersecurity Statistics 2026: Breach and Cost Data

The two most-cited security annuals — Verizon’s 2026 DBIR and IBM’s Cost of a Data Breach Report — reconciled into one page. Every figure carries a named source and a publication date, the edition years are checked (one of them is not what most roundups claim), and the statistics that failed verification get their own table instead of a quiet deletion.

DA
Digital Applied Team
Senior strategists · Published Jul 5, 2026
PublishedJuly 5, 2026
Read time12 min
Sources8+ named & dated
Top breach entry vector
31%
vulnerability exploitation · DBIR 2026
first in 19 yrs
Global avg breach cost
$4.44M
IBM 2025 edition · first drop in 5 yrs
−9% vs prior
US avg breach cost
$10.22M
record high · 2.3x global average
record
Orgs with an AI breach
13%
97% of those lacked AI access controls

Cybersecurity statistics for 2026 come with a sourcing problem the SERP never discloses: the two reports everyone cites were published fourteen months apart, cover different windows, and one of them is routinely relabeled with a year it does not carry. This page fixes that. Every figure below names its source, its publication date, and its data-collection window — and the numbers that failed our verification are printed in their own table, with the reasons we refused them.

The headline data is genuinely new. Verizon’s 2026 Data Breach Investigations Report, published May 19, 2026, recorded vulnerability exploitation overtaking stolen credentials as the number-one breach entry point for the first time in the report’s 19-year history. IBM’s latest Cost of a Data Breach Report — explicitly titled the 2025 edition, because no 2026 edition exists as of this writing — measured the first global breach-cost decline in five years, even as the US average hit a record $10.22 million.

This guide reconciles the two annuals into a single spine: how attackers get in (the DBIR’s mechanics data), what it costs once they are in (IBM’s economics data), the AI-related-incident cut that neither report existed to measure two years ago, a verified-versus-recycled trust table, and the zombie statistics we traced back to their original publication dates. Strictly defensive, strictly statistics.

Key takeaways
  1. 01
    The breach entry vector flipped for the first time in 19 years.Vulnerability exploitation now starts 31% of breaches, overtaking stolen credentials (down to 13%) as the top initial-access vector in Verizon’s 2026 DBIR — published May 19, 2026, covering incidents from November 2024 through October 2025.
  2. 02
    Breach costs fell globally — and hit a record in the US.IBM’s Cost of a Data Breach Report 2025 (the current edition — there is no 2026 edition) put the global average at $4.44M, down 9% from $4.88M and the first decline in five years, while the US average rose to a record $10.22M — 2.3x the global figure.
  3. 03
    The AI governance gap is now a measured statistic.13% of organizations reported a breach of an AI model or application, 97% of those lacked proper AI access controls, and 63% lack AI governance policies entirely or are still developing them — all from IBM’s 2025 edition.
  4. 04
    Defenders are losing the patching race.Median time-to-patch rose to 43 days from 32 — a 34% deterioration — and only 26% of vulnerabilities on CISA’s Known Exploited Vulnerabilities catalogue were fully remediated during the DBIR 2026 window, down from 38%.
  5. 05
    The most-quoted cybersecurity stats fail a simple date check.“$10.5 trillion by 2025” is a 2016-vintage projection its own publisher has superseded, and “95% human error” traces to a 2014 index. The DBIR 2026’s actual human-element figure is 62% — the trust table below carries the receipts.

01The Two AnnualsTwo reports, two windows, one edition check.

Nearly every credible number in the “cybersecurity statistics” genre descends from two annuals. Verizon’s Data Breach Investigations Report measures breach mechanics — how attackers actually get in — from one of the largest incident datasets published anywhere: the 2026 edition analyzed more than 31,000 security incidents and 22,000+ confirmed data breaches across 145 countries, nearly double the prior edition’s 12,195 confirmed breaches. IBM’s Cost of a Data Breach Report, conducted by Ponemon Institute across 600 organizations, measures breach economics — what the intrusion costs once it has happened. The two are rarely read together, which is the gap this page closes.

The dates matter more than the titles. The 2026 DBIR’s incident data covers November 1, 2024 through October 31, 2025 — the title year never matches the collection window, a pattern every DBIR edition follows and one that routinely trips up sites labeling it “2026 data.” IBM’s situation is stranger: its most recent report is explicitly titled “Cost of a Data Breach Report 2025,” was published July 30, 2025, and remains the latest edition as of this post’s July 2026 publication. Any page citing “IBM’s 2026 breach-cost report” is citing a report that does not exist.

Mechanics
Verizon 2026 DBIR
Published May 19, 2026 · incidents Nov 1, 2024 – Oct 31, 2025

31,000+ incidents and 22,000+ confirmed breaches across 145 countries — nearly double the prior edition’s 12,195. The definitive dataset on how breaches start: entry vectors, ransomware, third parties, the human element.

Current edition as of Jul 2026
Economics
IBM Cost of a Data Breach 2025
Published July 30, 2025 · breaches Mar 2024 – Feb 2025

Conducted by Ponemon Institute across 600 organizations globally. The benchmark for what a breach costs — by country, industry, detection path, and now AI exposure. Still the latest edition: IBM has not released a 2026 report.

No 2026 edition exists
The load-bearing edition check
There is no 2026 edition of IBM’s Cost of a Data Breach Report as of this post’s July 5, 2026 publish date. Every “$4.44M” and “$10.22M” figure circulating in 2026 roundups comes from the report IBM itself titles “Cost of a Data Breach Report 2025,” published July 30, 2025, covering breaches from March 2024 through February 2025. IBM has historically published in mid-year, so a next edition is plausibly due later in 2026 — but no date has been announced. Cite the 2025 edition by name, or don’t cite it at all.

02Breach AnatomyHow attackers get in: the entry-vector flip.

The single most significant finding in the 2026 DBIR is a changing-of-the-guard statistic: vulnerability exploitation now starts 31% of breaches, overtaking stolen credentials as the top initial-access vector for the first time in the report’s 19-year history. Credential abuse fell to 13% — meaning unpatched software now opens well over twice as many doors as stolen passwords. For a decade, the defensive consensus was “credentials are the crown jewels.” The current data says the crown jewels are your patch queue.

The patching side of that equation is deteriorating. The DBIR’s analysis puts it plainly: “Our new median time is 43 days, almost two weeks longer than last year’s 32 days” — a 34% increase in median time-to-patch, as reported in SecurityWeek’s coverage of the report. Worse, only 26% of vulnerabilities on CISA’s Known Exploited Vulnerabilities catalogue — the list of flaws confirmed to be under active attack — were fully remediated during the reporting window, down from 38% the prior year. Attackers are speeding up while remediation slows down; the report’s own language warns that “the rapid weaponization of known vulnerabilities by AI can create a capacity crisis for security teams.”

The supply chain amplifies everything. Third-party involvement appeared in 48% of breaches — a 60% year-over-year jump. And follow-through is poor even after problems are found: only 23% of third-party organizations fully remediated missing or improperly secured MFA after being flagged. Nearly half of the breach problem now lives in vendors, partners, and platforms a security team does not directly control.

Share of confirmed breaches · DBIR 2026

Source: Verizon 2026 DBIR (published May 19, 2026), as reported by Verizon, SecurityWeek, and Help Net Security
All confirmed breaches22,000+ analyzed · DBIR 2026
100%
Human element presentup slightly from 60% the prior year
62%
Ransomware presentup from 44% the prior year
48%
Third-party involvementa 60% year-over-year jump
48%
Vulnerability exploitation entry#1 entry vector — first time in 19 years
31%
Credential abuse entryfell from the top spot it held for years
13%

The ransomware numbers show a market that is maturing on the defender side even as attack volume grows. Ransomware was present in 48% of confirmed breaches, up from 44% — in the report’s own words, “Ransomware grew again to 48% of all breaches, up from 44% from the previous year.” But the economics are shifting: the median ransom payment stayed below $140,000, and only about 31% of victims paid at all — meaning 69% refused. The DBIR also draws a direct causal line worth internalizing: 50% of ransomware victims had a credential-theft or infostealer event within the 95 days before the ransomware hit. Ransomware is rarely the first compromise; it is the monetization step of an intrusion that started weeks earlier.

Two human-side numbers round out the anatomy. The human element was present in 62% of breaches — up slightly from 60%, and a figure worth holding onto for Section 06, where it retires a much-recycled “95%” claim. And mobile social engineering succeeds 40% more often than equivalent email-based phishing, per SecurityWeek’s coverage — the attack surface has followed attention onto the phone, the same shift documented in our coverage of AI-driven email-compromise attacks.

“While the velocity of cyber threats—driven by AI and faster vulnerability exploitation—is increasing, the foundational principles of security and strong risk management remain the most effective defense.”— Daniel Lawson, SVP Global Solutions, Verizon Business, May 19, 2026

03Breach EconomicsWhat a breach costs, per the 2025 edition.

Edition disclosure first, numbers second: everything in this section comes from IBM’s Cost of a Data Breach Report 2025 — published July 30, 2025, conducted by Ponemon Institute across 600 organizations, covering breaches from March 2024 through February 2025, and still the latest edition as of this post’s July 2026 publication. With that stated plainly, the headline is a genuine inflection: the global average breach cost fell to $4.44 million, down 9% from $4.88 million — the first year-over-year decline in five years.

The decline was not evenly distributed. The US average moved the opposite direction, hitting $10.22 million — a record high and 2.3x the global average. And the cost drop arrived in the same edition as a speed record: the global breach lifecycle — time to identify plus time to contain — averaged 241 days, a nine-year low, split roughly 181 days to identify and 60 days to contain. Faster containment and cheaper breaches moving together is the pattern the report’s framing emphasizes; the expensive part of a breach is the months nobody knows it is happening.

Global average
First decline in five years
$4.44M

Down 9% from $4.88M in the prior edition. The first global year-over-year breach-cost drop since the 2020-era editions — arriving alongside the fastest identify-and-contain times in nine years.

IBM 2025 edition
US average
Record high, against the trend
$10.22M

2.3x the global average, and a record for any country in the study — the US got more expensive while the world got cheaper. Regulatory exposure and notification obligations concentrate here.

2.3x global
Breach lifecycle
Nine-year low
241days

Roughly 181 days to identify plus 60 days to contain. Healthcare — the costliest industry for the 15th consecutive year at $7.42M — took 279 days, about five weeks longer than the global average.

181 identify + 60 contain

Two cost levers stand out in coverage of the report, both worth a sourcing note: they are corroborated via secondary coverage of the IBM 2025 report rather than a directly linkable primary page, so treat them as IBM-attributed and directional. First, organizations making extensive use of security AI and automation shortened their breach lifecycle by roughly a further 80 days on average. Second, organizations that detected the breach themselves — rather than being told by the attacker or a third party — saved on the order of $900,000 per breach. Detection capability, not response heroics, is where the money is.

The most uncomfortable number in the edition is about what happens after: only 49% of breached organizations planned to increase security investment following their breach, down from 63% in the prior edition. Read against a record US cost figure, that is a measurable signal of breach fatigue — organizations absorbing eight-figure incidents without changing the budget line that produced them. Healthcare illustrates the compounding risk: costliest sector for the 15th consecutive year at $7.42 million average (down from $9.77 million), with the longest identify-and-contain cycle at 279 days.

04The AI-Incident CutAI adoption is outrunning AI governance.

For the first time, both annuals carry a measurable AI-incident cut — and the numbers describe the same gap from two directions. On the economics side, IBM’s 2025 edition found that 13% of organizations reported a breach of an AI model or AI application, with another 8% unsure whether AI was the compromise vector. Of the organizations that suffered an AI-related breach, 97% lacked proper AI access controls. The downstream damage was concrete: 60% of AI-related incidents resulted in data compromise, and 31% caused operational disruption. We covered the agentic-systems slice of this same finding in our AI agent breach-rate analysis.

The governance side is where the gap widens into a chasm: 63% of breached organizations either lack AI governance policies entirely or are still developing them, and among organizations that do have policies, only 34% perform regular audits for unsanctioned AI use. The cost premium is already measurable — breaches with a high level of shadow-AI involvement averaged $4.63 million, about $670,000 more than breaches without significant shadow-AI exposure, and shadow AI was implicated in roughly one in five breaches in the study, per analysis of the report cross-checked against IBM’s own release.

The AI adoption-vs-oversight gap · IBM 2025 edition

Source: IBM Cost of a Data Breach Report 2025 (published July 30, 2025), via IBM Newsroom — note each row’s denominator differs
Lacked AI access controlsshare of orgs that had an AI-related breach
97%
No or in-progress AI governance policyshare of breached organizations
63%
AI incidents causing data compromiseshare of AI-related security incidents
60%
Audit for unsanctioned AI useshare of orgs that do have AI policies
34%
AI incidents causing operational disruptionshare of AI-related security incidents
31%
Had an AI model or app breachedshare of all 600 organizations studied
13%
As stated — IBM Newsroom, July 30, 2025
“The data shows that a gap between AI adoption and oversight already exists, and threat actors are starting to exploit it.” — Suja Viswesan, VP of Security and Runtime Products, IBM, announcing the Cost of a Data Breach Report 2025. The quote predates this post by nearly a year — and the DBIR 2026 data below suggests the gap widened, not closed.

The DBIR’s employee-side data completes the picture — and here a precision note matters, because two different shadow-AI metrics circulate from the same report and are routinely merged into one false number. The first metric is adoption: 45% of employees are now regular users of unapproved “shadow AI” tools, up from roughly 15% the prior edition — a tripling of the user base. The second, separate metric is incidents: secondary coverage of the same report describes a fourfold increase in shadow-AI incidents as an insider-action category, now the third most common non-malicious insider action in the DBIR dataset. Adoption tripled; the incident count grew fourfold; they measure different things and should never be quoted as a single figure.

Visibility makes the problem structural: 67% of employees who use AI services at work do so on corporate devices but through non-corporate accounts — traffic security teams cannot see, let alone govern. And attackers are not waiting for governance to catch up. The DBIR found the median malicious actor used AI assistance across 15 distinct MITRE ATT&CK techniques during an attack chain, with extreme cases querying AI for 40 to 50 techniques — a co-developer across the full attack lifecycle. For a concrete, dated case study of what an AI-provider compromise looks like from the inside, see our analysis of the enterprise AI security incidents disclosed earlier this year.

The forward projection writes itself, with one caveat. IBM’s data window closed in February 2025 and the DBIR’s in October 2025 — which means neither annual has yet measured a full year of the 45%-adoption era it describes. If the access-control gap (97%) and the governance gap (63%) persist into the next editions, the 13% AI-breach rate is best read as a floor, not a peak. That is a projection, not a measurement — but it is the direction every number on this page points.

05Trust TableVerified vs recycled: the trust table.

This is the table we could not find on any competing “cybersecurity statistics 2026” page. Most roundups cite the same headline numbers with no publication date, no data window, and no edition year — which is how a 2016 projection and a 2014 measurement still headline pages a decade later. Every major statistic used in this post is listed below with its true source, its true edition, and its data-collection window, so you can cite any row — or check our work.

Verified versus recycled cybersecurity statistics trust table — each headline statistic commonly seen in 2026 roundups, its true source report with edition and publication date, its data-collection window, and a verdict: current primary, recycled-but-real, or zombie stat. Compiled July 2026.
StatisticTrue source + editionData windowVerdict
Current primary — cite freely, with the edition year attached
31% of breaches start with vulnerability exploitation — the #1 entry vector for the first time in 19 yearsVerizon 2026 DBIR, published May 19, 2026Incidents Nov 1, 2024 – Oct 31, 2025Current primary
Ransomware present in 48% of confirmed breaches, up from 44%Verizon 2026 DBIR, published May 19, 2026Incidents Nov 1, 2024 – Oct 31, 2025Current primary
48% of breaches involve a third party — up 60% year over yearVerizon 2026 DBIR, published May 19, 2026Incidents Nov 1, 2024 – Oct 31, 2025Current primary
$4.44M global average breach cost — first decline in five yearsIBM Cost of a Data Breach Report 2025 (the latest edition — no 2026 edition exists), published July 30, 2025Breaches Mar 2024 – Feb 2025, 600 organizationsCurrent primary — a 2025 edition
$10.22M US average breach cost — a record highIBM Cost of a Data Breach Report 2025, published July 30, 2025 (via IBM Newsroom)Breaches Mar 2024 – Feb 2025Current primary — a 2025 edition
13% of organizations had an AI model or application breached; 97% of those lacked proper AI access controlsIBM Cost of a Data Breach Report 2025, published July 30, 2025 (via IBM Newsroom)Breaches Mar 2024 – Feb 2025Current primary — a 2025 edition
Recycled-but-real — legitimate numbers wearing the wrong year
“IBM’s 2026 breach-cost data: $4.44M / $10.22M” as seen across 2026 roundupsThe figures are real — but they come from IBM’s report explicitly titled “Cost of a Data Breach Report 2025.” IBM has not released a 2026 edition as of this post’s July 2026 publication.Breaches Mar 2024 – Feb 2025Real numbers, wrong label — always disclose the edition
“2026 breach data” from the DBIR cited as calendar-2026 measurementsThe 2026 DBIR is the current edition, but its title year never matches its data window — a pattern every DBIR edition follows.Incidents Nov 1, 2024 – Oct 31, 2025Real numbers — date the window, not the title
Zombie — retired, with the origin receipt
“$10.5 trillion in global cybercrime costs by 2025”A 2016-vintage Cybersecurity Ventures projection (the original “Hackerpocalypse” report), reiterated annually. The firm’s own current forecast is $12.2 trillion by 2031, per its 2025 Official Cybercrime Report.Projected in 2016Zombie — superseded by its own publisher
“95% of cybersecurity breaches are caused by human error”Traces to IBM’s 2014 Cyber Security Intelligence Index, recirculated by the WEF’s 2022 Global Risks Report. The DBIR 2026’s current human-element figure is 62%.Measured circa 2014Zombie — 33 points off the current figure

The pattern the table exposes is specific to this genre: security statistics do not die, they get relabeled. A projection made in 2016 becomes “2026 data” by surviving long enough. A 2025-titled report becomes “IBM’s 2026 report” because the roundup was written in 2026. The fix costs one sentence per statistic — name the report, name the edition, name the window — and it is the entire editorial method of this page. If a security vendor, a conference deck, or a budget memo hands you a number without those three fields, the number is unverified by definition.

06Refused StatsStats we refused to publish.

Every statistics page silently omits numbers it does not trust. We think the omissions are the story. The three claims below rank on the first page of search results for cybersecurity statistics, and each one failed verification in a specific, checkable way — either the number is a decade old, its own publisher has superseded it, or it is a real figure wearing a fabricated year. If you have cited one of these, this is the section to bookmark.

Cybersecurity statistics refused during verification for this post — each claimed statistic, where it circulates, and the specific reason it failed verification: superseded projection, decade-old measurement, or real figures presented with a false edition year. Compiled July 2026.
Claimed statisticWhere it circulatesWhy we refused it
“$10.5 trillion in global cybercrime costs by 2025”Most competing “cybersecurity statistics 2026” pages, usually undatedIt is a 2016-vintage Cybersecurity Ventures projection, reiterated annually since. The firm’s own current, live forecast is $12.2 trillion by 2031 — a materially different, more recent number. We refuse to print a decade-old projection as current 2026 data.
“95% of breaches are caused by human error”Security-awareness marketing and stat roundups, often attributed to the WEFTraces to IBM’s 2014 Cyber Security Intelligence Index and was recirculated by the World Economic Forum’s 2022 Global Risks Report. The DBIR 2026’s actual human-element figure — measured against a dated, published methodology every year — is 62%, a full 33 percentage points lower.
“$10.22M US / $4.44M global breach cost — 2026 data”2026-dated aggregator posts citing the IBM figures without any edition disclosureThe numbers are real, but they come from IBM’s Cost of a Data Breach Report 2025, published July 30, 2025. Presenting them as freshly minted “2026 figures” without that context is exactly the mislabeling pattern this post exists to call out — so we only print them with the edition attached.

The “95% human error” retirement deserves the full receipt, because it is the most durable zombie in the genre. The figure traces to IBM’s 2014 Cyber Security Intelligence Index — a twelve-year-old measurement — and got a second life when the World Economic Forum’s 2022 Global Risks Report recirculated it. The current, annually re-measured equivalent is the DBIR’s human element figure: 62% in the 2026 edition, up slightly from 60%. That is still a majority — the human layer matters — but it is 33 percentage points below the recycled claim, and the gap changes the defensive conclusion: a 95% figure says train harder; a 62% figure alongside a 31% vulnerability-entry rate says patch faster.

07For DefendersWhat the data says defenders should prioritize.

Read together, the two annuals produce an unusually clear priority list — each move below is anchored to a specific measured gap, not a vendor pitch. The through-line: the 2026 breach problem is a discipline problem (patching, MFA follow-through, access controls) more than a tooling problem.

Patch pipeline
Work the KEV backlog first

Vulnerability exploitation is the #1 entry vector (31%), median time-to-patch slipped to 43 days, and only 26% of known-exploited vulnerabilities were fully remediated. CISA’s KEV catalogue is a free, prioritized target list — remediation rate against it is the single most defensible patching KPI.

Measure KEV remediation
Third parties
Enforce MFA upstream

48% of breaches involve a third party — up 60% in a year — and only 23% of flagged third parties fully fixed their MFA gaps. Contractual MFA requirements with verification beat questionnaire-based vendor assessments the data says go unactioned.

Verify, don’t survey
AI governance
Access controls before adoption

97% of AI-breached organizations lacked AI access controls, 63% lack governance policies, and only 34% of policy-holders audit for shadow AI — while 45% of employees already use unapproved tools. Inventory AI usage and gate model access the way you gate production databases.

Close the 97% gap
Detection
Find it yourself, faster

The 241-day average lifecycle is a nine-year low and costs fell with it; per coverage of the IBM 2025 report, internal detection saved on the order of $900K per breach versus attacker disclosure. Detection investment has the clearest measured payback in either report.

Fund internal detection

Defense is also a measurement discipline. The organizations that spot intrusions internally are the ones instrumenting their systems well enough to notice anomalies — the same telemetry foundations our analytics engagements build for marketing and product data, applied to a different threat model. And if the AI-governance rows above describe your organization — adoption running ahead of access controls — that inventory-and-controls work is the operational core of our AI transformation engagements: governance first, tooling second. For the adjacent fraud surfaces this post deliberately does not cover, our deepfake and fraud-detection statistics companion page applies the same named-and-dated sourcing standard, and the payment fraud and chargeback prevention playbook covers the transaction layer.

08ConclusionDate the stat, or drop the stat.

The verified picture, July 2026

Two current annuals, one edition check, and a page you can actually cite.

The verified 2026 picture rests on exactly two anchor sources. Verizon’s 2026 DBIR — published May 19, 2026, covering November 2024 through October 2025 — documents the mechanics: vulnerability exploitation at 31% overtaking credentials for the first time in 19 years, third parties in 48% of breaches, and a patching race defenders are currently losing. IBM’s Cost of a Data Breach Report 2025 — published July 30, 2025, covering March 2024 through February 2025 — documents the economics: $4.44 million global, a record $10.22 million in the US, and the first cost decline in five years.

The second finding is about the statistics themselves. The most-quoted numbers in this space fail a one-minute date check: a 2016 projection still headlining as “2025 data” after its own publisher moved on, a 2014 measurement still circulating at 33 points above the current figure, and a 2025-titled report routinely cited as a 2026 edition that does not exist. The editorial fix is cheap — every statistic gets a name, a date, and a window — and the trust table above is what it looks like applied.

Looking forward: both reports closed their windows before a full year of 45%-adoption shadow AI could register, which makes the AI-incident cut — 13% breached, 97% without access controls — the single most likely set of numbers to worsen in the next editions. IBM’s next edition is expected later in 2026; Verizon’s next DBIR next spring. When they land, the right first question is the one this page was built on: not “what is the number,” but “what window, what edition, what date.”

Govern AI before it governs your risk

97% of AI-breached orgs lacked access controls — the gap is governance.

Our team helps businesses build the measurement foundations, AI-governance controls, and data discipline that the breach statistics keep pointing at — grounded in named, dated sources rather than recycled headlines.

Free consultationExpert guidanceTailored solutions
What we work on

Governance & measurement engagements

  • Shadow-AI inventory and access-control frameworks
  • AI governance policies that survive an audit
  • Telemetry foundations that surface anomalies early
  • Vendor and third-party data-flow mapping
  • Board-ready reporting built on sourced, dated data
FAQ · Cybersecurity statistics

The questions we get every week.

No. As of this post’s July 5, 2026 publication, IBM’s most recent report is explicitly titled “Cost of a Data Breach Report 2025” — published July 30, 2025, conducted by Ponemon Institute across 600 organizations, covering breaches from March 2024 through February 2025. Every “$4.44M global” and “$10.22M US” figure circulating in 2026 roundups comes from that 2025 edition, and many pages silently relabel it as fresh 2026 data. IBM has historically published in mid-year, so a next edition is plausibly due later in 2026, but no date has been announced. Until it lands, the 2025 edition is the current benchmark — cite it by its actual name.
Related dispatches

Continue exploring security & AI data.