I don't think these kinds of surveys are (1) accurate or (2) particularly useful, but the gold standard for this kind of stuff is the Verizon DBIR:<p><a href="https://enterprise.verizon.com/resources/reports/dbir/" rel="nofollow">https://enterprise.verizon.com/resources/reports/dbir/</a>
<a href="https://www.reddit.com/r/securitybreach/" rel="nofollow">https://www.reddit.com/r/securitybreach/</a><p>Sub-reddit for cataloging breaches with detail relevant to defenders.
The article notes that the number of "AI/ML hacking tools" has grown -- is there documented use of malicious actors using AI as part of campaigns? I've seen researchers publish tools that would likely fall into this space, but I'm curious if there's any known usage of these or other tools for malicious ends.