The Verizon 2026 Data Breach Investigations Report (DBIR), published Tuesday, revealed that vulnerability exploitation is now the top initial access vector for breaches, while organizations struggle to catch up with a growing volume of critical vulnerabilities.Exploitation of vulnerabilities now makes up 31% of initial access vectors, a 20% increase from last year’s numbers. Vulnerabilities exceeded credential abuse and phishing for the first time during the DBIR 2026 data period between Nov. 1, 2024, and Oct. 31, 2025, with a total of more than 22,000 data breaches and 31,000 total incidents from that period analyzed for the report.Phishing was the initial access vector for 16% of breaches throughout the report period and credential abuse granted access in 13% of breaches. At the same time that vulnerability exploitation rose to the top of the list, remediation of vulnerabilities from the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog fell from 38% of vulnerabilities fully remediated last year to just 26% in this year’s report.While 56% of the KEV vulnerabilities were at least partially remediated, the volume of completely unremediated flaws rose from 12% to 16% year-over-year. Additionally, the median time from detection to full remediation increased from 32 days to 43 days.“That gap is not just a patching problem. It’s a visibility and prioritization problem. Security teams are being asked to fix more critical issues, but they still need to know which ones actually create a path to compromise,” Jon Baker, vice president of threat-informed defense at AttackIQ, told SC Media in an email.The 2026 DBIR noted that organizations aren’t just getting worse at patching in general, but are facing an unprecedented volume of vulnerabilities they need to address, said Baker. Verizon recorded about 68.7 million vulnerability instances in 2022 and by contrast recorded 527.3 million in 2025 — a nearly eight-fold increase. This is despite the number of organizations included in the dataset seeing literal variation over time.“The picture it paints is that of a treadmill picking up speed,” the report authors wrote.Patrick Münch, chief security officer at Mondoo, told SC Media that another part of the problem is that adoption of automated vulnerability remediation is not catching up to the increasing pace of vulnerability disclosures and exploitation — which is only likely to increase due to advancements in AI technology.Mondoo’s 2025 State of Vulnerability Remediation Report, published in October 2025, found that 62% of security teams still used manual methods for remediation, while only 2% used fully automated methods. Just 9% of respondents reported feeling confident that important vulnerabilities could be remediated on time.“Verizon found that 60-70% of CISA KEV issues remain open a week after detection, regardless of team maturity. You don’t close that gap with another scanner. You close it with transparent agentic AI: humans in the loop on decisions, AI automation on remediation and mitigation execution, and a clear audit trail from identifying the issue to verifying it’s fixed,” Münch wrote in an email.
Threat Management, Threat Intelligence
Verizon DBIR 2026: Vulnerability exploits top initial access as patching coverage falls

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



