Wednesday, May 20, 2026

Verizon DBIR 2026: Exploits Now the No. 1 Breach Threat

Something shifted in the cyber threat world last year, and Verizon just proved it with hard numbers. For the first time in 19 years, hackers are breaking into organizations more often through unpatched software flaws than through stolen passwords. The 2026 Data Breach Investigations Report is out, and the story it tells should alarm every security team still running behind on patches.

Vulnerability Exploitation Finally Tops the Charts

For the first time in the DBIR’s 19-year history, exploiting software vulnerabilities has surpassed stolen credentials as the leading way attackers get into organizations. That is not a small shift. It is a fundamental change in how cybercriminals choose to operate.

The numbers are stark. Vulnerability exploitation accounted for 31% of all confirmed breaches, up sharply from 20% the year before. Credential abuse, which held the top spot in last year’s report, dropped to just 13%. Hackers are moving from tricking people to breaking systems.

The scale of this year’s report makes the findings even harder to ignore. Verizon analyzed more than 31,000 security incidents and over 22,000 confirmed breaches spanning 145 countries, covering the period from November 2024 through October 2025. That figure of 22,000 confirmed breaches is nearly double the 12,195 reported in the previous year’s dataset.


The Patching Crisis Is Getting Worse, Not Better

What makes this surge in exploitation so troubling is the matching collapse in patching performance. Organizations are not just slow. They are getting slower while the workload keeps growing.

Here is what the data shows about how organizations handled critical vulnerabilities last year:

  • Only 26% of CISA Known Exploited Vulnerabilities (KEV) were fully patched, down from 38% in 2024
  • 58% of critical flaws were only partially remediated
  • 16% were left completely unaddressed
  • Median time to patch jumped from 32 days to 43 days, a 34% increase
  • Organizations had 50% more critical vulnerabilities to fix than the year before

The previous year’s DBIR had actually shown real improvement in patching rates. That progress has now reversed in a significant way.

Part of the problem is sheer volume. The CVE program now lists more than 351,000 registered vulnerabilities, with over 21,500 already reserved just in 2026. Even the strongest security teams can only patch 30% to 40% of actively exploited bugs within the first week after detection. Qualys, which contributed over one billion anonymized vulnerability remediation records to this year’s report, described the situation plainly: defenders are running harder than ever and still falling behind.

AI-assisted bug hunting is making things worse on the discovery side. The total volume of vulnerability detections jumped from 68.7 million records in 2022 to 527.3 million in 2025. That is nearly eight times the volume in just three years, and security teams are expected to sort, prioritize, and act on all of it.

AI Is Turbocharging Attackers at Every Step

One of the most alarming findings in this year’s report is how deeply threat actors have embedded AI into their attack workflows. This is no longer a future risk. It is happening now, and the numbers confirm it.

The median threat actor researched or used AI assistance across 15 different documented attack techniques. Some actors used it across as many as 40 to 50 techniques. AI is being applied at the targeting stage, during initial access, and in developing malware and custom tools for attacks.

AI is also shrinking the time attackers need to strike after a vulnerability becomes public. That window, which used to be measured in months, has been compressed to mere hours in some cases. Defenders who relied on having days or weeks to push out patches are now racing against a clock they cannot see.

“While the velocity of cyber threats, driven by AI and faster vulnerability exploitation, is increasing, the foundational principles of security and strong risk management remain the most effective defense.” — Daniel Lawson, SVP Global Solutions, Verizon Business

Shadow AI is creating a second problem inside organizations. Employee use of AI tools on corporate devices tripled in a single year, jumping from 15% to 45% of the workforce. Two-thirds of those users are accessing AI platforms through personal accounts with no enterprise oversight in place. The most common data being fed into unauthorized AI tools is source code, which creates serious data leakage exposure that many companies have not yet addressed.

Ransomware and Supply Chain Risks Hit New Highs

Vulnerability exploitation is leading the headlines, but it is not the only threat growing at a dangerous pace. Two other trends from this year’s DBIR deserve serious attention from security leaders.

Ransomware was present in 48% of confirmed breaches last year, up from 44% the year before. The good news is that organizations are getting better at refusing to pay. Only 31% of ransomware victims paid, and the median ransom payment fell below $140,000. That resistance is important, but the volume of ransomware incidents still represents a massive operational burden for affected businesses.

Supply chain risk is the other escalating concern. Third-party involvement in breaches jumped 60% year over year and now accounts for 48% of all confirmed breaches. Nearly half of the breaches examined in this report involved some degree of third-party exposure. Mobile-based social engineering is also climbing, with attackers now achieving a success rate 40% higher through fake texts and voice calls than through traditional email phishing.

What Security Teams Must Do Right Now

The DBIR does not just document the problem. It offers clear, practical direction for organizations trying to get ahead of an overwhelming vulnerability backlog.

The core recommendation is patch prioritization based on active exploitation, not just severity scores or age of the vulnerability. Not all critical flaws carry equal risk in a given environment, and treating them all the same is what gets organizations buried.

Verizon’s data shows a useful exploitation decay curve that security teams can use to make better patching decisions:

  • The probability of a vulnerability being re-exploited drops significantly after 30 days of no activity
  • It drops again at the 90-day mark
  • It drops further after around nine months
  • After a full year with no exploitation, the risk is roughly the same as if the vulnerability had never been exploited at all

This means teams should chase the hot list, not the long list. Active exploitation in the wild should always come first, regardless of how old the vulnerability is.

Security experts also recommend shifting vulnerability detection earlier in the development cycle rather than waiting for flaws to reach production environments. For vulnerabilities already in the wild, tools like CISA’s KEV catalog and the Exploit Prediction Scoring System (EPSS) provide data-driven ways to rank what needs immediate attention. Automated remediation tools are increasingly seen as necessary to close the speed gap that human-driven patching processes cannot bridge on their own.
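To make the prioritization guidance above concrete, here is an added example (not code from Verizon, the DBIR, or any vendor) of a small backlog scorer that ranks vulnerabilities by evidence of active exploitation, namely KEV listing, EPSS score and recency of observed exploitation, ahead of raw CVSS severity. The decay thresholds (30 days, 90 days, about nine months, one year) follow the curve described in the report; the numeric weights, the step values and every sample record are constructed assumptions, and the CVE identifiers are placeholders rather than real entries.

```python
# Added example, not code from Verizon or the DBIR: rank a vulnerability
# backlog "hot list first" using active-exploitation evidence ahead of CVSS.
# Decay thresholds mirror the report's curve; weights and step values are
# constructed assumptions, and the sample records use placeholder identifiers.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Vuln:
    cve: str                        # identifier (placeholders below, not real CVEs)
    cvss: float                     # base severity, 0-10
    in_kev: bool                    # listed in CISA's KEV catalog
    epss: float                     # EPSS probability of exploitation, 0-1
    last_exploited: Optional[date]  # most recent observed in-the-wild use, None if never
    exposed: bool                   # reachable by attackers, e.g. internet-facing


def decay_factor(days_since: Optional[int]) -> float:
    """Weight for how 'hot' a vulnerability still is, following the DBIR decay
    curve. Step values are assumptions; only the thresholds come from the report."""
    if days_since is None:
        return 0.0            # never observed exploited
    days_since = max(days_since, 0)
    if days_since <= 30:
        return 1.0
    if days_since <= 90:
        return 0.6
    if days_since <= 270:     # roughly nine months
        return 0.35
    if days_since <= 365:
        return 0.15
    return 0.0                # a year of silence: treat as never exploited


def priority_score(v: Vuln, today: date) -> float:
    """Higher means patch sooner. Active exploitation dominates; CVSS only breaks ties."""
    days = (today - v.last_exploited).days if v.last_exploited else None
    decay = decay_factor(days)
    score = 0.0
    if v.in_kev:
        # KEV membership always counts; recent activity amplifies it
        score += 40.0 * max(decay, 0.25)
    score += 30.0 * v.epss
    score += 20.0 * decay
    score += 10.0 * (v.cvss / 10.0)
    if not v.exposed:
        score *= 0.5          # unreachable assets can wait a little longer
    return round(score, 2)


def prioritize(vulns, today: date):
    """Return the backlog sorted hot list first."""
    return sorted(vulns, key=lambda v: priority_score(v, today), reverse=True)


# Constructed sample backlog (placeholder identifiers, not real CVEs).
TODAY = date(2026, 5, 20)
SAMPLE_BACKLOG = [
    Vuln("CVE-EXAMPLE-0001", 9.8, True, 0.92, date(2026, 5, 15), True),  # actively exploited
    Vuln("CVE-EXAMPLE-0002", 10.0, False, 0.02, None, True),             # critical, never exploited
    Vuln("CVE-EXAMPLE-0003", 7.5, True, 0.10, date(2025, 4, 1), True),   # KEV, quiet for over a year
    Vuln("CVE-EXAMPLE-0004", 6.5, True, 0.50, date(2026, 4, 5), False),  # medium, active, internal only
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE_BACKLOG, TODAY):
        print(f"{v.cve}: {priority_score(v, TODAY):6.2f}  "
              f"cvss={v.cvss} kev={v.in_kev} epss={v.epss}")
```

Run as written, the sample backlog comes out with the actively exploited KEV entry first, the internal-only but recently exploited medium second, the stale KEV entry third, and the never-exploited CVSS 10.0 last, which is the point of the report's advice: age and severity alone do not decide the order, observed exploitation does. In practice the `in_kev`, `epss` and `last_exploited` fields would be populated from the KEV catalog, the EPSS feed and your own telemetry or threat intelligence rather than typed in by hand.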

The 2026 DBIR makes one thing clear above all else: the volume of threats is growing faster than any team can manually handle. Organizations that cling to old patching timelines, ignore third-party risk, and allow unchecked shadow AI in their environments are running out of time to catch up. The good news is that the fundamentals (disciplined patch management, clear asset visibility, and practiced response plans) still work. They just need to be applied with more urgency and smarter automation than most teams are currently using. That urgency is not optional anymore. The data has made that unmistakably clear.

What do you think about the state of enterprise patch management in 2026? Drop your thoughts in the comments below and share this story with your security teams using #DBIR2026 on X and LinkedIn.

Santosh Smith
Santosh is a skilled sports content writer and journalist with a passion for athletics. With expertise in various sports such as football, basketball, and soccer, he provides his readers with accurate, compelling, and tailored content. His knowledge and research skills make him an expert in providing in-depth analysis and valuable insights on the latest sports news and events.
