Vulnerability Exploitation Surges Ahead as Leading Breach Cause in New Verizon DBIR
May 25, 2026
Verizon’s Data Breach Investigations Report (DBIR) for 2026 has been released, and the single most interesting piece of information is the new prevalence of attackers leading with vulnerability exploitation. It has surged ahead as the #1 cause of initial breaches, not only supplanting credential abuse for the first time in the report’s history but shooting past it by a notable margin.
One’s suspicions might naturally turn to AI being the cause, especially with frontier models such as Mythos all over the news as of late. But the DBIR data set always lags by a little over a year, and the researchers instead see organizations simply being overwhelmed with more and more patching requirements over time.
Criminal actors increasingly turn to vulnerability exploitation
The DBIR does present some other upward ticks in certain threat types that are worth noting: ransomware has seen a small increase in activity despite a larger increase in victims entirely unwilling to pay, shadow IT (and shadow AI) is increasingly a problem in terms of data protection, and there is a big jump in “human element” failures involving third-party vendors and contractors leading to breaches, to name just a few of the more notable examples. But the headline item is vulnerability exploitation being responsible for the largest share of breaches at 31%, jumping past credential abuse, which now sits just behind phishing at 15%.
The research points to simple patching fatigue. The number of critical CISA KEV vulnerabilities requiring patching was up by 50% over the period, which ran from late 2024 to late 2025. Organizations reported patching only 26% of these fully, a drop from the prior period. This is in spite of KEV vulnerabilities generally being the ones that are first in line for patching.
This is the first time in 19 years of the DBIR that credential abuse has not been the leading initial breach cause; it has actually plummeted to the #3 spot, as phishing has taken a slight edge over it as well. While AI is likely not a significant factor in the data examined here, models like Mythos are poised to take full advantage of median patch times that, even after dropping, still sit at well over a month (43 days).
DBIR points to need for major changes in security and remediation processes
There have been numerous signals lately that vulnerability exploitation and remediation will soon need to be approached in very different ways. The DBIR comes at it from a somewhat different angle than the recent hype about AI, but the conclusion is the same: organizations simply cannot keep up with critical vulnerabilities, whether due to staffing or interoperability issues, and renewed focus needs to be put on certain areas of the security process.
One is the very beginning: security by design is more critical than ever in a world where it may become impossible to fully keep up with patching. It’s no longer an “it would be nice if you could work it in there” type of element, but an absolute necessity. Full and continuous visibility into environments and vendor processes can also no longer be thought of as a luxury.
There are two final important notes from the 2026 DBIR. The first is that while 26% of critical vulnerabilities went unpatched, respondents did say that 58% were at least partially remediated. That potentially points to legacy system and operational conflict issues still being a larger factor than staffing. The other is that this surge in vulnerability exploitation does not necessarily suggest a surge in state-backed threat actor activity, as 87% of these exploitations were linked to a for-profit criminal group of some sort.