Every year, Verizon publishes the Data Breach Investigations Report — 19 years of breach data, tens of thousands of incidents, and the closest thing the industry has to a ground truth. The 2026 edition dropped this week with a finding that should stop security teams cold: organizations are getting worse at patching, precisely when it matters most.

TL;DR

  • For the first time in the DBIR’s 19-year history, vulnerability exploitation is the #1 breach entry point — confirmed in 31% of breaches
  • Median time to fully patch a known-exploited vulnerability: 43 days (up from 32 days the previous year)
  • Only 26% of CISA’s Known Exploited Vulnerabilities were fully remediated in 2025 — down from 38% the year before
  • Third-party involvement in breaches surged 60% year-over-year, now present in nearly half of all breaches
  • Shadow AI usage among employees jumped from 15% to 45% in a single year — a new, largely unmonitored data exposure surface

What the DBIR Is — and Why It Matters

The Verizon Data Breach Investigations Report (DBIR) is not a vendor survey or a marketing report. It aggregates real incident data at scale: the 2026 edition analyzed over 31,000 security incidents and more than 22,000 confirmed breaches across 145 countries, drawing on contributions from law enforcement agencies, incident response firms, ISACs, and CERTs worldwide. The data covers incidents occurring between November 2024 and October 2025.

Because it draws from a broad, multi-source dataset over nearly two decades, the DBIR is one of the few reports where year-over-year trend lines are actually meaningful. When something changes in the DBIR, it reflects a genuine structural shift — not a sample artifact.

The 2026 edition reflects a structural shift.


The Historic Change: Exploitation Takes the Top Spot

For the first time in the report’s 19-year history, vulnerability exploitation has surpassed credential theft as the most common way attackers get into organizations.

According to the report, vulnerability exploitation now appears as the initial access vector in 31% of breaches — up from roughly 20% in recent years. Credential-based attacks have declined as the leading initial access vector, though stolen credentials remain heavily involved across breach chains — often appearing later in the kill chain once initial access is established.

This isn’t a surprise to anyone who has been watching threat intelligence closely. We covered the early signals of this shift in April based on IBM X-Force and Mandiant data. The DBIR is significant because it is the broadest dataset in the industry — this is no longer a trend from a handful of IR engagements. It’s the confirmed picture across tens of thousands of real incidents.

The implication: if an attacker wants into your organization, the most common path in 2025 was not a phishing email. It was a publicly accessible, unpatched service.


The Paradox: We Know the Answer. We’re Getting Worse at It.

Here is where the 2026 DBIR stands apart from other annual reports. The fix for vulnerability exploitation is not complicated — patch faster, prioritize actively exploited vulnerabilities, reduce your internet-facing attack surface. Security teams know this.

The data shows organizations are doing it more slowly than the year before.

Metric                                     Prior Year   2025
Median time to fully patch                 32 days      43 days
CISA KEV vulnerabilities fully remediated  38%          26%
Vulnerability volume (median org)          Baseline     +50%

Every number moved in the wrong direction. Organizations are taking longer to patch, patching fewer known-exploited vulnerabilities, and doing so against a 50% higher volume of critical flaws than the year before.

Verizon describes this as the “Remediation Paradox” — the growing gap between how fast attackers operate and how slowly defenders patch. The report notes that AI is accelerating exploitation timelines “from months to mere hours.” Patch cycles measured in weeks are not an adequate response to exploitation measured in hours.

This is not a technology problem. The tools to prioritize and track patching exist. CISA publishes the KEV catalog specifically to help teams know where to focus. The 2026 DBIR is measuring whether organizations are actually using it — and in the observed 2025 data, only 26% of KEV-related critical vulnerabilities were fully remediated.


Third Parties: The 60% Problem Nobody Is Talking About

One of the less-discussed findings in the 2026 DBIR is the growth of third-party involvement in breaches.

Third-party involvement — meaning a vendor, supplier, partner, or service provider played a role in enabling the breach — increased by 60% year-over-year. Third parties are now present in nearly 48% of breaches the DBIR analyzed.

This is a compounding problem. An organization can invest heavily in its own vulnerability management program and still be breached through a vendor that hasn’t patched a critical flaw. The attack surface is no longer just your own infrastructure — it extends to every third party with access to your systems, data, or network.

The DBIR data on MFA remediation at third-party organizations illustrates the gap: only 23% of third-party organizations fully remediated MFA issues, despite these being well-documented, high-priority controls.


Ransomware: More Frequent, Smaller Payments

The 2026 DBIR’s ransomware findings show a nuanced picture.

Ransomware was involved in 48% of confirmed breaches — up from 44% the previous year. The threat is growing in absolute frequency.

At the same time, 69% of ransomware victims did not pay the ransom. The report also found that the median ransom payment dropped below $140,000, a significant decline from previous years.

One specific finding worth noting for defenders: the DBIR observed a median of 95 days between credential leak events — such as infostealer infections — and the subsequent ransomware attack. This is not necessarily a direct measurement of dwell time from initial access to deployment, but it reflects how much of a window defenders have between a credential exposure event and its eventual weaponization. That gap is a detection opportunity. Organizations monitoring for compromised credentials in threat intelligence feeds or infostealer outputs have a realistic chance to act before the ransomware stage.
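As an added example that is not part of this post or of the DBIR, the following Python check turns that 95-day window into a concrete detection: it matches successful logins against a credential-leak feed and flags any use of a leaked credential from outside corporate address space within the window. The feed records, log lines, usernames and address ranges are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the DBIR): credential-exposure events
# as a monitoring team might ingest them from an infostealer/leak feed.
LEAK_FEED = [
    {"user": "j.doe", "seen": "2025-03-01", "source": "infostealer-log"},
    {"user": "svc-backup", "seen": "2025-04-10", "source": "paste-site"},
]

# Constructed authentication log lines: timestamp, user, result, source IP.
AUTH_LOG = """\
2025-03-02T08:10:00 user=j.doe result=success src=10.0.0.5
2025-05-20T02:13:00 user=j.doe result=success src=203.0.113.9
2025-05-20T02:14:00 user=svc-backup result=success src=203.0.113.9
2025-05-21T09:00:00 user=a.smith result=success src=10.0.0.7
2025-08-01T11:00:00 user=j.doe result=failure src=198.51.100.4
"""

INTERNAL_PREFIXES = ("10.",)  # assumption: the corporate address space
WINDOW_DAYS = 95  # the DBIR's observed median leak-to-ransomware gap, used as lookback

def parse_auth_line(line):
    """Parse one 'ts key=value ...' log line into a dict with a datetime."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def find_leaked_credential_logins(feed, log, window_days=WINDOW_DAYS):
    """Return (user, days_since_leak, src) for each successful login by a
    user whose credential appeared in the leak feed within window_days
    before the login, when the login came from a non-corporate address."""
    leaks = {}
    for e in feed:
        leaks.setdefault(e["user"], []).append(datetime.fromisoformat(e["seen"]))
    alerts = []
    for line in log.splitlines():
        ev = parse_auth_line(line)
        if ev["result"] != "success" or ev["user"] not in leaks:
            continue
        if ev["src"].startswith(INTERNAL_PREFIXES):
            continue  # internal use is expected; only external reuse is flagged
        for seen in leaks[ev["user"]]:
            delta = ev["ts"] - seen
            if timedelta(0) <= delta <= timedelta(days=window_days):
                alerts.append((ev["user"], delta.days, ev["src"]))
                break
    return alerts
```

Calling find_leaked_credential_logins(LEAK_FEED, AUTH_LOG) flags the two external logins that reused leaked credentials 80 and 40 days after exposure, and ignores the internal login, the unleaked user and the failed attempt.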


Shadow AI: The Silent New Risk Surface

The 2026 DBIR introduced a finding that doesn’t fit neatly into the traditional breach narrative but reflects a real and growing exposure: shadow AI.

The report found that employee use of unapproved AI tools surged from 15% to 45% of employees in a single year — a threefold increase. The DBIR categorized shadow AI as the third most common non-malicious data leakage activity.

Shadow AI refers to employees using AI tools — whether chatbots, coding assistants, or document processors — that haven’t been approved, vetted, or secured by the organization. Data entered into an external AI service may leave the organization’s governed environment, depending on the provider’s data retention, training, and access control policies. Most employees doing this have no intent to harm — they’re trying to work faster.

The security implication is data governance, not just access control. Organizations that don’t have clear AI usage policies are already experiencing data exposure they may not be measuring.


What You Can Do Now

The DBIR’s findings point to specific, actionable priorities. None of these are new — but the data confirms which ones matter most right now:

1. Treat CISA KEV as your minimum baseline
   The CISA Known Exploited Vulnerabilities catalog lists CVEs being actively exploited in the wild. The DBIR data shows only 26% of these are getting fully remediated. That means if you fully remediate KEV vulnerabilities on internet-facing assets within 24-48 hours, you’re already ahead of nearly three-quarters of organizations. Subscribe to KEV updates and make KEV remediation a tracked, time-bound process.

2. Measure your patch velocity — don’t assume it
   The DBIR found the median remediation time went up, not down. How long does it actually take your organization to go from CVE publication to confirmed patch on production systems? Pick five recent critical CVEs and trace the timeline. The answer often surprises teams that assumed their process was working.

3. Extend vulnerability management to your vendors
   If nearly half of breaches involve third parties, your vulnerability management program needs to include them. At minimum: contractual patching SLAs for critical systems, evidence requests when major CVEs affect vendor software, and MFA enforcement as a baseline requirement. The DBIR’s finding that only 23% of third-party organizations fully remediated MFA issues suggests this is where significant gaps exist.

4. Build detection for early-stage ransomware indicators
   With a 95-day median window observed between credential leak events and subsequent ransomware attacks, detection has a realistic window. Focus on: anomalous authentication from valid credentials, unexpected access to sensitive file shares, unusual service account behavior, and C2 patterns. A credential compromise caught in that 95-day window is a ransomware incident that never happened.

5. Create an AI usage policy before the data exposure is already done
   A threefold increase in shadow AI in a single year means this is already happening in your organization. A policy that acknowledges legitimate use cases while defining approved tools, prohibited data types, and clear guidance gives employees a path that doesn’t create risk. Prohibition alone will not work.
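As an added example (not from the DBIR or this post), here is a small Python routine that computes the three remediation numbers items 1 and 2 tell teams to track from a vulnerability-tracker export: median days from KEV listing to confirmed patch, the share of KEV CVEs fully remediated in the DBIR’s sense (every affected asset patched), and the share of internet-facing KEV findings closed within a 48-hour SLA. The export format, the CVE-0000-* identifiers, asset names and dates are constructed placeholders, and timestamps are assumed to be date-level.

```python
from datetime import datetime
from statistics import median

# Constructed vulnerability-tracker export (not real data): one row per
# CVE/asset pair. "kev_added" is the date the CVE entered CISA's KEV
# catalog; "patched" is the confirmed remediation date or None.
FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "vpn-gw-1", "internet_facing": True,
     "kev": True, "kev_added": "2025-06-01", "patched": "2025-06-02"},
    {"cve": "CVE-0000-0001", "asset": "vpn-gw-2", "internet_facing": True,
     "kev": True, "kev_added": "2025-06-01", "patched": "2025-07-20"},
    {"cve": "CVE-0000-0002", "asset": "mail-1", "internet_facing": True,
     "kev": True, "kev_added": "2025-06-10", "patched": None},
    {"cve": "CVE-0000-0003", "asset": "build-srv", "internet_facing": False,
     "kev": True, "kev_added": "2025-05-15", "patched": "2025-06-30"},
    {"cve": "CVE-0000-0004", "asset": "wiki", "internet_facing": False,
     "kev": False, "kev_added": None, "patched": None},
]

def _days(start, end):
    """Whole days between two ISO dates (date-level granularity assumed)."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).days

def kev_remediation_metrics(findings, sla_hours=48):
    """Return the numbers the DBIR benchmarks: median days from KEV listing
    to patch, share of KEV CVEs fully remediated, and share of
    internet-facing KEV findings patched within the SLA."""
    kev = [f for f in findings if f["kev"]]
    patched = [f for f in kev if f["patched"]]
    ttp = [_days(f["kev_added"], f["patched"]) for f in patched]
    # "Fully remediated" follows the DBIR's sense: every affected asset patched.
    by_cve = {}
    for f in kev:
        by_cve.setdefault(f["cve"], []).append(bool(f["patched"]))
    fully = sum(all(v) for v in by_cve.values())
    exposed = [f for f in kev if f["internet_facing"]]
    in_sla = [f for f in exposed if f["patched"]
              and _days(f["kev_added"], f["patched"]) * 24 <= sla_hours]
    return {
        "median_days_to_patch": median(ttp) if ttp else None,
        "kev_fully_remediated_pct": round(100 * fully / len(by_cve), 1) if by_cve else 0.0,
        "internet_facing_kev_in_sla_pct": round(100 * len(in_sla) / len(exposed), 1) if exposed else 0.0,
    }

if __name__ == "__main__":
    print(kev_remediation_metrics(FINDINGS))
```

On the constructed data the median time to patch is 46 days, 66.7% of KEV CVEs are fully remediated and only one of three internet-facing KEV findings met the 48-hour SLA, which is the kind of gap the post says teams should measure rather than assume.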


The Bigger Picture

The 2026 DBIR is not pessimistic — it is precise. It shows where the failures are happening: not in detection technology, not in security awareness, but in the basic discipline of remediation velocity and third-party accountability.

Organizations that track their KEV remediation rate, measure patch velocity on internet-facing assets, and require meaningful security commitments from their vendors are addressing the actual mechanisms behind the most common breach patterns in 2025.

The gap between organizations doing this and those that aren’t is the gap the DBIR is measuring.
