
Inside the 2026 Verizon DBIR: Why Vulnerabilities Are Now the Front Door

The 2026 Verizon Data Breach Investigations Report is out, and the story this year is simple: attackers stopped knocking. They walked in through the vulnerabilities you didn’t patch. As a contributor to the DBIR again this year, we see this pattern across our own dataset of hundreds of thousands of vulnerabilities. The signal is clear, and it’s not a good one.

Here’s what stood out.

Vulnerability Exploitation Is Now the #1 Way In

Exploitation of vulnerabilities is now the most common initial access vector for breaches. It accounts for 31% of cases, up from 20% last year. That’s a 55% jump in a single year.

Verizon put it plainly in the report: this trend “underlines the ongoing importance of getting the basics right.”

The basics. Not AI defence. Not zero trust architecture. Patching.

Patching Got Worse. A Lot Worse.

The CISA Known Exploited Vulnerabilities (KEV) catalog is the shortlist. These are vulnerabilities attackers are actively using right now. If anything gets fixed first, it should be these.

It didn’t.

  • Only 26% of critical KEV vulnerabilities were fully remediated in 2025, down from 38% the year before.
  • The median time to full remediation climbed to 43 days, up from 32. Nearly two weeks slower.
  • Organizations had 50% more critical vulnerabilities to patch compared to the previous year.

More to fix. Fewer getting fixed. Taking longer to fix the ones that do.

The Glass-Half-Full View Isn’t Much Better

You could argue partial remediation deserves credit. Fine. Even then, the fully unremediated KEV vulnerabilities add up to 16%, up from 12% last year.

So the picture isn’t that defenders are working hard but losing ground. It’s that more critical vulnerabilities are sitting completely untouched, in environments where attackers already know how to exploit them.

That’s the part that should land hardest.

Why This Is Happening

Volume is part of it. The CVE pipeline keeps growing. Security teams are drowning in findings, alerts, and dashboards.

But volume alone doesn’t explain a drop from 38% to 26%. That’s a prioritization failure. Teams are spending cycles on vulnerabilities that don’t matter while the ones in the KEV catalog, the ones with confirmed exploitation in the wild, wait 43 days for a fix.

If you can only patch some of what your scanner finds, the KEV list is the answer to the question of which ones.

What Needs to Change

Based on what we see across our customer base:

  1. Risk-based prioritization, not CVSS alone. A CVSS 9.8 with no real-world exploitation matters less than a CVSS 7.5 in the KEV catalog. Use both.
  2. Validated findings. Time spent chasing false positives is time stolen from real fixes. Verify before you escalate.
  3. A remediation SLA tied to KEV status. If a vulnerability is in the KEV catalog, it gets a tighter clock than everything else. 43 days is too long.
  4. Continuous, not periodic. Quarterly scans don’t survive against a threat landscape that moves daily.
  5. Asset visibility first. You can’t patch what you don’t know you own. Attack surface gaps remain a major contributor to the breach pipeline.
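To make the first three items concrete, here is an added example (not Edgescan's or Verizon's code) of a triage that ranks findings KEV-first and CVSS second, assigns a remediation clock by KEV status, and computes the two DBIR-style metrics the post cites. The SLA values, the `Finding` shape and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Hypothetical SLA clocks in days; the post only says 43 days is too long for KEV.
SLA_DAYS = {"kev": 7, "critical": 30, "other": 90}

@dataclass
class Finding:
    cve: str
    cvss: float
    in_kev: bool                    # listed in the CISA KEV catalog
    found: date
    fixed: Optional[date] = None    # None = still fully unremediated

def triage(findings):
    # KEV membership outranks CVSS: a 7.5 in KEV sorts above a 9.8 that is not.
    return sorted(findings, key=lambda f: (not f.in_kev, -f.cvss))

def sla_days(f: Finding) -> int:
    if f.in_kev:
        return SLA_DAYS["kev"]
    return SLA_DAYS["critical"] if f.cvss >= 9.0 else SLA_DAYS["other"]

def overdue(findings, as_of: date):
    """CVEs whose SLA clock ran out (fixed late or still open), in triage order."""
    return [f.cve for f in triage(findings)
            if ((f.fixed or as_of) - f.found).days > sla_days(f)]

def kev_metrics(findings):
    """DBIR-style view: share of critical (CVSS >= 9.0) KEV findings fully
    remediated, and median days from discovery to fix for those that were."""
    crit_kev = [f for f in findings if f.in_kev and f.cvss >= 9.0]
    fixed = [f for f in crit_kev if f.fixed is not None]
    rate = len(fixed) / len(crit_kev) if crit_kev else 0.0
    days = median((f.fixed - f.found).days for f in fixed) if fixed else None
    return rate, days

# Constructed sample findings; CVE ids are placeholders, not real vulnerabilities.
AS_OF = date(2025, 3, 1)
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, False, date(2025, 1, 1), date(2025, 1, 20)),
    Finding("CVE-0000-0002", 7.5, True, date(2025, 1, 1)),
    Finding("CVE-0000-0003", 9.1, True, date(2025, 1, 1), date(2025, 2, 13)),
    Finding("CVE-0000-0004", 9.4, True, date(2025, 1, 5)),
    Finding("CVE-0000-0005", 5.3, False, date(2025, 1, 10)),
]
```

On the sample, `kev_metrics(SAMPLE)` gives a 50% full-remediation rate with a 43-day median, and `overdue(SAMPLE, AS_OF)` lists the three KEV findings that blew their clock ahead of the unexploited CVSS 9.8.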

Where That Leaves Us

The DBIR has been telling us the same thing for years: the basics work, and most organizations still aren’t doing them. This year the data is harsher than usual. Exploitation jumped to first place as an initial access vector. Patching of the most dangerous vulnerabilities got worse on every measurable dimension.

The attackers haven’t changed their playbook. They didn’t need to.

Want the full picture? Read our 2026 Vulnerability Statistics Report: https://www.edgescan.com/stats-report/

The trend is clear. The fix is known. The only question left is whether your remediation pipeline is faster than the median.
