7-minute read May 19 2026

Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation

Tenable Research Special Operations Verizon DBIR Key Findings Header Image

The 2026 Verizon Data Breach Investigations Report (DBIR) reveals a troubling trend: vulnerability exploitation has surged to become the number one initial access vector while remediation rates have worsened.

Key takeaways

  1. Vulnerability exploitation has surged to become the leading initial access vector for breaches, accounting for 31% of data breaches during the study period.
  2. Security teams’ patching efforts are falling further behind, with the median time-to-patch growing by 11 days in the past year.
  3. As AI-powered tools increase the speed and volume of vulnerability discovery and vulnerability exploitation, exposure management helps organizations keep up by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.

What is the Verizon DBIR?

Verizon’s annual Data Breach Investigations Report (DBIR) has helped organizations understand evolving cyber threats since its first release in 2008. For the 2026 edition, Tenable Research once again contributed enriched data on vulnerability exploitation and vulnerability remediation trends. This year’s findings paint a stark picture: Compared with last year, organizations are facing a significant increase in the volume of “must-patch” vulnerabilities from the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

The widening gap between vulnerability disclosure and remediation represents one of the most pressing challenges in cybersecurity today. Security teams are already overwhelmed, both by the rising number of vulnerabilities and the lack of time for patch management. This reality underscores the critical need for comprehensive exposure management, a strategic, AI-driven approach to preemptive security designed to help organizations reduce cyber risk by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.

Verizon DBIR 2026 overview and analysis

The 2026 Verizon DBIR found that vulnerability exploitation is the top initial access vector, accounting for 31% of data breaches during the study period. Even more concerning is that the median time-to-patch has increased from 32 days to 43 days, a 34% increase. This year’s findings paint a stark picture: The number of vulnerabilities continues to snowball, as organizations’ patching rates continue to fall behind.

The CVE explosion continues — and AI will accelerate it

The vulnerability landscape continues to see explosive growth: the CVE program currently reports more than 351,000 registered CVEs, with more than 21,500 already reserved in 2026. With the program on track for another record number of CVEs, this flood of vulnerabilities creates an extremely difficult situation for security teams already stretched thin. With median time-to-patch increasing and exploitation timelines shrinking, attackers are winning the race between disclosure and remediation.

The situation may be poised to worsen dramatically. The cybersecurity community is increasingly concerned about AI-powered vulnerability discovery tools like Anthropic’s Claude Mythos, which can automatically identify security flaws in codebases at unprecedented speed and scale. While such tools hold promise for defensive security teams, they also represent a potential inflection point: if AI can discover vulnerabilities faster than organizations can patch them, the already immense patch burden could become truly unmanageable.

This AI-driven acceleration comes at the worst possible time. Organizations are already struggling to remediate vulnerabilities: the Verizon DBIR finds that organizations successfully remediate only 26% of KEV vulnerabilities. Adding to this concern, the DBIR points out that there has been a nearly 50% increase in the number of CISA KEV vulnerabilities to patch in 2025, putting even more pressure on security teams.

If AI models begin flooding the CVE database with newly discovered vulnerabilities, or worse, if attackers leverage these models to find and exploit zero-days before defenders can respond, the current remediation crisis is likely to escalate into a systemic failure of the traditional patch-based defense model.

The exposure management imperative

While vulnerability exploitation dominates headlines as the number one initial access vector, it represents only a slice of the exposure problem. The DBIR notably highlights credential abuse as another significant threat vector, underscoring that vulnerabilities don’t exist in isolation. Stolen credentials can transform a moderate-severity vulnerability into a critical breach pathway, while exposed configurations can provide attackers with the access needed to exploit unpatched systems.

This interconnected nature of exposures highlights why more and more organizations are adopting comprehensive exposure management. Understanding and addressing the full attack surface, including identity risks, misconfigurations, excessive permissions, and vulnerable assets, is essential to reducing breach risk in today’s threat landscape.

The emergence of AI-powered vulnerability discovery makes exposure management absolutely essential. As AI tools accelerate vulnerability identification, organizations cannot simply try to patch more vulnerabilities faster. Instead, they must focus on understanding and remediating the vulnerabilities that matter most in the context of their specific environment. A newly discovered vulnerability on an isolated system with no credentials exposed and strong access controls poses far less risk than an older CVE on an internet-facing asset with weak authentication. The Tenable One Exposure Management Platform provides both the contextual framework needed to make these critical prioritization decisions and the agentic orchestration engine required to accelerate remediation in an era of AI-accelerated vulnerability discovery.

Notable data insights from the DBIR reporting period

As Tenable Research examined the trends in the data, our team decided to distill the CVEs into product categories and compare which categories saw the largest percentage of unremediated assets. For our analysis, we focused on KEV CVEs as these are vulnerabilities known to have been exploited and in attackers’ crosshairs.

As you can see in the figure below, vulnerabilities affecting development tools saw the highest rate of unremediated assets, followed by virtualization/hypervisor flaws and remote monitoring and management (RMM) flaws. While the remediation process can vary across these product categories, nearly all of them have an unremediated rate above 50%, which demonstrates that organizations are still struggling with vulnerability remediation.

An infographic summarizing the average percentage of unremediated assets and how organizations still struggle with vulnerability remediation today.

Similarly, we looked at the average number of days that assets remained unremediated while comparing that to the number of CVEs affecting that category during the DBIR reporting period.

A Tenable infographic summarizing the average number of days of unremediated assets compared to CVE count.

Tenable analysis of the data reinforces the stark reality highlighted in the Verizon DBIR: Organizations are taking longer to patch known and exploited vulnerabilities while facing a rapid increase in the number of vulnerabilities that require immediate attention.

DBIR findings

The 2026 DBIR findings are sobering but not surprising to those on the front lines of cybersecurity. The data confirms what many security teams experience daily: The patch burden is growing faster than organizations’ ability to respond. With vulnerability exploitation now the top initial access vector and median time-to-patch continuing to climb, the gap between attacker speed and defender response continues to widen.

Organizations must adopt an exposure-centric approach that considers not just the presence of vulnerabilities, but the full risk context of their environment:

  • Which assets are exposed?
  • Who has access?
  • Which credentials are compromised?
  • Which exposure combinations create the most dangerous attack paths?

In an era where AI is discovering vulnerabilities faster than humans can patch them, understanding which exposures truly matter represents the only sustainable path forward.

The 2026 DBIR, enriched with Tenable Research’s data, provides valuable insights into today’s threat landscape. Tenable encourages security professionals to read the full Verizon DBIR to understand current attack trends and use these findings to inform their exposure management strategies. The crisis documented in this report signals that the traditional vulnerability-centric model needs a fundamental evolution toward comprehensive, AI-driven exposure management.

Identifying affected systems

Tenable provides comprehensive detection coverage for CISA’s KEV catalog, with detection capabilities deployed rapidly following vulnerability disclosure. This coverage spans diverse asset categories, enabling comprehensive visibility into actively exploited vulnerabilities across your environments. CVEs on the KEV catalog will have a tag on the individual CVE pages, and you can browse our upcoming plugins on our Plugins Pipeline page.

Get more information

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
