Verizon DBIR flags vulnerability exploitation
- Verizon said on May 19 its 2026 Data Breach Investigations Report found vulnerability exploitation became the leading breach entry point for the first time.
- The report said 31% of breaches began with exploited vulnerabilities, while Verizon said AI is shrinking defenders’ response window from months to hours.
- The full 2026 DBIR is on Verizon’s site, and Verizon held a May 19 webinar with the report’s authors.
Verizon said on May 19 that vulnerability exploitation overtook stolen credentials as the top initial access vector in its 2026 Data Breach Investigations Report, the first time that has happened in the report’s 19-year history. The company said 31% of breaches now begin with exploited software flaws, based on incidents that occurred between Nov. 1, 2024, and Oct. 31, 2025. Verizon also said artificial intelligence is accelerating the time between vulnerability disclosure and exploitation, compressing the response window for defenders from months to hours. The report was published Tuesday alongside a Verizon webinar featuring the DBIR authors.

### Why does “vulnerability exploitation” matter more than stolen credentials this year?

The 31% figure is the headline because it moves software flaws ahead of credential abuse, which SecurityWeek reported accounted for 13% of breaches in the Verizon dataset. That changes the center of gravity for defenders from identity theft alone to the speed of patching and containment around exposed systems. (verizon.com)

Verizon said the shift reflects how attackers are using AI to accelerate exploitation of known vulnerabilities. In the company’s summary, Verizon said the window for defense has narrowed from months to mere hours as threat actors move faster once flaws are known.

### What is the report actually saying about AI?

Verizon said the 2026 report uses 2025 data, which predates the latest frontier-model advances, but argued the trend line is already visible. (securityweek.com)

The company’s summary does not claim AI created the vulnerability problem; it says AI is changing the speed and scale at which that problem is being operationalized. (verizon.com)

Tenable, which said it contributed vulnerability exploitation and remediation data to the 2026 DBIR, framed the same point as a widening mismatch between faster exploitation and slower remediation.
Scott Caveza, a senior staff research engineer at Tenable, wrote that AI-powered tools are increasing the speed and volume of vulnerability discovery and exploitation, while patching programs are falling further behind. (verizon.com)

### Why are raw CVE counts a weak way to prioritize risk?

Tenable said the volume of registered CVEs continues to rise, with more than 351,000 registered and more than 21,500 already reserved in 2026. That scale makes simple counting a poor guide for operational decisions because most organizations cannot remediate everything at once. The more useful question is which flaws are actually exploitable in the environment, which ones sit near privileged systems, and which ones can realistically be patched before attackers move. (tenable.com)

Verizon’s summary points to exploited vulnerabilities as the breach driver; Tenable’s analysis adds the operational context that median time-to-patch rose to 43 days from 32 days a year earlier.

### What does that mean for exposure management?

Tenable said organizations patched only 26% of defects in CISA’s Known Exploited Vulnerabilities catalog last year, down from 38% in 2024, while the median number of critical flaws requiring action rose 50% from the prior dataset. That is why vendors and researchers are increasingly arguing for exposure management models that rank issues by exploitability, business criticality and attack-path context rather than severity labels alone. (verizon.com)

In practice, that approach pushes teams to ask whether a flaw is reachable, whether it sits on a path to administrative control, and whether compensating controls can buy time if patching is slow. Those are inferences from the report’s findings on exploitation and remediation pressure, rather than a direct Verizon quote. (tenable.com)

### What else in the DBIR reinforces the same pattern?

Verizon said third-party involvement in breaches rose 60%, with third parties now appearing in 48% of breaches.
The company also said mobile-focused social engineering attacks had a success rate 40% higher than traditional email phishing, and employee use of unapproved “shadow AI” tools jumped from 15% to 45% in one year. (verizon.com)

Those findings broaden the report beyond patching, but they point in the same direction: more attack paths, less time to respond, and more pressure to prioritize the exposures that can lead directly to business-critical systems.

Verizon’s full 2026 DBIR remains available on its website, which says the report draws on incidents from Nov. 1, 2024, through Oct. 31, 2025. (verizon.com 1) (verizon.com 2)
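The two sections above on raw CVE counts and on exposure management describe a ranking model in prose: exploitability (is the flaw in CISA's KEV catalog?), reachability, attack-path distance to administrative control, business criticality of the asset, and whether a compensating control buys time. The script below is an added example, written for this page and not code from Verizon, Tenable or the DBIR; it turns that model into a scoring function and contrasts its output with a CVSS-only sort over a handful of constructed findings. The point weights, the `Exposure` fields and the `CVE-XXXX-nnnn` identifiers are all assumptions chosen for illustration, not published values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    """One scanner finding joined with asset context (all values constructed for this example)."""
    vuln_id: str                  # placeholder identifier, not a real CVE number
    cvss: float                   # vendor severity score, 0.0 to 10.0
    in_kev: bool                  # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_reachable: bool      # the vulnerable service is exposed to untrusted networks
    hops_to_admin: Optional[int]  # attack-graph distance to a privileged asset; None = no known path
    asset_criticality: int        # business criticality of the host, 1 (low) to 5 (crown jewel)
    compensating_control: bool    # an existing control (ACL, WAF rule, ...) already blocks the exploit path


# Assumed weights: illustrative only, not values published by Verizon or Tenable.
def exploitability_points(e: Exposure) -> float:
    """Known exploitation in the wild outweighs any CVSS value; otherwise scale CVSS down."""
    return 40.0 if e.in_kev else 2.0 * e.cvss  # KEV = 40 points, non-KEV caps at 20


def reachability_points(e: Exposure) -> float:
    """Can an attacker even reach the flaw? Internet exposure outranks internal-only."""
    return 25.0 if e.internet_reachable else 10.0


def attack_path_points(e: Exposure) -> float:
    """Closer to administrative control earns more points; no known path earns none."""
    if e.hops_to_admin is None:
        return 0.0
    return max(0.0, 20.0 - 5.0 * e.hops_to_admin)


def criticality_points(e: Exposure) -> float:
    """Business criticality of the affected asset, 3 to 15 points."""
    return 3.0 * e.asset_criticality


def priority_score(e: Exposure) -> float:
    """Context-aware score; a compensating control discounts a finding but never removes it."""
    score = (exploitability_points(e) + reachability_points(e)
             + attack_path_points(e) + criticality_points(e))
    if e.compensating_control:
        score *= 0.6
    return round(score, 1)


def rank_by_context(exposures: List[Exposure]) -> List[str]:
    """Remediation order under the exposure-management model, highest score first."""
    return [e.vuln_id for e in sorted(exposures, key=priority_score, reverse=True)]


def rank_by_severity(exposures: List[Exposure]) -> List[str]:
    """Remediation order from CVSS alone, the approach the article argues is insufficient."""
    return [e.vuln_id for e in sorted(exposures, key=lambda x: x.cvss, reverse=True)]


# Constructed sample findings: placeholder ids and invented context.
SAMPLE = [
    Exposure("CVE-XXXX-0001", 9.8, False, False, None, 1, False),  # critical CVSS on an isolated lab host
    Exposure("CVE-XXXX-0002", 7.5, True, True, 2, 4, False),       # KEV, internet-facing, two hops from admin
    Exposure("CVE-XXXX-0003", 8.8, True, True, 1, 5, True),        # KEV on a crown jewel, but already mitigated
    Exposure("CVE-XXXX-0004", 6.5, False, False, 0, 5, False),     # medium CVSS, but the host is the admin system
]

if __name__ == "__main__":
    print("severity-only order:", rank_by_severity(SAMPLE))
    print("context-aware order:", rank_by_context(SAMPLE))
    for e in sorted(SAMPLE, key=priority_score, reverse=True):
        print(f"  {e.vuln_id}  cvss={e.cvss:<4}  score={priority_score(e)}")
```

Sorting by CVSS puts the 9.8 on the isolated lab host first and the 6.5 on the administrative host last; the context-aware sort inverts that, pulling the internet-facing KEV entry to the top and pushing the already-mitigated finding below the unmitigated one on the admin host. The compensating-control discount is deliberately a multiplier rather than a removal, matching the article's framing that such controls buy time rather than close the finding.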