Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut
Recorded: May 19, 2026, 10:58 p.m.
| Original | Summarized |
Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut

Verizon's "2026 Data Breach Investigations Report" ("DBIR") finds that exploits are now involved in 31% of initial access for breaches, while patching lags too far behind the bad guys.

Alexander Culafi, Senior News Writer, Dark Reading
May 19, 2026

Defenders are dealing with an influx of vulnerabilities like never before, and patch prioritization has never been more critical, according to Verizon Business's "2026 Data Breach Investigations Report" ("DBIR"). This year's report confirmed several ongoing trends, in vulnerability exploitation and in threat actors abusing AI, for example, but the "2026 DBIR" more broadly promotes sticking to the cybersecurity fundamentals as the industry undergoes massive change.

And indeed, defenders in the past year have been tasked with everything from handling self-replicating worms infesting software components to preparing for large language models (LLMs) that can supposedly discover critical zero-day vulnerabilities all on their own.

"Amid all this change, one message stays the same: The threat landscape will keep evolving, but the fundamentals still matter most," the report read. "Organizations that stay grounded in strong cybersecurity basics (clear visibility into assets and third parties, disciplined patch management, and well-practiced response plans along with a culture that supports and enables secure behavior) are better positioned to handle today's realities and whatever comes next."

Most striking in the "DBIR" might be the statistics that show vulnerability exploitation to be the most common initial access vector for breaches last year, up 31% from the previous year. Meanwhile, only 26% of critical vulnerabilities (defined as those in CISA's Known Exploited Vulnerability catalog) were fully remediated by organizations in 2025, compared to 38% the previous year.
Just over half (58%) were partially remediated last year, and 16% remained unaddressed.

Further, median resolution time increased by two weeks (43 days, up from 32 in 2024), and organizations had 50% more critical bugs to patch than last year, according to the dataset. This is especially notable because the "2025 DBIR" showed marked improvements in terms of remediation (a trend that continued from previous years).

While organizations perhaps got worse at patching, Verizon also observed a dramatic year-over-year increase in the number of vulnerability detections, likely driven by AI-assisted bug hunting. "There were 68.7 million records in the 2022 dataset and 527.3 million in 2025 — almost eight times the volume," the "DBIR" reads.

Why Organizations Struggle to Stay on Top of Vulnerabilities

The reasons this is happening are complicated. The volume of critical vulnerabilities is immense and only growing worse, and as the "DBIR" notes, even the best-resourced organizations can patch only 30% to 40% of them in the first week.

Organizations also have complex environments, which can contain IT, operational technology (OT), Internet of Things (IoT) gear, AI, and cloud products to varying degrees, all being used by a range of human and non-human identities, which require complex access and authorization processes. Meanwhile, these same organizations have resource and operational constraints as well as competing priorities; some vulnerabilities will inevitably sit unpatched for weeks or months as a result.

Attackers know this. Old vulnerabilities from years ago continue to be exploited, and it doesn't help that among the biggest beneficiaries of our new AI-powered future are the threat actors themselves. Threat actors use large language models (LLMs) to develop malware, find vulnerabilities, construct phishing lures, automate reconnaissance, and more.
"Threat actors are demonstrably using GenAI to help at different stages of attack, including targeting, initial access, and development of malware and other tools," the "DBIR" reads. "The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50."

Patrick Münch, chief security officer of Mondoo, tells Dark Reading that threat actors have an asymmetric advantage on the AI front because adversaries need to find only one path to succeed, and AI lowers the cost of exploitation attempts to near zero. That said, he doesn't think the asymmetry is permanent. He argues the future will be in agentic remediation to combat an AI offensive.

"The defenders who close the gap will be the ones who use AI agentically, not as a co-pilot that helps a human security analyst write a slightly better ticket, but as autonomous workflows that detect, contextualize, prioritize, and remediate without human bottlenecks in the path," he predicts.

How to Get Ahead of the Vulnerability Flood

Depending on who you ask, you'll find a variety of answers for how best to get ahead of the vulnerabilities overwhelming organizations today. Some might recommend using one of the many software-as-a-service (SaaS) tools intended to manage the problem, or integrating LLMs, or something else entirely.

Verizon's recommendation is more straightforward, and it's the tried-and-true advice of patch prioritization. Not all vulnerabilities are created equal, and some flaws will represent a more immediate risk to one's environment than others. The advice of the "DBIR" is to prioritize based on active exploitation, or recency.

Old vulnerabilities may face exploitation just like new vulnerabilities, but researchers found that "the longer it’s been since a vulnerability has been exploited, the less likely it is to be exploited again soon."
Based on most recent exploitation, Verizon found that the probability of exploitation resurgence drops after about 30 days, again at 90 days, and again after around nine months. After a year, the probability of seeing new exploitation is about the same as if the vulnerability had never been exploited at all.

The report also notes that even though different environments have different needs, active exploitation should always come first in the hierarchy of fixing, regardless of the age of the vulnerability in question. Some new vulnerabilities may never be targeted, while many persistently exploited flaws are years old.

Tim Jarrett, vice president of strategic product management at Veracode, says that one way to manage the influx of vulnerabilities is to shift detection left, before facing active exploitation in the first place. But for vulnerabilities already in the environment, Jarrett recommends prioritizing based on exploitation status (like the "DBIR" recommends) through the KEV and Exploitability Prediction Scoring System, or leaning on automated remediation tools.

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels. He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.
|
The Verizon Data Breach Investigations Report (DBIR) indicates that enterprises are confronting a significant vulnerability glut, emphasizing that the pace of patching consistently lags behind the activities of threat actors. The report underscores that exploits are currently involved in thirty-one percent of initial access for breaches, highlighting a critical systemic failure in timely remediation. Defenders are facing an influx of vulnerabilities and must prioritize patching based on active exploitation. The report advocates for maintaining foundational cybersecurity principles, including clear visibility into assets and third parties, disciplined patch management, effective response plans, and a culture that fosters secure behavior, asserting that these fundamentals remain paramount despite rapid industry evolution.

The statistics reveal the severity of the backlog and the pace of detection. Although improvements were noted in remediation trends over the years, only twenty-six percent of critical vulnerabilities defined in the CISA Known Exploited Vulnerability catalog were fully remediated by organizations in 2025, compared to thirty-eight percent the previous year. Furthermore, nearly half of these critical flaws were only partially remediated, leaving sixteen percent of vulnerabilities unaddressed. This situation is compounded by increased resolution times, with the median time to resolve a vulnerability increasing to forty-three days, compared to thirty-two days in 2024. Organizations also faced a substantial increase in the sheer volume of vulnerabilities needing attention, possessing fifty percent more critical bugs to patch than the preceding year.

This struggle is rooted in the complexity of modern organizational environments. These environments often encompass a heterogeneous mix of IT systems, operational technology (OT), Internet of Things (IoT) gear, artificial intelligence (AI), and cloud products, all managed by diverse human and non-human identities requiring intricate access controls. Competing operational priorities and resource constraints frequently lead to vulnerabilities remaining unpatched for extended periods. Concurrently, threat actors are leveraging this environment, exploiting old vulnerabilities and using the rapidly advancing capabilities of generative AI, including large language models (LLMs), to accelerate their attack lifecycle, from targeting and initial access to malware development. The DBIR documented that threat actors demonstrably use AI assistance in numerous tactics, with the median actor researching or using AI assistance in fifteen documented techniques, and some leveraging forty or fifty AI-assisted techniques.

Looking ahead, the report suggests that future success in managing this dynamic threat landscape requires a shift in defensive strategy beyond simple patching. While traditional methods remain relevant, the recommendations point toward proactive, data-driven prioritization. Effective management involves prioritizing vulnerabilities based on active exploitation or recency, as research suggests that the probability of a vulnerability's exploitation resurging decreases significantly about thirty days, ninety days, and nine months after its most recent exploitation. Experts recommend shifting detection efforts earlier into the process, pre-exploitation, and utilizing tools like the Known Exploited Vulnerability catalog and the Exploitability Prediction Scoring System to guide remediation efforts. A key long-term prediction is the emergence of agentic remediation, where AI operates as autonomous workflows that can detect, contextualize, prioritize, and remediate threats without human bottlenecks. This approach moves beyond AI as a mere co-pilot to enabling truly autonomous defenses against sophisticated, AI-powered offensive operations. |
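
The recency-based prioritization described above (exploitation status first, with likelihood of renewed exploitation dropping at about 30 days, 90 days, nine months and one year) can be expressed as a backlog sort. This is an added Python example, not code from Verizon, the DBIR or Dark Reading; the `Finding` fields, the 270-day stand-in for nine months, the score tiebreak and the `VULN-*` sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Days since most recent observed exploitation: ~30 days, 90 days,
# ~nine months (assumed 270 days), one year. Boundaries follow the article.
TIER_BOUNDS = (30, 90, 270, 365)

@dataclass
class Finding:
    vuln_id: str                    # constructed placeholder, not a real CVE
    last_exploited: Optional[date]  # hypothetical field; None = never observed
    score: float                    # hypothetical 0..1 exploit-likelihood score
    first_seen: date                # when the finding entered the backlog

def recency_tier(f: Finding, today: date) -> int:
    """0 = exploited within 30 days ... 4 = over a year ago or never."""
    if f.last_exploited is None:
        return len(TIER_BOUNDS)
    age = (today - f.last_exploited).days
    if age < 0:
        raise ValueError(f"{f.vuln_id}: last_exploited is in the future")
    for tier, bound in enumerate(TIER_BOUNDS):
        if age <= bound:
            return tier
    return len(TIER_BOUNDS)  # past a year: treated like never exploited

def prioritize(findings, today):
    """Sort by recency tier, then higher score, then oldest backlog entry."""
    return sorted(
        findings,
        key=lambda f: (recency_tier(f, today), -f.score, f.first_seen),
    )

# Constructed sample backlog.
TODAY = date(2026, 5, 19)
BACKLOG = [
    Finding("VULN-A", None, 0.92, date(2026, 5, 1)),                # new, never exploited
    Finding("VULN-B", date(2026, 5, 10), 0.40, date(2019, 3, 2)),   # years old, hit last week
    Finding("VULN-C", date(2026, 3, 1), 0.75, date(2025, 11, 20)),  # hit 79 days ago
    Finding("VULN-D", date(2024, 12, 1), 0.88, date(2024, 6, 1)),   # hit over a year ago
    Finding("VULN-E", date(2025, 9, 15), 0.10, date(2025, 9, 1)),   # hit 246 days ago
]

if __name__ == "__main__":
    for f in prioritize(BACKLOG, TODAY):
        print(recency_tier(f, TODAY), f.vuln_id, f.score)
```

The years-old but recently exploited `VULN-B` sorts ahead of the brand-new, high-scoring `VULN-A`, and `VULN-D` lands in the same tier as a never-exploited finding because its last exploitation is more than a year old.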