The Verizon 2026 DBIR Confirms the Shift from Vulnerability Management to Exposure Management

Ryan Cribelar
June 2, 2026
Industry Perspectives

Every year, the Verizon Data Breach Investigations Report (DBIR) gives the security industry a chance to step back from the noise and look at what happened.  

Not what vendors predicted.  

Not what attackers threatened.  

Not what defenders feared.  

What happened. 

This year’s report makes one point hard to ignore: vulnerability exploitation became attackers’ leading initial access vector. 

According to the Verizon 2026 Data Breach Investigations Report, exploitation of vulnerabilities is now the most common initial access vector for breaches, rising to 31% in this year’s dataset, up from 20% the prior year (a 55% increase). Credential abuse, the previous leader, dropped to 13%. (pp. 10, 15) 

That is not a small statistical movement. It is a signal that the operating model for vulnerability management must change. 

Vulnerability management remains a core security discipline, but the data shows that traditional vulnerability management, without shifting to a more comprehensive exposure view, is no longer enough for the environment defenders operate in today.  

The shift is not about renaming a program. It is about changing the decision model. Vulnerability management has historically been built around detection and severity. Exposure management is built around context, exploitability, ownership, reachability, business impact, and action. That is the difference between knowing what is broken and knowing what to fix first. 

We’ve said it often, and the data backs up the claim. Teams are drowning in too many findings, too many assets, too many disconnected tools, and too little context about which exposures are most likely to become part of an attack path. 

The lesson from the 2026 DBIR is that the old operating model has hit a ceiling. Most organizations can find more risk than they can fix. The winners will be the teams that can decide, defend, and execute on what gets fixed first. 

The Patching Capacity Problem Is Now Measurable 

Security teams have always known they cannot patch everything at once. The 2026 DBIR puts hard numbers behind that reality. 

According to the report, only 26% of CISA Known Exploited Vulnerabilities were fully remediated by organizations in 2025, down from 38% the previous year. The median time to full resolution increased to 43 days, up from 32 days. In the median case, organizations had 50% more critical vulnerabilities to patch than the prior year. (pp. 10, 17) 

Figure: Known initial access vectors in non-Error, non-Misuse breaches over time (source: Verizon 2026 Data Breach Investigations Report, p. 10)

The report’s survival analysis makes the point even more clearly. Verizon analyzed more than 1 billion anonymized vulnerability detection records and found that, in 2025, 35% of KEV vulnerability instances were still open at Day 28. That translated into 184 million open vulnerability instances in the dataset.  

Verizon also observed that by Day 7, 60% to 70% of KEV vulnerabilities remained open regardless of year, volume, or organizational maturity. Even organizations performing at their best only fixed 30% to 40% of KEV instances in the first week after detection. (p. 18) 

The answer cannot just be ‘patch faster.’ Most teams should patch faster where they can, but the DBIR shows a harder truth: even strong programs leave a large percentage of known exploited vulnerabilities open during the first week. That means prioritization is not a reporting exercise. It is a control. When capacity is constrained, the quality of the prioritization model determines how much real risk is reduced. 

Severity Scores Don’t Tell You What Attackers Will Do Next 

For too long, the industry has treated vulnerability severity as a proxy for risk. CVSS scores are useful, but they were never meant to answer every operational prioritization question. The 2026 DBIR reinforces this distinction. 

A critical CVSS score tells you something about the theoretical impact. It doesn’t tell you whether attackers are using the vulnerability, whether exploit code is reliable, whether the asset is exposed, whether compensating controls exist, or whether the system matters to the business. 

Verizon reports that there were 1,526 CVEs listed in the CISA KEV catalog as of February 2026, and 991 of those had some exploitation activity over the prior 12 months. Nearly half of the vulnerabilities with detectable exploitation activity were categorized as having “Persistent” exploitation. Verizon also found that only 20% of the vulnerabilities in that persistent category were registered in the CVE database in 2024 and 2025. For the other 80%, organizations would have had about two years’ advance notice to patch. (p. 19) 

This tells us two things. 

First, old vulnerabilities still create real risk. Attackers don’t care if a CVE is old if it still works. 

Second, considering vulnerability age alone is a poor prioritization strategy. New doesn’t automatically mean it’s the most dangerous. Old doesn’t automatically equal irrelevant. What matters is whether the vulnerability is exploitable, whether exploitation is active or likely to return, whether the affected asset is reachable, and whether compromise would matter to the business. 

Verizon’s analysis of re-exploitation supports this more nuanced view. The report found that the probability of seeing resurgent exploitation drops by roughly half at 30 days, again at 90 days, and again around nine months. Verizon’s conclusion is practical: if an organization must choose between patching a KEV vulnerability that hasn’t been exploited recently and another vulnerability that threat intelligence indicates has recent exploitation history, focusing on the one with recent activity may be the smarter bet. (p. 20) 

That is exposure thinking. It combines vulnerability data with exploit activity, threat intelligence, environmental context, and business impact. 

Exposure Now Extends Beyond the Assets You Own 

The 2026 DBIR also makes clear that organizations cannot define exposure only by what sits inside their own environment. 

According to the report, breaches involving third parties reached 48% of total breaches, a 60% increase from last year’s dataset. Verizon specifically notes that, as organizations increase their reliance on third parties for services and software, their exposure increases as well. (pp. 11, 20) 

That is one of the most important findings in the report. 

Figure: Select key enumerations in breaches (source: Verizon 2026 Data Breach Investigations Report, p. 20)

Modern organizations are built on interconnected systems, including SaaS platforms, cloud services, identity providers, managed service providers, software vendors, APIs, and business partners. A breach path may begin in a vendor’s environment, move through a third-party integration, abuse an OAuth token, or exploit a vulnerability in a product the organization depends on. 

Verizon breaks third-party involvement into several archetypes, including software supply chain exposure, vendors hosting an organization’s data, and vendors connected into an organization’s environment. The report also notes that many cloud-based third-party incidents highlighted in 2025 came down to insecure authentication, improper credential rotation, or lack of least privilege enforcement for users or service accounts. (pp. 20–21) 

The same point appears in Verizon’s third-party cloud exposure data. Only 23% of third-party organizations fully remediated missing or improperly secured MFA on cloud accounts. For weak passwords and permission misconfigurations, the time to resolve 50% of all findings was nearly eight months. Verizon also found that 37% of organizations had an admin account with MFA disabled on an IaaS offering. (pp. 11, 22) 

These are not all CVEs. Some are identity issues. Some are permission issues. Some are configuration issues. But all of them can be considered exposures. 

Attack Paths Are Bigger than Vulnerabilities 

One of the most valuable sections of the 2026 DBIR is its analysis of privilege escalation. It confirms something many practitioners already know from experience: vulnerabilities are only one part of the attack path. 

Verizon examined privilege escalation and credential access techniques and grouped mitigations into four categories: passwords, configurations, permissions, and patches. The report found that about 65% of techniques could be addressed by privilege management, 33% by configurations, 30% by password policies, and only about 10% by applying patches. (p. 68) 

That does not make patching less important. It makes the scope of the problem clearer. 

An attacker does not need a new exploit at every stage of an intrusion. They can use weak passwords, excessive permissions, exposed credentials, misconfigured systems, remote access pathways, and trusted administrative tools. In fact, Verizon found that most incidents in its privilege escalation analysis didn’t include exploiting a vulnerability for privilege escalation. (p. 70) 

The report also discusses attack graphs and the way transitory privilege relationships allow attackers to move from low-level users to domain admins. Based on attack graphs collected from organizations, Verizon found that 16% of organizations had about 80% exposure, meaning that given initial access to the environment, an attacker with low-level privileges had an 80% or better chance of compromising a key administrative account or infrastructure element. (p. 71) 

That is the operational gap exposure management is meant to close. 

The Ransomware Lesson Is About the Path, Not the Payload 

The 2026 DBIR reports that System Intrusion has been the top breach pattern since 2022 and now accounts for 60% of breaches. Within that pattern, ransomware appears in 77% of breaches, and use of stolen credentials and exploit vulnerability each appear at 39%. (p. 40) 

This is where the conversation needs to become more operational. 

Ransomware is often discussed as if it were the beginning of the problem. It is usually the outcome. Before ransomware is deployed, attackers need a path in, a way to persist, a way to elevate privileges, a way to move, and a way to reach valuable systems or data. 

The 2026 DBIR shows those paths are increasingly built from the same ingredients: exploitable vulnerabilities, stolen credentials, exposed remote access, third-party weaknesses, excessive privileges, and misconfigurations. Verizon’s analysis of Initial Access Broker offerings found that 44% of known connection types were VPN and 35% were some type of remote desktop application. The report also notes the presence of ProxyShell and ProxyLogon access two to three years after disclosure, reinforcing the value attackers place on long-tail failures in patching and mitigation. (p. 45) 

What Must Change 

The move to exposure management is not a rejection of vulnerability management. It is the next stage of maturity and an adaptation to the evolution of attacker mentality. 

Traditional vulnerability management asks: What vulnerabilities do we have, and how severe are they? 

Exposure management asks a broader set of questions: 

  • Which vulnerabilities are being exploited in the wild?
  • Which affected assets are internet-facing?
  • Which systems support critical business processes?
  • Which exposures are connected to privileged identities or sensitive data?
  • Which third-party relationships create reachable paths into our environment?
  • Which misconfigurations or permission chains make compromise easier?
  • Which fixes would reduce the most real-world risk fastest? 
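One way to turn those questions into a ranking, shown here as an added illustration that is neither the report’s method nor Nucleus product code: each finding carries the context the DBIR says matters (KEV listing, recency of observed exploitation, internet exposure, links to privileged identities or sensitive data, third-party reachability, business criticality), and CVSS only breaks ties. The weights, the recency thresholds (loosely modelled on the report’s observation that re-exploitation probability roughly halves at 30 days, 90 days and about nine months), the reference date and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float                       # 0.0 for non-CVE exposures such as an MFA gap
    in_kev: bool                      # listed in the CISA KEV catalog
    last_exploited: Optional[date]    # most recent exploitation seen in threat intel, or None
    internet_facing: bool
    privileged_or_sensitive: bool     # tied to a privileged identity or sensitive data
    third_party_reachable: bool       # reachable through a vendor or partner connection
    business_critical: bool           # supports a critical business process

def exploitation_weight(last_exploited: Optional[date], today: date) -> float:
    # Assumed thresholds, loosely modelled on the DBIR re-exploitation decay:
    # weight roughly halves at 30 days, 90 days and about nine months.
    if last_exploited is None:
        return 0.0
    age = (today - last_exploited).days
    for limit, weight in ((30, 1.0), (90, 0.5), (270, 0.25)):
        if age < limit:
            return weight
    return 0.125

def exposure_score(f: Finding, today: date) -> float:
    # Illustrative weights (an assumption): exploit activity and reachability
    # dominate; CVSS contributes at most one point so it only breaks ties.
    score = 3.0 if f.in_kev else 0.0
    score += 3.0 * exploitation_weight(f.last_exploited, today)
    score += 2.0 if f.internet_facing else 0.0
    score += 2.0 if f.privileged_or_sensitive else 0.0
    score += 1.0 if f.third_party_reachable else 0.0
    score += 1.5 if f.business_critical else 0.0
    score += f.cvss / 10.0
    return round(score, 3)

def prioritize(findings, today: date):
    # Highest exposure score first: the fix order the program should act on.
    return sorted(findings, key=lambda f: exposure_score(f, today), reverse=True)

# Constructed sample findings and reference date (not taken from the report).
TODAY = date(2026, 2, 1)
SAMPLE = [
    Finding("CVE-A", "internal-db", 9.8, False, None, False, False, False, False),
    Finding("CVE-B", "vpn-gateway", 7.2, True, date(2026, 1, 22), True, True, False, False),
    Finding("CVE-C", "vendor-link", 8.1, True, date(2024, 12, 28), False, False, True, False),
    Finding("MFA-OFF", "cloud-admin", 0.0, False, None, True, True, False, True),
]
```

Ranking `SAMPLE` puts the actively exploited KEV on the internet-facing gateway first and the CVSS 9.8 internal finding with no exploitation activity last; the MFA gap on a cloud admin account, which has no CVSS at all, outranks the long-dormant KEV.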

Those questions reflect how attackers operate. They also reflect the reality of modern security teams: finite resources, distributed ownership, complex environments, and constant pressure to prove that remediation work is reducing risk. 

The 2026 DBIR doesn’t say organizations should stop patching. It says, directly and indirectly, that patching everything at the speed attackers move is not a realistic strategy. The organizations that perform best will be the ones that know which exposures matter most, can explain why they matter, and can mobilize the right owners to fix them. 

That requires visibility. It requires context. It requires risk-based prioritization that security, IT, cloud, application, and business teams can act on. 

A modern program still needs asset visibility, scanning, patching, and accountability. But it also needs exploit intelligence, third-party context, identity and privilege awareness, cloud configuration hygiene, and remediation workflows that can move across security, IT, application, and business teams. 

Attackers are exploiting the gaps between tools, teams, assets, identities, and vendors. Defenders need to close those gaps before they become breach paths. That is the real shift from vulnerability management to exposure management.

Ryan Cribelar
Ryan is an R&D Engineer at Nucleus Security. He spends his time researching and developing projects to enhance the Nucleus product stack.
