- What: Verizon DBIR highlights a growing vulnerability problem for enterprises.
- Impact: Organizations face challenges in patching and threat response.
Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut

Verizon's "2026 Data Breach Investigations Report" ("DBIR") finds that exploits are now involved in 31% of initial access for breaches, while patching lags too far behind the bad guys.

Alexander Culafi, Senior News Writer, Dark Reading
May 19, 2026

Defenders are dealing with an influx of vulnerabilities like never before, and patch prioritization has never been more critical, according to Verizon Business's "2026 Data Breach Investigations Report" ("DBIR").

This year's report confirmed several ongoing trends, around vulnerability exploitation and threat actors abusing AI, for example, but the "2026 DBIR" more broadly promotes sticking to the cybersecurity fundamentals as the industry undergoes massive change. And indeed, defenders in the past year have been tasked with handling everything from self-replicating worms infesting software components to preparing for large language models (LLMs) that can supposedly discover critical zero-day vulnerabilities all on their own.

"Amid all this change, one message stays the same: The threat landscape will keep evolving, but the fundamentals still matter most," the report read. "Organizations that stay grounded in strong cybersecurity basics (clear visibility into assets and third parties, disciplined patch management, and well-practiced response plans along with a culture that supports and enables secure behavior) are better positioned to handle today's realities and whatever comes next."
Most striking in the "DBIR" might be the statistics that show vulnerability exploitation to be the most common initial access vector for breaches last year, up 31% from the previous year. Meanwhile, only 26% of critical vulnerabilities (defined as those in CISA's Known Exploited Vulnerabilities (KEV) catalog) were fully remediated by organizations in 2025, compared to 38% the previous year. Just over half (58%) were partially remediated last year, and 16% remained unaddressed.

Further, median resolution time increased by two weeks (43 days, up from 32 in 2024), and organizations had 50% more critical bugs to patch than last year, according to the dataset. This is especially notable because the "2025 DBIR" showed marked improvements in terms of remediation (a trend that continued from previous years).

While organizations perhaps got worse at patching, Verizon also saw a dramatic year-over-year increase in the number of vulnerability detections, likely driven by AI-assisted bug hunting. "There were 68.7 million records in the 2022 dataset and 527.3 million in 2025 — almost eight times the volume," the "DBIR" reads.

Why Organizations Struggle to Stay on Top of Vulnerabilities

The reasons this is happening are complicated. The volume of critical vulnerabilities is immense and only growing worse, and as the "DBIR" notes, even the best-resourced organizations can patch only 30% to 40% of them in the first week.

Organizations also have complex environments, which can contain IT, operational technology (OT), Internet of Things (IoT) gear, AI, and cloud products to varying degrees, all being used by a range of humans and non-human identities, which require complex access and authorization processes.
Meanwhile, these same organizations have resource and operational constraints as well as competing priorities; some vulnerabilities will inevitably sit unpatched for weeks or months as a result.

Attackers know this. Old vulnerabilities from years ago continue to be exploited, and it doesn't help that among the biggest beneficiaries of our new AI-powered future are the threat actors themselves. Threat actors use large language models (LLMs) to develop malware, find vulnerabilities, construct phishing lures, automate reconnaissance, and more.

"Threat actors are demonstrably using GenAI to help at different stages of attack, including targeting, initial access, and development of malware and other tools," the "DBIR" reads. "The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50."

Patrick Münch, chief security officer of Mondoo, tells Dark Reading that threat actors experience an asymmetric advantage on the AI front because adversaries need to find only one path to succeed, and AI lowers the cost of exploitation attempts to near zero. That said, he doesn't think the asymmetry is permanent. He argues the future will be in agentic remediation to combat an AI offensive.

"The defenders who close the gap will be the ones who use AI agentically, not as a co-pilot that helps a human security analyst write a slightly better ticket, but as autonomous workflows that detect, contextualize, prioritize, and remediate without human bottlenecks in the path," he predicts.

How to Get Ahead of the Vulnerability Flood

Depending on who you ask, you'll find a variety of answers for how to best get ahead of the vulnerabilities overwhelming organizations today. Some might recommend using one of the many software-as-a-service (SaaS) tools intended to manage the problem, or integrating LLMs, or something else entirely.
Verizon's recommendation is more straightforward, and it's the tried-and-true advice of patch prioritization. Not all vulnerabilities are created equal, and some flaws will represent a more immediate risk to one's environment than others.

The advice of the "DBIR" is to prioritize based on active exploitation, or recency. Old vulnerabilities may face exploitation just like new vulnerabilities, but researchers found that "the longer it’s been since a vulnerability has been exploited, the less likely it is to be exploited again soon."

Based on most recent exploitation, Verizon found that the probability of exploitation resurgence drops after about 30 days, again at 90 days, and again after around nine months. After a year, the probability of seeing new exploitation is about the same as if it had never been exploited at all.

The report also notes that even though different environments have different needs, active exploitation should always come first in the hierarchy of fixing, regardless of the age of the vulnerability in question. Some new vulnerabilities may never be targeted, while many persistently exploited flaws are years old.

Tim Jarrett, vice president of strategic product management at Veracode, says that one way to manage the influx of vulnerabilities is to shift detection left, prior to facing active exploitation in the first place. But for vulnerabilities already in the environment, Jarrett recommends prioritizing based on exploitation status (like the "DBIR" recommends) through the KEV and Exploit Prediction Scoring System (EPSS), or leaning on automated remediation tools.

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism.
He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels. He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.
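The recency-first patch ordering described in the article, shown as an added Python example (not code from Verizon, the DBIR, or Dark Reading). It buckets each finding by days since its last observed exploitation using the article's cut-offs of about 30 days, 90 days, nine months and one year. Assumptions: nine months is taken as 270 days, ties are broken by KEV listing and then EPSS score, and the field names and sample findings are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Day cut-offs from the article's summary of the DBIR finding:
# about 30 days, 90 days, around nine months (assumed 270 days), one year.
RECENCY_CUTOFFS = (30, 90, 270, 365)

@dataclass
class Finding:
    vuln_id: str                    # placeholder IDs, not real CVE numbers
    asset: str
    last_exploited: Optional[date]  # most recent observed exploitation, if any
    in_kev: bool                    # listed in CISA's KEV catalog
    epss: float                     # EPSS probability, 0.0 to 1.0

def recency_tier(last_exploited: Optional[date], today: date) -> int:
    """0 = exploited within 30 days ... 4 = over a year ago, or never."""
    if last_exploited is None:
        return len(RECENCY_CUTOFFS)
    age_days = (today - last_exploited).days
    for tier, cutoff in enumerate(RECENCY_CUTOFFS):
        if age_days <= cutoff:
            return tier
    # Past one year: the article says the odds match "never exploited".
    return len(RECENCY_CUTOFFS)

def prioritize(findings, today):
    """Patch queue order: freshest exploitation first, then KEV, then EPSS.
    The tie-break order is an assumption of this example."""
    return sorted(
        findings,
        key=lambda f: (recency_tier(f.last_exploited, today), not f.in_kev, -f.epss),
    )

# Constructed sample findings, for illustration only.
TODAY = date(2026, 5, 19)
SAMPLE = [
    Finding("VULN-A", "vpn-gw", date(2026, 5, 10), True, 0.42),
    Finding("VULN-B", "intranet-wiki", None, False, 0.91),
    Finding("VULN-C", "mail-relay", date(2025, 1, 2), True, 0.70),
    Finding("VULN-D", "hr-portal", date(2026, 3, 1), False, 0.15),
    Finding("VULN-E", "build-server", date(2025, 10, 1), True, 0.30),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE, TODAY):
        print(recency_tier(f.last_exploited, TODAY), f.vuln_id, f.asset)
```

In the sample, VULN-B has the highest EPSS score but no observed exploitation, so it queues behind VULN-D, which scores low but was exploited 79 days earlier.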