For those of us who devote much of our time and energy to studying software vulnerabilities, the annual release of the Verizon Data Breach Investigations Report (aka the Verizon 2026 DBIR) is a high holy day. For 19 years, the DBIR has been pretty much the gold standard of corporate cybersecurity research: heavy on stats and charts, huge corpus of data, but presented in fun, eyeball-grabbing ways. So let’s get into some initial impressions!
Exploits are up, but still not the majority
Most headlines and slide citations you’ve likely seen sourced from the DBIR over the last couple weeks (and certainly through the next several months) are breathless exhortations that exploited vulnerabilities are up – way up – as average time-to-patch rates are slowing down, which spells doom for most enterprises. This is absolutely the case: exploited vulnerabilities account for 31% of initial access events that ultimately lead to a material breach, which is up from 2025’s reported 20% rate, which itself is a whopping 55% boost from last year, and continues the trend of exploitation taking more and more of the initial access pie.
However, what the DBIR doesn’t state plainly is that this statistic represents merely a plurality, not a majority, of successful initial access attacks. Putting it another way, 69%[1] of initial access attacks sourced from something other than an exploited software vulnerability.
This means that even if you manage to patch 100% of technical vulnerabilities on your network edge, you’ve still got a ton of work to do to deal with misconfigurations, default credentials, phishing, pretexting, and all the other ways spies and criminals penetrate your network. I know, I know, as a vulnerability-lover, this pains me, too, but that’s just the deal with modern, comprehensive cybersecurity. Maybe next year? If exploitation rates rise another 60-ish percent, it’ll be in striking range of a majority tactic.
The “speed of light” barrier to patch rates
Unfortunately, that “patch 100%” target is ever more elusive these days, and we have real backing from the DBIR for this opinion. The Verizon authors cite the rapid rise of CVE-identified vulnerabilities, and specifically, the ever-increasing rate of CISA KEV additions. IT security shops have been admirably keeping up with the firehose… until the 2025 study period that the 2026 DBIR covers, where keeping up with critical vulnerabilities faltered.
For me, the most compelling quote in the DBIR is this: “this might be an initial measurement of the ‘speed of light’ — the theoretical limit — for vulnerability remediation processes. Organizations at their very best only get to fix 30%–40% of KEV instances in the first week after detection, so choosing the correct ones to patch really is the key strategy.” Emphasis added, because this goes right to the core of something we’ve been flogging for a while now here at runZero.
While DBIR uses “CISA KEV-listed vulnerabilities” as a useful stand-in for “critical vulnerabilities,” we know that not all KEVs are created equal. Heck, I wrote a whole paper on the art and science of KEVology, and we released a fun workbench, KEV Collider, for sorting and choosing the KEVs that organizations can use to help prioritize this tiny subset of software vulnerabilities.
What this also tells me is that it’s simply unreasonable and unrealistic to expect an enterprise of any appreciable size and complexity to mitigate every KEV on any human-scale timeline with our current tooling and processes. Achieving 100% coverage inside the first week after detecting a known-exploited vulnerability in the environment is nearly impossible for no less than half of the very best and most expensive IT security teams.
Part of the reason here is the sheer volume of alerts to deal with. It may well be possible to hit this mark in a vacuum in a well-understood tech stack, but when your attention is being seized by alert after alert, in quick succession, in the chaotic environment of a modern TCP/IP network, teams and systems are practically guaranteed to start dropping patches on the floor. We seem to have hit maximum capacity in 2024, and now we get to worry about a renewed onslaught of AI-assisted vulnerability discovery further slowing us down.
I cannot stress this enough: it is impossible to keep patched against thousands to millions of vulns as they become public. Enterprises must make choices, based on the inherent riskiness of specific vulnerabilities, where those vulnerable systems live, and how far attackers need to go to reach them. This makes high-visibility asset and exposure management a critical component of any continuous security strategy.
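The “choose the correct ones” strategy above comes down to ranking known-exploited findings by how reachable the affected system is and how bad a compromise would be, then patching from the top of the list until the week’s capacity runs out. The following is an added example (not code from runZero or the DBIR) of that ranking; the findings, the scoring weights, the placeholder identifiers and the 35% weekly capacity (the midpoint of the DBIR’s 30%–40% figure) are all constructed assumptions.

```python
"""Rank KEV findings for a patch budget that only covers part of the backlog.

Added example, not code from runZero or the DBIR. The findings, the scoring
weights and the 35% weekly capacity (the midpoint of the DBIR's 30%-40%
figure) are constructed assumptions for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    kev_id: str            # placeholder identifiers, not real CVE numbers
    exposure: str          # "internet", "dmz" or "internal"
    hops_from_edge: int    # network hops an attacker must cross from the edge
    crown_jewel: bool      # identity, control-plane or sensitive-data system
    public_exploit: bool   # weaponized exploit code is publicly available


# Constructed reachability weights by exposure tier.
EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.7, "internal": 0.4}


def risk_score(f: Finding) -> float:
    """Combine how reachable the vulnerable system is with how bad a compromise would be.

    Reachability decays with each additional hop from the network edge; impact
    doubles for crown-jewel assets and rises 50% when exploit code is public.
    """
    reach = EXPOSURE_WEIGHT[f.exposure] / (1 + f.hops_from_edge)
    impact = (2.0 if f.crown_jewel else 1.0) * (1.5 if f.public_exploit else 1.0)
    return round(reach * impact, 3)


def plan_week(findings, capacity_fraction=0.35):
    """Split findings into (patch_now, defer) under a fixed weekly capacity.

    Only floor(len * capacity_fraction) instances, but at least one, make the
    cut; ties are broken deterministically by asset name and identifier.
    """
    budget = max(1, math.floor(len(findings) * capacity_fraction))
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.kev_id))
    return ranked[:budget], ranked[budget:]


# Constructed sample inventory: eight KEV instances across an imaginary estate.
SAMPLE_FINDINGS = [
    Finding("web-01", "KEV-EXAMPLE-1", "internet", 0, False, True),
    Finding("vpn-01", "KEV-EXAMPLE-2", "internet", 0, True, True),
    Finding("app-03", "KEV-EXAMPLE-3", "dmz", 1, False, False),
    Finding("db-01", "KEV-EXAMPLE-4", "internal", 3, True, False),
    Finding("kiosk-07", "KEV-EXAMPLE-5", "internal", 2, False, False),
    Finding("mail-01", "KEV-EXAMPLE-6", "dmz", 0, False, True),
    Finding("hr-db", "KEV-EXAMPLE-7", "internal", 1, True, True),
    Finding("printer-02", "KEV-EXAMPLE-8", "internal", 4, False, False),
]

if __name__ == "__main__":
    now, later = plan_week(SAMPLE_FINDINGS)
    for label, group in (("PATCH THIS WEEK", now), ("DEFER", later)):
        print(label)
        for f in group:
            print(f"  {risk_score(f):5.3f}  {f.asset:<11} {f.kev_id}  "
                  f"{f.exposure}/{f.hops_from_edge} hops")
```

With eight findings and a 35% budget, only two make the cut: the internet-facing VPN concentrator (crown jewel, public exploit) and the edge web server. The internal HR database, despite holding sensitive data and having a public exploit, is deferred because an attacker has to get through the edge first; an asset inventory that knows which systems are actually reachable is what makes this ordering possible at all.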
Ransomware and AI
A couple of other stories emerged for me in the DBIR this year, which I wanted to touch on. First off, there’s a shift in the ransomware economics underway. Verizon reports that ransomware attacks are up by volume (no surprise there), but the rate at which victims are paying off the extortionists is trending down, along with the total dollar amounts of payments. This strikes me as very normal economics of scale, and the goal of pretty much every consumer tech company in Silicon Valley and beyond: lower prices, increase consumption, and you make up the difference on volume. So, what does this mean for RaaS (ransomware-as-a-service)? I’m starting to suspect there will be a major upheaval (dare I say, disruption) in the space, but I have no idea what that’ll look like.
The other story that jumped out at me is the massive uptake of “shadow AI” in enterprises. The DBIR reports that the share of people who describe themselves as “regular AI users” on company equipment, on the job, is up to 45%, from last year’s figure of 15%. This tells me that shadow AI is going to be a real headache this year, and to keep an eye out for the entirely predictable breach of company secrets due to unsanctioned, unauthorized AI use. Just like shadow IT imperils enterprise networks by escaping the usual controls applied to sanctioned tech, using off-site chatbots and other LLM-backed technology is virtually guaranteed to lead to an exposure of sensitive customer and company info. Security shops are advised to monitor for this, but detection is going to be quite difficult in the BYOD/WFH world we live in; at the very least, every enterprise today needs to spend some leadership cycles on crafting and publishing an AI acceptable use policy (AUP), and take violations of it seriously. I hate to be the tech police here, but even the most well-meaning employee, having just hopped on the AI bandwagon, is going to screw this up eventually.
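Where monitoring is possible at all (managed devices going through a corporate proxy), the check is to separate traffic to the services the AUP sanctions from traffic to everything else that looks like an AI service, and to watch how much data is being pushed to the latter. The following is an added example (not code from the DBIR or runZero) of that check run over constructed proxy log lines; the log format, the user names, the service domains (all under the reserved .example TLD) and the 100 KB upload threshold are assumptions, to be replaced with the lists your own AUP defines.

```python
"""Spot unsanctioned AI-service use in web-proxy logs.

Added example, not code from the DBIR or runZero. The log format, user
names, service domains (all under the reserved .example TLD) and the
100 KB upload threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Placeholder service lists; in practice these come from the AUP and an intel feed.
SANCTIONED_HOSTS = {"ai.corp-approved.example"}
UNSANCTIONED_SUFFIXES = ("chatbot.example", "llm-api.example")

# Constructed log format: timestamp user method url status request_body_bytes
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def classify(host):
    """'sanctioned', 'unsanctioned' or 'other' for a request host."""
    if host in SANCTIONED_HOSTS:
        return "sanctioned"
    if any(host == s or host.endswith("." + s) for s in UNSANCTIONED_SUFFIXES):
        return "unsanctioned"
    return "other"


def shadow_ai_report(lines, upload_threshold=100_000):
    """Aggregate per-user requests to unsanctioned AI services.

    Bytes sent via POST/PUT are summed as a proxy for data leaving the
    company; a user whose total crosses upload_threshold is flagged.
    Malformed lines are skipped rather than aborting the run.
    """
    per_user = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or classify(rec["host"]) != "unsanctioned":
            continue
        entry = per_user[rec["user"]]
        entry["requests"] += 1
        entry["hosts"].add(rec["host"])
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_out"] += rec["bytes"]
    for entry in per_user.values():
        entry["over_threshold"] = entry["bytes_out"] >= upload_threshold
    return dict(sorted(per_user.items(), key=lambda kv: -kv[1]["bytes_out"]))


# Constructed sample proxy log, including one malformed line.
SAMPLE_LOG = [
    "2026-05-04T09:12:01Z alice GET https://ai.corp-approved.example/chat 200 1200",
    "2026-05-04T09:13:44Z bob POST https://chat.chatbot.example/api/complete 200 48211",
    "2026-05-04T09:14:02Z bob POST https://chat.chatbot.example/api/upload 200 734210",
    "2026-05-04T09:15:30Z carol GET https://news.example/ 200 9000",
    "2026-05-04T09:16:11Z dave POST https://eu.llm-api.example/v1/chat 200 2100",
    "this line is not a proxy record",
]

if __name__ == "__main__":
    for user, entry in shadow_ai_report(SAMPLE_LOG).items():
        flag = "FLAG" if entry["over_threshold"] else "info"
        print(f"{flag} {user}: {entry['requests']} requests, "
              f"{entry['bytes_out']} bytes out, {sorted(entry['hosts'])}")
```

On the sample log, alice (sanctioned service) and carol (no AI service) never appear in the report; bob is flagged for pushing roughly 780 KB to an unsanctioned chatbot, while dave’s single small request is recorded but stays below the threshold. The suffix matching catches regional or API subdomains of a listed service, which is where a plain hostname equality check would miss traffic.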
Getting ahead of (gestures broadly) all this
The DBIR is an invaluable resource for good statistics and good science, and if you’ve read this far, you’re the kind of person that’s likely to run into citations from the DBIR from your vendors, your partners, and your boss for the rest of the year. Hopefully, your takeaway from the DBIR (or this book report) is not, in the end, utter despair. There are things you can do to get ahead of your exposure management.
One of those things is to give runZero’s best-in-class solution a whirl. Head over to runZero.com/try for a free community edition and see what I’m talking about when I say that vulns aren’t the only thing, or even the most pressing thing, you can spend your time and effort on. Modern cybersecurity means having a great, up-to-date picture of your attack surface, and the runZero 4.9 release does a bang-up job at getting you armed with the situational awareness to stay ahead of the most likely attacks you’re going to see in this cruel, cruel world.
[1] Nice