Editorial collage cover illustrating the 2026 Verizon DBIR patch gap crisis with treadmill imagery, vulnerability exploitation stats, ransomware risk, and cybersecurity dashboards.

The Treadmill: What the 2026 Verizon DBIR Says About the Patch Gap Nobody Is Closing

The 2026 Verizon DBIR confirms a historic shift: vulnerability exploitation has overtaken credential theft as the top initial access vector. Attackers are moving faster than organizations can patch — and the gap is widening.

👋 Welcome to Unlocked

Every year Verizon publishes the most credible breach dataset in the industry, and every year the security community reads it, nods along, and moves on.

This year's findings deserve more than a nod.

The 2026 DBIR just crossed a threshold that hasn't been crossed in the report's 19-year history: for the first time ever, exploiting unpatched vulnerabilities is now the single most common way attackers get in — overtaking credential theft, which has held the top spot since the report began. That alone is worth pausing on.

But the headline number isn't actually the most alarming finding. The more alarming finding is what's sitting underneath it: organizations are patching slower, facing more vulnerabilities than ever, and the window between a vulnerability being disclosed and an attacker weaponizing it has now gone negative. Attackers are moving faster than patches exist.

That's the treadmill, and according to 22,000 confirmed breaches across 145 countries, it's picking up speed.


🔑 What the DBIR Actually Says

The 2026 Verizon Data Breach Investigations Report is the largest dataset in the report's history — 31,000 security incidents, 22,000 confirmed breaches, nearly double last year's confirmed breach count of 12,195.

The headline: vulnerability exploitation now accounts for 31% of all initial access vectors — up from 20% last year, a 55% increase in a single reporting period. For the first time in 19 years, it has knocked credential abuse off the top spot.

But here's the nuance that most coverage is missing — and it matters for how you act on this data. Phishing (16%) plus credential abuse (16%) still totals 32% of initial access, versus 31% for vulnerability exploitation. The DBIR didn't announce the death of identity-based attacks. It announced that the attack surface now has two equally dangerous front doors. Organizations that respond to this report by pivoting entirely to vulnerability management at the expense of identity controls are reading it wrong.

What's actually changed is the velocity problem. The DBIR documents it precisely: organizations patched only 26% of the critical vulnerabilities in CISA's Known Exploited Vulnerabilities catalog last year, down from 38% in 2024. The median time to fully patch a known-exploited vulnerability increased to 43 days — up from 32 days the year before. At the same time, the number of critical vulnerabilities organizations needed to patch was 50% higher than the previous year.

More vulnerabilities. Slower patching. Smaller coverage. The math doesn't work in the defender's favor.


📉 The Numbers

  • 22,000+ confirmed breaches analyzed — nearly double last year's count
  • 31% of initial access vectors are now vulnerability exploitation — up from 20%, a 55% YoY increase; first time #1 in 19 years
  • 32% combined share of phishing + credential abuse — identity threats haven't gone away
  • 26% of CISA KEV critical vulnerabilities were patched in 2025 — down from 38% in 2024
  • 43 days median time to fully patch a known-exploited vulnerability — up from 32 days
  • 527M vulnerability instances recorded in 2025 — up from 68.7M in 2022, an eight-fold increase in three years
  • -7 days Mandiant's estimated mean time to exploit in 2025 — exploitation now routinely precedes patch availability
  • 48% of all breaches involved ransomware — up from 44%
  • 48% of all breaches involved a third party — up 60% year over year
  • 62% of breaches involved a human element
  • 4x increase in shadow AI appearing in DLP datasets year over year

🔍 Three Things the DBIR Is Really Telling You

The DBIR is 100+ pages. Here's the signal beneath the noise:

1. The patch window has inverted — and most teams don't know it.

This is the finding that should change how every CISO frames vulnerability management to their board. Mandiant's M-Trends 2026 report puts the estimated mean time to exploit at negative seven days. Exploitation now routinely occurs before a patch exists. The strategy of patching before attackers arrive is now structurally compromised — because attackers are arriving before the patch does.

Security Boulevard's analysis of both datasets describes this as "The Remediation Scissors" — two trend lines moving in opposite directions that crossed between 2022 and 2024 and have been diverging since. In 2018, defenders had a 33-day buffer between exploitation and patching. In 2025, that buffer is negative. The teams still operating as if the 2018 model holds are the ones showing up in Verizon's breach count.

What this means practically: patch velocity matters, but it can no longer be the primary defense. The organizations that survive this environment are the ones that detect and contain faster, not just the ones that patch faster. That's a fundamentally different security posture than most enterprise programs are built around.

2. The infostealer-to-ransomware pipeline now has a timeline.

One of the most actionable findings in this year's DBIR is the quantification of the credential-to-ransomware chain. 50% of ransomware victims had a credential or infostealer event occur within 95 days prior to the ransomware attack. Half. Within 95 days. That's a documented, measurable pipeline — and it means that infostealer detection isn't just a credential hygiene problem. It's an early warning system for ransomware.

The DBIR also documents the supply chain of that pipeline: infostealers are surfacing an average of 2,362 breached corporate credentials per month from organizational email domains in stealer log datasets, and 54% of devices in Initial Access Broker logs had at least one infostealer installed. Initial Access Brokers are packaging those credentials and selling them to ransomware operators, who then concentrate their effort on lateral movement and deployment rather than initial compromise. The breach has often already happened before the ransomware operator even gets involved.

This connects directly to the ShinyHunters playbook we covered in Edition #36 — their vishing campaigns and Salesforce sweeps are generating exactly the kind of authenticated session access that feeds this pipeline. The credential is the entry point. Everything downstream is operational execution.

3. Shadow AI is now a documented data loss vector.

This one appeared almost as a footnote in most DBIR coverage. It shouldn't. Shadow AI is now the third most common non-malicious insider action detected in DLP datasets — a fourfold increase in percentage from the previous year. Employees are feeding sensitive data into unauthorized AI tools at a rate that has quadrupled in 12 months.

This is the "accidental breach" category that's going to define the next two years of enterprise security — and most organizations have no governance framework for it. We covered the first documented case of a regulated financial institution leaking customer SSNs to an unauthorized AI tool earlier this month. The DBIR confirms that incident is not an outlier. It's a trend line.

Meanwhile, on the offensive side: Verizon collaborated with the Anthropic Safeguards Team to analyze 793 threat actors flagged for AI misuse between March 2025 and February 2026 — finding the median attacker used AI assistance across 15 distinct attack techniques, with extreme cases stretching to 40 or 50. Two named examples: LameHug, which used Alibaba's Qwen LLM to generate polymorphic malware on demand, and PromptLock — the first documented AI-powered ransomware strain. And Anthropic's own Project Glasswing Mythos has now surfaced more than 10,000 high- or critical-severity vulnerabilities in roughly a month of preview deployment — a figure that illustrates exactly why the patch volume crisis the DBIR documents is about to get significantly worse.


🛡️ What This Means for Your Access Layer

The DBIR's overarching theme this year is "keeping a strong foundation in the face of change." That's Verizon's polite way of saying: the fundamentals still matter, and most organizations aren't doing them well enough.

Prioritize KEV over CVE count. With 527 million vulnerability instances in 2025 and only 26% of KEV-listed critical flaws being patched, the problem isn't effort — it's prioritization. Organizations that chase CVE counts are managing noise. Organizations that focus remediation resources on CISA KEV, actively exploited vulnerabilities, and internet-facing assets first are managing risk. Dark Reading's DBIR coverage frames this well: it's a vulnerability glut problem, not a patching effort problem.
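As an added illustration (not code from the DBIR, Dark Reading or the EveryKey team), here is a small Python triage that applies the ordering above to a constructed inventory: open findings are ranked known-exploited first, then internet-facing, then by CVSS, and the KEV patch coverage and median disclosure-to-patch time are reported alongside. The CVE ids and the KEV set are placeholders standing in for a real KEV feed, not real entries.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Finding:
    cve: str
    cvss: float
    internet_facing: bool
    disclosed: date
    patched: Optional[date]  # None means the finding is still open

# Constructed placeholder data: these ids are NOT real CVEs, and this set is
# NOT the real CISA KEV catalog; it stands in for a KEV feed you would load.
KEV = {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0005"}

INVENTORY = [
    Finding("CVE-0000-0001", 9.8, True,  date(2025, 3, 1), date(2025, 4, 20)),
    Finding("CVE-0000-0002", 9.1, False, date(2025, 3, 5), None),
    Finding("CVE-0000-0003", 7.5, True,  date(2025, 5, 2), None),
    Finding("CVE-0000-0004", 8.8, True,  date(2025, 6, 1), date(2025, 6, 10)),
    Finding("CVE-0000-0005", 6.5, False, date(2025, 7, 1), date(2025, 8, 30)),
    Finding("CVE-0000-0006", 9.8, True,  date(2025, 9, 9), None),
]

def priority(f: Finding) -> tuple:
    """Sort key for KEV-over-CVE-count: known-exploited first, then
    internet-facing, then raw CVSS (False sorts before True, hence the nots)."""
    return (f.cve not in KEV, not f.internet_facing, -f.cvss)

def triage(findings: list[Finding]) -> list[Finding]:
    """Open findings in the order remediation effort should be spent."""
    return sorted((f for f in findings if f.patched is None), key=priority)

def kev_metrics(findings: list[Finding]) -> dict:
    """KEV patch coverage and median days from disclosure to patch, i.e. the
    two numbers the Tip of the Week asks leadership for."""
    kev = [f for f in findings if f.cve in KEV]
    patched = [f for f in kev if f.patched is not None]
    days = [(f.patched - f.disclosed).days for f in patched]
    return {
        "kev_total": len(kev),
        "kev_patched": len(patched),
        "coverage_pct": round(100.0 * len(patched) / len(kev), 1) if kev else 0.0,
        "median_days_to_patch": median(days) if days else None,
    }

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.cve}  kev={f.cve in KEV}  exposed={f.internet_facing}  cvss={f.cvss}")
    print(kev_metrics(INVENTORY))
```

Note that the CVSS 7.5 KEV-listed finding outranks the 9.8 non-KEV one, which is the whole point of the ordering.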

Treat credential detection as ransomware early warning. The 95-day infostealer-to-ransomware window means that detecting a compromised credential today gives you a 95-day runway before the ransomware operator arrives — if you act on it. Monitoring dark web credential exposure, rotating credentials on detection, and auditing active sessions for anomalous behavior isn't just identity hygiene. It's your ransomware prevention program.

Build a shadow AI inventory before it builds itself. The fourfold increase in shadow AI in DLP datasets means the data exposure is already happening in most organizations. The question is whether you know about it. Start with a survey of what AI tools your teams are actually using — not what's approved, what's in use — and build access controls around the highest-risk use cases first. Hardware-bound credentials and Zero Trust access controls don't just protect against external attackers. They give you the visibility layer to understand what your own employees are connecting to.

Assume breach on third-party connections. 48% of breaches involved a third party — up 60% year over year. That number is now approaching a coin flip. Auditing your third-party access footprint — active OAuth tokens, dormant integrations, vendor permissions — is the single control that addresses the largest and fastest-growing breach category in the dataset.


🔑 The Bottom Line

The 2026 DBIR is the most useful threat intelligence document published this year — and the most sobering.

The treadmill metaphor the report's authors chose is exactly right. Organizations aren't failing because they've stopped trying. They're failing because the machine is moving faster than the people running on it. More vulnerabilities, faster exploitation, slower patching, a 60% surge in third-party exposure, and a fourfold jump in accidental AI data loss — all in a single reporting year.

The organizations that stabilize on this treadmill won't do it by running harder. They'll do it by changing what they're running toward: detection speed over patch completeness, identity controls that don't depend on reaction time, and access architectures that reduce the blast radius when — not if — something gets through.


💡 Unlocked Tip of the Week

Take the DBIR's three top findings to your next leadership meeting as three direct questions:

"What percentage of our CISA KEV-listed vulnerabilities are currently patched — and what's our median time to remediate?"

"Do we have visibility into corporate credentials appearing in infostealer or dark web datasets — and what's our response playbook when we find one?"

"Do we know which AI tools our employees are using that aren't on our approved list — and what data are they putting into them?"

If any of those three questions produce a long silence, that's your roadmap for the next quarter.


🔥 Final Takeaway

For 18 years, stolen credentials sat at the top of the DBIR, but that changed this year.

It didn't change because credential theft got easier to stop. It changed because vulnerability exploitation got easier to execute — and the systems organizations rely on to stop it are moving slower than the attacks.

That's the signal in this year's data: not that one threat replaced another, but that the threat surface expanded on both fronts simultaneously while the resources defending it stayed flat.

The organizations that come out of this period intact won't be the ones that picked the right front to defend. They'll be the ones that accepted they had to defend both — and built access controls that reduced the blast radius on either one.

Until next time,

The EveryKey Team

