Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut

Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut

Newsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsEndpoint SecurityChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsbyAlexander CulafiMay 22, 20264 Min ReadApplication SecurityGitHub Confirms Breach, 4K Internal Repos StolenGitHub Confirms Breach, 4K Internal Repos StolenbyAlexander CulafiMay 20, 20263 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryThreat IntelligenceApplication SecurityCybersecurity OperationsCyber RiskNewsVerizon DBIR: Enterprises Face a Dangerous Vulnerability GlutVerizon's 2026 Data Breach Investigations Report (DBIR) finds that exploits are now involved in 31% of initial access for breaches, while patching lags too far behind the bad guys.Alexander Culafi,Senior News Writer,Dark ReadingMay 19, 20265 Min ReadSource: Cagkan Sayin via Alamy Stock PhotoDefenders are dealing with an influx of vulnerabilities like never before, and patch prioritization has never been more critical, according to Verizon Business's 2026 Data Breach Investigations Report (DBIR). This year's report confirmed several ongoing trends on the vulnerability exploitation and around threat actors abusing AI, for example — but the 2026 DBIR more broadly promotes sticking to the cybersecurity fundamentals as the industry undergoes massive change.And indeed, defenders in the past year have been tasked with handling everything from self-replicating worms infesting software components to preparing for large language models (LLMs) that can supposedly discover critical zero-day vulnerabilities all on their own."Amid all this change, one message stays the same: The threat landscape will keep evolving, but the fundamentals still matter most," the report read. "Organizations that stay grounded in strong cybersecurity basics (clear visibility into assets and third parties, disciplined patch management, and well-practiced response plans along with a culture that supports and enables secure behavior) are better positioned to handle today's realities and whatever comes next."Related:Chinese APTs Share Linux Backdoor in Central Asia Telco AttacksMost striking in the DBIR might be the statistics that show vulnerability exploitation to be the most common initial access vector for breaches last year, up 31% from the previous year. Meanwhile, only 26% of critical vulnerabilities (defined as those in CISA's Known Exploited Vulnerability catalog) were fully remediated by organizations in 2025, compared to 38% the previous year. Just over half (58%) were partially remediated last year, and 16% remained unaddressed.Further, median resolution time increased by two weeks (43 days, up from 32 in 2024), and organizations had 50% more critical bugs to patch than last year, according to the dataset. This is especially notable because the 2025 DBIR showed marked improvements in terms of remediation (a trend that continued from previous years).While organizations perhaps got worse at patching, Verizon also observed a dramatic increase in the number of vulnerability detections observed year over year, likely driven by AI-assisted bug hunting. "There were 68.7 million records in the 2022 dataset and 527.3 million in 2025 — almost eight times the volume," the DBIR reads.Why Organizations Struggle to Stay on Top of VulnerabilitiesThe reasons behind why this is happening are complicated. The volume of critical vulnerabilities is immense and only growing worse, and as the DBIR notes, even the best-resourced organizations can patch only 30% to 40% of them in the first week. Related:Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOSOrganizations also have complex environments, which can contain IT, operational technology (OT), Internet of Things (IoT) gear, AI, and cloud products to varying degrees, all being used by a range of humans and non-human identities, which require complex access and authorization processes. Meanwhile, these same organizations have resource and operational constraints as well as competing priorities; some vulnerabilities will inevitably sit unpatched for weeks or months as a result.Attackers know this. Old vulnerabilities from years ago continue to be exploited, and it doesn't help that one of the biggest beneficiaries of our new AI powered future are the threat actors themselves. Threat actors use large language models (LLMs) to develop malware, find vulnerabilities, construct phishing lures, automate reconnaissance, and more. "Threat actors are demonstrably using GenAI to help at different stages of attack, including targeting, initial access, and development of malware and other tools," the DBIR reads. "The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50."Related:Tables Turn on 'The Gentlemen' RaaS Gang With Data LeakPatrick Münch, chief security officer of Mondoo, tells Dark Reading that threat actors experience an asymmetric advantage on the AI front because adversaries need to find only one path to succeed, and AI lowers the cost of exploitation attempts to near zero. That said, he doesn't think the asymmetry is permanent. He argues the future will be in agentic remediation to combat an AI offensive."The defenders who close the gap will be the ones who use AI agentically, not as a co-pilot that helps a human security analyst write a slightly better ticket, but as autonomous workflows that detect, contextualize, prioritize, and remediate without human bottlenecks in the path," he predicts. How to Get Ahead of the Vulnerability FloodDepending on who you ask, you'll find a variety of answers for how to best get ahead of the vulnerabilities overwhelming organizations today. Some might recommend using one of the many software-as-a-service (SaaS) tools intended to manage the problem, or integrating LLMs, or something else entirely. Verizon's recommendation is more straightforward, and it's the tried-and-true advice of patch prioritization. Not all vulnerabilities are created equally, and some flaws will represent a more immediate risk to one's environment than others. The advice of the DBIR is to prioritize based on active exploitation, or recency.Old vulnerabilities may face exploitation just like new vulnerabilities, but researchers found that "the longer it’s been since a vulnerability has been exploited, the less likely it is to be exploited again soon." Based on most recent exploitation, Verizon found that the probability of exploitation resurgence drops after about 30 days, again at 90 days, and again after around nine months. After a year, the probability of seeing new exploitation is about the same as if it was never exploited at all. The report also notes that even though different environments have different needs, active exploitation should always come first in the hierarchy of fixing, despite the age of the vulnerability in question. Some new vulnerabilities may never be targeted, while many persistently exploited flaws are years old. Tim Jarrett, vice president of strategic product management at Veracode, says that one way to manage the influx of vulnerabilities is to shift detection left, prior to facing active exploitation in the first place. But for vulnerabilities already in the environment, Jarrett recommends prioritizing based on exploitation status (like the DBIR recommends) through the KEV and Exploitability Prediction Scoring System, or leaning on automated remediation tools.[Virtual Event] Anatomy of a Data Breach: What to Do if it Happens to YouJun 18, 2026|OnlineHow do you ensure your SecOps team is prepared to respond to a cyberattack that exposes your critical data?

This comprehensive virtual event examines the main vulnerabilities and exploits that lead to enterprise data breaches, plus the latest tools and best practices for conducting incident response. Get ahead of attackers and avoid becoming the next breach victim.Beat Hackers To ItExplore the AgendaBeat Hackers To ItExplore the AgendaAbout the AuthorAlexander CulafiSenior News Writer, Dark ReadingAlex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today. See more from Alexander CulafiWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Organizations Are Managing Incident ResponseHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologi