VERIZON'S 2026 Data Breach Investigations Report finds defenders are being swamped by vulnerabilities, with patch prioritisation more critical than ever. The DBIR notes that vulnerability exploitation was the most common initial access vector for breaches last year, at 31% of cases. It highlights remediation gaps: only 26% of critical vulnerabilities in the Known Exploited Vulnerability catalog were fully remediated in 2025, 58% were partially remediated, and 16% remained unaddressed.
The report also shows the burden increasing, with median time to resolution rising to 43 days and organisations facing 50% more critical bugs to patch than the previous year. It points to a surge in detections, driven in part by AI-assisted bug hunting, reporting 68.7 million records in 2022 versus 527.3 million in 2025.
According to Verizon Business's DBIR, threat actors are leveraging AI, including GenAI, at various attack stages, underscoring the need to ground defences in fundamentals like visibility, patch management and well-practised response plans.