1 in 4 KEVs patched, exploits now the #1 vector
TL;DR Vulnerability exploitation is now the #1 breach vector at 31%, while only 26% of CISA KEV vulnerabilities get fully patched, down from 38% last year. AI is operationalizing well-known attacks at scale, widening the gap between the cybersecurity haves and have-nots.
Verizon published its annual Data Breach Investigations Report (DBIR). The team analyzed 31,000 security incidents and 22,000 confirmed breaches across 145 countries between Nov 1, 2024 and Oct 31, 2025.
Highlights:
- Vulnerability exploitation is now the #1 initial access vector for breaches at 31%, up from 20% last year. It overtook credential abuse, which fell to 13% from 22%.
- Organizations fell a further 12 percentage points behind on remediating CISA KEV vulnerabilities: full remediation dropped from 38% last year to 26%.
- Median time for full vulnerability remediation is 43 days, up 11 days from 32. It echoes my recent review of the HackerOne data. The median organization had 16 unique KEVs to patch, up from 11 last year, roughly 50% more critical patching work in a single year.
- Ransomware grew again to 48% of all breaches, up from 44%.
- People are still the weakest link, with the human element in 62% of breaches, up from 60%.
- 67% of users are using non-corporate accounts on their corporate devices to access AI services. Regular AI users on corporate devices jumped from 15% last year to 45%, and Shadow AI is now the third most common non-malicious insider DLP action, a fourfold rise.
- The most common data type submitted to external GenAI models was source code at 28%, followed by images (16%), structured data (14%), documents (13%) and PDFs (10%). 3.2% of submissions were research and technical documents, an intellectual-property risk.
- Third-party breaches reached 48% of all breaches, up from 30% last year, a 60% jump after already doubling the year before.
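The KEV figures above (share fully remediated, median days to remediation, unique KEVs per organization) are easy to reproduce for your own estate, and doing so is the fastest way to see whether you sit above or below the DBIR medians. The script below is an added example, not Verizon's or CISA's code. It assumes per-host scanner findings with a first-seen and a remediated date, and it treats a KEV as fully remediated only when every affected host in the organization is closed (the last host's close date is the remediation date). The CVE ids, organization names and dates are constructed placeholders; the real catalog is published by CISA as JSON and would replace the `KEV_CATALOG` set.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Constructed stand-in for the CISA KEV catalog (placeholder ids, not real entries).
KEV_CATALOG = {"CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003", "CVE-2099-0004"}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding on one host, as a scanner would report it."""
    org: str
    cve: str
    first_seen: date
    remediated: Optional[date]  # None while the finding is still open


# Constructed scanner output for three hypothetical organizations.
FINDINGS = [
    Finding("acme", "CVE-2099-0001", date(2025, 1, 10), date(2025, 1, 25)),
    Finding("acme", "CVE-2099-0002", date(2025, 2, 1), date(2025, 3, 13)),
    Finding("acme", "CVE-2099-0002", date(2025, 2, 1), date(2025, 3, 20)),  # second host, patched later
    Finding("acme", "CVE-2088-0100", date(2025, 2, 5), None),               # not in KEV, ignored
    Finding("beta", "CVE-2099-0001", date(2025, 3, 1), date(2025, 4, 30)),
    Finding("beta", "CVE-2099-0003", date(2025, 3, 1), None),               # still open
    Finding("gamma", "CVE-2099-0004", date(2025, 5, 1), date(2025, 5, 31)),
]


def rollup(findings, catalog=KEV_CATALOG):
    """Collapse per-host KEV findings into one (org, cve) record.

    Returns {(org, cve): (first_seen, remediated_or_None)}. The KEV is fully
    remediated only when every affected host is closed; the remediation date
    is then the close date of the last host.
    """
    groups = defaultdict(list)
    for f in findings:
        if f.cve in catalog:
            groups[(f.org, f.cve)].append(f)
    out = {}
    for key, fs in groups.items():
        first = min(f.first_seen for f in fs)
        if any(f.remediated is None for f in fs):
            out[key] = (first, None)
        else:
            out[key] = (first, max(f.remediated for f in fs))
    return out


def median_unique_kevs(findings, catalog=KEV_CATALOG):
    """Median number of distinct KEVs an organization had to patch."""
    per_org = defaultdict(set)
    for org, cve in rollup(findings, catalog):
        per_org[org].add(cve)
    return median(len(cves) for cves in per_org.values())


def share_kevs_fully_remediated(findings, catalog=KEV_CATALOG):
    """Fraction of (org, KEV) records where every host was patched."""
    records = rollup(findings, catalog)
    if not records:
        return 0.0
    closed = sum(1 for _, fixed in records.values() if fixed is not None)
    return closed / len(records)


def share_orgs_fully_remediated(findings, catalog=KEV_CATALOG):
    """Fraction of organizations with no open KEV at all."""
    open_orgs, all_orgs = set(), set()
    for (org, _), (_, fixed) in rollup(findings, catalog).items():
        all_orgs.add(org)
        if fixed is None:
            open_orgs.add(org)
    return (len(all_orgs) - len(open_orgs)) / len(all_orgs) if all_orgs else 0.0


def median_days_to_full_remediation(findings, catalog=KEV_CATALOG):
    """Median days from first sighting to full remediation, closed KEVs only."""
    days = [(fixed - first).days for first, fixed in rollup(findings, catalog).values()
            if fixed is not None]
    return median(days) if days else float("nan")


if __name__ == "__main__":
    print("median unique KEVs per org:", median_unique_kevs(FINDINGS))
    print("share of KEVs fully remediated:", share_kevs_fully_remediated(FINDINGS))
    print("share of orgs with no open KEV:", share_orgs_fully_remediated(FINDINGS))
    print("median days to full remediation:", median_days_to_full_remediation(FINDINGS))
```

Two design choices matter when comparing against the report. Rolling up to the last host keeps a half-patched fleet from counting as remediated, which is the gap that "fully remediated" is meant to expose. And the median is taken only over closed KEVs, so a long tail of open findings does not show up in the days figure at all; read it alongside the remediated share, never on its own.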
My take:
- AI does not democratize offense and defense equally. Real-world businesses benefit significantly less from AI advancements, but their cybersecurity risk increases as AI drops the cost of attacks.
- The new threat of rapid exploitation boosts demand for defenses around applications, like WAFs that can buy time for patching.
- AI is stress-testing and surfacing the issues in development pipelines. These issues become real bottlenecks for fixing vulnerabilities.