The DBIR’s Exploitation Era
Attackers measure time-to-exploit in hours. Defenders still measure remediation in weeks. The 2026 DBIR shows what that math produces at scale.
In 2024, I wrote that the DBIR was entering its vulnerability era.
The 2025 report showed vulnerability exploitation surging as an initial access vector, closing the gap on credential-based attacks and signaling a structural shift in how breaches begin.
The 2026 report doesn’t just confirm that thesis; it blows past it. Vulnerability exploitation is now the leading initial access vector in confirmed breaches, and the gap between exploitation and every other method of entry is widening, not narrowing.
The 2026 DBIR analyzed 12,195 confirmed breaches across 22,052 security incidents, the largest dataset in the report’s 18-year history. The findings tell a story that anyone working in vulnerability management already feels in their bones, but now has the numbers to prove. Attackers aren’t waiting for defenders to catch up; if anything, they’re doubling down on their lead.
Exploitation Takes the Lead
The headline number is stark and of course gets a lot of the attention, and rightfully so.
Exploitation of vulnerabilities now accounts for the largest share of initial access vectors in breaches, nearly doubling the share held by phishing. That’s a complete inversion of the hierarchy that dominated the DBIR for over a decade, where stolen credentials and social engineering sat comfortably at the top of the chart and vulnerability exploitation was a secondary concern.
This isn’t a marginal shift either.
The DBIR shows exploitation’s share growing year over year while credential-based initial access flattens, and the structural reason is straightforward. The attack surface has expanded faster than any organization’s ability to defend it, and the math favors the attacker.
As I laid out in The Attack Surface Exponential, the combination of cloud-native architectures, third-party dependencies, and sprawling SaaS footprints means there are simply more vulnerable entry points than any security team can monitor, let alone patch, in any reasonable timeframe.
Edge devices are a prime example. The DBIR found that organizations remediated only 54% of edge device vulnerabilities within an entire year, with a median time-to-remediate of 43 days. That’s 43 days of exposure on devices that sit at the boundary between the internet and the internal network, devices that attackers have learned to target precisely because they’re notoriously slow to patch and often lack the monitoring coverage that endpoints receive.
The exploitation pattern also shows up in the third-party data. Third-party involvement in breaches doubled year over year to 30%, driven in large part by exploitation of vulnerabilities in vendor software and edge infrastructure. When your perimeter is someone else’s code, your patch timeline is someone else’s priority.
The Remediation Gap Is a Chasm
The core problem isn’t that organizations don’t know about vulnerabilities. It’s that they can’t fix them fast enough to matter.
This is the remediation gap I’ve been writing about since Vulnpocalypse, and the 2026 DBIR provides the clearest evidence yet that the gap isn’t just persistent. It’s accelerating.
On one side of the equation, the rate of vulnerability discovery continues to climb. FIRST projected a median of approximately 59,000 new CVEs for 2025, a 50% increase over the prior year.
The actual numbers tracked close to that projection, and 2026 is on pace to exceed it. Every year produces more vulnerabilities than the last, and nothing about the current software ecosystem suggests that trajectory will flatten. More code is being written by more developers (and non-developers, e.g. vibe coding), with more dependencies, deployed into more environments, at faster release cadences than at any point in history.
On the other side, remediation capacity hasn’t scaled to match.
The DBIR’s 43-day median remediation figure for edge devices is actually an improvement over some industry benchmarks, but it’s meaningless against the exploitation timeline. Sergej Epp’s research tracking the “Zero Day Clock” found that the median time-to-exploit collapsed from 771 days in 2018 to roughly 4 hours by 2024.
Defenders are measuring their response in weeks or months, and attackers are measuring theirs in hours.
The MOAK autonomous exploitation project makes this concrete. Researchers demonstrated that an autonomous system could exploit 174 out of 178 CISA Known Exploited Vulnerabilities in an average of 21 minutes per vulnerability, with no human intervention.
These aren’t theoretical proof-of-concept demonstrations against lab environments. These are real CVEs from CISA’s KEV catalog, the same vulnerabilities that federal agencies are mandated to patch, being exploited faster than most organizations can open a change management ticket.
As I covered in Vulnerability Management in the Age of Autonomous Exploitation, the traditional vulnerability management model assumed that defenders had a meaningful window between disclosure and exploitation. That window functionally no longer exists.
The DBIR’s data on exploitation as the leading initial access vector is the downstream consequence of that collapsed timeline playing out at scale.
The NVD and the Infrastructure That Isn’t There
The vulnerability data infrastructure that the industry depends on is itself in crisis. As I wrote in The NVD Just Threw in the Towel, NIST reclassified approximately 29,000 backlogged CVEs to a status of “Not Scheduled,” effectively acknowledging that it can’t keep pace with the volume of incoming vulnerabilities.
The National Vulnerability Database was designed for an era when vulnerability discovery was measured in thousands per year. At nearly 60,000 and climbing, the system has hit a structural scaling limit that no amount of incremental funding will solve.
This matters for the DBIR’s findings because the entire vulnerability management lifecycle, from discovery to prioritization to remediation, depends on accurate, timely enrichment data.
When the NVD can’t provide CVSS scores, CPE mappings, or affected product information within any reasonable timeframe, organizations are flying blind on which vulnerabilities actually affect their environment and which ones represent real exploitability risk. The prioritization models that security teams rely on to triage their backlogs are only as good as the data feeding them, and that data pipeline is increasingly unreliable.
The result is predictable and shouldn’t be surprising to anyone who’s been paying attention for years. Teams are drowning in vulnerability backlogs they can’t meaningfully prioritize, while attackers exploit the specific vulnerabilities that matter most.
The DBIR’s exploitation data isn’t just a story about attackers getting faster. It’s a story about the defensive infrastructure failing to provide the information defenders need to keep up.
Ransomware, SMBs, and the Business Model That Works
Ransomware was present in 44% of all breaches analyzed in the 2026 DBIR, up from 32% the prior year. For small and midsize businesses, the number was 88%. That’s not a typo. Nearly nine out of ten breaches affecting SMBs involved ransomware.
The economics explain why.
The median ransom payment declined to $115,000, driven partly by the fact that 69% of victim organizations chose not to pay, up from 50% in 2022. But ransomware operators have adapted by shifting to volume over margin. They’re targeting smaller organizations that lack the security infrastructure, staffing, and incident response capabilities to prevent or recover from an attack.
When the cost of an attack is negligible and the success rate against SMBs is high, a lower per-target yield still produces enormous aggregate revenue.
The DBIR also surfaced a troubling pipeline between infostealers and ransomware. Roughly 50% of ransomware victims had a credential leak appear in infostealer logs within 95 days before the breach. This suggests that the ransomware attack chain is increasingly industrialized, with initial access brokers harvesting credentials at scale via infostealers and selling them to ransomware operators who handle the deployment.
The credential harvesting and the exploitation aren’t separate problems; they’re connected stages of the same kill chain.
This industrialization also shows up in the tooling data. Attacker use of remote monitoring and management tools increased by 240%, a signal that threat actors are increasingly leveraging legitimate administration tools to blend into normal network activity and avoid detection.
The line between “legitimate IT operations” and “active compromise” is blurring in ways that make traditional detection approaches less effective.
GenAI and the Attacker Curve
The 2026 DBIR introduces data on generative AI usage by threat actors, and while the findings are early, they track with what I’ve been writing about in The AI Cyber Capability Curve. GenAI-generated content appeared in phishing emails at a growing rate, with synthetic text enabling more convincing and scalable social engineering. The report also found that 15% of non-malicious bot traffic is now AI-driven, growing at 21% month over month.
The more interesting finding is on the defender side.
The DBIR found that 45% of employees are regular users of AI tools in the workplace, but 12% of data loss prevention events flagged Shadow AI usage, meaning employees accessing AI tools outside of sanctioned enterprise channels. The security implications are twofold. Organizations are struggling to maintain visibility into how AI tools are being used internally, and the data flowing into unsanctioned AI services represents an expanding and largely unmeasured exfiltration risk.
This isn’t a future problem; it’s a present one.
The DBIR’s inclusion of GenAI metrics signals that the report’s authors see AI-enabled threats and AI-related risks as a permanent addition to the breach data taxonomy, not a passing trend.
I suspect we will see a surge in AI-assisted vulnerability exploitation in future years of the DBIR, driven by the industrialization of AI discovery and autonomous exploitation.
Espionage and the Blurring of Motive
One of the quieter but structurally significant findings in the 2026 DBIR is that espionage-motivated attacks accounted for 17% of breaches, with a notable overlap between espionage and financial motivation. Threat actors that historically operated with a single clear motive are increasingly pursuing both intelligence collection and monetization within the same campaign.
This blurring complicates the defender’s calculus.
An organization that assumed it wasn’t a target for state-sponsored activity because it lacks classified data or geopolitical significance may find itself compromised by an actor whose primary goal is espionage but who deploys ransomware as a secondary revenue stream, or as cover for the real objective.
The traditional segmentation between “nation-state threats” and “financially motivated cybercrime” is breaking down, and the DBIR’s data reflects that convergence.
The Counter-Narrative Nobody Wants to Hear
Here is where the analysis gets uncomfortable, even counter-intuitive, given how much of the security industry’s spending pitch relies on FUD, using attackers and breach impacts as a forcing function.
Despite 12,195 confirmed breaches in a single year’s dataset, despite exploitation as the leading attack vector, despite ransomware hitting 88% of SMB breaches, the overwhelming majority of breached organizations are still in business. The site destroyedbybreach.com, run by Adrian Sanabria, tracks public companies that suffered major breaches and documents what happened to them afterward. The answer, in most cases, is not much. Stock prices recover, revenue continues, and customers often stay.
I will caveat this with those being public companies, which tend to be larger, better resourced, and able to weather the storm of a cyber incident more so than SMBs. This is a point others such as Kelly Shortridge have made, in her piece “Markets DGAF About Cybersecurity”. Other resources report that while stock prices may drop 5.3% post-breach, they tend to recover and even climb higher within 46 days of an incident.
All that said, the lack of major systemic impacts, along with continued revenue, stock price rebounds, and so on, creates a perverse incentive structure that sits at the heart of why vulnerability management remains chronically underfunded and why exploitation keeps climbing as an initial access vector.
If breaches don’t destroy companies, the economic pressure to invest in prevention is weak. Boards and executives make rational capital allocation decisions based on observed consequences, and the observed consequences of most breaches are manageable. Insurance covers a portion of the loss; customers express concern but rarely leave. Regulatory fines exist but are typically absorbed as a cost of doing business.
The problem with this calculus is that it’s backward-looking. It assumes future breaches will carry the same consequences as past ones, even as the exploitation timeline collapses, autonomous attack tools proliferate, and regulatory regimes tighten.
That said, there is the reality that we’re currently in a deregulatory environment in the U.S. at the Federal level, so any concept of software liability is likely tabled for now, and vendors don’t feel the pressure to address the technical debt they ship downstream to consumers and society either. This, of course, is why many consider cybersecurity to be a market failure.
Why Exploitation Stays at Number One
The structural forces driving exploitation to the top of the DBIR’s initial access chart aren’t temporary; they’re compounding.
The attack surface continues to expand. Cloud adoption, third-party integrations, API proliferation, and the rise of agentic AI systems are all adding new categories of exploitable surface faster than security programs can inventory them, let alone secure them.
The NVD’s inability to keep pace with vulnerability enumeration means the data infrastructure that prioritization depends on is degrading at the same time that the volume of vulnerabilities is increasing. Autonomous exploitation tools are lowering the skill barrier and collapsing the time-to-exploit to hours, while defenders still operate on patch cycles measured in weeks and months. And the economic incentives to invest in vulnerability management remain structurally weak because breaches, so far, haven’t been existential events for most organizations.
This is the exploitation era.
Not because a single report declared it, but because every structural trend in the data points the same direction.
More vulnerabilities, faster exploitation, slower remediation, expanding attack surfaces, and insufficient economic consequences to force a different outcome.
The question the DBIR leaves unanswered isn’t whether exploitation will remain the leading initial access vector. The data makes that nearly certain for the foreseeable future. The real question is what it will take to change the incentive structure that makes this outcome rational.
Until the cost of inaction exceeds the cost of investment, the gap between what attackers can exploit and what defenders can remediate will continue to widen, and the DBIR will continue to document the consequences.