Defenders are dealing with an influx of vulnerabilities like never before, and patch prioritization has never been more critical, according to Verizon Business’s “2026 Data Breach Investigations Report” (“DBIR”). This year’s report confirmed several ongoing trends, around vulnerability exploitation and threat actors abusing AI, for example, but the “2026 DBIR” more broadly promotes sticking to the cybersecurity fundamentals as the industry undergoes massive change.

And indeed, defenders in the past year have been tasked with handling everything from self-replicating worms infesting software components to preparing for large language models (LLMs) that can supposedly discover critical zero-day vulnerabilities all on their own.

“Amid all this change, one message stays the same: The threat landscape will keep evolving, but the fundamentals still matter most,” the report read. “Organizations that stay grounded in strong cybersecurity basics (clear visibility into assets and third parties, disciplined patch management, and well-practiced response plans along with a culture that supports and enables secure behavior) are better positioned to handle today’s realities and whatever comes next.”


Most striking in the “DBIR” might be the statistics that show vulnerability exploitation to be the most common initial access vector for breaches last year, up 31% from the previous year. Meanwhile, only 26% of critical vulnerabilities (defined as those in CISA’s Known Exploited Vulnerability catalog) were fully remediated by organizations in 2025, compared to 38% the previous year. Just over half (58%) were partially remediated last year, and 16% remained unaddressed.

Further, median resolution time increased by two weeks (43 days, up from 32 in 2024), and organizations had 50% more critical bugs to patch than last year, according to the dataset. This is especially notable because the “2025 DBIR” showed marked improvements in terms of remediation (a trend that continued from previous years).

While organizations perhaps got worse at patching, Verizon also observed a dramatic increase in the number of vulnerability detections observed year over year, likely driven by AI-assisted bug hunting. “There were 68.7 million records in the 2022 dataset and 527.3 million in 2025 — almost eight times the volume,” the “DBIR” reads.

Why Organizations Struggle to Stay on Top of Vulnerabilities

The reasons behind why this is happening are complicated. The volume of critical vulnerabilities is immense and only growing worse, and as the “DBIR” notes, even the best-resourced organizations can patch only 30% to 40% of them in the first week. 


Organizations also have complex environments, which can contain IT, operational technology (OT), Internet of Things (IoT) gear, AI, and cloud products to varying degrees, all being used by a range of human and non-human identities, which require complex access and authorization processes. Meanwhile, these same organizations have resource and operational constraints as well as competing priorities; some vulnerabilities will inevitably sit unpatched for weeks or months as a result.

Attackers know this. Old vulnerabilities from years ago continue to be exploited, and it doesn’t help that one of the biggest beneficiaries of our new AI-powered future is the threat actors themselves. Threat actors use large language models (LLMs) to develop malware, find vulnerabilities, construct phishing lures, automate reconnaissance, and more.

“Threat actors are demonstrably using GenAI to help at different stages of attack, including targeting, initial access, and development of malware and other tools,” the “DBIR” reads. “The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50.”


Patrick Münch, chief security officer of Mondoo, tells Dark Reading that threat actors experience an asymmetric advantage on the AI front because adversaries need to find only one path to succeed, and AI lowers the cost of exploitation attempts to near zero. That said, he doesn’t think the asymmetry is permanent. He argues the future will be in agentic remediation to combat an AI offensive.

“The defenders who close the gap will be the ones who use AI agentically, not as a co-pilot that helps a human security analyst write a slightly better ticket, but as autonomous workflows that detect, contextualize, prioritize, and remediate without human bottlenecks in the path,” he predicts. 

How to Get Ahead of the Vulnerability Flood

Depending on who you ask, you’ll find a variety of answers for how to best get ahead of the vulnerabilities overwhelming organizations today. Some might recommend using one of the many software-as-a-service (SaaS) tools intended to manage the problem, or integrating LLMs, or something else entirely. 

Verizon’s recommendation is more straightforward, and it’s the tried-and-true advice of patch prioritization. Not all vulnerabilities are created equal, and some flaws will represent a more immediate risk to one’s environment than others. The advice of the “DBIR” is to prioritize based on active exploitation, or recency of exploitation.

Old vulnerabilities may face exploitation just like new vulnerabilities, but researchers found that “the longer it’s been since a vulnerability has been exploited, the less likely it is to be exploited again soon.” Based on most recent exploitation, Verizon found that the probability of exploitation resurgence drops after about 30 days, again at 90 days, and again after around nine months. After a year, the probability of seeing new exploitation is about the same as if the flaw had never been exploited at all.

The report also notes that even though different environments have different needs, active exploitation should always come first in the hierarchy of fixing, despite the age of the vulnerability in question. Some new vulnerabilities may never be targeted, while many persistently exploited flaws are years old. 

Tim Jarrett, vice president of strategic product management at Veracode, says that one way to manage the influx of vulnerabilities is to shift detection left, prior to facing active exploitation in the first place. But for vulnerabilities already in the environment, Jarrett recommends prioritizing based on exploitation status (as the “DBIR” recommends) through the KEV catalog and the Exploit Prediction Scoring System (EPSS), or leaning on automated remediation tools.
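The ordering the “DBIR” and Jarrett describe above (known exploitation first, then recency of exploitation using the report’s 30-day, 90-day, nine-month and one-year buckets, then EPSS, with CVSS only as a last tie-breaker) can be expressed as a sort key over an asset inventory. The following is an added illustration, not code from Verizon or Veracode; the `Vuln` record, the tier boundaries as integer day counts, the placeholder identifiers and the reference date are all assumptions, and the EPSS and KEV values are constructed sample inputs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Recency tiers from the DBIR text: renewed exploitation becomes less likely
# after ~30 days, again at 90, again around nine months (~270 days); after a
# year the odds are about the same as for a flaw never exploited at all.
RECENCY_TIERS = ((30, 0), (90, 1), (270, 2), (365, 3))
NEVER_EXPLOITED = 4

@dataclass
class Vuln:
    vid: str                        # placeholder ids, not real CVEs
    in_kev: bool                    # in CISA's KEV catalog (known exploited)
    last_exploited: Optional[date]  # most recent exploitation seen, if any
    epss: float                     # EPSS probability 0..1, assumed supplied
    cvss: float                     # base score, only the final tie-breaker

def recency_tier(v: Vuln, today: date) -> int:
    """Days since last observed exploitation -> tier (0 = most recent)."""
    if v.last_exploited is None:
        return NEVER_EXPLOITED
    age = (today - v.last_exploited).days
    for limit, tier in RECENCY_TIERS:
        if age <= limit:
            return tier
    return NEVER_EXPLOITED  # over a year old: treat like never exploited

def priority_key(v: Vuln, today: date) -> tuple:
    """Known exploitation first, then recency, then EPSS, then CVSS."""
    return (0 if v.in_kev else 1, recency_tier(v, today), -v.epss, -v.cvss)

def prioritize(vulns: list, today: date) -> list:
    return sorted(vulns, key=lambda v: priority_key(v, today))

def sample_inventory() -> list:
    """Constructed sample data for demonstration only."""
    return [
        Vuln("VULN-A", True, date(2026, 4, 20), 0.50, 7.5),  # exploited 11 days ago
        Vuln("VULN-B", True, date(2024, 1, 10), 0.90, 9.8),  # exploited over a year ago
        Vuln("VULN-C", False, None, 0.97, 9.8),              # never seen, but high EPSS
        Vuln("VULN-D", True, date(2026, 2, 15), 0.30, 6.5),  # exploited 75 days ago
        Vuln("VULN-E", False, None, 0.02, 9.9),              # top CVSS, no exploitation
    ]

if __name__ == "__main__":
    today = date(2026, 5, 1)  # constructed reference date
    for v in prioritize(sample_inventory(), today):
        print(v.vid, priority_key(v, today))
```

Note that the highest-CVSS item (VULN-E) sorts last, which is the point of the report’s advice: severity alone is a poor proxy for what will be exploited next.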
