Verizon 2026 DBIR: Patching Is Now a Capacity Problem
Tags: Verizon DBIR 2026, vulnerability exploitation, patch management, vulnerability exploitation surpasses credential abuse, 2026 DBIR initial access vectors


26 May 2026 · 7 min read · James O'Brien

Every year around late May, the security crowd gets its version of the football transfer window: the Verizon DBIR drops, and we all spend a week arguing about what changed. Think of it less as a weather report and more as a tide chart, the kind harbour masters used to pin to the wall. It tells you nothing about today's storm, but it tells you which way the water has been moving for twelve months. And this year the tide has turned in a direction defenders are not going to enjoy.

What Happened

The Help Net Security writeup by Brian Honan, CEO of BH Consulting, walks through the headline findings of the Verizon 2026 Data Breach Investigations Report, built on more than 31,000 security incidents and over 22,000 confirmed data breaches across 145 countries. Sources include police forces, cybersecurity companies, and CSIRTs, which is what makes this report the closest thing the industry has to a vendor-neutral baseline.

The single biggest shift: vulnerability exploitation has overtaken stolen credentials as the most common initial access vector. Exploits now account for 31% of breaches. Credential abuse has collapsed to 13%. For anyone who has spent the last five years building their entire security narrative around phishing decks and MFA rollouts, that is a slap with a cold fish.

Ransomware is up too, involved in 48% of breaches versus 44% the year before. The small mercy: 69% of victims refused to pay. Supply chain breaches grew 60%, and third parties now feature in 48% of breaches. Nearly half of all breaches, in other words, have someone else's logo on them somewhere.

The AI section confirms what every CISO already suspected. 45% of employees are now regular users of AI tools at work, up from 15% the previous year. 67% of those accessing AI on corporate devices are using non-corporate accounts. Source code, internal documents, structured data, and technical documentation are all being uploaded into platforms nobody in security has approved. The humans are still in the loop too, involved in 62% of breaches. The cast list has just got bigger.

Technical Anatomy

The interesting bit isn't that vulnerability exploitation went up. It's why. Only 26% of critical vulnerabilities in the CISA KEV catalogue were fully remediated during 2025, down from 38% the prior year. Median time to fully remediate climbed to 43 days. That's the tide chart bit. The water is moving in the wrong direction on both axes at once: less getting fixed, and what does get fixed takes longer.

Honan calls this a capacity problem rather than a discipline problem, and I think that framing matters. The old story was lazy ops teams ignoring patch Tuesday. The new story is that the volume of disclosed and exploited bugs has outrun the headcount of the people meant to triage them. Anthropic's Mythos gets a name check in the report as the AI grabbing headlines for finding vulnerabilities at scale. Whatever you think of the marketing around AI-assisted bug hunting, the asymmetry is real: machines can generate disclosure faster than humans can generate change tickets.

Layer on the supply chain numbers and the engineering picture gets uglier. A 60% jump in supply chain breaches means the patch surface isn't just your stuff anymore. It's your SaaS vendor's stuff, your managed service provider's stuff, the outsourced payroll system nobody on the security team has SSO into. The MTTR clock starts ticking the moment a CVE lands, but for half your attack surface you don't even own the ticket queue.

And then there's the shadow AI problem. 67% of users on corporate devices hitting AI services through personal accounts means your DLP is, generously, decorative. The DBIR explicitly flags source code and technical documentation being uploaded to unauthorised platforms. From a threat-model perspective, treat every unsanctioned AI session as an exfiltration channel that smiles back at the user. Anyone who has tried to write a sensible egress policy for a 5,000-seat engineering org knows the gap between "we have a policy" and "the traffic actually obeys it".

Who Gets Burned

The verticals RiverCore readers care about are right in the splash zone. iGaming operators run sprawling estates of internet-facing systems, from KYC providers to game integrations to affiliate platforms, and the regulatory clock from the EU on top of that does not pause while you sort your patch backlog. A 43-day median remediation window against attackers who weaponise public PoCs in hours is a bad trade.

Fintech and payments shops are arguably worse off. EU DORA is now operationally live and demands that third-party ICT risk get the same treatment as your own infrastructure. A DBIR finding that third parties now feature in 48% of breaches is not abstract risk theatre; it's a direct line into your regulator's next questionnaire. Combine that with EU NIS2 expanding the definition of essential and important entities, and EU GDPR still happily issuing fines, and the legal exposure stacks up fast.

Crypto and DeFi shops live or die by smart contract security, but the off-chain perimeter is where most actual incidents happen, and that perimeter is now an unpatched-CVE problem. Ad-tech runs on third-party SDKs and DSP integrations, which is basically the supply chain risk profile written in neon.

Smaller operators get hit hardest. The DBIR makes the point that the disruption ransomware causes can be more damaging than the ransom demand itself. SMEs in any of these verticals don't have the bench depth to run a 24/7 vulnerability management programme alongside a regulatory compliance programme alongside an AI governance programme. Something gives. Usually the boring bit, which is the patch queue, which is the bit that just became the number one breach vector.

Playbook for Security Teams

If you read one number this week, read 43 days. Then read 26%. Your next ninety days of security investment should be aimed squarely at those two figures.

First, accept that you cannot patch everything. Build a prioritisation pipeline that starts with the CISA KEV catalogue and the subset of your assets that are actually internet-reachable. If you don't have an accurate inventory of internet-facing systems, that's the first ticket. The DBIR's whole story is that attackers find the boxes you forgot about before you find them.

Second, treat vulnerability management as a capacity problem with capacity solutions. That means automating ticketing, SLA escalation, and verification of fix. It means brutal conversations about end-of-life software that should not be exposed in the first place. Hardening, segmentation, and reducing the attack surface buy you time that pure patching cannot.
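The first two steps above, as an added illustration that is not from the article or the DBIR: a KEV-first prioritisation queue over a scanner export, joined against an internet-reachable flag from the asset inventory, with SLA-breach flags for escalation and the two DBIR metrics (share of KEV findings closed, median days to close) computed from the same rows. The asset names, CVE ids, dates and SLA thresholds are constructed placeholders.

```python
"""KEV-driven patch prioritisation and remediation metrics (added example)."""
from datetime import date
from statistics import median

# Constructed subset of a KEV-style catalogue (placeholder CVE ids, not real ones).
KEV = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"}

# Constructed scanner findings joined with the inventory's internet-facing flag.
FINDINGS = [
    {"asset": "edge-api-01", "cve": "CVE-EXAMPLE-0001", "internet_facing": True,
     "first_seen": date(2026, 3, 1), "remediated": None},
    {"asset": "kyc-gw-02", "cve": "CVE-EXAMPLE-0002", "internet_facing": True,
     "first_seen": date(2026, 3, 10), "remediated": date(2026, 4, 22)},
    {"asset": "hr-db-01", "cve": "CVE-EXAMPLE-0003", "internet_facing": False,
     "first_seen": date(2026, 4, 1), "remediated": None},
    {"asset": "build-01", "cve": "CVE-EXAMPLE-0009", "internet_facing": True,
     "first_seen": date(2026, 4, 20), "remediated": None},
]
TODAY = date(2026, 5, 26)

# Assumed SLAs in days: a KEV entry on an internet-facing box gets the tightest clock.
SLA_DAYS = {"kev_internet": 14, "kev_internal": 30, "other": 90}
TIER_ORDER = {"kev_internet": 0, "kev_internal": 1, "other": 2}


def tier(finding):
    """Bucket a finding: KEV + reachable first, KEV internal next, everything else last."""
    if finding["cve"] in KEV:
        return "kev_internet" if finding["internet_facing"] else "kev_internal"
    return "other"


def prioritise(findings, today):
    """Open findings ordered by tier then age, with an SLA-breach flag for escalation."""
    rows = []
    for f in findings:
        if f["remediated"] is not None:
            continue
        t = tier(f)
        age = (today - f["first_seen"]).days
        rows.append({"asset": f["asset"], "cve": f["cve"], "tier": t,
                     "age_days": age, "sla_breached": age > SLA_DAYS[t]})
    return sorted(rows, key=lambda r: (TIER_ORDER[r["tier"]], -r["age_days"]))


def kev_remediation_stats(findings):
    """Share of KEV findings closed and median days to close, the DBIR's two metrics."""
    kev_rows = [f for f in findings if f["cve"] in KEV]
    closed = [f for f in kev_rows if f["remediated"] is not None]
    rate = len(closed) / len(kev_rows) if kev_rows else 0.0
    days = [(f["remediated"] - f["first_seen"]).days for f in closed]
    return rate, (median(days) if days else None)
```

Feeding the report from `prioritise` into the ticketing system, and tracking `kev_remediation_stats` week over week, is what turns "we patch when we can" into a measurable SLA.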

Third, third-party risk needs teeth. Contractual SLAs around patching, breach notification windows, and the right to audit are no longer paperwork exercises under DORA-style regimes. Map your critical suppliers and assume any one of them is your next incident root cause.

Fourth, do something about shadow AI this quarter. Not a policy memo, an actual control. Sanction a corporate AI tier with SSO and logging, then block the rest at egress. 67% of users on personal accounts is a number you can move with one well-implemented gateway rule.

Fifth, exercise the ransomware response. 69% not paying is encouraging, but the ones who didn't pay are the ones who tested their backups before they needed them.

Key Takeaways

  • Vulnerability exploitation (31%) has overtaken credential abuse (13%) as the top initial access vector. Patch programmes are now the front line, not the back office.
  • Only 26% of critical CISA KEV bugs got fully remediated in 2025, down from 38%. Median remediation time rose to 43 days. Defenders are losing ground on both volume and speed.
  • Ransomware hit 48% of breaches, up from 44%, but 69% of victims refused to pay. Recovery capability is the real ransom negotiation.
  • Third-party and supply chain breaches now feature in 48% of incidents, up 60% year on year. Vendor risk is no longer a procurement checkbox under DORA and NIS2.
  • 45% of employees use AI tools at work (up from 15%), and 67% do so via personal accounts. Sanctioned AI tooling with logged egress is a Q3 priority, not a 2027 roadmap item.

Back to the harbour master and the tide chart. The water has been pulling out steadily for a year, and anyone watching the marks on the wall can see it. The bit where it all falls over is when defenders mistake a slow tide for stable ground. The DBIR has done its job by drawing the line. The question is whether the next twelve months of patch queues and vendor reviews and AI gateways match what the chart is already telling us.

Frequently Asked Questions

Q: What is the main finding of the Verizon 2026 DBIR?

Vulnerability exploitation has overtaken stolen credentials as the most common initial access vector in breaches, accounting for 31% of incidents while credential abuse dropped to 13%. The report is based on more than 31,000 security incidents and over 22,000 confirmed data breaches across 145 countries.

Q: Why is patching getting harder according to the report?

Only 26% of critical vulnerabilities in the CISA Known Exploited Vulnerabilities catalogue were fully remediated in 2025, down from 38% the prior year, and median remediation time grew to 43 days. Brian Honan frames this as a capacity problem: the volume of new vulnerabilities is outpacing organisations' ability to respond.

Q: How big a problem is shadow AI in the enterprise?

45% of employees are now regular AI tool users at work, up from 15% the previous year, and 67% of those accessing AI on corporate devices are using non-corporate accounts. The DBIR identified source code, internal documents, and technical documentation being uploaded to unauthorised AI platforms.

James O'Brien
RiverCore Analyst · Dublin, Ireland