
Security Gap Attackers Are Exploiting Most

Last Updated on May 25, 2026 by Arnav Sharma

For the first time in the Verizon Data Breach Investigations Report’s nineteen-year history, exploitation of software vulnerabilities is the single largest initial access vector behind confirmed breaches. The security gap attackers are exploiting most is no longer stolen credentials, phishing, or social engineering on its own. It is unpatched, exploitable code sitting on internet-facing infrastructure, identified by automated tools and weaponised within hours by AI-assisted threat actors.

That inversion sounds like a headline. For security architects and CISOs, it is a structural change in where cybersecurity risk concentrates and how cyber security programs should be resourced. The number itself, 31%, is less interesting than what it implies: defenders are losing the foot race between disclosure and exploitation, and the conventional playbook of monthly patch cycles plus identity hardening no longer maps to how breaches actually start. This article unpacks what the data really shows about modern cybersecurity threats, why this particular security gap has grown so quickly, and what a defensible response to today’s cyber risks looks like in 2026.

The Headline Finding: Vulnerability Exploitation Overtakes Credential Abuse

What the 2026 DBIR Actually Says

Verizon analysed more than 22,000 confirmed breaches across 145 countries for the 2026 report. Exploitation of vulnerabilities accounted for 31% of initial access in those breaches, up from 20% the year before. Credential abuse, the perennial leader, dropped to 13%. Phishing came in at 16%. System Intrusion, the breach pattern most closely associated with vulnerability exploitation and lateral movement, grew from 36% of breaches in 2024 to roughly 60% in 2026.

The DBIR also exposed a widening remediation gap. Only 26% of critical vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalogue were fully remediated during the reporting period, down from 38% the previous year. The median time to fully resolve those vulnerabilities increased from 32 days to 43 days. Organisations are dealing with roughly 50% more critical vulnerabilities requiring patching, and the curve is bending the wrong way.

Why This Isn’t a Marginal Shift

A 55% year-over-year jump in a top-line breach metric is not noise. It signals that threat actors have recalibrated where they invest reconnaissance and exploit-development effort, and the dataset has caught up with what red teams and incident responders have been seeing since 2024. Vulnerability exploitation has been climbing steadily in the DBIR for three consecutive years. This year it crossed the threshold.

For security leaders who built their cybersecurity posture around identity-first thinking, the implication is direct. Strong authentication, conditional access, and credential hygiene remain essential, but they no longer cover the dominant attack path. If your security programs allocate budget, headcount, and executive attention proportional to where breaches originate, vulnerability and exposure management should now sit at the top of the stack, not in the middle.

The Hidden Caveat: Identity-Related Access Still Adds Up

The DBIR’s headline comparison pits vulnerability exploitation (31%) against credential abuse (13%) as discrete vectors. That comparison is accurate but incomplete. Identity-related initial access is tracked across three categories: phishing (16%), credential abuse (13%), and pretexting (about 3%). Combined, identity-driven entry still reaches roughly 32%, statistically tied with vulnerability exploitation.

The honest reading is that two distinct attack paths are now roughly equal in operational impact. Both demand attention. The difference is that vulnerability exploitation has gone from third place to first in twenty-four months, while identity attacks have been the established threat for a decade. Trajectory matters when planning where to invest in 2026 and 2027.

Why This Security Gap Is the One Attackers Are Exploiting Most

Volume: The Vulnerability Pipeline Is Saturated

Organisations are drowning in disclosure. Vulnerability instances in the DBIR dataset grew from 68.7 million in 2022 to 527 million in 2025. That growth outpaces every realistic improvement in patch management throughput. Even where mature security teams improved their remediation rate, the inbound volume of new known vulnerabilities grew faster.

The DBIR makes a hard observation: based on current trajectories, roughly 47 million vulnerability instances simply will not be remediated under any reasonable scenario. They will sit in production environments, in dependencies, in third-party software, and across cloud platforms. They are, in effect, permanent attack surface.

Velocity: Time-to-Exploit Has Gone Negative

In 2020, the average time between a CVE’s public disclosure and its first observed exploitation was 745 days. By 2025, that window dropped to roughly five days for most vulnerabilities and hours for high-value targets. According to Hadrian’s analysis of Mandiant data, the average time-to-exploit across 2025 was negative one day. Attackers, on average, were exploiting vulnerabilities before patches were publicly available.

Flashpoint’s research puts the average at 44 days when measured across the full population, but the distribution skews aggressively. For internet-facing edge devices, VPN gateways, and management consoles, exploitation in under 24 hours of disclosure has become routine. Worse, the share of zero-day vulnerabilities exploited before public disclosure rose 42% year-over-year according to CrowdStrike’s 2026 Global Threat Report, meaning some zero-day attacks now precede the patch entirely. CISA is reportedly considering cutting the default KEV remediation window from two weeks to three days in direct response.

Visibility: The Gap You Can’t See

Volume and velocity compound each other when defenders lack visibility. The DBIR found that at day seven after detection, between 60% and 70% of known-exploited vulnerabilities remained open across organisations of every maturity level. The plateau holds regardless of investment in security tools, automated tools, or staffing. The DBIR describes this as a theoretical ceiling for current remediation processes.

That ceiling exists because most security environments still treat vulnerability management as a periodic scanning and ticketing exercise rather than continuous monitoring tied to active exploitation intelligence. The result is a structural blind spot precisely where attackers concentrate their effort.

How AI Changed the Math for Both Sides

AI-Assisted Weaponisation in Hours, Not Weeks

The 2026 DBIR observed that fifteen distinct attack techniques are now being enhanced with generative AI. That number understates the change. Threat actors are using AI at every stage of the kill chain: reconnaissance, vulnerability comprehension, exploit synthesis, payload adaptation, and target-specific testing. Even when AI does not produce a finished exploit, it compresses the human bottleneck that used to slow weaponisation.

Google’s Threat Intelligence Group documented the first operational “just-in-time” AI-powered malware in November 2025. Russian APT28’s PROMPTSTEAL used Hugging Face’s API to dynamically generate reconnaissance commands during execution against Ukrainian targets, rather than hard-coding functionality. OpenAI’s June 2025 threat intelligence report disclosed ten major malicious AI operations the company had disrupted across China, Russia, Iran, North Korea, and other actors.

What “Turn-Key” Exploitation Looks Like

Two developments in late 2025 mark a phase change. AutoExploit demonstrated a fully automated pipeline that, given a CVE advisory and patch diff, can synthesise a vulnerable application, generate functional exploit code, and validate it in roughly ten to fifteen minutes for about one dollar of compute. HexStrike-AI, observed in the wild against Citrix NetScaler vulnerabilities (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424), reduced exploitation time from days to minutes for unauthenticated remote code execution.

This is the operational reality behind the DBIR’s warning that the AI-assisted vulnerability window has shrunk from months to hours. The bottleneck is no longer a skilled exploit developer reading patch diffs at 2 a.m. The bottleneck is whatever takes longest in the attacker’s pipeline, which is increasingly nothing.

Why AI-Driven Defence Alone Can’t Catch Up

AI is genuinely useful on the defender side, particularly for triage, alert correlation, and prioritisation. Combined with AI-driven analytics, modern security information and event management deployments can surface exploitable patterns that would have been buried in log noise five years ago. But there is a structural asymmetry. Attackers need one viable exploit path. Defenders need to close all of them. AI amplifies both sides, but it amplifies the side with the simpler optimisation problem more.

The pragmatic implication: AI tooling for defenders is necessary but insufficient. The architectural changes that matter (exposure reduction, segmentation, and exploitation-led prioritisation) do not become optional just because the SOC has a new dashboard.

The Second-Order Gaps Feeding the Same Problem

Vulnerability exploitation does not exist in isolation. The DBIR’s data shows it interacting with three other gaps that amplify its impact.

Third-Party and Software Supply Chain Exposure

Third-party breaches surged to 48% of incidents in the 2026 DBIR, double the prior year. Ransomware appeared in 48% of confirmed breaches, with 96% of small and midsize businesses affected. The common thread is dependency: when you depend on a vendor’s code, their unpatched vulnerability becomes your breach.

The Salesloft Drift incident from August 2025 is the canonical example. Attackers tracked as UNC6395 compromised Salesloft’s GitHub environment, pivoted to Drift’s AWS environment, and stole OAuth tokens issued by more than 700 customer organisations. Between August 8 and 18, they used those tokens to query Salesforce, Google Workspace, and other connected SaaS platforms, harvesting support case text for embedded credentials. The downstream victims included Cloudflare, Google, Palo Alto Networks, Proofpoint, and Zscaler. None of them were breached through their own systems. They were breached through a trusted third-party integration that bypassed every security control they had invested in.

OAuth tokens are now the practical perimeter for most enterprises, and the visibility into who holds them is, in most organisations, close to zero.

Cloud Misconfigurations and the API Attack Surface

The rapid expansion of cloud adoption, multi-cloud environments, and API-driven architectures created a permanent class of misconfigurations: exposed storage buckets, over-permissive IAM roles, privilege drift, and unscoped service accounts. Attackers scan for these at scale. Many of the 2026 cyber incidents catalogued so far, including ransomware-driven security incidents at the University of Hawai’i and the Pathstone Family Office, traced back to misconfigured systems, weak access controls, and a lack of monitoring on cloud environments and workload identities.

Misconfigurations do not produce CVEs. They do not appear in scanner outputs. They are nonetheless one of the most reliable categories of security vulnerabilities in the modern attack surface, and they routinely expose sensitive data without triggering any of the existing security controls a typical enterprise relies on.

Identity and Authentication as Connective Tissue

Even when vulnerability exploitation is the initial vector, attackers move laterally across environments by abusing identity. Compromised service accounts, missing MFA on legacy endpoints, weak permission boundaries between SaaS platforms, and persistent OAuth grants are the bridges between an initial foothold and a full breach. The DBIR’s root cause analysis found that only 23% of third-party organisations fully remediated missing or improperly secured MFA on cloud accounts, and weak password and permission misconfigurations took a median of eight months to resolve for 50% of findings.

The lesson for application security, identity and access management, and identity management programs: vulnerability exploitation is the entry door, but identity is the corridor. Closing one without the other leaves the breach pattern intact.

A Prioritisation Framework: Patch What’s Actually Being Exploited

The DBIR’s most actionable conclusion is also its least quoted: “choosing the correct ones to patch really is the key strategy.” Not patching everything. Not patching faster across the board. Choosing correctly, based on what is actually being exploited.

Start with CISA KEV, Not Your Total Vulnerability Backlog

Most enterprises track thousands of open vulnerabilities. A 9.8 CVSS score on something that no threat actor has ever weaponised is a lower priority than a 7.2 on a CVE listed in CISA KEV with confirmed in-the-wild exploitation. Vulnerability prioritisation should anchor on KEV first, EPSS scores second, and CVSS only as a tiebreaker.

Map Exploitable Vulnerabilities to Attack Surface, Not Severity Scores Alone

A critical CVE on an internal-only system behind a segmented network is operationally different from a medium-severity CVE on a VPN gateway. Pair vulnerability data with attack surface mapping, ideally continuous, so prioritisation reflects real exposure rather than theoretical severity. The vulnerabilities that attackers actively exploit are overwhelmingly on internet-facing infrastructure: edge devices, web applications, identity providers, and cloud platforms.

Compensating Controls When Patching Isn’t Viable

For known vulnerabilities you cannot patch within the exposure window, virtual patching through WAF rules, IPS signatures, or other compensating controls is no longer optional. AI-driven systems can now generate validated WAF rules for newly disclosed CVEs in roughly the same window attackers use to build exploits. This is first aid, not a cure, but in a five-day time-to-exploit (TTE) environment it materially reduces blast radius.

Traditional Patching vs. Exploitation-Led Prioritisation

| Dimension | Traditional Patching | Exploitation-Led Prioritisation |
|---|---|---|
| Trigger | Monthly cycle, severity score | Active exploitation signals (KEV, EPSS, threat intel) |
| Coverage | All CVEs above threshold | KEV-listed and high-EPSS first, others queued |
| Exposure window | 30 to 90 days typical | 24 to 72 hours for KEV; 7 days for high-EPSS |
| Decision input | CVSS score, asset owner | Attack surface exposure, exploit-in-wild status, business impact |
| Compensating controls | Optional | Mandatory for any patch delay beyond window |
| Audit posture | Compliance checklists | Time-to-remediation telemetry, KEV closure rate |

The shift is not from one tool to another. It is from a calendar-driven process to a threat-informed one.
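The ordering rule above (KEV first, EPSS second, CVSS only as a tiebreaker), the exposure-window SLAs from the checklist, and the "compensating controls become mandatory" trigger, worked through as an added example that is not part of the article. The tier mapping (KEV on an internet-facing asset is critical, KEV elsewhere or high-EPSS is high, everything else standard) and the 0.5 EPSS cut-off are assumptions; the CVE ids, scores and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    epss: float            # EPSS probability of exploitation, 0.0 to 1.0
    in_kev: bool           # listed in CISA KEV
    internet_facing: bool
    first_seen: datetime   # when the scanner first reported the finding
    patched: bool = False

EPSS_HIGH = 0.5   # assumed cut-off for "high-EPSS"; not a figure from the article

def tier(f: Finding) -> str:
    """KEV first, EPSS second; CVSS never promotes a tier on its own.
    Tier mapping is an assumption: KEV on internet-facing assets is critical,
    KEV elsewhere or high-EPSS is high, everything else is standard."""
    if f.in_kev:
        return "critical" if f.internet_facing else "high"
    if f.epss >= EPSS_HIGH:
        return "high"
    return "standard"

# Exposure windows taken from the article's checklist: 72 h, 7 days, 30 days.
SLA = {"critical": timedelta(hours=72), "high": timedelta(days=7),
       "standard": timedelta(days=30)}

def sort_key(f: Finding):
    # Order: KEV status, then exposure, then EPSS, with CVSS only as tiebreaker.
    return (not f.in_kev, not f.internet_facing, -f.epss, -f.cvss)

def prioritise(findings):
    """Open findings in the order they should be worked."""
    return sorted((f for f in findings if not f.patched), key=sort_key)

def needs_compensating_control(f: Finding, now: datetime) -> bool:
    """True once an open finding has outlived its window: a virtual patch
    (WAF/IPS rule) is then mandatory rather than optional."""
    return not f.patched and now - f.first_seen > SLA[tier(f)]

# Constructed sample data: CVE ids, scores and dates are illustrative only.
NOW = datetime(2026, 5, 25)
FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-01", 7.2, 0.91, True, True, NOW - timedelta(days=4)),
    Finding("CVE-0000-0002", "hr-db-int", 9.8, 0.02, False, False, NOW - timedelta(days=10)),
    Finding("CVE-0000-0003", "web-app-02", 8.1, 0.63, False, True, NOW - timedelta(days=2)),
    Finding("CVE-0000-0004", "build-srv", 6.5, 0.80, True, False, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        flag = "COMPENSATE" if needs_compensating_control(f, NOW) else ""
        print(f"{tier(f):9} {f.cve} {f.asset:12} cvss={f.cvss} epss={f.epss:.2f} {flag}")
```

Note that the 9.8 CVSS finding on the internal database lands last, while the 7.2 on the VPN gateway is both first and already overdue for a compensating control.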

Building a Response Plan That Survives the Velocity Gap

A response plan written for a thirty-day exposure window is operationally useless against a five-day TTE. Modern incident response and preparedness require structural changes, not procedural ones.

Continuous Monitoring and Centralized Logging Architecture

Security teams need centralized logging across cloud platforms, SaaS platforms, endpoints, and identity providers, with detection content keyed to KEV-relevant indicators and to the cyberattacks most likely to land first. SIEM coverage of the most likely entry vectors (exposed web applications, VPN gateways, identity provider authentication flows, and OAuth grant activity) should be treated as a baseline control, not an aspiration. Endpoint security and endpoint detection coverage on every workload, including mobile devices used for authentication, removes the easiest blind spots and the security failures that follow when those blind spots go unmonitored.

Pre-Built Escalation Playbooks for KEV-Listed CVEs

When a new CVE lands on KEV, the response should not start with a meeting. It should start with a runbook: identify affected assets, deploy compensating controls within hours, schedule patches against an explicit SLA, and escalate to executive notification if any affected asset cannot be remediated within the window. Pre-built escalation paths eliminate the negotiation that consumes the first 48 hours of every CVE response.

Beyond Compliance Checklists: Measuring Time-to-Remediation

Compliance checklists measure whether a control exists. They do not measure whether it works against a 24-hour TTE. The metrics that matter in 2026 are time-to-remediation for KEV-listed vulnerabilities, KEV closure rate, percentage of internet-facing assets covered by continuous monitoring, and mean time to detect post-exploitation activity. If your security audit cycle reports the first set without the second, the report is describing a posture that no longer matches the threat model.
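The metrics named above (KEV time-to-remediation, KEV closure rate, monitoring coverage of internet-facing assets) computed from a remediation ledger, as an added example that is not part of the article. The ledger and asset inventory are constructed sample data, and the 3-day SLA used for breach counting is the checklist's 72-hour critical tier.

```python
from datetime import date
from statistics import median

# Constructed remediation ledger; CVE ids and dates are illustrative only.
# Each record: finding id, KEV-listed?, day opened, day closed (None if still open).
LEDGER = [
    {"cve": "CVE-0000-0101", "kev": True,  "opened": date(2026, 4, 1),  "closed": date(2026, 4, 3)},
    {"cve": "CVE-0000-0102", "kev": True,  "opened": date(2026, 4, 2),  "closed": date(2026, 5, 20)},
    {"cve": "CVE-0000-0103", "kev": True,  "opened": date(2026, 4, 10), "closed": None},
    {"cve": "CVE-0000-0104", "kev": True,  "opened": date(2026, 5, 1),  "closed": date(2026, 5, 4)},
    {"cve": "CVE-0000-0105", "kev": False, "opened": date(2026, 4, 5),  "closed": date(2026, 5, 15)},
]

# Constructed asset inventory: which internet-facing assets actually feed the SIEM.
ASSETS = [
    {"name": "vpn-gw-01",  "internet_facing": True,  "monitored": True},
    {"name": "web-app-02", "internet_facing": True,  "monitored": False},
    {"name": "idp-01",     "internet_facing": True,  "monitored": True},
    {"name": "hr-db-int",  "internet_facing": False, "monitored": False},
]

def kev_closure_rate(ledger, as_of: date) -> float:
    """Share of KEV-listed findings closed on or before as_of."""
    kev = [r for r in ledger if r["kev"]]
    closed = [r for r in kev if r["closed"] is not None and r["closed"] <= as_of]
    return len(closed) / len(kev) if kev else 0.0

def median_kev_ttr_days(ledger) -> float:
    """Median time-to-remediation, in days, over closed KEV-listed findings."""
    spans = [(r["closed"] - r["opened"]).days for r in ledger if r["kev"] and r["closed"]]
    return float(median(spans)) if spans else float("nan")

def kev_sla_breaches(ledger, as_of: date, sla_days: int = 3):
    """KEV findings that stayed open past the SLA (closed late or still open)."""
    breaches = []
    for r in ledger:
        if not r["kev"]:
            continue
        end = r["closed"] or as_of          # open findings keep ageing until today
        if (end - r["opened"]).days > sla_days:
            breaches.append(r["cve"])
    return breaches

def monitoring_coverage(assets) -> float:
    """Fraction of internet-facing assets with continuous monitoring in place."""
    facing = [a for a in assets if a["internet_facing"]]
    return sum(a["monitored"] for a in facing) / len(facing) if facing else 0.0

if __name__ == "__main__":
    today = date(2026, 5, 25)
    print(f"KEV closure rate:      {kev_closure_rate(LEDGER, today):.0%}")
    print(f"Median KEV TTR (days): {median_kev_ttr_days(LEDGER)}")
    print(f"KEV SLA breaches:      {kev_sla_breaches(LEDGER, today)}")
    print(f"Monitoring coverage:   {monitoring_coverage(ASSETS):.0%}")
```

The median hides the breaches: a 3-day median looks healthy while half the KEV findings blew through the 72-hour window, which is why the breach list belongs on the same report.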

What Good Cybersecurity Posture Looks Like in 2026

A defensible cybersecurity posture in 2026 has five characteristics. First, vulnerability and exposure management is the top-funded discipline within the security program, not a subordinate of compliance. Second, KEV-listed vulnerabilities are closed within days, not weeks. Third, third-party and software supply chain risk is governed as actual attack surface, with OAuth grants inventoried and SaaS integrations reviewed quarterly. Fourth, secure software development practices, including continuous security testing, dependency scanning, and product security review, are non-negotiable at the application security boundary. Fifth, AI-driven analytics support prioritisation and detection, with humans retaining decision authority over containment and escalation.

Organisations that operate this way will not eliminate breaches. They will reduce blast radius, shorten dwell time, and make themselves expensive enough as targets that opportunistic threat actors look elsewhere.

Closing the Gap: A Checklist for Security Leaders

For security leaders facing budget cycles in the next two quarters, the following actions move the needle:

  • Reweight the security program so vulnerability and exposure management has explicit executive sponsorship and a named owner with authority over remediation SLAs.
  • Establish a KEV-anchored remediation SLA: critical-tier 72 hours, high-tier 7 days, all others within 30 days, with compensating controls mandatory for any delay.
  • Inventory every OAuth grant, third-party integration, and SaaS-to-SaaS connection. Treat the result as your real attack surface map.
  • Deploy or validate continuous monitoring on internet-facing edge infrastructure, identity providers, and high-value cloud workloads.
  • Run a tabletop exercise specifically modelled on the Salesloft Drift incident pattern: a vendor breach that bypasses your perimeter through legitimate authentication.
  • Update incident response plans with pre-built escalation playbooks keyed to KEV publication.
  • Build virtual patching capability through WAF or IPS for cases where production patching exceeds the exposure window.
  • Replace compliance-checklist reporting with time-to-remediation telemetry surfaced to the board.

None of this is novel. What is novel is that, given the 2026 DBIR data, none of it is optional.

Arnav Sharma
Microsoft Certified Trainer · Cloud · Cybersecurity · AI

I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
