Verizon has just published the 19th edition of the Data Breach Investigations Report (DBIR), the most cited and referenced breach report in the global cybersecurity industry. The headline finding of this year’s edition breaks with nearly two decades of history: for the first time in 19 years of DBIR publication, vulnerability exploitation has overtaken stolen credentials as the most frequent initial access vector in data breaches. The report, based on analysis of over 31,000 security incidents and more than 22,000 confirmed breaches occurring between November 2024 and October 2025, sends a direct message to all security leaders: patching is no longer a maintenance task. It is the first line of defence.

What does the 2026 DBIR reveal? The key findings

The 2026 Verizon report confirms several critical trends that security professionals must immediately integrate into their risk management:

  • 31% of breaches from vulnerability exploitation. Nearly a third of all confirmed breaches in 2025 began with an unpatched vulnerability. This is the first time in 19 years that this vector has overtaken the abuse of stolen credentials, which dropped to 13%.
  • Over 22,000 confirmed breaches analysed. The volume of breaches analysed in the 2026 edition almost doubles the previous report (12,195 breaches in the 2025 DBIR). Either there are more incidents, or there is greater detection and reporting capacity. Possibly both. Bear in mind that the DBIR dataset depends on which partners contribute each year, so the raw count is not a like-for-like measure of growth.
  • Only 26% of critical CVEs in the CISA KEV were patched in 2025. The CISA KEV catalogue lists vulnerabilities under confirmed active exploitation. Only one in four was fully remediated during 2025. The previous year the figure was 38%. The trend is downward.
  • The median patching time rose to 43 days. In the 2025 DBIR it was 32 days. In 2026 it rises to 43. The time to patch is growing precisely when the exploitation window is compressing.
  • The volume of critical vulnerabilities to patch grew 50%. Organisations are not getting better at patching: they simply have more to patch. 50% more critical CVEs than the previous year with the same teams and processes.
  • The exploitation window has compressed to hours. Verizon documents how AI is being deployed by threat actors across all phases of the attack lifecycle. The window between vulnerability disclosure and active exploitation has moved from months to hours in the most critical cases.
  • AI is accelerating attacks, not just defences. On average, threat actors apply AI assistance across 15 distinct attack techniques; some across as many as 50. Reconnaissance, targeting, initial access and malware development: the entire cycle is being accelerated by AI.
  • Shadow IT entered the top 3 sources of breaches. Unmanaged assets and services — personal SaaS applications, unauthorised cloud instances, unapproved APIs and tools — have become one of the three most frequent breach vectors.
  • Ransomware remains prevalent but payments are declining. Ransomware prevalence remains high, but the percentage of organisations paying the ransom has declined compared to previous editions.

Why vulnerability exploitation has overtaken credentials for the first time in 19 years

The shift in the #1 vector is not accidental. The 2026 DBIR points to structural causes that have accumulated over years until crossing this historic threshold; four stand out:

  1. Organisations cannot patch fast enough to keep up with new vulnerabilities. The number of critical CVEs published annually continues to grow. Security teams, with the same resources, must prioritise and execute on a volume 50% higher than the previous year. The result is an accumulation of security technical debt that becomes attack surface.
  2. AI has compressed the exploitation window to hours. Where a vulnerability once took weeks or months to be weaponised, threat actors using AI tools can now develop and deploy exploits in hours. The window to patch before the attack arrives has shrunk dramatically.
  3. Credential theft defences have improved. MFA, though imperfect as this week’s EvilTokens case demonstrated, has hardened the credentials vector sufficiently that attackers find it more profitable to seek unpatched vulnerabilities in internet-facing systems.
  4. The vulnerability attack surface keeps growing. Every new SaaS application, every IoT device, every internet-facing server, every unaudited development extension installed is additional attack surface. Accelerated digitalisation creates vulnerabilities faster than teams can manage them.

The patching crisis: why organisations cannot remediate in time

The 2026 DBIR puts numbers to something security professionals have been observing for years: the vulnerability management model that operates on 30–90 day cycles is no longer sufficient for the current threat landscape. Three factors explain the crisis:

  • Volume exceeds operational capacity. 50% more critical CVEs than the previous year with the same teams means organisations must prioritise under constant pressure. 74% of critical KEV CVEs are not patched — not because organisations don’t know about them, but because they cannot keep up.
  • Third-party dependencies lengthen cycles. Many organisations do not directly manage the infrastructure hosting their vulnerabilities: they depend on cloud providers and on-premise software vendors, each with its own update cycle. As we saw this week with cPanel (CVE-2026-41940) or Exchange OWA (CVE-2026-42897), the chain from “patch available” to “patch applied” can take weeks.
  • Shadow IT creates systematic blind spots. If the security team doesn’t know an asset exists, it can’t be patched. Shadow IT’s growth into the top 3 breach sources confirms that asset inventory remains an unsolved problem in most organisations.

What the 2026 DBIR confirms about the attacks we covered this week

The value of the DBIR as a reference framework is that it turns tactical intelligence into strategic context. The five attacks Apolo Cybersecurity has documented this week are direct examples of the patterns the 2026 DBIR identifies as dominant:

  • Exchange OWA CVE-2026-42897 (Monday): zero-day under active exploitation with no permanent patch, with remediation time depending on each organisation applying a manual mitigation. Exactly the DBIR pattern: disclosure-to-exploitation window compressed to hours, median patching time of 43 days.
  • The Gentlemen ransomware (Tuesday): ransomware as the second most impactful DBIR vector, with affiliates using AI to calibrate ransoms and maximise pressure. The DBIR confirms ransomware remains prevalent despite declining payments.
  • EvilTokens / OAuth Device Code Phishing (Wednesday): the DBIR documents the rise of phishing as an entry vector and the growing sophistication of techniques that evade standard MFA defences. EvilTokens is the commercial materialisation of that trend.
  • DDoS against the CNMC (Thursday): the DBIR confirms growth in attacks against public infrastructure and availability, especially in the context of geopolitical tensions.
  • TeamPCP / GitHub via Nx Console (Monday): the DBIR explicitly documents the rise of attacks against developer environments, CI/CD pipelines and software supply chains as a first-order emerging vector. TeamPCP is the 2026 case study.

Key lessons for CISOs and SOC teams in Spain

The 2026 DBIR is not a report of abstract global trends. It is an operational risk map with direct implications for any Spanish organisation:

  • Prioritise patching as a critical activity, not maintenance. If 31% of breaches begin with an unpatched vulnerability and the median patching time is 43 days, patching cannot be managed on monthly cycles. CVEs in the CISA KEV catalogue must be treated as active incidents: 72-hour deadlines, not weeks.
  • Actively inventory all exposed assets. Shadow IT in the top 3 breach sources means asset inventory is a security task, not just an operations one. You cannot patch what you don’t know exists.
  • Review the patching cycle of critical suppliers. Many vulnerabilities in Spanish environments live in systems managed by third parties: hosting providers, on-premise software vendors, SaaS providers. Due diligence on patching SLAs from these providers is part of risk management.
  • Don’t delegate vulnerability prioritisation to CVSS scores alone. CVSS measures severity, not urgency. A CVE with CVSS 7.0 that is listed in the KEV catalogue and sits on an internet-facing system demands more immediate attention than a CVSS 9.5 CVE that affects only a configuration you do not run. Prioritisation must be based on context: is it being actively exploited? Is it exposed in our infrastructure? Does the affected asset even appear in our inventory?
  • Update risk models to treat AI as a threat amplifier. If attackers use AI across 15 attack techniques on average, the response time available to defenders has been systematically compressed. Risk models that assume exploitation windows of weeks are no longer valid.
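
As an added example (not code from the original article or from Apolo Cybersecurity) of the prioritisation rule above, the Python script below joins a vulnerability-scan export against a snapshot of CISA's KEV feed and ranks findings by exploitation evidence and exposure, with CVSS only breaking ties within a tier. It also flags findings on assets the inventory does not know about, applies the 72-hour deadline to exploited-and-exposed CVEs, and computes the median days between a CVE's KEV dateAdded and the date it was fixed, the metric behind the "median patching time" figure. The KEV field names are the real feed's; the CVE IDs, asset names, dates and the 14/30/90-day windows for the lower tiers are constructed assumptions.

```python
"""KEV-aware prioritisation of scanner findings.

Ranks by evidence of exploitation and exposure first, CVSS second, and
flags assets missing from the inventory. All data below is constructed.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed snapshot using the field names of CISA's KEV JSON feed
# (known_exploited_vulnerabilities.json). CVE IDs are placeholders, not
# real catalogue entries.
KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Webmail", "dateAdded": "2025-09-01",
         "dueDate": "2025-09-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Build Agent", "dateAdded": "2025-10-15",
         "dueDate": "2025-11-05", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner export: one row per (asset, CVE). "in_inventory" is
# whether the CMDB knows the asset; "first_seen" is when the scanner found it.
SCAN_FINDINGS = [
    {"asset": "owa.corp.example", "cve": "CVE-0000-0001", "cvss": 7.2,
     "internet_exposed": True, "in_inventory": True, "first_seen": "2025-10-20"},
    {"asset": "ci-runner-03", "cve": "CVE-0000-0002", "cvss": 9.8,
     "internet_exposed": False, "in_inventory": True, "first_seen": "2025-10-20"},
    {"asset": "proxy-unknown-17", "cve": "CVE-0000-0001", "cvss": 7.2,
     "internet_exposed": True, "in_inventory": False, "first_seen": "2025-10-21"},
    {"asset": "wiki.corp.example", "cve": "CVE-0000-0003", "cvss": 9.5,
     "internet_exposed": False, "in_inventory": True, "first_seen": "2025-10-18"},
]

# Remediation windows per tier. The 72 hours for exploited-and-exposed CVEs
# follows the article; the other three are assumed policy values.
TIER_SLA = {
    1: timedelta(hours=72),  # in KEV and internet-facing
    2: timedelta(days=14),   # in KEV, internal only
    3: timedelta(days=30),   # CVSS >= 9.0 and internet-facing, not (yet) in KEV
    4: timedelta(days=90),   # everything else: normal patch cycle
}


def load_kev(snapshot):
    """Index KEV entries by CVE ID for O(1) lookup."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def tier_for(finding, kev):
    """Urgency tier: exploitation evidence and exposure outrank raw CVSS."""
    in_kev = finding["cve"] in kev
    if in_kev and finding["internet_exposed"]:
        return 1
    if in_kev:
        return 2
    if finding["cvss"] >= 9.0 and finding["internet_exposed"]:
        return 3
    return 4


def prioritise(findings, kev, now_iso):
    """Annotate each finding with tier, deadline, overdue flag, inventory gap
    and KEV ransomware usage, then sort: tier first, CVSS only as tie-break."""
    now = datetime.fromisoformat(now_iso)
    ranked = []
    for f in findings:
        tier = tier_for(f, kev)
        deadline = datetime.fromisoformat(f["first_seen"]) + TIER_SLA[tier]
        entry = kev.get(f["cve"], {})
        ranked.append({
            **f,
            "tier": tier,
            "deadline": deadline.isoformat(),
            "overdue": now > deadline,
            "inventory_gap": not f["in_inventory"],
            "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    return sorted(ranked, key=lambda r: (r["tier"], -r["cvss"], r["asset"]))


def median_days_to_patch(kev, remediations):
    """Median days from a CVE's KEV dateAdded to the date the fix was applied.
    remediations: list of (cve_id, patched_iso_date). CVEs not in KEV are
    skipped because the catalogue gives no start date for them."""
    deltas = []
    for cve, patched in remediations:
        if cve not in kev:
            continue
        added = datetime.fromisoformat(kev[cve]["dateAdded"])
        deltas.append((datetime.fromisoformat(patched) - added).days)
    return float(median(deltas)) if deltas else None


if __name__ == "__main__":
    kev = load_kev(KEV_SNAPSHOT)
    for r in prioritise(SCAN_FINDINGS, kev, "2025-10-24T12:00:00"):
        flags = [name for cond, name in ((r["overdue"], "OVERDUE"),
                                         (r["inventory_gap"], "NOT IN INVENTORY"),
                                         (r["ransomware_use"], "RANSOMWARE")) if cond]
        print(f"P{r['tier']} {r['asset']:<18} {r['cve']} CVSS {r['cvss']:<4} "
              f"due {r['deadline'][:16]} {' '.join(flags)}")
    # Constructed remediation log for the median metric.
    print("median days to patch:",
          median_days_to_patch(kev, [("CVE-0000-0001", "2025-10-25"),
                                     ("CVE-0000-0002", "2025-11-30")]))
```

Note that the CVSS 9.8 finding on the internal build runner lands behind both CVSS 7.2 findings, because the latter are in KEV and internet-facing, and that the second of those sits on an asset the inventory has never seen: exactly the Shadow IT blind spot the report describes. In production the snapshot would be replaced by the live KEV feed and the findings by your scanner's export, but the ranking logic does not change.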

Cybersecurity as a strategic priority

The Verizon 2026 DBIR arrives at a moment when the Apolo Cybersecurity blog has spent three weeks documenting exactly the patterns the report confirms as dominant: unpatched vulnerabilities exploited in hours, software supply chain attacks, increasingly sophisticated ransomware as a service, and techniques that evade standard authentication defences. The DBIR does not reveal future trends: it validates what is already happening. And what is happening in Spain — Ahorramas, CNMC, Exchange OWA, cPanel, GitHub via VS Code — is the same pattern Verizon documents at global scale.

For any Spanish executive or CISO, the question the 2026 DBIR raises is direct: how many critical CVEs from the CISA KEV catalogue does your organisation have unpatched right now? If the answer is not “zero” or you don’t know the answer, the DBIR’s 31% gives you the context for why it’s urgent to find out.

Apolo Cybersecurity: vulnerability management and remediation time reduction

At Apolo Cybersecurity we help Spanish organisations reduce their exposure to the vectors the 2026 DBIR identifies as dominant: vulnerability posture assessment against the CISA KEV catalogue, implementation of accelerated prioritisation and patching processes for critical CVEs, exposed asset inventory (including Shadow IT), critical supplier patching SLA audits, and detection of active exploitation in environments that have not yet applied available patches.

If your organisation has no visibility into how many critical KEV CVEs it has unpatched, the 2026 DBIR has just given you the argument to prioritise it.
