Verizon DBIR 2026: Vulnerability Exploitation Is Now #1 Way Breaches Start

The Verizon Data Breach Investigations Report (DBIR) has been the industry’s most widely referenced breach dataset for nearly two decades. The 2026 edition analyzed more than 22,000 confirmed breaches across 145 countries. For organizations focused on the security of their external infrastructure, the findings are worth reading carefully.

Verizon DBIR 2026 Shows Vulnerability Exploitation Has Overtaken Everything Else

For the first time in the DBIR’s history, exploitation of vulnerabilities is the most common initial access vector in breaches. It accounts for 31% of all initial access, up from 20% last year, a 55% increase year over year. It has overtaken both phishing and credential abuse.


This is not a marginal shift. Vulnerability exploitation has been climbing steadily in the DBIR dataset for the past three years, and this year it crossed the threshold. The external attack surface, specifically the internet-facing infrastructure that organizations expose to the world, is now the primary entry point for breaches.

The assets being targeted reflect this. Web applications, VPNs, and remote access infrastructure remain the most commonly exploited asset categories. The DBIR reclassified remote access devices this year into a dedicated “Network” asset category to better reflect their role at the edge of the network. That category jumped from 1.5% to 5% of breaches, a signal of how heavily attackers are focusing on perimeter infrastructure.

The Remediation Math Does Not Work

The DBIR’s vulnerability management analysis is built on aggregated data from more than 13,000 organizations and over 527 million vulnerability instances. The picture it paints is one of a system under structural strain.

Organizations take a median of 43 days to remediate a known-exploited vulnerability. That is up from 32 days in the prior year. Only 26% of known-exploited vulnerabilities were fully remediated, down from 38%. And at Day 7 after detection, between 60% and 70% of known-exploited vulnerabilities remain open regardless of organizational maturity, investment, or tooling. The DBIR describes this as a potential theoretical ceiling for remediation processes.

The volume is part of the problem. The number of vulnerability instances in the dataset grew from 68.7 million in 2022 to 527 million in 2025. Organizations collectively got better at patching over that period, but the volume grew faster than the improvement. The curve shifted backward. Based on the remediation trajectory, 47 million vulnerability instances are simply not going to be addressed.

The DBIR’s conclusion is direct: “choosing the correct ones to patch really is the key strategy.” Not patching everything. Not patching faster. Choosing correctly, based on what is actually being exploited.

Recency of Exploitation Is a Better Signal Than Severity

The DBIR includes a new analysis of re-exploitation probability, built on 1.4 million observations of approximately 1,000 vulnerabilities over six years. The finding is significant for anyone making prioritization decisions.

The probability of a vulnerability being exploited again drops by roughly half at 30 days since the last observed exploitation activity. It halves again at 90 days, and again at around nine months. After approximately one year with no observed exploitation activity, the probability is roughly the same as if the vulnerability had never been exploited at all.

The implication: a vulnerability showing recent exploitation activity, even if it is not on a formal catalog, is a higher-priority target than a cataloged vulnerability that has not been exploited in months. Recency of real-world exploitation is a stronger prioritization signal than severity scores or static lists.
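The ranking rule described above, sketched as an added example (not code from the DBIR or from watchTowr): findings are ordered by how recently exploitation was observed, with severity used only to break ties. The function names, the linear interpolation between the halving points, the use of 270 days for "around nine months", and the sample findings are all assumptions of this example.

```python
from bisect import bisect_right
from datetime import date

# (days since last observed exploitation, weight relative to "exploited today").
# Halving points follow the article; 270 days stands in for "around nine
# months" and 0.0 at 365 days means "same as never exploited" (assumptions).
ANCHORS = [(0, 1.0), (30, 0.5), (90, 0.25), (270, 0.125), (365, 0.0)]


def recency_weight(days):
    """Relative re-exploitation weight in [0, 1]; None = never observed."""
    if days is None or days >= 365:
        return 0.0
    d = max(days, 0)  # clamp future-dated sightings caused by clock skew
    i = bisect_right([x for x, _ in ANCHORS], d) - 1
    (x0, y0), (x1, y1) = ANCHORS[i], ANCHORS[i + 1]
    # Linear interpolation between anchors is an assumption of this example.
    return y0 + (y1 - y0) * (d - x0) / (x1 - x0)


def prioritize(findings, today):
    """Order findings by exploitation recency; CVSS only breaks ties."""
    def key(f):
        last = f["last_exploited"]
        days = None if last is None else (today - last).days
        return (recency_weight(days), f["cvss"])
    return sorted(findings, key=key, reverse=True)


# Constructed sample data: identifiers, scores and dates are made up.
# "in_catalog" is carried along to show that it does not drive the ranking.
TODAY = date(2026, 6, 1)
FINDINGS = [
    {"id": "VULN-A", "cvss": 9.8, "in_catalog": True, "last_exploited": date(2025, 11, 13)},
    {"id": "VULN-B", "cvss": 7.5, "in_catalog": False, "last_exploited": date(2026, 5, 27)},
    {"id": "VULN-C", "cvss": 9.1, "in_catalog": True, "last_exploited": date(2025, 3, 1)},
    {"id": "VULN-D", "cvss": 8.8, "in_catalog": False, "last_exploited": None},
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, TODAY):
        last = f["last_exploited"]
        days = None if last is None else (TODAY - last).days
        print(f["id"], f["cvss"], f["in_catalog"], days, round(recency_weight(days), 3))
```

With this sample, the uncataloged CVSS 7.5 finding exploited five days ago ranks above the cataloged CVSS 9.8 finding last exploited 200 days ago, and the cataloged finding with no activity for over a year is weighted the same as one never seen exploited.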

This aligns with how watchTowr Intel approaches vulnerability prioritization. watchTowr Instinct identifies which vulnerabilities are highly likely to be exploited in the wild, and Attacker Eye captures real-world exploitation behavior as it happens. Together, they prioritize by what attackers are actually doing, not by what a score suggests they might do.

The DBIR’s Own Recommendation Points to External Attack Surface Management

Buried in the DBIR’s analysis of AI-augmented vulnerability discovery is a recommendation that deserves more attention than it will likely receive: “prepare for a large number of patches from coordinated disclosures of AI-augmented vulnerability discovery, while making sure to inventory and minimize your internet-facing footprint.”

That recommendation has two parts. The first acknowledges that AI is accelerating vulnerability discovery on both the offensive and defensive sides, and that the volume of patches organizations will need to process is about to increase. The second is operational guidance: know what is internet-facing, and reduce it where possible.

This is External Attack Surface Management in its most essential form. Continuous discovery of what is exposed. Validation of what is exploitable. Prioritization based on what is actually being targeted. The DBIR is not using the term, but it is describing the capability.

When Remediation Cannot Keep Pace, Mitigation Has to Fill the Gap

The DBIR data confirms a structural reality that the industry has been grappling with: remediation timelines and exploitation timelines are on fundamentally different trajectories. Exploitation is measured in hours. Remediation, at 43 days median, is measured in weeks. No amount of process improvement has moved the first-week remediation ceiling past 30-40%.

When a critical vulnerability is disclosed and exploitation begins before a patch can be tested and deployed, organizations need a way to reduce their exposure immediately. Not as a replacement for patching, but as a deliberate capability that buys time for proper remediation.

This is the problem Active Defense was built to solve. When the watchTowr Platform validates that an organization is exposed to an actively exploited vulnerability, Active Defense delivers intelligence-driven mitigation rules built from real exploitation behavior, not vendor descriptions, directly to the security infrastructure organizations already operate. It covers organizations during the window between knowing they are exposed and being able to remediate. Active Defense operates autonomously or under manual control, depending on how each organization needs it to work.

This Is Preemptive Exposure Management

The Verizon DBIR 2026 describes a threat landscape where vulnerability exploitation is the primary way breaches start, where the most targeted assets sit at the network edge, where remediation cannot keep pace with exploitation volume, and where the recommendation is to understand and minimize what is internet-facing.

The watchTowr Platform was built for this exact reality. It combines proactive threat intelligence, real-world attacker telemetry, and automated red teaming to continuously answer the question that matters most: “Are we affected?”

AI-Driven Rapid Reaction delivers that answer at speed when new threats emerge. Active Defense enables mitigation while remediation is underway. Together, they give security teams the one thing the DBIR data shows they need most: time to act before threats become incidents.

When exploitation happens in hours, watchTowr delivers what no one else can: time to respond.
