Vulnerability Exploitation Is Now the #1 Way Attackers Get In
What the 2026 Verizon DBIR tells us about patching, AI-assisted attacks, and a remediation gap that is getting worse
Executive Summary
The 2026 Verizon Data Breach Investigations Report analyzed more than 22,000 confirmed breaches across 145 countries. Its headline finding: exploitation of known vulnerabilities is now the most common initial access vector, accounting for 31% of breaches, up 55% from the prior year. At the same time, only 26% of vulnerabilities on the CISA Known Exploited Vulnerabilities catalog were fully remediated, down from 38% the year before, and the median time to patch grew to 43 days. Organizations are managing 45% more critical vulnerabilities per year than twelve months ago and closing fewer of them.
The 2026 DBIR also calls out AI-augmented vulnerability research and weaponization as an accelerating threat, explicitly telling organizations to prepare for a higher volume of patch disclosures driven by AI-assisted discovery. Projects like Anthropic’s Mythos, which applies frontier AI models to large-scale vulnerability research, illustrate the trajectory: the tools for finding and weaponizing flaws are becoming dramatically more capable, and the window between a vulnerability existing and being exploited is shrinking. Organizations running 43-day remediation cycles were already behind. That gap is about to matter more.
This article examines what the DBIR data shows, what AI’s role in the threat landscape actually looks like today, and what disciplined vulnerability management requires in this environment.
What the DBIR Actually Shows
For years, phishing and credential theft were the dominant opening moves in breaches. The 2026 DBIR marks a clear shift. Vulnerability exploitation reached 31% of initial access vectors, up from 20% the year prior. Credential abuse fell to 13% as the first action, though it still appears across 39% of breaches when measured throughout the full attack chain.
The shift reflects attacker adaptation, not new capability. As organizations invested in multi-factor authentication and phishing defenses, attackers moved toward unpatched systems: visible, predictable, and available without requiring any user to make a mistake.
The remediation picture compounds the problem. The DBIR analyzed vulnerability data from more than 13,000 organizations against the CISA KEV catalog, which lists vulnerabilities with confirmed, active exploitation. Only 26% were fully remediated. Median time to resolution: 43 days. At the 28-day mark, 35% of known exploited vulnerabilities were still open, translating to approximately 184 million open instances, up from 31 million in 2022. The DBIR frames this as a capacity problem: volume has grown eightfold in three years, and remediation processes have not kept pace. Even the most mature programs appear to hit a ceiling, with 60–70% of KEV vulnerabilities remaining open at the one-week mark regardless of tooling or mandate pressure.
One additional finding worth noting: nearly half of persistently exploited CISA KEV vulnerabilities are older flaws, with 80% registered in the CVE database before 2024. Organizations had years of advance notice. The backlog is not a low-priority queue. It is a catalog of documented weaknesses that attackers are already working through.
Why AI Makes This More Urgent
The 2026 DBIR explicitly flags AI-augmented vulnerability research as an accelerating development and tells organizations to prepare for coordinated patch disclosures driven by AI-assisted discovery. That recommendation sits in the vulnerability management section of the report, grounded in trends the authors observed as of early 2026.
Project Mythos, Anthropic’s initiative applying frontier AI models to large-scale vulnerability research, is the most visible example of where this is heading. The DBIR references the Cloud Security Alliance’s Mythos briefing for security leaders directly in this context. Mythos is designed with defensive intent: giving critical infrastructure providers and major security vendors early access to advanced discovery capabilities so systems can be hardened before those capabilities spread. That is a reasonable approach. It also signals that the pipeline from code flaw to disclosed CVE is compressing significantly. What once took a skilled analyst days or weeks to find can increasingly be identified in hours.
The implication for defenders is direct. On the offense side, AI is shortening the time between a vulnerability existing and being weaponized. On the defense side, median remediation time is growing. Those trends are moving toward each other. The DBIR also explicitly notes that AI-assisted exploit development could change the historical decay pattern for resurgent vulnerabilities: a dormant flaw that was costly to re-weaponize manually becomes a different kind of risk when an AI can reconstruct working exploit code from documented CVE details.
Beyond the discovery angle, the DBIR documents, through analysis of 793 threat actors who misused Anthropic’s platform, that AI is lowering the barrier for less-sophisticated attackers to execute well-known techniques at scale. This is not the superattacker narrative. It is something more practical: a broader population of moderately capable attackers operating more effectively, at lower cost, against a wider range of targets including small and medium-sized businesses that previously fell below the effort threshold.
What Sound Vulnerability Management Requires
Most organizations have a vulnerability management program. The DBIR data shows it is not translating into adequate risk reduction. The gap is widening, driven by a consistent set of operational failures: CVSS-only prioritization that misallocates effort toward low-risk systems while real exposure waits; unclear ownership across asset types that kills urgency at the first handoff; change control cycles built for stability that cannot match exploitation timelines measured in days; and incomplete visibility that leaves cloud workloads and unmanaged devices outside scanning scope entirely.
Addressing these gaps requires the following.
- Continuous scanning across all asset classes: endpoints, servers, cloud infrastructure, network appliances, and third-party software. Point-in-time scans produce a snapshot of a moving target.
- Threat-informed prioritization. Layer active exploitation data from the CISA KEV catalog and threat intelligence into the remediation queue. The questions that matter: Is this system internet-facing? Is this vulnerability being actively exploited in the wild? Is there a compensating control? CVSS alone cannot answer any of these.
- Clear ownership by asset class, with the authority and bandwidth to act. When accountability is ambiguous, urgency does not survive the first handoff.
- Automated patching for standard operating systems and applications. Manual deployment introduces delays that serve no one except attackers. Systems that can be patched automatically should be.
- A fast-path process for critical disclosures on internet-facing systems that bypasses standard change control. The response window when a widely used VPN or edge device has an actively exploited vulnerability is days, not weeks.
- Active reduction of internet-facing footprint. The DBIR says it plainly: inventory and minimize. Every system reachable from the internet that does not need to be is unnecessary exposure. This is a governance call, not an IT task.
- Regular review of the aging backlog. Given the DBIR data on persistent and resurgent exploitation of older vulnerabilities, known-but-unpatched issues from prior years are not safely deferred. They are documented targets.
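As an added example, not code from the article, the DBIR or Simulint, the following Python sketch shows the threat-informed prioritization and backlog-review points from the list above: KEV membership, internet exposure and compensating controls drive the order, CVSS only breaks ties, and a second function computes a "still open at day N" backlog metric of the kind the DBIR reports. The KEV entries, CVE ids, assets and dates are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

TODAY = date(2026, 3, 1)  # constructed "today" for the example
# Constructed stand-in for the CISA KEV catalog; field names follow the real
# KEV JSON feed (dateAdded / dueDate) but the CVE ids are placeholders.
KEV = {"CVE-EXAMPLE-0001": {"dateAdded": "2026-01-10", "dueDate": "2026-01-31"},
       "CVE-EXAMPLE-0002": {"dateAdded": "2023-06-02", "dueDate": "2023-06-23"}}

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_facing: bool
    compensating_control: bool
    first_seen: date
    remediated: Optional[date] = None

# Constructed scanner output: three findings on three assets.
SAMPLE = [
    Finding("vpn-edge-01", "CVE-EXAMPLE-0001", 7.5, True, False, date(2026, 1, 12)),
    Finding("dev-db-07", "CVE-EXAMPLE-0003", 9.8, False, False, date(2026, 2, 20)),
    Finding("hr-portal", "CVE-EXAMPLE-0002", 6.1, True, True, date(2024, 2, 1),
            remediated=date(2024, 2, 20)),
]

def priority(f: Finding, today: date = TODAY) -> int:
    """Exposure-driven urgency score; higher means patch sooner."""
    score = 0
    if f.cve in KEV:
        score += 100  # confirmed in-the-wild exploitation outranks any CVSS value
        if date.fromisoformat(KEV[f.cve]["dueDate"]) < today:
            score += 25  # past the KEV due date: an aging, documented target
    if f.internet_facing:
        score += 50  # reachable without any user having to make a mistake
    if f.compensating_control:
        score -= 30  # e.g. a WAF rule buys time but does not close the issue
    return score + int(f.cvss)  # CVSS only breaks ties

def kev_open_after(findings: List[Finding], days: int, today: date = TODAY) -> float:
    """Share of KEV findings at least `days` old still open at that age (the DBIR's 28-day metric)."""
    aged = [f for f in findings if f.cve in KEV and (today - f.first_seen).days >= days]
    if not aged:
        return 0.0
    still_open = [f for f in aged
                  if f.remediated is None or (f.remediated - f.first_seen).days > days]
    return len(still_open) / len(aged)
```

On the constructed sample the CVSS 9.8 internal database lands last, while the KEV-listed edge VPN with no compensating control ranks first, which is the reordering the CVSS-only critique above is asking for.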
The Takeaway
Vulnerability exploitation is now the leading attack vector, and the forces driving it are accelerating. AI-augmented discovery is compressing weaponization timelines. A broader population of attackers has access to better tooling at lower cost. Old vulnerabilities in the backlog are being actively exploited. And the volume of critical vulnerabilities requiring remediation grew 45% in a single year.
A 43-day median remediation time and a 74% non-remediation rate on known exploited vulnerabilities are not a manageable gap. They are an open invitation. Closing that gap requires continuous visibility, threat-informed prioritization, automation of what can be automated, and the organizational commitment to treat critical disclosures with the urgency they deserve. The fundamentals still matter most, as the DBIR puts it. The question is whether your program executes them fast enough to stay ahead of attackers who are increasingly getting AI-powered help finding the gaps you have not closed.
How Simulint Addresses This with BlueSphere Shield
BlueSphere Shield Elevate provides continuous vulnerability management with integrated CSPM and CNAPP capabilities. Rather than periodic scans and CVSS-only prioritization, Shield Elevate combines vulnerability discovery with active threat intelligence and real exposure context, identifying which vulnerabilities are actively exploited and where remediation will reduce actual risk. As AI accelerates the cadence of coordinated patch disclosures, continuous scanning becomes the difference between knowing about a problem before it is exploited and learning about it afterward.
BlueSphere Shield Core delivers automated, continuous patching across Windows, macOS, and Linux environments, reducing the window between disclosure and remediation from weeks to hours for covered systems. Shield Elevate tells you what matters most. Shield Core closes it before it can be used against you.
Learn more about BlueSphere: https://lnkd.in/eE9HTaw8
