For 19 consecutive years, the top way attackers broke into systems was the same: steal a password. The 2026 Verizon Data Breach Investigations Report officially ended that streak. Vulnerability exploitation — unpatched CVEs, misconfigured APIs, and flawed application code — now accounts for 31% of initial access vectors. Stolen credentials have fallen to second place at 13%. This is not a statistical footnote. For developers, it is a signal: what you ship is now more dangerous than what your users type.
A 19-Year Streak, Broken
The 2026 DBIR is Verizon’s most comprehensive edition yet — 31,000 security incidents and 22,000 confirmed data breaches across 145 countries. The numbers aren’t just bigger; the story they tell is fundamentally different. Credential theft falling to 13% is, counterintuitively, good news. It suggests that MFA adoption and credential hygiene investments are working. The bad news is that attackers have simply moved on. Exploit the software, not the human. It’s faster, scales better, and doesn’t require a convincing phishing email.
The shift has a clean logic to it: harden one attack surface and threat actors migrate to the next. Organizations spent the last decade locking down passwords. Attackers spent that same time getting very good at finding and weaponizing CVEs.
The Remediation Paradox
Here is the number that should concern every engineering team: organizations patched only 26% of vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog last year, down from 38% in 2024. The KEV list is not theoretical risk — it is a curated catalog of CVEs with confirmed, active exploitation in the wild. Falling behind on that list is not a compliance gap; it is an open door.
The timing makes it worse. Median time to full patch resolution climbed to 43 days in 2025, up from 32 days in 2024. Meanwhile, AI-assisted exploitation is compressing attacker timelines from months to hours. Defenders are moving slower. Attackers are moving faster. The gap between patch release and exploitation is collapsing while remediation cycles expand — and that window is exactly where breaches happen.
Across the top three vulnerability categories by CWE, the median time to hit 50% remediation was six to seven months. For a known-exploited vulnerability, six months of exposure is not a risk tolerance decision — it is an invitation.
Supply Chain Is Now Half the Battle
Third-party involvement in breaches jumped 60% year-over-year and now features in 48% of all confirmed breaches. This is not an enterprise-only concern. Every developer who pulls a package from npm, PyPI, or Crates.io is part of a supply chain. Every dependency you ship is a trust decision. The vendor and contractor human element surged from 30% to 48% of third-party incidents — supply chain is not just a software problem; it’s a people-and-process problem that starts with the code developers write and the packages they choose.
What Developers Should Do Now
The DBIR’s findings translate to a short list of non-negotiable practices:
- Track KEV vulnerabilities in your dependencies. The CISA KEV catalog is public. Use Software Composition Analysis (SCA) tools to flag packages with active KEV entries. If you’re using a library with a confirmed exploit in the wild, the 26% remediation industry average means most teams haven’t patched it.
- Integrate SAST into your CI/CD pipeline. Static analysis catches the class of vulnerabilities the DBIR now flags as the top breach vector — before they ship. A finding at PR review costs minutes. A finding in a breach costs months.
- Generate an SBOM. Software Bills of Materials are increasingly required by enterprise customers and federal contracts. More practically, you cannot patch what you don’t know you have.
- Pin and audit dependencies. Lock file discipline matters. Unpinned dependencies are a supply chain attack waiting to happen.
- Prioritize by exploitation likelihood, not CVSS score. A CVSS 9.8 with no known exploit in the wild is less urgent than a CVSS 7.2 on the KEV list. Triage accordingly.
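One way to put the KEV-tracking and exploitation-first triage points above into practice is a small script that joins SCA findings to the CISA KEV catalog and orders them by exploitation evidence before CVSS. This is an added example, not code from the DBIR or Veracode; the KEV and SCA records are constructed placeholders that only mirror the field names of CISA's public KEV JSON feed.

```python
import json
from datetime import date

# Constructed stand-in for a CISA KEV catalog download. The live feed has the
# same top-level shape ("vulnerabilities" list with cveID/dateAdded/dueDate);
# these CVE ids are placeholders, not real entries.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-10001", "dateAdded": "2024-12-20", "dueDate": "2025-01-10",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-10002", "dateAdded": "2025-02-14", "dueDate": "2025-03-07",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed SCA output: one row per (package, CVE) match with its CVSS score.
SCA_FINDINGS = [
    {"package": "example-http@1.2.3", "cve": "CVE-0000-20001", "cvss": 9.8},
    {"package": "example-yaml@0.9.0", "cve": "CVE-0000-10002", "cvss": 7.2},
    {"package": "example-auth@2.0.1", "cve": "CVE-0000-10001", "cvss": 5.3},
]

def load_kev(kev_json):
    """Index a KEV catalog document by CVE id."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def triage(findings, kev, today):
    """Annotate findings and order them by exploitation evidence, then CVSS.

    Sort key (descending): listed in KEV > past CISA due date >
    known ransomware use > CVSS. A 7.2 on KEV outranks a 9.8 that is not.
    """
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        row = dict(f, in_kev=entry is not None, overdue=False,
                   ransomware=False, days_exposed=None)
        if entry:
            row["overdue"] = date.fromisoformat(entry["dueDate"]) < today
            row["ransomware"] = entry["knownRansomwareCampaignUse"] == "Known"
            row["days_exposed"] = (today - date.fromisoformat(entry["dateAdded"])).days
        rows.append(row)
    rows.sort(key=lambda r: (r["in_kev"], r["overdue"], r["ransomware"], r["cvss"]),
              reverse=True)
    return rows

def example_triage(today=date(2025, 3, 1)):
    """Run the triage over the constructed inputs for a fixed reference date."""
    return triage(SCA_FINDINGS, load_kev(KEV_JSON), today)

if __name__ == "__main__":
    for r in example_triage():
        flag = "KEV" if r["in_kev"] else "   "
        print(f"{flag} overdue={r['overdue']!s:5} cvss={r['cvss']} {r['package']} {r['cve']}")
```

With a real SCA export and a fresh KEV download, `days_exposed` gives the per-finding number to measure against the 43-day median the report cites.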
The Real Takeaway
The “patch later” culture — the sprint backlog full of security tickets that get de-prioritized every planning cycle — is exactly what the DBIR is measuring. The report’s data covers November 2024 through October 2025. Every breach in that dataset represents an organization that had a known vulnerability and didn’t fix it fast enough.
Credentials getting dethroned as the top attack vector is a genuine security win. But the attacker response — pivot to software vulnerabilities, automate exploitation with AI, compromise supply chains — means the industry traded one problem for a harder one. The data is clear: organizations that treat remediation speed as a product metric, not a compliance checkbox, are the ones that won’t appear in next year’s report. For a deeper developer-focused breakdown, Veracode’s application security analysis is worth reading alongside the primary findings.