The 2026 Verizon DBIR Shows Vulnerability Management Has Become a Remediation Problem
The 2026 Verizon DBIR confirms what security teams have been dreading: attackers are exploiting known weaknesses faster than organizations can prioritize, remediate, and verify them.
This is not a brand-new pattern, but the report shows the gap widening: vulnerability exploitation is now the most common known initial access vector for breaches, rising to 31% from 20% the year before. In the same period, only 26% of CISA Known Exploited Vulnerabilities detected in organizational environments were fully remediated, with median time to full resolution increasing to 43 days.
The harder problem now is not finding more vulnerabilities; it is closing the right ones. Teams need better ways to know which exposures matter, who can fix them, what fix is safe, and whether the exposure is actually gone.
Vulnerability exploitation is the #1 known initial access vector for breaches
For years, vulnerability management ran as routine maintenance: scan the environment, classify what comes back, assign a severity, and open a ticket. But if exploitation is now the most common known initial access vector, vulnerability management cannot be measured simply on findings and tickets; it also has to be measured by whether exploitable weaknesses are actually fixed.
That is where teams often get stuck. A vulnerable system may be business critical, owned by another team, tied to dependencies, or hard to patch without downtime. The hard work is reaching a fix that is safe, has a clear owner, and can be verified as done.
Remediation throughput is not keeping up
In 2025, only 26% of CISA Known Exploited Vulnerabilities (KEVs) detected in organizational environments were fully remediated, down from 38% the year before. Median time to full remediation rose to 43 days from 32, roughly two extra weeks per finding.
Behind those numbers is a throughput problem: exposure debt is growing because more known, exploitable findings are being left open for longer.
A recent report from Cogent Research found that time to exploit (TTE) declined from 125 days in January 2025 to just 10 hours in April 2026. Known exploits are now circulating well inside the window when teams are remediating them.
The Verizon report underscores the point: at Day 28 after detection, 35% of KEV instances were still open, up from 27% the prior year.
None of this means teams are doing nothing. Organizations remediated more vulnerability instances in 2025 than the year before. The problem is that remediation work is increasing, but not enough to keep pace with vulnerability volume, exploitability, and attacker speed.
Another dashboard of findings does not solve that. Teams need better ways to prioritize, assign, execute, and verify fixes so that remediation can scale with discovery.
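As an added example (not code from the DBIR or from Cogent), the following Python computes the same three measures over a team's own finding log: the share of detected KEV instances fully remediated, the median days from detection to full remediation, and the share still open at day 28. The finding records and the snapshot date are constructed. The day-28 figure counts only findings old enough for that day to have passed, so findings detected last week do not make the number look better than it is.

```python
"""Remediation throughput metrics over a log of KEV findings.

Added example; not Verizon's methodology or Cogent's code. Each record is
(finding id, detection date, full-remediation date or None if still open).
All records below are constructed sample data.
"""
from datetime import date
from statistics import median
from typing import Optional, Tuple, List, Dict

Finding = Tuple[str, date, Optional[date]]

# Constructed sample log: eight KEV instances detected in early 2026.
FINDINGS: List[Finding] = [
    ("kev-001", date(2026, 1, 5), date(2026, 1, 20)),   # closed in 15 days
    ("kev-002", date(2026, 1, 8), date(2026, 3, 10)),   # closed in 61 days
    ("kev-003", date(2026, 1, 12), None),               # still open
    ("kev-004", date(2026, 2, 1), date(2026, 2, 25)),   # closed in 24 days
    ("kev-005", date(2026, 2, 14), date(2026, 4, 10)),  # closed in 55 days
    ("kev-006", date(2026, 3, 3), None),                # still open
    ("kev-007", date(2026, 3, 20), date(2026, 4, 5)),   # closed in 16 days
    ("kev-008", date(2026, 4, 15), None),               # too new to judge at day 28
]


def remediation_metrics(findings: List[Finding], as_of: date,
                        sla_days: int = 28) -> Dict[str, object]:
    """Return throughput figures as of a snapshot date.

    remediated_share: fraction of all detected instances fully remediated
    median_days:      median detection-to-remediation time of the closed ones
    open_at_sla:      fraction of instances still open `sla_days` after detection,
                      counting only instances whose day-`sla_days` mark has passed
    open_count:       the exposure debt: instances still open at the snapshot
    """
    closed = [(d, r) for _, d, r in findings if r is not None and r <= as_of]
    remediated_share = len(closed) / len(findings) if findings else None

    fix_times = [(r - d).days for d, r in closed]
    median_days = median(fix_times) if fix_times else None

    # Only findings at least sla_days old can be judged against the SLA.
    eligible = [(d, r) for _, d, r in findings if (as_of - d).days >= sla_days]
    missed = [1 for d, r in eligible
              if r is None or r > as_of or (r - d).days > sla_days]
    open_at_sla = len(missed) / len(eligible) if eligible else None

    open_count = sum(1 for _, _, r in findings if r is None or r > as_of)

    return {
        "remediated_share": remediated_share,
        "median_days": median_days,
        "open_at_sla": open_at_sla,
        "open_count": open_count,
    }


if __name__ == "__main__":
    snapshot = date(2026, 4, 30)  # constructed snapshot date
    for key, value in remediation_metrics(FINDINGS, snapshot).items():
        print(f"{key}: {value}")
```

Tracking these figures per owner or per business unit, rather than only in aggregate, shows where throughput is actually falling behind.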
Contextual prioritization is no longer optional
When there are more high-priority findings than capacity to fix them, the order teams work in starts to matter. Severity scores cannot set that order on their own, and neither can a vulnerability's presence in the KEV catalog, because two known-exploited vulnerabilities rarely carry the same risk at the same moment.
Verizon draws a useful distinction here: KEV is a timestamp, not a timeline. It records that exploitation crossed a threshold at some point, not whether attacker interest is currently rising or fading. An older vulnerability under active exploitation can be more urgent than a recent KEV entry that no one is targeting. The practical question is whether attackers are using a given weakness right now, and whether they can reach it in this environment.
Prioritizing well, then, means ranking on more than a severity score. It takes two kinds of context: what attackers are doing (e.g., whether the vulnerability is being exploited right now) and what the exposure looks like inside the organization (e.g., whether the asset is reachable, how exposed it is, its business impact, and who owns it). Neither shows up in a CVSS score, even though deciding what to fix first depends on both.
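To make the two kinds of context concrete, here is an added Python example (not Cogent's product logic and not a scoring method the DBIR prescribes). It ranks findings on threat context (is the weakness being exploited right now, separately from whether it was ever listed in KEV) and exposure context (attack surface the asset sits on, business impact, owner). The CVE identifiers, assets, weights and dates are all constructed, and the weights are assumptions a team would tune to its own environment.

```python
"""Contextual prioritization of vulnerability findings.

Added example with constructed data. Score = threat * exposure * 100, where
threat comes from attacker activity (current exploitation > KEV listing >
CVSS base score) and exposure from where the asset sits and what it is
worth. The CVE ids below are placeholders, not real entries.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed weights; a real program would tune these to its own data.
IMPACT_WEIGHT = {"low": 0.4, "medium": 0.7, "high": 1.0}
SURFACE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.1}


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float                   # base score, 0-10
    kev_added: Optional[date]     # date the CVE entered KEV, or None if never listed
    active_exploitation: bool     # threat intel: exploitation observed recently
    attack_surface: str           # "internet" | "internal" | "isolated"
    business_impact: str          # "low" | "medium" | "high"
    owner: Optional[str]          # team that can ship the fix, if known


def priority(f: Finding) -> float:
    """Higher means fix sooner. Capped at 100 by construction of the weights.

    KEV is a timestamp, so a listing adds a fixed amount regardless of age;
    current exploitation carries the largest weight because it answers
    "are attackers using this right now". An isolated asset is scaled down
    hard because the attacker cannot reach it in this environment.
    """
    threat = 0.2 * (f.cvss / 10.0)
    if f.kev_added is not None:
        threat += 0.3
    if f.active_exploitation:
        threat += 0.5
    exposure = IMPACT_WEIGHT[f.business_impact] * SURFACE_WEIGHT[f.attack_surface]
    return round(threat * exposure * 100.0, 1)


def next_action(f: Finding) -> str:
    """The routing step after ranking: a fix needs a clear owner before a ticket helps."""
    return "assign an owner" if f.owner is None else f"route fix to {f.owner}"


def rank(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=priority, reverse=True)


# Constructed findings illustrating the text's point: an older, actively
# exploited CVE outranks a recent KEV entry nobody is targeting, and both
# outrank a high-CVSS finding with no exploitation evidence.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-gw-01", 7.5, date(2021, 11, 3), True, "internet", "high", "netops"),
    Finding("CVE-0000-0002", "erp-app-02", 9.8, date(2026, 4, 20), False, "internal", "high", None),
    Finding("CVE-0000-0003", "web-cms-03", 9.1, None, False, "internet", "medium", "web-team"),
    Finding("CVE-0000-0001", "lab-box-04", 7.5, date(2021, 11, 3), True, "isolated", "high", "research"),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):6.1f}  {f.cve}  {f.asset:12s}  {next_action(f)}")
```

The same scoring makes the second question in the text visible: the recent KEV entry on erp-app-02 ranks second, but it has no owner, so the first action on it is finding one rather than opening a patch ticket.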
Remediation is getting harder to coordinate
The DBIR's other major trends add up to the same operational problem: teams have to close exposures across more parties, in less time, and with less margin for a miss.
Ransomware was involved in 48% of confirmed breaches, up from 44% the prior year, so a missed exposure is now likelier to end in a serious incident. Third-party involvement also reached 48% of breaches, a 60% increase year over year, which widens the set of vendors, cloud environments, and SaaS integrations teams have to account for. And while the DBIR's AI findings are measured, they show attackers using GenAI to accelerate familiar activities like targeting, initial access, vulnerability research, malware development, and tooling.
The result is a coordination problem as much as a security one: deciding what matters, finding the right owner, choosing a safe fix, and proving the exposure is closed, now repeated across far more findings than before.
The next step is verified remediation
Discovery is only the beginning of vulnerability management. A scanner can surface exposure, but it does not decide what matters most, identify the right owner, produce a safe fix, or confirm the issue is closed.
In most organizations, the steps after a finding are handled by different tools and different people, with gaps between each one. Joining them into a single process is what turns a finding into a fix.
This is what Cogent is building toward. Its AI agents carry out that process: confirming the asset is reachable, finding the owner, recommending the safest fix or compensating control, routing the work through the systems a team already uses, and verifying the exposure is gone.
Most security tools add to the list of findings. Cogent is built to shrink it, by closing the open, exploitable paths an attacker could use.