DBIR 2026: Network Asset Breaches Up 3x as Vulnerability Exploitation Accelerates

The Verizon Data Breach Investigations Report remains one of the most useful annual sources for understanding how real-world breaches are changing. The 2026 report analyzes more than 31,000 security incidents, including more than 22,000 confirmed data breaches, and shows a clear shift in attacker focus: exploitation of vulnerabilities is now the leading known initial access vector.

For security teams responsible for enterprise infrastructure, the most important finding is the growth in attacks involving network assets. Leading organizations are already feeling the pain and sounding the alarm about this urgent threat. Pat Opet, Global CISO of JPMorganChase, gave a keynote about network edge risk at RSAC 2026. He summed it up perfectly:

“The devices that we put on the edge of our network…The very devices that are supposed to be our frontline defense are becoming our greatest weakness…All of this is due to the legacy architecture that exists in these opaque devices that are provided from network companies and security companies to defenders.”

Opet noted that half of the critical vulnerabilities addressed by JPMC in the last year were on perimeter devices.

Exploitation of Vulnerabilities Became the Leading Initial Access Vector

Last year, exploitation of vulnerabilities had nearly caught up with credential abuse. This year, it moved ahead.

According to the 2026 DBIR, exploitation of vulnerabilities is now the highest known initial access vector. That matters because exploitation puts direct pressure on teams that already struggle to identify, prioritize, and remediate exposed infrastructure before attackers act.

Network Asset Breaches Increased 3x Since 2025

Network assets have been under increasing pressure for years. In the 2026 DBIR, they reached roughly the same targeting frequency as user devices.

VPNs, firewalls, routers, and switches accounted for 1.5% of breaches in last year’s report and now account for 5%. Over the same period, user device targeting dropped from 8% to slightly below 5%. The DBIR notes that part of the increase reflects a change in how Verizon codes remote access cases, from Server to Network asset, but still characterizes the trend as a significant rise in targeting.

These devices often sit outside the coverage of traditional endpoint tools, yet they provide critical access paths into enterprise environments. Read Eclypsium’s report on Eradicating Hidden Risks in Network Edge Devices.

Vulnerability Volume Is Outpacing Patch Programs

Until 2025, defenders were making steady progress in remediating vulnerabilities faster. In 2025, that changed. The number of vulnerabilities in the DBIR dataset increased, while the percentage of CISA Known Exploited Vulnerabilities that organizations fully remediated declined.

From the report:

“Only 26% of critical vulnerabilities, defined as being in the Cybersecurity Infrastructure and Security Agency Known Exploited Vulnerabilities (CISA KEV) catalog, were fully remediated by organizations in 2025, a drop from the previous year’s 38%. The median time for full resolution went up to 43 days, almost two weeks more than the previous year’s 32 days. In the median case, organizations had 50% more critical vulnerabilities to patch in this year’s reporting dataset compared to the previous year.”

The trend is not just slower patching. Vulnerability volume is growing faster than remediation capacity. Instances of vulnerabilities in the DBIR dataset grew from 68.7 million records in 2022 to more than 527 million in 2025.

The gap between patching and exploitation is widening too. Only 12% of vulnerabilities were remediated before being added to the KEV, down from 17% in 2024. Attackers have more time to exploit known issues before defenders have prioritized and remediated them.
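To compare a patch program against the three figures above (share of KEV vulnerabilities fully remediated, median days to full resolution, share fixed before KEV listing), the following added example computes them from scanner findings; it is not from the DBIR or the original post. The data, placeholder CVE ids and field names are constructed, and the definitions are assumptions: "fully remediated" means every instance of a CVE is fixed, measured from first detection to last fix.

```python
from datetime import date
from statistics import median

# Constructed sample data; the CVE ids are placeholders, not real identifiers.
KEV_ADDED = {  # CVE id -> date it was added to the KEV catalog
    "CVE-EXAMPLE-0001": date(2025, 3, 1),
    "CVE-EXAMPLE-0002": date(2025, 5, 10),
    "CVE-EXAMPLE-0003": date(2025, 7, 1),
    "CVE-EXAMPLE-0004": date(2025, 9, 15),
}
# One row per (asset, CVE) instance; fixed=None means the instance is still open.
FINDINGS = [
    {"asset": "vpn-gw-1", "cve": "CVE-EXAMPLE-0001", "detected": date(2025, 2, 1), "fixed": date(2025, 2, 20)},
    {"asset": "fw-edge-2", "cve": "CVE-EXAMPLE-0001", "detected": date(2025, 2, 1), "fixed": date(2025, 2, 25)},
    {"asset": "rtr-core-1", "cve": "CVE-EXAMPLE-0002", "detected": date(2025, 5, 12), "fixed": date(2025, 6, 24)},
    {"asset": "fw-edge-2", "cve": "CVE-EXAMPLE-0003", "detected": date(2025, 7, 3), "fixed": date(2025, 7, 20)},
    {"asset": "vpn-gw-1", "cve": "CVE-EXAMPLE-0003", "detected": date(2025, 7, 3), "fixed": None},
    {"asset": "sw-dist-3", "cve": "CVE-EXAMPLE-0004", "detected": date(2025, 9, 20), "fixed": None},
]

def kev_metrics(findings, kev_added):
    """Per-CVE remediation metrics over findings whose CVE is in the KEV mapping."""
    by_cve = {}
    for f in findings:
        if f["cve"] in kev_added:
            by_cve.setdefault(f["cve"], []).append(f)
    days, before_kev = [], 0
    for cve, rows in by_cve.items():
        if any(r["fixed"] is None for r in rows):
            continue  # one open instance is enough: not fully remediated
        first_seen = min(r["detected"] for r in rows)
        last_fix = max(r["fixed"] for r in rows)
        days.append((last_fix - first_seen).days)
        if last_fix < kev_added[cve]:
            before_kev += 1  # closed everywhere before the KEV listing
    total = len(by_cve)
    return {
        "kev_cves": total,
        "fully_remediated_pct": 100 * len(days) / total if total else 0.0,
        "median_days_to_full_fix": median(days) if days else None,
        "fixed_before_kev_pct": 100 * before_kev / total if total else 0.0,
    }

if __name__ == "__main__":
    print(kev_metrics(FINDINGS, KEV_ADDED))
```

A CVE with a single unpatched edge device counts as unremediated here, which is why per-instance patch rates can look healthier than the per-vulnerability figure.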

AI-Driven Vulnerability Discovery Is Increasing the Pressure

AI-assisted vulnerability research is adding more findings to an already overloaded remediation pipeline.

Anthropic’s Claude Mythos, a cybersecurity-focused model distributed to vetted partners through Project Glasswing, found 271 vulnerabilities in Firefox during internal testing with Mozilla. Microsoft is also on pace to exceed its annual record for vulnerabilities patched, with more than 500 addressed in the first five months of 2026. Microsoft has attributed part of that increase to AI-assisted analysis by internal teams and the broader security community.

The volume increase is unlikely to slow. NIST announced in April 2026 that it would stop enriching the majority of CVEs in the National Vulnerability Database, citing a 263% surge in submissions between 2020 and 2025. NIST will prioritize full enrichment for CVEs in the CISA KEV catalog, software used by the federal government, and software designated as critical under Executive Order 14028. Other CVEs may be labeled “Not Scheduled.”

That creates a triage problem. KEV is a critical source, but it is a floor, not a complete picture of exploited risk. Teams that relied on NVD enrichment now face more CVEs without CVSS scores or CPE mappings.

What This Means for Security Teams

The DBIR data describes a vulnerability management system under strain. Defenders are patching more vulnerability instances in absolute terms, but the number of vulnerabilities entering the pipeline is growing faster than process improvements can absorb.

For security teams, the priority is clear: focus on internet-facing network infrastructure, treat CISA KEV as a minimum baseline, and assume the window between disclosure and active exploitation is shorter than the current patch cycle.
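One way to encode these priorities in a triage queue, as an added example that is not from the DBIR or the original post: KEV entries come first, internet-facing network devices come next even without KEV status, and a CVE with no published CVSS score is treated as worst case instead of sinking to the bottom. The tier ordering, field names, findings and placeholder CVE ids are assumptions constructed for illustration.

```python
NETWORK_EDGE = {"vpn", "firewall", "router", "switch"}  # asset classes named in the text

# Constructed findings; cvss is None where no score was ever published for the CVE.
FINDINGS = [
    {"cve": "CVE-EXAMPLE-0101", "asset_type": "laptop", "internet_facing": False, "cvss": 9.8},
    {"cve": "CVE-EXAMPLE-0102", "asset_type": "vpn", "internet_facing": True, "cvss": None},
    {"cve": "CVE-EXAMPLE-0103", "asset_type": "firewall", "internet_facing": True, "cvss": 7.5},
    {"cve": "CVE-EXAMPLE-0104", "asset_type": "server", "internet_facing": False, "cvss": None},
    {"cve": "CVE-EXAMPLE-0105", "asset_type": "switch", "internet_facing": False, "cvss": 5.3},
]
KEV = {"CVE-EXAMPLE-0103", "CVE-EXAMPLE-0105"}  # constructed stand-in for the KEV catalog

def triage_key(finding, kev):
    """Sort key: lower tier first, then higher score, then CVE id for stable output."""
    in_kev = finding["cve"] in kev
    edge = finding["internet_facing"] and finding["asset_type"] in NETWORK_EDGE
    if in_kev and edge:
        tier = 0  # known exploited and reachable from the internet
    elif in_kev:
        tier = 1  # KEV is the minimum baseline wherever the asset sits
    elif edge:
        tier = 2  # KEV is a floor: exposed edge devices rank above the rest
    else:
        tier = 3
    # Missing enrichment is unknown risk, not low risk: assume the maximum score.
    score = 10.0 if finding["cvss"] is None else finding["cvss"]
    return (tier, -score, finding["cve"])

def prioritize(findings, kev):
    return [f["cve"] for f in sorted(findings, key=lambda f: triage_key(f, kev))]

def naive_cvss_order(findings):
    """The failure mode: a missing score coerced to 0 pushes unscored CVEs last."""
    return [f["cve"] for f in sorted(findings, key=lambda f: -(f["cvss"] or 0.0))]

if __name__ == "__main__":
    print("tiered:", prioritize(FINDINGS, KEV))
    print("naive: ", naive_cvss_order(FINDINGS))
```

In the naive ordering the unscored VPN finding lands fourth of five behind a laptop; in the tiered ordering it sits directly after the two KEV entries.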

Network assets now sit in the same targeting tier as user devices, but they often lack the same level of detection and verification coverage. Security teams need visibility into the firmware, hardware, and device posture of the infrastructure attackers are increasingly targeting.