The Verizon 2026 Data Breach Investigations Report dropped this week, and for the first time in the report’s 19-year history, vulnerability exploitation has overtaken credential abuse as the top initial access vector. Exploited vulnerabilities now account for 31% of breaches, up from 20% the year before. Credentials dropped from 22% to 13%.
Read past the headline and the picture gets worse. Only 26% of CISA’s Known Exploited Vulnerabilities were fully remediated in 2025, down from 38% the year before. Median remediation time stretched from 32 days to 43 days. The median number of KEVs hitting organizations climbed from 11 to 16. Defenders are losing ground on the most basic operational hygiene. They are not patching the vulnerabilities the U.S. government has already confirmed are being exploited in the wild.
This is the gap your pen testing program is supposed to find before the attacker does. Most programs aren’t, and the DBIR 2026 data is the clearest evidence yet of why.
Why Vulnerability Exploitation Just Overtook Credentials
Credential abuse didn’t get easier to pull off. MFA rollouts, password manager adoption, identity-aware proxies. The controls are working. Credential abuse dropped from 22% to 13%, partially because pretexting was separated out as its own category this year. Even adjusted for that change, the trend is real. The front door got harder to walk through.
What didn’t get harder is everything else. 31% of breaches now start with vulnerability exploitation, up from 20% the year before. That’s a step change, not a drift. Attackers shifted to the path of least resistance. That path is the unpatched VPN concentrator, the file transfer appliance with a known CVE, the perimeter device whose vendor disclosed a vulnerability three weeks ago that nobody has tested against your environment.
The numbers behind the headline are the operational story. Median KEV remediation time grew to 43 days, and only about a quarter of KEVs are getting fully fixed. The median number of KEVs hitting an organization grew to 16 per year. So the typical enterprise is dealing with more known-exploited vulnerabilities than ever, fixing fewer of them, and taking longer to do it. That gap is the attack surface.
This is exactly the structural mismatch FireCompass has been pointing at for two years. Scanners produce noise, manual pen tests run on a calendar, and the window between disclosure and active exploitation has compressed to days. The DBIR just put a number on the cost of pretending otherwise.
The Annual Pen Test Is a Dead Letter
Read the DBIR data against your own pen testing cadence and the math falls apart immediately. If your last external pen test was nine months ago, every KEV published since then is a vulnerability that has never been validated against your environment. With 16 KEVs hitting the median organization per year and 43-day median remediation, the annual or biannual pen test is operating on the wrong clock.
The cadence argument used to be philosophical. Now it’s quantitative. Vulnerability disclosure is continuous. CVE publication is continuous. Active exploitation is continuous. The only thing that’s discrete is the engagement letter your pen testing vendor sends once a year.
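The cadence math above can be checked against your own KEV tracker. The script below is an added example, not FireCompass or Verizon code: it computes the two DBIR metrics (share of KEVs fully remediated, median days to remediate), lists the KEVs published since the last pen test that have therefore never been validated, and lists open KEVs past CISA's due date. The catalog excerpt follows the field names of CISA's public KEV JSON feed, but every entry, CVE ID and date in it is constructed for the example.

```python
"""Validation gap between the CISA KEV catalog and a pen test cadence (added example).

Not FireCompass or Verizon code. KEV_CATALOG is a constructed sample in the shape of
CISA's public KEV JSON feed with placeholder CVE IDs; REMEDIATED_ON is an invented tracker.
"""
from datetime import date
from statistics import median

LAST_PENTEST = date(2025, 3, 1)    # constructed: last external engagement
SNAPSHOT = date(2025, 12, 15)      # constructed: the day the numbers are pulled

# Constructed catalog excerpt; field names follow the CISA KEV JSON schema.
KEV_CATALOG = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "VPN concentrator", "dateAdded": "2025-02-03", "dueDate": "2025-02-24"},
    {"cveID": "CVE-0000-0002", "product": "File transfer appliance", "dateAdded": "2025-05-12", "dueDate": "2025-06-02"},
    {"cveID": "CVE-0000-0003", "product": "Edge firewall", "dateAdded": "2025-09-30", "dueDate": "2025-10-21"},
    {"cveID": "CVE-0000-0004", "product": "Web framework", "dateAdded": "2025-11-18", "dueDate": "2025-12-09"},
]}
# Constructed internal tracker: CVE ID -> date the fix was fully deployed (None = still open).
REMEDIATED_ON = {"CVE-0000-0001": "2025-03-22", "CVE-0000-0002": None,
                 "CVE-0000-0003": None, "CVE-0000-0004": "2025-12-05"}


def to_date(s):
    return date.fromisoformat(s)


def kevs_never_validated(catalog, last_pentest):
    """KEVs listed after the last pen test: exposure never tested against the environment."""
    return [v["cveID"] for v in catalog["vulnerabilities"] if to_date(v["dateAdded"]) > last_pentest]


def remediation_metrics(catalog, remediated_on):
    """Share of KEVs fully remediated and median days from listing to fix, the DBIR's two KEV metrics."""
    days = [(to_date(remediated_on[v["cveID"]]) - to_date(v["dateAdded"])).days
            for v in catalog["vulnerabilities"] if remediated_on.get(v["cveID"])]
    return {"fully_remediated_pct": round(100 * len(days) / len(catalog["vulnerabilities"])),
            "median_days_to_remediate": median(days) if days else None}


def overdue_kevs(catalog, remediated_on, today):
    """Open KEVs past CISA's due date: the first things a continuous test should validate."""
    return [v["cveID"] for v in catalog["vulnerabilities"]
            if not remediated_on.get(v["cveID"]) and to_date(v["dueDate"]) < today]


if __name__ == "__main__":
    print("never validated:", kevs_never_validated(KEV_CATALOG, LAST_PENTEST))
    print("metrics:", remediation_metrics(KEV_CATALOG, REMEDIATED_ON))
    print("overdue:", overdue_kevs(KEV_CATALOG, REMEDIATED_ON, SNAPSHOT))
```

Pointing `KEV_CATALOG` at the live CISA feed and `REMEDIATED_ON` at your ticketing export gives the same three numbers for your environment; anything in the "never validated" list is the gap the post describes.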
The harder question is what continuous validation actually looks like. Most security teams can’t afford to run manual pen tests every week. They don’t have the budget to scope, kick off, and remediate continuous engagements through traditional consulting firms. Headcount alone won’t get you there. There are not enough senior pen testers in the global market to test every web app, API, and edge device every time a relevant CVE drops.
This is where autonomous, evidence-backed pen testing changes the economics. FireCompass runs continuously across the same scope a manual team would cover, validates every finding through an exploit pipeline (false positive rate below 2%), and produces proof-of-exploit and reproduction steps for every vulnerability. The point isn’t speed for its own sake. It’s matching the cadence of testing to the cadence of attack.
Third-Party Breaches Doubled, and Your Pen Test Probably Doesn’t Cover Them
The most uncomfortable number in this year’s report isn’t on the vulnerability side. Third-party involvement in breaches grew 60%, from 30% to 48%. Nearly half of all breaches now run through a vendor, supplier, or service provider.
The DBIR breaks this into three patterns: vulnerabilities in a vendor’s product (the SolarWinds shape), vendors hosting your data (the Snowflake shape), and vendors with a connection into your environment (the Target shape). Different mechanics, same outcome. The trust relationship was the attack surface.
Look at your pen test scope. The vendor portal that authenticates into your VPN? Out of scope. The SaaS admin console with privileged API access to your customer data? Out of scope. The contractor laptop, the partner SFTP, the federated identity provider. All out of scope. Meanwhile attackers are going through exactly these surfaces because that’s where the trust terminates.
You can’t pen test your vendors directly. But you can, and should, pen test the interfaces where their trust meets your environment. OAuth flows. API keys. Service accounts. SSO redirects. Webhook endpoints. Every one of these is a path the DBIR data says is being used right now in real breaches. The DBIR authors are explicit about the root cause: most third-party incidents come down to insecure authentication (absence of MFA, improper credential rotation) or lack of least privilege enforcement for users or service accounts. Those are testable conditions. They just have to be in scope.
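The three root causes named above (absent MFA, stale credentials, excess privilege) can be expressed as checks over an inventory of the interfaces where vendor trust enters the environment. The script below is an added example, not FireCompass or Verizon code; the inventory, the 90-day rotation policy and the per-interface expected scopes are all constructed assumptions standing in for your own baseline.

```python
"""Audit third-party trust interfaces for the DBIR's three root causes (added example).

Not FireCompass or Verizon code. INTEGRATIONS is a constructed inventory of the
interfaces where vendor trust meets the environment; names, scopes and dates are invented.
"""
from datetime import date

AS_OF = date(2025, 12, 15)          # constructed audit date
MAX_CREDENTIAL_AGE_DAYS = 90        # assumed rotation policy
# Assumed least-privilege baseline: the scopes each interface type legitimately needs.
EXPECTED_SCOPES = {
    "webhook": {"events:write"},
    "sso": {"openid", "profile"},
    "api_key": {"tickets:read", "tickets:write"},
    "service_account": {"db:read"},
}
# Constructed inventory; every entry is a hypothetical vendor interface.
INTEGRATIONS = [
    {"name": "vendor-portal-sso", "kind": "sso", "interactive": True, "mfa": False,
     "rotated_on": "2025-11-01", "scopes": {"openid", "profile"}},
    {"name": "helpdesk-api-key", "kind": "api_key", "interactive": False, "mfa": None,
     "rotated_on": "2024-06-15", "scopes": {"tickets:read", "tickets:write"}},
    {"name": "billing-webhook", "kind": "webhook", "interactive": False, "mfa": None,
     "rotated_on": "2025-10-20", "scopes": {"events:write", "admin:*"}},
    {"name": "analytics-svc", "kind": "service_account", "interactive": False, "mfa": None,
     "rotated_on": "2025-12-01", "scopes": {"db:read"}},
]


def audit_integration(entry, today, max_age_days=MAX_CREDENTIAL_AGE_DAYS):
    """Return the root-cause findings that apply to one trust interface."""
    findings = []
    if entry["interactive"] and not entry["mfa"]:          # human-driven login without MFA
        findings.append("insecure_auth:mfa_absent")
    age = (today - date.fromisoformat(entry["rotated_on"])).days
    if age > max_age_days:                                   # credential outlived the policy
        findings.append(f"insecure_auth:credential_age_{age}d")
    excess = entry["scopes"] - EXPECTED_SCOPES[entry["kind"]]
    if excess:                                               # more privilege than the role needs
        findings.append("least_privilege:excess_scopes=" + ",".join(sorted(excess)))
    return findings


def audit_all(integrations, today):
    """Map each interface name to its findings; clean interfaces are omitted."""
    return {e["name"]: f for e in integrations if (f := audit_integration(e, today))}


if __name__ == "__main__":
    for name, findings in audit_all(INTEGRATIONS, AS_OF).items():
        print(name, "->", "; ".join(findings))
```

Each finding names a testable condition; a pen test scope that includes these interfaces is what turns the inventory entry into a validated result.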
Mobile Phishing Is Now 40% More Effective Than Email
A finding that didn’t make most headlines but matters enormously for offensive security teams: mobile-centric voice and text-based scams achieved a 40% higher click-through rate in phishing simulations than email campaigns. Email phishing defenses have gotten better. Attackers moved to SMS and voice, where enterprise security controls barely exist.
Pretexting (the synchronous, conversational form of social engineering where the attacker builds rapport before extracting something) was separated from credential misuse as its own initial access vector this year, accounting for 6% of breaches. The DBIR called this out specifically because of its role in high-profile ransomware breaches. The attacker isn’t blasting phishing emails anymore. They’re calling your help desk, pretending to be your CFO, building a relationship over four texts before asking for the password reset.
The implication for pen testing programs is that the “standard” engagement model (start from the outside, find a perimeter weakness, write a report) is testing for an attacker who doesn’t exist anymore. The realistic adversary already has a credential or a session. They got it from a help desk call, a SIM-swapped phone, a compromised vendor, or one of 16 unpatched KEVs you didn’t get to in time. The interesting test is what they can do from there: lateral movement, privilege escalation, app-to-network pivots, credential reuse across environments.
These are exactly the attack paths that scanners cannot construct and that annual pen tests routinely scope out. They are also the attack paths that, in the FireCompass platform, the chain and lateral movement agent is built specifically to validate. It takes an initial foothold (a leaked credential, an exposed token in a JavaScript file, a weak service account) and proves whether it actually leads to production data, admin access, or full domain compromise.
Shadow AI Is the New Insider Risk, and a New Attack Surface
The other major shift in this year’s report is shadow AI. 67% of users access GenAI services through non-corporate accounts on corporate devices. Regular AI tool usage among employees jumped from 15% in 2024 to 45% in 2025. Shadow AI is now the third most common nonmalicious insider risk in the DLP dataset, a 400% increase year over year. Source code, technical documentation, and intellectual property are routinely being pasted into LLMs that the security team has no visibility into.
This is partly a data loss problem, partly a new attack surface. Internal LLM integrations, RAG pipelines connected to enterprise data, AI-powered customer support agents, agentic systems with real tool-call capability. These are now part of the application stack at most enterprises. None of them are tested by a traditional web app pen test. Prompt injection, indirect prompt injection, tool abuse, agent jailbreaks, RAG poisoning. These are real classes of vulnerabilities with real business impact, and most pen test scopes don’t even mention them.
The broader point the DBIR makes is that attackers are using GenAI across 15 ATT&CK techniques (malware development, target reconnaissance, initial access, file obfuscation, forensic cleanup) and less than 2.5% of AI-assisted attacker actions involve uncommon techniques. AI is automating the well-known playbook, not inventing a new one.
The defensive answer can’t be slower. If attackers are using AI to scale the same attacks they were running last year, defenders need AI-driven validation that can keep up. The constraint isn’t reasoning capability. Frontier models are good enough. The constraint is execution: turning AI reasoning into validated, safe, auditable testing without DoS-ing your own production environment in the process. That’s the architecture problem FireCompass has spent the last two years solving, and the reason “LLM wrapper” tools aren’t the same category of solution as a governed, evidence-backed pen testing platform.
What the 2026 DBIR Is Telling Pen Testing Programs
The headline shift is vulnerability exploitation overtaking credentials. The deeper story is that every one of the top six findings in this year’s report points in the same direction: the attacker is operating continuously, opportunistically, and across boundaries that most pen test scopes refuse to cross.
Unpatched KEVs with 43-day remediation windows. Third parties in nearly half of all breaches. Mobile phishing 40% more effective than email. Shadow AI everywhere. Pretexting in high-profile ransomware cases. Generative AI scaling 15 different attacker techniques. None of these is solved by a once-a-year manual engagement that tests 20% of your apps and scopes out the interesting attack paths.
A pen testing program that mirrors the DBIR’s findings looks different. It runs continuously, not annually. It validates new CVEs against your environment in days, not quarters. It tests credential reuse across environments, business logic flaws, third-party trust relationships, and chained attack paths. Not just isolated vulnerabilities. And it produces evidence: proof-of-exploit, reproduction steps, chain-of-custody documentation. Not unvalidated scanner output that your team has to triage at a 70% false positive rate.
This is what FireCompass calls Continuous Offensive Security, and it’s the category the DBIR data has been quietly arguing for over multiple reports. In a recent Fortune 500 engagement, the platform extended pen testing coverage from ~200 applications annually to 2,000+, and surfaced chained attack paths the previous consulting firm had scoped out entirely, at roughly 11x lower cost than manual pen testing. Findings come with evidence, not hypotheses.
The Forward Look
The DBIR will tell the same broader story next year. The percentages will move by a few points. The conclusion won’t change: defenders are testing the wrong things, on the wrong cadence, with the wrong tools. The question is whether your offensive security program is still organized around the attacker the 2017 DBIR described, or whether it’s restructured around the one the 2026 report is documenting in real time.
If you want to see how the DBIR’s top findings (credential reuse, vulnerability exploitation, third-party access, chained attack paths) actually play out against your own environment, you can run a free pen test with FireCompass Explorer. It takes a few hours, requires no infrastructure, and produces evidence-backed findings with reproduction steps. The DBIR tells you what’s happening industry-wide. Explorer tells you what’s happening to you.
