Patching is the new password


Verizon publishes a Data Breach Investigations Report every spring. It's the closest thing the security industry has to an annual census, built from real incident data submitted by hundreds of organizations and law-enforcement partners. The 2026 edition dropped yesterday, and it announced something that hadn't happened in the report's nineteen-year history.

For the first time, vulnerability exploitation has overtaken stolen credentials as the leading way attackers get into networks.

What changed

For eighteen years, the answer to "how did the attacker get in?" was most often some form of "they had a valid username and password." Sometimes that was a successful phish and sometimes it was a credential reused from an old breach. Either way, the answer pointed at the login.

This year's report states:

  • Vulnerability exploitation is the initial access vector in 31% of breaches. Last year it was around 20%.

  • Credential abuse is the initial access vector in 13% of breaches, down from the top spot it held in every previous DBIR.

  • Phishing accounted for 16%, essentially flat against last year.

This was not an incremental change. The shift was substantial.

Why it shifted

Two things happened at once. Attackers got faster, and defenders got slower.

The attacker side is being accelerated by AI in ways that show up clearly in the data. Verizon partnered this year with Anthropic (the company that makes Claude) to study how bad actors are using large language models (LLMs). The median attacker session involved researching 15 different attack techniques in a single conversation; the high end was 40 to 50. What used to take a competent attacker hours of forum-searching and trial-and-error now takes minutes of asking a chatbot the right questions. The window between a vulnerability being publicly disclosed and a working exploit appearing in the wild has compressed from months to hours.

The defender side moved in the wrong direction in this ongoing arms race. The median time to fully patch a critical vulnerability rose from 32 days to 43. Of the vulnerabilities on CISA's Known Exploited Vulnerabilities list (the federal government's catalog of "these are actively being attacked, patch them now"), organizations remediated only 26% in 2025, down from 38% the year before. The number of critical vulnerabilities organizations had to deal with rose by 50% over the same period.

So defenders are tracking more vulnerabilities, patching a smaller fraction of them, and taking longer to do it, while attackers exploit them faster.

What it all means

You're going to read versions of this report all month with sweeping conclusions about zero-trust architectures and AI-native security platforms. Most of that is written for organizations with security teams. What this means for a small business or nonprofit is simpler.

The boring administrative discipline of installing updates is now the most important security control you have. More important than picking a strong password. More important than buying a security product. Credential theft used to be the thing everyone worried about. Vulnerability exploitation now hits at more than twice that rate.

This doesn't mean MFA stops being important. MFA still cuts off most of that 13%, and credential abuse still shows up in 39% of breaches when you count all the breaches it appears in anywhere, not just as the initial access. Both controls are important to have in place. The shift is that patching has moved from "good hygiene" to "the single most likely vector for the next attack."

I wrote a piece earlier this week about a WordPress plugin called Burst Statistics, where about 115,000 sites are still running a vulnerable version a week after the patch shipped. Owners didn't apply it, so those sites remain exposed.

What to do

  • Turn on automatic updates everywhere they're offered. Windows, macOS, your browser, your phone, your WordPress plugins. The default in 2026 should be automatic unless you have a specific reason otherwise.

  • Make a list of what you actually have. You can't patch a system you've forgotten exists. Walk through your office (or your home office) and write down every device that connects to your network, plus the cloud services your business uses. Old WordPress sites, abandoned cloud accounts, a printer with internet access, a network camera nobody has logged into since 2022. Those are the soft targets.

  • For anything internet-facing, treat patches as urgent. Your website, any remote-access tool, any cloud service with a public login page. If your IT vendor only schedules patches monthly, that needs to be changed.

  • Subscribe to one weekly security newsletter. Not for the entertainment of reading about breaches. So you find out about the patches that affect you before the news cycle moves on. Bleeping Computer and KrebsOnSecurity are both free.

  • If somebody else maintains your systems, ask them when they last applied updates to your domain registrar, your website host, your line-of-business apps, anything they manage.
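If you want to track the same three numbers the report measures (median days to patch, share of KEV-listed items remediated, and which open items are past their deadline) for your own inventory, the script below does that. It is an added example, not from the DBIR or the original post; the asset records, deadlines and dates are constructed for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample inventory (assumed format, not real systems). One record per
# vulnerability on one asset; patched_on is None while the fix is still outstanding.
INVENTORY = [
    {"asset": "company-wordpress", "internet_facing": True, "kev": True,
     "patch_available": date(2026, 4, 1), "patched_on": date(2026, 4, 3)},
    {"asset": "remote-access-gateway", "internet_facing": True, "kev": True,
     "patch_available": date(2026, 3, 10), "patched_on": None},
    {"asset": "front-desk-printer", "internet_facing": False, "kev": False,
     "patch_available": date(2026, 2, 15), "patched_on": date(2026, 4, 11)},
    {"asset": "lobby-camera", "internet_facing": True, "kev": False,
     "patch_available": date(2026, 4, 20), "patched_on": None},
    {"asset": "accounting-laptop", "internet_facing": False, "kev": True,
     "patch_available": date(2026, 4, 5), "patched_on": date(2026, 4, 6)},
]


def patch_report(inventory, today, internet_facing_sla_days=7, internal_sla_days=30):
    """Summarise patch discipline: median days to patch closed items, percentage of
    KEV-listed items remediated, and open items older than their deadline (SLA days
    are assumed values; internet-facing systems get the tighter one)."""
    closed = [(r["patched_on"] - r["patch_available"]).days
              for r in inventory if r["patched_on"]]
    kev = [r for r in inventory if r["kev"]]
    kev_done = [r for r in kev if r["patched_on"]]
    overdue = []
    for r in inventory:
        if r["patched_on"]:
            continue  # already fixed, nothing to chase
        age_days = (today - r["patch_available"]).days
        sla = internet_facing_sla_days if r["internet_facing"] else internal_sla_days
        if age_days > sla:
            overdue.append((r["asset"], age_days))
    return {
        "median_days_to_patch": median(closed) if closed else None,
        "kev_remediated_pct": round(100 * len(kev_done) / len(kev)) if kev else None,
        "overdue": sorted(overdue, key=lambda item: -item[1]),  # oldest first
    }


def example_report():
    """Run the report for the constructed inventory as of a fixed date."""
    return patch_report(INVENTORY, date(2026, 5, 20))


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```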

Final thought

The threat mix has shifted. The next attack on a small business is more likely to come through unpatched software than through someone guessing or stealing a password. None of this means you should abandon the password and MFA habits you've been building. Both fronts are extremely important, but patching just took the lead.

Joel

If you've run into a patching nightmare lately, or you've got a system you know needs updating and can't quite figure out how, I'd be glad to hear about it. You can reach me at joel@freshfromcache.com.

Sources

  • Verizon 2026 Data Breach Investigations Report (primary): Verizon Business, DBIR.

  • SecurityWeek: Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector (May 19, 2026).

  • Help Net Security: Verizon DBIR: Vulnerability exploitation is the dominant initial access vector (May 20, 2026).

  • SC Media: Verizon DBIR 2026: Vulnerability exploits top initial access as patching coverage falls (May 20, 2026).
