Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation

## Executive summary: The 2026 Verizon DBIR (with Tenable Research analysis) finds vulnerability exploitation is now the leading initial access vector (31%), median time-to-patch has risen from 32 to 43 days, and organizations remediate only about 26% of CISA KEV vulnerabilities; the report warns that explosive CVE growth and AI-driven vulnerability discovery could further overwhelm patching and recommends an exposure-management approach to prioritize and automate remediation.