
A teaser of the HCLSoftware ebook The Executive's Playbook for Modern Cyber Threats: Turning Intelligence into Fewer Breaches by Robert H. Leong, Senior Director of Global Cybersecurity Product Management, HCLSoftware.

Download the full ebook here

The Two Lines That Should Change How You Read This Year’s Report

The 2026 Verizon Data Breach Investigations Report (DBIR) highlights a major shift in cybersecurity risk. Vulnerability exploitation has become the leading breach entry point, ransomware continues to grow, and AI-assisted attacks are becoming mainstream. For endpoint security and vulnerability management teams, the report reinforces a critical reality: organizations must improve patch management, asset visibility, and cyber risk prioritization to stay ahead of attackers.

There's a moment Robert Leong recounts in The Executive's Playbook: he's interviewing a SOC team leader and asks what their biggest unresolved problem is. The SOC lead points across the room at a VP of IT and says, "Him." He has handed the VP a list of critical vulnerabilities, heard nothing back, and has no idea what's being patched. When Robert later asks the VP about it, the VP describes buying an extra 16GB of RAM so his laptop could open the spreadsheet of 65,000 identified vulnerabilities in their environment. His team's estimate to patch them all was six weeks of full company shutdown.

That conversation is from 2024. The 2026 Verizon Data Breach Investigations Report, released this month, suggests this kind of scenario is becoming the everyday reality for most defenders. Two findings in particular stand out, and they should change how endpoint management and endpoint security teams read the rest of the report.

First: exploitation of vulnerabilities is now the most common initial access vector for breaches at 31%, while credential abuse has fallen to 13%. The thing endpoint teams have always had the most control over, the state of the box, is now also the thing attackers exploit more than anything else.

Second: only 26% of CISA KEV vulnerabilities were fully remediated in 2025, a considerable drop from 38% the year before. Median time to full remediation climbed to 43 days, up from 32. And the median organization had 50% more critical vulnerabilities to patch this year than last.

The argument those two stats make, together, is the thesis of this year's report. The work that matters most for stopping breaches is the work most organizations are getting demonstrably worse at. This blog walks through five findings that build on those two, with what the ebook does about them.

Finding 1: The Patching Problem Is Getting Structurally Worse

A CVE only gets onto the CISA Known Exploited Vulnerabilities catalog once CISA has confirmed it's being actively used against real targets and a vendor patch is available. These are the patches that matter most.

Defenders fully remediated only 26% of them in 2025. The 38% rate from the year before was already inadequate. Median time to resolution at 43 days, against an adversarial mass-exploitation window measured in single digits, points to something deeper than a tactical gap. The operating model itself is broken.

The ebook digs into why, and the cause turns out to be structural. The control paradigm compliance frameworks were built on, the assumption that organizations could remediate their exploitable attack surface to zero, broke years ago. Most patching programs still operate as if it hadn't.

Finding 2: Ransomware Grew, but the Payment Economics Are Shifting

Ransomware appears in 48% of all breaches in this year's data, up from 44%. That's the bad news. Two pieces of good news rarely travel with the headline.

69% of ransomware victims in the dataset didn't pay. The median ransom paid dropped from $150,000 to $139,875.

For endpoint security teams, the takeaway is concrete. Organizations that prepared (offline backups, tested recovery, segmented environments, hardened endpoints) are increasingly able to say no. The ransomware economy is being squeezed at the wallet end, and attackers respond by going wider. Breach volume keeps climbing even as payment rates fall. Your endpoints are the front line of that fight, because exploitation of vulnerabilities is now also the number one initial access vector for ransomware specifically.

The ebook walks through how to make sure your endpoint estate is on the right side of that 69%.

Finding 3: GenAI Is Demonstrably in the Attacker Toolkit, and in Your Employees’ Browsers

The 2026 DBIR is the first to put hard numbers on AI-assisted attacks rather than speculating about them. Threat actors are using generative AI across targeting, initial access, and malware development. The median threat actor used AI assistance across 15 documented techniques, with some using it across 40 or 50.

Two pieces of nuance from the report matter for how you respond. Most AI-assisted malware development still maps to well-known attack techniques, with a median of 55 existing malware examples already performing the same functions. Less than 2.5% of AI-assisted malware observations involved genuinely novel techniques. The fundamentals still work because attackers are mostly using AI for speed; in the DBIR team's words, it is refinement, not revolution.

On the other side of the same coin, defender exposure to AI is exploding. The DBIR reports that 45% of employees are now regular users of AI tools on their corporate devices, up from 15% the previous year. Shadow AI, the use of unauthorized GenAI services, is now the third most common non-malicious insider action in the report's data loss prevention dataset, a fourfold increase year over year. The most common data type submitted to external GenAI models is source code.

The ebook treats both sides as one problem. The endpoint is where the attacker's AI lands and where your employee's AI behavior originates.

Finding 4: Social Engineering Went Mobile

The human element was present in 62% of breaches, a slight tick up from 60%. The composition is what changed. Median click-through rates on mobile-centric phishing (voice and text-message lures) ran 40% higher than email phishing in this year's simulations. Pretexting, where an attacker builds a fake trust relationship before pulling the trigger, has become a more common initial access vector to ransomware and extortion, reaching 6% of all breaches.

This belongs in an endpoint security conversation because mobile devices are endpoints too. The DBIR data treats them that way. Your endpoint management tools should treat them that way. Organizations that protect laptops to a high standard while treating company phones as a separate, lighter problem are running a security program the attackers have already noticed.

Finding 5: Third-Party Exposure Is Now a First-Party Problem

Breaches involving a third party jumped 60% year over year, reaching 48% of all breaches in this dataset. The DBIR's survival analysis on third-party cloud exposure is brutal: only 23% of third-party organizations fully remediated missing or improperly secured MFA on their cloud accounts. For weak passwords and permission misconfigurations, the time to resolve half of all findings stretched to almost eight months.

Your contractors and your SaaS vendors run endpoints you can't see, and their unmanaged endpoint is your initial access vector. The ebook is direct on this point. Defenders who scope endpoint management at the boundary of their own org chart are scoping for a 2018 threat model.

A Five-Question Diagnostic Before You Download

The ebook gives readers a framework, a five-step plan, and a model for measuring cyber risk as a business variable. Before any of that becomes useful, a defender needs to know where they actually stand. Five questions, derived from the gaps the 2026 DBIR documents:

1. Of the CISA KEVs currently affecting your estate, how many are open past their CISA-mandated due date? If nobody on your team can answer this in an afternoon, that's the first finding.

2. When was the last time a business owner, not a security or IT leader, agreed to a specific number of days for patching a class of asset? A Protection Level Agreement with an actual number attached, beyond the usual generic SLA language.

3. When an employee submits source code to an external GenAI tool, do you see it? The DBIR puts shadow AI in the top three non-malicious insider actions. If you don't see it, you can't measure it.

4. Can a non-technical executive look at one chart and understand your organization's current exposure to known exploited vulnerabilities? If the chart needs a translator, the C-suite can't make business decisions with it.

5. What's your remediation cycle time for a third-party-introduced vulnerability versus a first-party one? If you've never measured the difference, that's the gap the 60% jump in third-party breaches is exploiting.

Two yeses out of five is roughly where most organizations sit right now. Three is solid. The ebook is written for organizations trying to get from two to four.
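As an added example (not code from the ebook or the DBIR), here is how the first diagnostic question and the two Finding 1 metrics (share of KEVs fully remediated, median days to full remediation) can be computed by joining a scanner export to the CISA KEV catalog. The catalog field names are the real ones, but the CVE ids, assets and dates are constructed, and the roll-up rule (a CVE counts as remediated only once every affected asset is fixed) is an assumption about how "fully remediated" is measured.

```python
from datetime import date
from statistics import median

# Constructed subset of a CISA KEV catalog export; the field names (cveID,
# dateAdded, dueDate) match the real JSON, the CVE ids are placeholders.
KEV_CATALOG = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-05", "dueDate": "2026-01-26"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2026-03-01", "dueDate": "2026-03-22"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2026-04-15", "dueDate": "2026-05-06"},
]

# Constructed scanner findings, one row per asset per CVE; remediated_on is
# None while the finding is still open. CVE-0000-9999 is not a KEV.
FINDINGS = [
    {"asset": "web-01", "cveID": "CVE-0000-0001", "found_on": "2026-01-06", "remediated_on": "2026-01-20"},
    {"asset": "web-02", "cveID": "CVE-0000-0001", "found_on": "2026-01-06", "remediated_on": None},
    {"asset": "db-01", "cveID": "CVE-0000-0002", "found_on": "2026-02-11", "remediated_on": "2026-04-01"},
    {"asset": "vpn-01", "cveID": "CVE-0000-0003", "found_on": "2026-03-02", "remediated_on": "2026-03-10"},
    {"asset": "hr-01", "cveID": "CVE-0000-0004", "found_on": "2026-04-16", "remediated_on": None},
    {"asset": "dev-01", "cveID": "CVE-0000-9999", "found_on": "2026-04-16", "remediated_on": None},
]

def kev_metrics(findings, catalog, today_iso):
    """Roll per-asset findings up to per-CVE KEV status (assumed definition:
    a CVE is fully remediated only when no asset still has it open; its
    remediation time runs from first detection to the last asset fixed).
    """
    today = date.fromisoformat(today_iso)
    due = {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog}
    per_cve = {}
    for f in findings:
        cve = f["cveID"]
        if cve not in due:
            continue  # not on the KEV list: out of scope for this metric
        e = per_cve.setdefault(cve, {"open": 0, "first": date.max, "last_fix": date.min})
        e["first"] = min(e["first"], date.fromisoformat(f["found_on"]))
        if f["remediated_on"] is None:
            e["open"] += 1
        else:
            e["last_fix"] = max(e["last_fix"], date.fromisoformat(f["remediated_on"]))
    done = [e for e in per_cve.values() if e["open"] == 0]
    days = [(e["last_fix"] - e["first"]).days for e in done]
    return {
        "kevs_in_estate": len(per_cve),
        "fully_remediated_pct": round(100 * len(done) / len(per_cve), 1) if per_cve else 0.0,
        # still open past the CISA due date: the first diagnostic question above
        "overdue": sorted(c for c, e in per_cve.items() if e["open"] and today > due[c]),
        "median_days_to_full_remediation": median(days) if days else None,
    }
```

Run against a real catalog export, the `overdue` list is the answer to question 1, and the other two numbers are the ones the DBIR reports as 26% and 43 days.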

What the Ebook Does With All of This

The five findings above are descriptive. They tell you what's happening. The ebook is prescriptive, with a framework Robert Leong has been refining with CISOs, CIOs, and business leaders worldwide.

The framework starts from a diagnosis. The defender community is overwhelmed by too many vulnerabilities, misaligned because remediation is too slow, and disjointed because the teams that should be solving this together don't talk to each other. The counterstrategy is three words: accelerate, collaborate, consolidate. The ebook spends real time on what each one means in practice, with worked examples drawn from real customer environments.

From there it gets concrete. The Protection Level Agreement is introduced as a service-level contract between business owners, security, and IT for how quickly critical patches reach critical assets. CyberFOCUS-style analytics map exposure to CISA KEV and to named APT groups so all three audiences argue from a common picture. Automated security policy enforcement is shown working on the endpoint, the kind that turns disabled antivirus back on before the user remembers disabling it. The closing chapter is a five-step plan executives can start this quarter.

It runs about 35 pages, cites the 2026 DBIR throughout, and was written for business readers without an engineering background.

The Bottom Line

The 2026 DBIR's overarching message is calmer than its numbers suggest. Threats keep evolving, but the fundamentals still matter most. Organizations grounded in strong basics around asset visibility, patch discipline, and rehearsed response are better positioned for whatever comes next.

The catch is that the fundamentals are no longer easy. 43 days to remediate a known exploited vulnerability is a fundamentals problem in a very specific sense. The basics, at the current volume and velocity, exceed what most organizations are set up to handle. Endpoint management and endpoint security programs that don't change shape to meet that volume will keep falling behind the curve the DBIR just published.

The shape change isn't exotic, and that's the reason the ebook is worth thirty minutes. The fix is a tighter feedback loop between the business owners who carry the risk and the security and IT teams who own the tools to address it.

FAQs

What is the Verizon DBIR?

The Verizon Data Breach Investigations Report (DBIR) is an annual cybersecurity report that analyzes real-world data breaches and cyber incidents worldwide.

What does the 2026 Verizon DBIR say about vulnerability exploitation?

The report found that vulnerability exploitation accounted for 31% of initial breach access, making it the leading attack vector.

Why is patch management important according to the 2026 DBIR?

Only 26% of CISA Known Exploited Vulnerabilities were fully remediated, highlighting the growing challenge organizations face in reducing exploitable risk.

How is AI affecting cybersecurity threats?

The 2026 DBIR found increasing use of generative AI by attackers for phishing, malware development, and reconnaissance activities.

What role do endpoints play in breach prevention?

Endpoints are often the first point of compromise and therefore remain critical for patching, configuration management, threat detection, and policy enforcement.

Get the full ebook: The Executive's Playbook for Modern Cyber Threats: Turning Intelligence into Fewer Breaches, by Robert H. Leong, HCLSoftware. Download here

Inside: the full breakdown of the accelerate-collaborate-consolidate framework, the Protection Level Agreement model for measuring cyber risk as a business variable, and a five-step plan executives can start this quarter.
