On May 20, 2026, Verizon released the 19th annual Data Breach Investigations Report and inverted a ranking that had held since the document existed. Vulnerability exploitation now drives 31% of confirmed breaches, ahead of credential abuse at 13%. That is the first time in 19 years a software flaw has outpaced a stolen password as the most common way attackers get in. The dataset is not small: 31,000 incidents and 22,000 confirmed breaches across 145 countries, with the breach count nearly doubling from the prior year's 12,195.
The mechanism is the obvious one. SecurityWeek's writeup of the report quotes the Verizon team directly: "The rapid weaponization of known vulnerabilities by AI can create a capacity crisis for security teams." The median time to patch a public-facing critical vulnerability in 2025 was 43 days, up from 32 days the prior year. Median time to weaponize a fresh advisory, per the same report, is now measured in hours. Those two numbers do not coexist in the same year without breaches.
For an SMB, none of this is hypothetical. The report's industry breakouts say the vector flipped across critical infrastructure too, and the patch backlog the DBIR describes is closer to the average MSP-served, sub-500-employee environment than it is to a Fortune 500 SOC. The shift here is not "the bad guys are smarter." It is that the calendar a 200-person company has been patching against assumes attackers move at human speed. Attackers no longer do.
What actually changed in this year's data
Five numbers are worth memorizing before the next budget review:
- 31% of breaches involved vulnerability exploitation as the initial entry vector. Credential abuse, last year's leader, fell to 13%. Trey Ford of Bugcrowd put it cleanly: "The DBIR's 19-year credential streak ending is not primarily a credential story; it is an economics story." Vulnerabilities became cheaper to weaponize than passwords became to steal.
- 43 days median patch time for public-facing critical CVEs, up from 32 days in the prior report. The number is going the wrong way despite a decade of CISA, ISACs, and patch-Tuesday discipline.
- 26% of CISA KEV entries were actually patched within deadline by the orgs the DBIR studied, down from 38% a year ago. The KEV deadline is shrinking and remediation against it is shrinking faster.
- 48% of breaches involved a third party, a 60% year-over-year increase in third-party involvement. The DBIR specifically calls out third-party MFA: only 23% of third-party organizations fully remediated missing or improperly configured MFA after notification.
- 48% of breaches involved ransomware, up from 44%. The median ransom paid fell below $140,000, and 31% of victims paid. Less leverage per victim, more victims overall.
The interesting line in the report is the AI one. Verizon's analysts found a median of 15 distinct AI-assisted techniques per documented threat actor, with the top actors using 40 to 50. AI is not a single attack class in the 2026 DBIR. It is a multiplier on every other attack class the report tracks.
Why the patch window already broke for SMBs
Forty-three days against hours is the headline. The number underneath it is more painful: the report's analysts measured a 50% higher median count of critical flaws requiring a patch in 2025 than in 2024, against a workforce that did not grow 50%. The math is the same math every SMB IT lead has been quietly running. There is more to patch, less time to patch it, and no help arriving on the org chart.
The KEV metric is the cleanest read. The federal Binding Operational Directive that created the catalog was always a benchmark, not a hard ceiling. The DBIR data says that benchmark is slipping in two directions at once. Average remediation-to-deadline ratio fell from 38% to 26%, which means almost three out of four KEV findings now miss the deadline they were given. Meanwhile, CISA shortened several of those deadlines this spring, including the May 26 deadline for CVE-2026-9082 (the actively-exploited Drupal Core SQL injection added on May 22) at three days from add to due. Three days is shorter than most SMB change-control cycles.
The practical SMB read is that "we patch monthly on the second Saturday" is now actively dangerous for any system that is exposed to the internet or used by privileged operators. Anything in the KEV catalog needs an emergency path, and "emergency" means a tested process with a rollback, not an ad hoc Friday-night ticket. The DBIR data is the evidence that the second-Saturday cadence is in fact breaking, not just at risk of breaking.
The shadow AI multiplier
The other number that should rearrange someone's quarter is shadow AI. The DBIR found that 45% of employees are now regular users of AI services, up from 15% a year ago. More telling: 67% of users accessing AI services on corporate devices were doing so through non-corporate accounts. Personal ChatGPT, personal Claude, personal Perplexity on the laptop the company issued, with the company data the user happened to be working on. There is no DLP rule in the average SMB that catches that, because the request looks like benign HTTPS to an approved domain.
Couple shadow AI to the vulnerability-exploitation finding and the picture sharpens. The same workforce that is pasting customer lists into a personal AI chat is also responsible for the patch backlog. The report does not draw the line, but it is the obvious one to draw: the same time-poor, attention-starved IT team is now responsible for both a faster patch clock and a brand-new data-exfiltration channel they cannot see. Neither problem gets solved by a memo.
The third-party tax went up 60%
The 60% year-over-year increase in third-party involvement in breaches is the line most large enterprises will care about, but it actually hits SMBs harder. A sub-500-employee company typically depends on three to five vendors that, if compromised, are compromise of the whole company: the email host, the identity provider, the payroll system, the RMM that the MSP runs, and whichever specialty SaaS owns the line-of-business data. The DBIR's 48% number is the average across all victim sizes. For SMBs the practical exposure is higher because the vendor list is shorter and more concentrated.
The most actionable third-party finding in the report is the MFA one. Of the third-party orgs whose missing or misconfigured MFA contributed to a downstream breach, only 23% fully remediated after notification. That is the number that should drive the vendor-risk conversation this quarter. Anyone who has not asked their three most critical vendors a single yes/no question — "is MFA enforced on every account, including service accounts, and can you show me the conditional access policy?" — is on the wrong side of that 23%.
The SMB action list for the next 30 days
The DBIR is a long document and a useful one, but most of its value collapses into five operational changes for an SMB. Run these.
1. Replace the monthly patch window with a KEV-driven cadence
The KEV catalog is published as JSON at a stable URL. Pull it on a schedule, parse the deadline, and let it open the ticket. Anything else is theater.
# PowerShell — pull KEV daily, flag entries due within 14 days against your inventory
$kev = Invoke-RestMethod -Uri "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
$soon = (Get-Date).AddDays(14)
$open = $kev.vulnerabilities | Where-Object {
[datetime]$_.dueDate -lt $soon -and
[datetime]$_.dueDate -gt (Get-Date)
}
$open | Select-Object cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse |
Sort-Object dueDate | Format-Table -AutoSize
# Bash equivalent for piping into Slack/Teams webhook
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
| jq -r --arg now "$(date -u +%Y-%m-%d)" '
.vulnerabilities[]
| select(.dueDate > $now)
| select((.dueDate | fromdate) < ((now) + 14*86400))
| "\(.cveID)\t\(.vendorProject) \(.product)\tdue \(.dueDate)\tknown_ransom=\(.knownRansomwareCampaignUse)"'That feed gets richer with the knownRansomwareCampaignUse flag, which is the single best ranking signal for "patch this first" if you have to triage. Any KEV entry flagged "Known" should jump the queue.
2. Measure your real time-to-patch and put it on a leadership dashboard
The DBIR median is 43 days. Most SMBs do not actually know their own number. Compute it for the last three KEV-listed vulnerabilities you patched. Subtract the CISA dateAdded from your remediation date. If the average is above 14 days, the patch cadence is the next thing to fix. If it is above 30, the cadence is broken and the executive team needs to know the dollar exposure that creates — because the carrier already does.
3. Treat third-party MFA as a contractual ask, not a hope
For the three to five vendors that, if compromised, would compromise you, send a one-page security questionnaire today. Three questions, not thirty: Is MFA enforced for every human account including admin? Is MFA enforced for every service account or API token? When was the last time you tested the configuration end-to-end? If the answer to any of the three is vague, that vendor is in your 60% third-party risk bucket. The fix is contractual, not technical.
4. Block the shadow AI exfiltration channel before it shows up in your DBIR row
The 67% non-corporate-account stat says the policy and the technical control both need to ship in the same week. Policy: a one-page acceptable-use rule that names ChatGPT, Claude, Gemini, Perplexity, and Copilot, says what data may and may not be pasted, and clarifies that personal accounts on corporate devices are out. Technical: at minimum, route corporate-device traffic through a forward proxy that logs requests to those domains, even if you do not block them. The log itself changes behavior. The longer move is provisioning enterprise AI accounts under SSO so the personal-account version becomes friction, not the path of least resistance.
5. Set a 72-hour KEV SLA internally — whether or not CISA changes the rule
CISA is publicly weighing a cut from 14 days to 72 hours for new KEV additions. Whether the rule ships matters less than what it signals: the federal agency with the best telemetry in the country no longer trusts a two-week clock. Pick a stretch internal SLA of 72 hours for any internet-facing KEV addition, 14 days for internal ones, and track exceptions as a single number that goes in front of leadership monthly. The DBIR is not a forecast. It is a description of the year that just ended. The 2027 edition will be written with the decisions made in the next 30 days.
Most years the DBIR is a thought-leadership artifact. This year's edition is operational. The flip from credentials to vulnerabilities is not the kind of trend that reverses on its own, and the gap between 43-day patches and hour-scale exploits is the kind of gap that closes through breaches if it does not close through process. Pick which kind of closure ends up in next year's data.
Need a vulnerability management cadence that survives a 72-hour clock?
Red Hound helps SMBs build the KEV ingestion, inventory mapping, and exception tracking that keeps remediation ahead of federal deadlines without a dedicated VM team. Book a 30-minute working session and we will walk through your last three KEV-listed remediations against the DBIR 2026 median, identify the two changes that would cut your time-to-patch in half, and leave you with a one-page leadership dashboard you can hand off the same week.