
Patching just beat phishing as the top cause of breaches. Now what?

The Verizon DBIR 2026 reports vulnerability exploitation is now the leading initial access vector for confirmed breaches at 36%, overtaking credential theft for the first time. The implications are not subtle.

By GenexOne Team, May 13, 2026, 3 min read

The Verizon Data Breach Investigations Report is the closest thing the security industry has to a yearly weather report. For more than a decade it has told the same basic story. Humans are the weak link, phishing is the most common breach entry point, train your users, deploy MFA, you know the rest.

The 2026 edition flipped it. Vulnerability exploitation is now the leading initial access vector for confirmed breaches at 36%, ahead of stolen credentials. The shift was building for two years and has now crossed the line decisively. It changes where security budgets should go.

Why it shifted

Two compounding causes.

The first is that MFA finally got deployed widely enough to matter. Phishing-resistant authentication is now the default in most enterprise environments. Phishing campaigns still work (they always will), but the conversion rate dropped enough that the attacker economy moved.

The second is that the CVE pipeline got faster. The cycle from vulnerability disclosure to weaponized exploit publication to integration into automated scanning kits used to take weeks. It now takes hours. By the time you read the CVE, mass exploitation against unpatched systems has already started.

An attacker today buys a working exploit kit on the open market for less than what running a believable phishing campaign costs. The math moved.

What it means for where money goes

If you are still allocating security budget according to the old DBIR (awareness training, phishing simulations, password managers) you are defending against the previous war. Three places where the marginal dollar moves in 2026.

Patch latency. The metric that matters is not whether you patch. It is how long between disclosure and full coverage. The 2026 attacker assumption is that you will patch within 30 days. A 30-day SLA is now table stakes. The frontier is a 72-hour SLA for critical CVEs, which requires actual operational investment: automated dependency updates, deployment pipelines that run in minutes, and a runbook for "security patch arrived."

Asset inventory. You cannot patch what you do not know exists. The teams that struggled with the May Next.js disclosures were not the ones who failed to upgrade. They were the ones who took three days to even enumerate which deployments needed the upgrade. SBOM tooling, dependency graph visibility, and hunting for unowned assets are the unglamorous work that pays off here.

Exploit-aware monitoring. Not every CVE gets exploited at scale. The ones that do show up in attack telemetry within 24 to 48 hours. Wire your monitoring to known exploited vulnerability feeds (CISA KEV is free and updates daily) and prioritize patching against actual observed exploitation, not just CVSS scores.
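The three points above (patch latency SLAs, an inventory you can actually query, and KEV-driven prioritization) come together in the small triage routine below. It is an added example, not code from the post or from GenexOne; the KEV excerpt and the asset inventory are constructed, the CVE ids are placeholders, and only the field names follow the public CISA KEV JSON layout.

```python
"""Rank open findings by observed exploitation (KEV) first, CVSS second, and flag SLA breaches."""
import json
from datetime import datetime, timedelta, timezone

# Constructed KEV excerpt: field names follow the public CISA KEV JSON, CVE ids are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-00001", "dateAdded": "2026-05-11", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-00003", "dateAdded": "2026-05-12", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: each deployment mapped to an open finding with its CVSS and disclosure time.
INVENTORY = [
    {"asset": "web-frontend-prod", "cve": "CVE-2099-00001", "cvss": 6.5, "disclosed": "2026-05-10T09:00:00Z"},
    {"asset": "internal-wiki",     "cve": "CVE-2099-00002", "cvss": 9.8, "disclosed": "2026-05-01T00:00:00Z"},
    {"asset": "api-gateway-prod",  "cve": "CVE-2099-00003", "cvss": 7.2, "disclosed": "2026-05-12T15:00:00Z"},
]

SLA_KEV = timedelta(hours=72)      # the 72-hour frontier SLA for exploited CVEs
SLA_DEFAULT = timedelta(days=30)   # the 30-day table-stakes SLA for everything else
EXAMPLE_NOW = datetime(2026, 5, 13, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example


def load_kev(raw: str) -> dict:
    """Index the KEV feed by cveID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def build_patch_queue(inventory: list, kev: dict, now: datetime) -> list:
    """KEV-listed findings first (ransomware use ahead), then by CVSS; attach SLA deadline and status."""
    queue = []
    for f in inventory:
        entry = kev.get(f["cve"])
        disclosed = datetime.fromisoformat(f["disclosed"].replace("Z", "+00:00"))
        deadline = disclosed + (SLA_KEV if entry else SLA_DEFAULT)
        queue.append({
            **f,
            "in_kev": entry is not None,
            "ransomware": entry is not None and entry.get("knownRansomwareCampaignUse") == "Known",
            "deadline": deadline.isoformat(),
            "overdue": now > deadline,
            "age_hours": round((now - disclosed).total_seconds() / 3600, 1),
        })
    # Observed exploitation outranks a higher CVSS score that nobody is exploiting.
    queue.sort(key=lambda q: (not q["in_kev"], not q["ransomware"], -q["cvss"]))
    return queue


if __name__ == "__main__":
    for item in build_patch_queue(INVENTORY, load_kev(KEV_JSON), EXAMPLE_NOW):
        print(item["asset"], item["cve"], "KEV" if item["in_kev"] else "cvss-only",
              item["deadline"], "OVERDUE" if item["overdue"] else "ok")
```

Note that the CVSS 9.8 finding lands last: it is not in KEV, so it gets the 30-day SLA, while the 6.5 that is being exploited is already past its 72-hour window.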

What does not change

The shift in initial access vector does not mean phishing is dead or that user training is wasted. Stolen credentials are still 22% of breaches. MFA is still the highest ROI security control by a wide margin. Awareness training still has its place.

What changes is the proportion of effort. If your security spend is 70% on user-facing controls and 30% on infrastructure hygiene, those numbers should flip. The attackers already flipped theirs.

How to pitch this up the chain

If you are pitching budget reallocation up the chain, the DBIR data is the lever. "Vulnerability exploitation is now the leading cause of breaches per Verizon" lands differently than "we should patch faster." Cite the report. Pitch the SLA. Ask for the operational investment to make 72 hour patches achievable.

The window for shifting will close. By the 2027 report, every CISO will have made this move and the budget conversations will have already happened. The teams that move now are the ones who end up on the right side of the next major coordinated disclosure.

This is the new weather. Plan accordingly.

Tags: security, dbir, patching, vulnerability-management, opinion