Verizon 2026 DBIR — vulnerability exploitation is the #1 breach vector for the first time in 19 years; patching cadence regressed
From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18
The 19th Data Breach Investigations Report (published 2026-05-19, covering Nov 2024 – Oct 2025) records vulnerability exploitation as the most common initial-access vector at ~31%, overtaking credential abuse (~13%) for the first time in the report's history — Verizon attributes the shift in part to AI-assisted weaponisation compressing the disclosure-to-exploit window. The operationally relevant findings for a public-sector SOC are the defensive regressions, not the headline: the median time to fully patch slipped to ~43 days (from ~32), and organisations remediated only ~26% of CISA KEV-listed vulnerabilities (down from ~38%) against ~50% more critical bugs than the prior dataset. Third-party involvement in breaches rose to ~48% of incidents. These are precisely the gaps that this week's actively exploited CVEs (Drupal, Apex One, Langflow, Defender) target; under NIS2 Art. 21(2)(e) the patching-process regression is also a supervisory-audit exposure. "Shadow AI" (unapproved AI tooling) emerged as a notable data-loss action; scope DLP and data-classification controls to LLM upload endpoints.