The DBIR Confirms the New Bottleneck in Security: Not Pointing, but Prioritizing
The 2026 DBIR puts a fine point on an insight we can no longer ignore: in an AI-accelerated world, finding vulnerabilities is going to get a lot easier. With Mythos and other systems shining an X-ray on the Internet, discovery is becoming cheaper, faster, and more scalable.
The real bottleneck is prioritization, and more specifically, deciding what to fix first in an environment that’s already overloaded.
The Verizon data gives a pretty clear picture of why. Exploitation of vulnerabilities is now the most common initial access vector in breaches, reaching 31% in this year’s dataset. The former leader, credential abuse, fell to 13%. That’s a major shift in how attackers are getting in, and it puts much more pressure on vulnerability management programs that were already under strain due to human beings needing to do time-wasting things such as sleep and eat.
What makes the report especially useful is that it does not stop with the top-line number; it also shows that organizations are falling behind on the operational side. Only 26% of CISA KEV vulnerabilities were fully remediated in 2025, down from 38% the year before. Median time to full remediation rose to 43 days, and the median organization had 50% more critical vulnerabilities to patch than it did in the previous year. It’s extraordinarily clear that security teams are being overwhelmed by sheer volume, and that’s before AI-driven discovery truly hits its stride.
There’s more. In its remediation analysis, Verizon describes a patching capacity issue and notes that in the 2025 dataset, 35% of KEV vulnerability instances were still open at Day 28. Because the underlying volume is so large, that translates to 184 million open vulnerability instances. It also says organizations, even at their best, only get to fix about 30% to 40% of KEV instances in the first week after detection, which is why it’s critical to choose the correct ones to patch.
It’s clear that security teams are suffering from too much inventory, too many alerts, too many assets, and too little capacity to work everything with equal urgency. “Find more vulns” is not a strategy anymore, at least not by itself, and soon it may barely qualify as an achievement. If AI can surface vulnerabilities at industrial scale, then discovery becomes the easy part. The hard part is deciding which of those vulnerabilities are actually likely to be exploited, which are relevant in your environment, and which deserve time and focus right now.
The remedy? Prioritization has to become more predictive and more local. A global model like EPSS is an important starting point: for each published CVE it estimates the probability of exploitation activity in the next 30 days, which helps teams sort the near-term threats from the long tail. But even that is only part of the answer. A global probability says nothing about whether the vulnerable asset is reachable from the Internet, whether a compensating control already blunts the attack path, or how much the business would lose if that asset fell. Teams still need a way to understand how those probabilities change in their own environment, with their own assets, controls, configurations, cloud security data, and telemetry.
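To make the “predictive and local” idea concrete, here is an added example (not code from Empirical, and not Empirical’s model) that starts from a global EPSS probability, adjusts it with local context, and then picks what to patch first under a fixed weekly capacity, which is the situation the DBIR describes when only 30% to 40% of KEV instances get fixed in week one. The adjustment factors (`INTERNAL_ONLY_FACTOR`, `COMPENSATING_CONTROL_FACTOR`, `KEV_FLOOR`), the asset criticality scale, and the vulnerability inventory are all assumed values constructed for illustration; the identifiers are placeholders, not real CVEs.

```python
"""Capacity-aware vulnerability prioritization that localizes a global EPSS score.

Illustrative heuristic only. The weighting factors below are assumptions chosen
for the example, not a published or vendor formula.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumed local adjustment factors (not derived from any dataset).
INTERNAL_ONLY_FACTOR = 0.4          # attacker must already be inside the network
COMPENSATING_CONTROL_FACTOR = 0.3   # e.g. WAF rule or virtual patch already in place
KEV_FLOOR = 0.5                     # CISA KEV = exploitation is confirmed, not predicted


@dataclass(frozen=True)
class VulnInstance:
    vuln_id: str                # placeholder identifier, not a real CVE
    asset: str
    epss: float                 # global EPSS probability (constructed value)
    kev: bool                   # listed in CISA KEV
    internet_facing: bool
    compensating_control: bool
    asset_criticality: int      # 1 (low) .. 3 (high), local business-impact rating


def local_likelihood(v: VulnInstance) -> float:
    """Turn the global EPSS probability into an environment-specific likelihood."""
    p = v.epss
    if v.kev:
        p = max(p, KEV_FLOOR)           # never treat a known-exploited bug as a long shot
    if not v.internet_facing:
        p *= INTERNAL_ONLY_FACTOR       # reachability: fewer attackers can get to it
    if v.compensating_control:
        p *= COMPENSATING_CONTROL_FACTOR  # an existing control already blunts the path
    return p


def local_priority(v: VulnInstance) -> float:
    """Likelihood weighted by what the asset is worth to the business."""
    return local_likelihood(v) * v.asset_criticality


def top_ids(instances: List[VulnInstance], capacity: int,
            key: Callable[[VulnInstance], float]) -> List[str]:
    """Return the vuln_ids a team with `capacity` fixes this week should take first."""
    ordered = sorted(instances, key=key, reverse=True)
    return [v.vuln_id for v in ordered[:capacity]]


def plan_week(instances: List[VulnInstance], capacity: int
              ) -> Tuple[List[str], List[str], float]:
    """Split the backlog into fix-now / defer and report how much of the total
    locally weighted exploitation likelihood the fix-now set covers."""
    ordered = sorted(instances, key=local_priority, reverse=True)
    fix_now, deferred = ordered[:capacity], ordered[capacity:]
    total = sum(local_priority(v) for v in ordered)
    covered = sum(local_priority(v) for v in fix_now) / total if total else 0.0
    return [v.vuln_id for v in fix_now], [v.vuln_id for v in deferred], covered


# Constructed inventory: eight open instances, one patching window of three fixes.
INVENTORY = [
    VulnInstance("VULN-A", "edge-vpn",      0.92, True,  True,  False, 3),
    VulnInstance("VULN-B", "build-server",  0.85, True,  False, False, 2),
    VulnInstance("VULN-C", "public-web",    0.60, False, True,  True,  3),
    VulnInstance("VULN-D", "intranet-wiki", 0.05, False, False, False, 1),
    VulnInstance("VULN-E", "customer-api",  0.30, False, True,  False, 3),
    VulnInstance("VULN-F", "hr-db",         0.02, True,  False, False, 3),
    VulnInstance("VULN-G", "legacy-ftp",    0.75, True,  True,  True,  1),
    VulnInstance("VULN-H", "dev-laptop",    0.40, False, False, False, 1),
]
WEEKLY_CAPACITY = 3


if __name__ == "__main__":
    global_first = top_ids(INVENTORY, WEEKLY_CAPACITY, lambda v: v.epss)
    fix_now, deferred, covered = plan_week(INVENTORY, WEEKLY_CAPACITY)
    print("EPSS-only order :", global_first)
    print("Local order     :", fix_now)
    print("Deferred        :", deferred)
    print(f"Share of local exploitation likelihood covered this week: {covered:.0%}")
```

The point of the comparison is the reordering: ranked by EPSS alone the week goes to VULN-A, VULN-B and VULN-G, but VULN-G sits on a low-value host behind a compensating control, while VULN-E is a moderately scored bug on an Internet-facing, business-critical API. Local context pushes VULN-E into the week and VULN-G out of it. In a real program the factors would be learned from your own telemetry rather than hand-set, but the structure (global probability, local adjustment, fixed capacity) is the same.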
The DBIR makes the situation plain: exploitation is up, remediation is slower, and critical vulnerability volume is climbing. And by the way, this isn’t just a subset of their document: the vulnerability crisis is the core narrative of this year’s report.
(It’s worth noting that our own co-founder & Chief Data Scientist Jay Jacobs contributed heavily to the section on vulnerability prioritization, particularly on page 19, and Empirical gets a shoutout in the footnote. Empirical was co-founded by the people who literally invented risk-based vulnerability management, and our research and insights continue to engage and energize the larger community.)
And so trust us when we say the next stage of vulnerability and exposure management isn’t about finding more vulns. It’s about knowing what’s dangerous in an individual environment using the best predictive models that AI, data science, and local inputs can create. That’s what we’re building at Empirical, because we know that prioritizing likely exploits is no longer a human-scale problem.