TL;DR: The 2026 Verizon DBIR analysed more than 22,000 breaches and found vulnerability exploitation at 31% of cases, overtaking credential abuse at 13%, while third-party breaches reached 48% and ransomware appeared in 48%, according to Verizon. The data reinforces that continuous patching, MFA coverage, vendor oversight, and credential monitoring matter more than periodic compliance checks.
At a glance
What this is: The 2026 Verizon DBIR says vulnerability exploitation has overtaken stolen credentials as the leading initial access vector, while third-party exposure, ransomware, and social engineering remain persistent breach drivers.
Why it matters: IAM and security teams need this shift to recalibrate controls, because identity hardening alone will not stop attacks that enter through unpatched systems, vendor environments, or human-assisted pretexting.
By the numbers:
- The 2026 edition analyzed more than 22,000 confirmed data breaches and 31,000 security incidents across 145 countries, the largest dataset in the report's 19-year history.
- Exploitation of vulnerabilities climbed to 31% of breaches, up from 20% the prior year, a 55% increase.
- Breaches involving a third party jumped 60% year over year, now accounting for 48% of all breaches.
- The report found that the median time to fully patch a KEV vulnerability rose to 43 days.
👉 Read Secureframe's analysis of the 2026 Verizon DBIR threat trends
Context
The core issue in the 2026 Verizon DBIR is not that attackers became more creative, but that common control gaps still remain open long enough to be exploited. Vulnerability management, third-party access oversight, and identity controls now intersect more tightly because compromise often begins outside the login flow and then moves through authenticated trust paths.
For IAM, PAM, and NHI programmes, this matters because credential security is only one layer of exposure. Service accounts, vendor access, remote support paths, and over-privileged workflows all become easier to abuse when patching lags, MFA is missing, or monitoring is weak. The report's overall pattern is typical of today's enterprise environment, not an outlier.
Key questions
Q: What breaks when vulnerability exploitation becomes the main breach path?
A: When vulnerability exploitation overtakes credential abuse, the organisation can no longer rely on identity controls alone to stop initial access. The weak point is often an exposed VPN, web app, or third-party tool that bypasses login defences entirely. Security teams need exposure management, rapid patch prioritisation, and asset visibility to close that gap before attackers use it.
Q: Why do third-party cloud accounts increase identity risk?
A: Third-party cloud accounts increase identity risk because delegated access extends trust outside your direct control. If a vendor lacks MFA, retains stale service credentials, or misconfigures permissions, the weakness can be used to reach your data or workloads. The issue is not just vendor security. It is shared identity governance across the full access chain.
Q: How do security teams know whether patching is keeping up with real risk?
A: Patching is keeping up only when the most recently exploited vulnerabilities are being closed quickly and the backlog of exposed assets is shrinking. Age-based patch metrics are not enough. Teams should measure time to remediate KEV items, exposure on internet-facing systems, and repeat findings across the same asset classes.
Q: Who is accountable when a vendor or help desk workflow is abused?
A: Accountability sits with the organisation that owns the access path and approves the workflow, even when a third party is involved. If a vendor account, help desk reset, or remote support process enables compromise, the control owner must show how identity proofing, logging, and approval steps were enforced. Shared responsibility does not remove accountability.
Technical breakdown
Why vulnerability exploitation now leads initial access
Vulnerability exploitation becomes the preferred entry path when exposed services, VPNs, web applications, or third-party tools lag behind active threat activity. Attackers do not need to defeat identity controls first if they can use a publicly known flaw to gain a foothold. In practice, the initial access event often occurs before the security team has even mapped the affected asset into its current risk queue. The DBIR's KEV findings show that remediation delay is now a material exposure variable, not just an operational inconvenience.
Practical implication: tie patch priority to active exploitation data, not calendar-based patch cycles.
How third-party cloud and SaaS exposure turns identity into an external risk
Third-party breaches in the DBIR are largely driven by insecure authentication and misconfigured cloud environments, which makes identity governance a shared but uneven control surface. Vendor accounts, delegated access, and service credentials extend your trust boundary into environments you do not directly operate. If MFA is missing or service account credentials are not rotated, the external environment becomes part of your attack surface even when your own systems are well controlled. This is where IAM, vendor risk, and NHI governance converge.
Practical implication: review vendor access as an identity lifecycle problem, including MFA, rotation, and offboarding.
How social engineering is evolving beyond email phishing
Voice phishing, SMS, and collaboration-platform impersonation work because they compress persuasion and action into a single interactive session. Rather than tricking someone into clicking a link and waiting, attackers can coach a help desk agent or employee through a damaging reset, transfer, or approval in real time. That changes the control model: awareness alone is not enough if escalation procedures and callback verification are weak. The report's examples show that pretexting increasingly targets identity operations directly, not just end users.
Practical implication: harden help desk identity verification and recovery workflows before attackers use them as access paths.
Threat narrative
Attacker objective: The attacker aims to convert a single exploitable weakness into durable access, operational disruption, or monetisable theft across the victim's environment and trusted partners.
- Entry begins with exploitation of a publicly known vulnerability in a VPN, web application, or third-party tool, giving the attacker an initial foothold without needing valid credentials.
- Escalation follows when the attacker uses that foothold to abuse trusted access paths, harvest credentials, or move into adjacent systems and vendor-connected environments.
- Impact occurs when the attacker reaches ransomware deployment, data theft, or persistent access across internal and third-party systems.
NHI Mgmt Group analysis
Vulnerability exploitation is now an identity governance problem as much as a patching problem. The report shows that entry is increasingly achieved before credential controls are even tested, which means identity teams can no longer assume login protection is the primary choke point. When unpatched systems become the first line of compromise, access reviews and MFA programmes are necessary but insufficient on their own. Practitioners should treat exposure management as part of identity risk governance.
Third-party exposure creates a delegated identity risk that most programmes still under-model. If a vendor's cloud account lacks MFA or retains stale service credentials, the organisation inherits that weakness through shared access and data paths. This is where NHI governance becomes critical, because service accounts, API keys, and delegated OAuth access often outlive the business context that justified them. Practitioners should audit vendor identity lifecycles with the same seriousness as internal accounts.
Continuous control monitoring is replacing point-in-time compliance as the only model that matches today's breach tempo. The report's patching and credential-leak patterns show that annual review cycles are too slow when exploitation and follow-on ransomware can happen within weeks. That shift aligns with NIST CSF and NIST 800-53 thinking on ongoing monitoring, not checkbox attestation. Practitioners should design control signals that detect drift as it happens, not after the fact.
Pretext-driven access now targets the identity function itself, not just users. Help desks, remote support teams, and identity recovery workflows are now part of the attacker playbook, which means the boundary between cyber defence and identity operations is collapsing. If a caller can reset access by sounding legitimate, the organisation has an identity assurance problem, not just a training gap. Practitioners should tighten recovery assurance and escalation validation.
Attack velocity exposes the difference between having controls and operating them continuously. Verizon's numbers show that many organisations still know what to do, but cannot execute it fast enough across large, distributed environments. That gap is where the real governance risk sits: in delayed closure, stale access, and fragmented ownership. Practitioners should prioritise operational cadence over policy intent.
What this signals
Credential exposure windows are now short enough that quarterly or annual control cycles are structurally misaligned with attacker speed. For identity programmes, that means patch exposure, secret leakage, and vendor access all need continuous monitoring rather than periodic attestation. The governance challenge is not awareness. It is operational latency.
NHI governance needs to be integrated with vendor risk, not treated as a separate specialist track. Third-party cloud access, service account rotation, and OAuth visibility are all part of the same trust boundary once external systems can reach internal data. That is why continuous inventory and ownership mapping matter more than one-time reviews.
Identity operations are becoming the front line for social engineering and recovery abuse. Help desk hardening, step-up verification, and session-aware reset workflows should be evaluated alongside MFA and privileged access controls. The practical signal is simple: if the recovery path is weaker than the login path, attackers will choose the recovery path.
For practitioners
- Prioritise KEV-driven patch queues Use CISA KEV status and recent exploitation signals to rank remediation instead of relying on age, severity score, or batch schedules. Build explicit deadlines for externally exposed assets first, then track closure on a weekly basis.
- Extend MFA checks to third-party cloud access Verify that vendors, MSPs, and SaaS administrators enforce MFA on every account that can reach your data or workloads. Require evidence for privileged vendor accounts and reject shared accounts that cannot be tied to a named owner.
- Add credential exposure monitoring to incident readiness Monitor breach dumps and credential intelligence feeds so leaked employee or admin credentials trigger investigation before reuse. Pair alerts with reset, token revocation, and session review workflows so exposure does not become persistence.
- Harden help desk identity verification Require callback validation, step-up approval, and documented identity proofing for password resets, remote access enablement, and MFA changes. Treat voice and messaging requests as high-risk identity events, not routine support.
- Map service accounts and vendor tokens to owners Inventory non-human identities, assign a business owner, and define rotation, offboarding, and approval requirements for each. Remove orphaned API keys and stale service credentials from any environment that cannot prove current business need.
Key takeaways
- The DBIR shows a real change in breach entry patterns, with vulnerability exploitation overtaking credential abuse as the leading access vector.
- Third-party access, social engineering, and ransomware remain tightly linked, which means identity governance now spans internal systems, vendors, and human workflows.
- The strongest response is continuous control monitoring, fast remediation of actively exploited flaws, and tighter governance over delegated access and recovery paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article covers exploitation, credential abuse, and ransomware-driven impact. |
| NIST CSF 2.0 | PR.IP-12 | The post stresses continuous monitoring, remediation, and recovery discipline. |
| NIST SP 800-53 Rev 5 | SI-2 | KEV remediation and vulnerable asset closure align to flaw correction controls. |
| CIS Controls v8 | CIS-7 , Continuous Vulnerability Management | The article's strongest theme is faster identification and closure of exploitable weaknesses. |
| ISO/IEC 27001:2022 | A.8.8 | Vulnerability management and technical patching are directly implicated by the report. |
Map exposed services and follow-on movement to ATT&CK and prioritise the tactics most likely in your environment.
Key terms
- Known Exploited Vulnerabilities: Known Exploited Vulnerabilities, or KEV, are flaws that have confirmed active exploitation in the wild and therefore represent immediate operational risk. In practice, KEV status should change remediation priority, because it signals that attackers are already using the issue rather than merely testing it.
- Third-Party Identity Risk: Third-party identity risk is the exposure created when vendors, MSPs, SaaS providers, or contractors can access your data or systems through their own accounts and controls. The risk is not just the vendor relationship itself, but the quality of authentication, privilege management, logging, and offboarding across that delegated path.
- Pretexting: Pretexting is a social engineering method that uses a believable story, role, or request to convince someone to take a harmful action. It often targets support desks, collaboration tools, and recovery workflows because those paths can bypass normal technical controls by using human trust as the access mechanism.
- Shadow AI: Shadow AI is the use of AI services or agents outside approved governance, usually through personal accounts or unmanaged workflows. It becomes a security issue when sensitive data, source code, or credentials leave controlled environments without logging, policy enforcement, or identity oversight.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step vulnerability management priorities for KEV items, including what to remediate first when patch capacity is limited.
- Vendor-risk questions for MFA, service account rotation, and cloud permission hygiene that go beyond high-level governance.
- Practical guidance for help desk and collaboration-tool hardening to reduce voice, SMS, and messaging-based pretexting.
- Specific recommendations for shadow AI policy, credential monitoring, and backup testing in SMB and DIB environments.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in practical detail. It helps identity and security practitioners translate governance gaps into durable operating controls.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org