By NHI Mgmt Group Editorial TeamPublished 2026-05-25Domain: Cyber SecuritySource: Swarmnetics

TL;DR: Verizon’s 2026 DBIR says vulnerability exploitation now accounts for 31% of breaches, overtaking credential abuse for the first time in 19 years, while critical KEV patching fell to 26% and median patch times reached 43 days. The operational problem is no longer awareness but remediation capacity, and patch visibility has become an access-control issue as much as a vulnerability issue.


At a glance

What this is: Verizon’s 2026 DBIR shows vulnerability exploitation has become the leading initial breach cause, ahead of credential abuse.

Why it matters: That shift matters because IAM, PAM, and secrets teams now have to treat patch lag, exposed services, and third-party access as a single governance problem, not separate workstreams.

By the numbers:

👉 Read Swarmnetics’ analysis of the 2026 DBIR shift to vulnerability exploitation


Context

Vulnerability exploitation now sits at the centre of breach patterns because exposed software often gives attackers a faster path than credential guessing or phishing. In practical terms, the security model breaks when patch backlogs, internet-facing assets, and third-party dependencies are managed separately instead of as one exposure surface.

The identity connection is real even in a vulnerability-led breach landscape. Exploited systems still need credentials, privileged paths, and service accounts to turn initial access into impact, which means IAM and PAM teams cannot treat patch management as someone else’s problem. This is now a cross-functional governance issue, not a narrow vulnerability management issue.


Key questions

Q: What breaks when critical vulnerabilities stay exposed in production?

A: When critical vulnerabilities stay exposed, attackers get a faster entry path than credential theft or phishing, and the organisation loses control of the initial breach window. The main failure is not only technical. It is governance failure, because unpatched internet-facing systems become launchpads for privilege escalation, lateral movement, and data theft. That is why exposure and remediation must be measured together.

Q: Why do unpatched systems increase lateral movement risk for NHIs?

A: Unpatched systems increase lateral movement risk because attackers often use the first compromised host to reach service accounts, tokens, shared admin paths, and other non-human identities. Once inside, identity controls determine blast radius. If those NHIs have standing privilege or weak segmentation, a vulnerability becomes a broader access problem rather than a contained incident.

Q: How do security teams know whether patching is actually reducing risk?

A: Security teams know patching is reducing risk when the number of reachable exploit paths falls, not just when ticket counts go down. Useful signals include internet exposure, asset criticality, privileged identity adjacency, and whether compensating controls exist for partially remediated systems. Completion metrics alone can hide active attack windows.

Q: Who is accountable when vulnerability exploitation leads to a breach?

A: Accountability should sit with the owners of the exposed service, the remediation process, and the connected access model. If a vulnerability remains reachable, the issue is not only security operations. It is also governance over asset ownership, patch prioritisation, and privileged access containment across internal and third-party systems.


Technical breakdown

Why vulnerability exploitation now outruns credential abuse

Attackers prefer the fastest reliable path into an environment. When public-facing applications, appliances, or services remain unpatched, exploitation can bypass the slower work of stealing or guessing credentials. That changes the economics of intrusion: the attacker no longer needs a trusted user to make the first move. In breach terms, vulnerability exploitation functions as a short-circuit around identity controls, then often uses legitimate access paths after entry. The DBIR’s shift suggests organisations are accumulating more exposed attack surface than they can remediate, which makes speed of remediation part of the control plane.

Practical implication: prioritise exposure-based patching for internet-facing assets and tie it to privileged access review windows.

Why patching fatigue becomes a governance failure

Patch fatigue is not just an operations issue. If critical vulnerabilities are only partially remediated, the organisation is effectively accepting a rolling window of exploitable risk across estates, vendors, and legacy systems. The governance failure appears when teams measure patch activity but not actual closure of exploitable paths. That is especially dangerous in mixed environments where one unpatched system can be used to reach credentials, shared services, or administrative tooling. In this sense, vulnerability management and identity governance intersect at the point where an exploited system becomes a launchpad for privilege abuse.

Practical implication: track remediation by exploitability and asset criticality, not by ticket completion alone.

How exposed services still lead back to identity and NHI controls

Even when the initial breach cause is a vulnerability, attackers usually need identities to sustain access. Service accounts, API keys, tokens, and administrative accounts are often the next layer they target after entry. That is why NHI governance remains relevant in a vulnerability-led era: exposed software creates the opening, but over-permissioned non-human identities often determine the blast radius. Continuous discovery, secrets hygiene, and privilege minimisation reduce the chance that a single exploited host becomes persistent access. This is where patch governance and machine identity governance converge.

Practical implication: pair vulnerability prioritisation with secrets inventory and NHI privilege checks on the same asset set.


Threat narrative

Attacker objective: The attacker’s objective is to turn an unpatched system into a reliable foothold that can be expanded into privileged access and business impact.

  1. Entry occurs through exploitation of a known vulnerability in a public-facing system before defenders can patch it.
  2. Escalation follows when the compromised host is used to reach credentials, administrative paths, or other privileged resources.
  3. Impact occurs as the attacker converts the foothold into breach activity, often including lateral movement, data theft, or ransomware deployment.

NHI Mgmt Group analysis

Vulnerability exploitation is now an identity problem as much as a patching problem. Once an attacker enters through an exposed service, the question becomes which credentials, tokens, and privileged paths they can reach next. That means IAM and PAM teams must treat exploitability as a downstream access risk, not just a vulnerability backlog. The practitioner conclusion is simple: exposed software and standing privilege now combine into one breach pathway.

Patch fatigue has become a measurable governance failure, not an execution inconvenience. When organisations can only partially remediate critical vulnerabilities, they are signalling that attack windows remain open longer than the business can tolerate. The DBIR’s shift away from credential abuse shows that attack selection changes when defenders slow down. The practitioner conclusion is to govern remediation as a risk control with executive accountability, not as an IT hygiene metric.

Exposure management and machine identity governance now need to be linked in the same operating model. Vulnerability exploitation often creates the first foothold, but service accounts and other NHIs determine how far an attacker can move once inside. Exposure-driven blast radius: this is the control gap where unpatched assets and over-permissioned identities meet. The practitioner conclusion is to measure whether exploitable systems also hold privileged NHI access.

Third-party and contractor paths deserve the same scrutiny as direct enterprise access. The DBIR notes a rise in human element failures tied to vendors and contractors, which means external trust paths are still easy to overestimate. A vulnerability-led breach often becomes worse when the exploited environment includes shared administration, remote support, or unmanaged service credentials. The practitioner conclusion is to align third-party access review with vulnerability prioritisation and privilege containment.

This shift validates continuous visibility as a control requirement rather than a maturity aspiration. Organisations cannot defend what they cannot inventory, and they cannot prioritise what they cannot map to business-critical exposure. The significance for identity programmes is that visibility must span assets, identities, and remediation state together. The practitioner conclusion is to unify asset discovery, NHI discovery, and remediation reporting into one operational view.

What this signals

Exposure management is becoming a prerequisite for identity governance. When patch lag stretches into weeks, the boundary between vulnerability management and IAM collapses in practice, because exposed assets often hold the identities that attackers want next. Teams should expect stronger board attention on whether remediation state and privileged access state are being assessed together.

Service account and token inventory will matter more in exploit-driven breach paths. Once attackers gain foothold through an unpatched system, the quality of NHI discovery and privilege containment shapes the blast radius. Programmes that can map exposed assets to connected machine identities will be able to explain residual risk far more clearly than teams that track infrastructure and identity separately.

Operationally, the next maturity step is continuous correlation between exposure, privilege, and recovery readiness. The organisations that cope best will be the ones that can answer three questions quickly: what is exposed, what identities can it reach, and how fast can the path be closed. That is where the Ultimate Guide to NHIs , Static vs Dynamic Secrets becomes relevant to remediation planning.


For practitioners

  • Prioritise exploitable internet-facing assets first Rank vulnerabilities by exposure, known exploitation, and business-critical privilege adjacency so the highest-risk systems are patched ahead of low-value backlog items.
  • Tie patch workflows to identity risk review When a critical system is exposed, review the service accounts, API keys, and administrative roles attached to it before declaring remediation complete.
  • Track partial remediation as open risk Do not count a vulnerability as managed until the exploitable path is closed, including compensating controls on the asset and any connected NHI access.
  • Unify third-party access and exposure management Include contractor and vendor-administered systems in the same remediation queue as internal assets, especially where remote access or shared credentials exist.
  • Measure patch latency by attack window Use median days-to-close only as a secondary metric and prioritise the time a critical exposure remains reachable from the internet.

Key takeaways

  • Vulnerability exploitation now leads breach initiation, which means exposed software has become a first-class access risk.
  • The biggest operational weakness is not awareness but incomplete remediation, especially where critical exposures remain reachable for 43 days on average.
  • Identity teams should treat patch lag, privileged access, and NHI exposure as one combined blast-radius problem.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0001 , Initial Access; TA0004 , Privilege Escalation; TA0008 , Lateral MovementThe article centers on exploit-led entry followed by downstream access expansion.
NIST CSF 2.0PR.IP-12Remediation process maturity is the central control issue in the article.
NIST SP 800-53 Rev 5SI-2SI-2 directly supports flaw remediation and patch management for exploitable systems.
CIS Controls v8CIS-7 , Continuous Vulnerability ManagementThe article is fundamentally about failure to close known vulnerabilities quickly enough.
NIST AI RMFMANAGEAI-related commentary in the article touches operational risk handling and monitoring.

Map exposed assets to initial access and later privilege paths, then prioritise controls that cut off escalation.


Key terms

  • Exposure-driven blast radius: The amount of damage an attacker can cause after entering through an exposed system. The concept links vulnerability management to identity governance because the real risk is often determined by which accounts, tokens, and admin paths the compromised asset can reach.
  • Patch fatigue: A state where organisations cannot remediate vulnerabilities as quickly as they are discovered or exploited. It is more than backlog pressure. It indicates that staffing, tooling, legacy systems, and governance are no longer aligned with the pace of exposure.
  • Standing privilege: Persistent access that remains available outside a specific task or time window. In exploit-driven breaches, standing privilege turns a foothold into larger compromise because attackers can reuse legitimate access paths without first creating their own elevated permissions.
  • Critical exposure window: The time between a vulnerability becoming reachable and the point at which effective remediation or compensating controls close it. Shortening this window is often more important than counting tickets closed, because attackers act on availability, not process completion.

What's in the full report

Swarmnetics' full analysis covers the operational detail this post intentionally leaves for the source:

  • The DBIR’s year-over-year breach category breakdown, including the underlying shifts behind the 31% vulnerability exploitation figure.
  • The patching and remediation context around CISA KEV items, including the 50% increase in critical vulnerabilities and the 26% full-remediation rate.
  • The article’s discussion of shadow IT, AI, ransomware, and third-party failures that sit behind the headline breach trend.
  • The source’s interpretation of why patching fatigue, legacy systems, and interoperability issues are shaping breach patterns.

👉 Swarmnetics’ full post covers the breach trend breakdown, remediation data, and the operational pressures behind the shift.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle fundamentals. It helps security practitioners connect identity controls to broader breach paths and operational risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org