
By the numbers: 3 stats from Verizon’s DBIR reveal a patching problem

It’s not that IT pros are slacking off; there are a lot more vulnerabilities to handle.

Do you want the bad news or the bad news?

Amid a 121-page report exploring more than 31,000 cyber incidents and attack trends over the course of a year (including mobile-centric social engineering, shadow AI, ransomware, and more), Verizon’s annual Data Breach Investigations Report (DBIR) also revealed a growing mismatch for the IT pro: Along with a rise in vulnerability exploits, there are more patches than a cybersecurity team can realistically implement.

“Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them,” the report’s authors wrote in their study, published on May 19.

31%: That’s the proportion of data breaches between October 2024 and November 2025 that began with vulnerability exploits.

“That’s the first time in the history of the report that that’s the case. It’s surpassing credential abuse as the number-one threat vector,” Daniel Lawson, SVP of global solutions at Verizon Business, told IT Brew. “The ability to very quickly scan for vulnerabilities, and then try to exploit those vulnerabilities: That is really where it’s becoming the most visible.”

The median number of CISA’s Known Exploited Vulnerabilities (KEV) that organizations had to patch rose from 11 in 2024 to 16 in 2025, according to the report—an almost 50% hike.

“AI is being leveraged by threat actors to accelerate the time to exploit known vulnerabilities, shrinking the window for defense from months to mere hours,” Verizon wrote in its announcement of the report.

43 days: That’s the median amount of time it took IT pros to patch a KEV, according to the report; that’s up from last year’s figure of 32 days.

“It’s very easy to think, ‘Why can’t people just patch faster?’” Alex Pinto, associate director of threat intelligence at Verizon Business (and lead DBIR author) said during a May 19 presentation. But IT pros aren’t slacking off, he added; they’re just dealing with a high volume of patches: “‘Patch faster’ is not an argument anymore. It’s impossible.”

“We have reached the speed of light. With the volumes that we’re facing, we need to think differently about this problem,” Pinto said, adding that IT pros need to focus on defenses that limit attack surfaces, like network segmentation.


32%: That’s the proportion of exploit-related compromises assisted by GenAI, according to the DBIR. Verizon received data from Anthropic, maker of the Claude LLM, to see how threat actors are misusing the popular AI platform “for nefarious cyberactivity.” Pinto envisions AI being effective for surprise vulnerability exploits rather than everyday attacks. “If [AI] is being used for common things, it’s not a concern. It is a concern when it’s being used for novel things, which again ties back to the vulnerability discussion,” he said. “The problem is the novelty. The problem is the curveball.”

Ready, set, patch. An AI arms race has begun between attackers and defenders. Vendor-exclusive initiatives like Project Glasswing, announced in April, aim to give the advantage to defenders, but adversaries can also leverage the latest in automation. For example, Google identified its first criminal threat actor who allegedly developed and leveraged a zero-day exploit with the help of AI.

“Organizations at their very best only get to fix 30%–40% of KEV instances in the first week after detection, so choosing the correct ones to patch really is the key strategy,” the Verizon report read.

Following the launch of Project Glasswing, the nonprofit Cloud Security Alliance (CSA) released recommendations about patch strategy and prioritization. Rich Mogull, chief analyst at CSA, advised IT Brew readers in April to take inventory and prioritize “exposed” assets like web servers, app servers, internet gateways, and network routing equipment, along with email and desktops.
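One way to make “choosing the correct ones to patch” and the CSA’s “prioritize exposed assets” advice concrete, as an added example that is not code from Verizon, the CSA or IT Brew: a small Python ranking that puts KEV-listed findings on internet-facing assets at the front of the queue and computes the median days-to-patch metric the DBIR reports. Asset names, the CVE placeholders, dates and the scoring weights are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional, Tuple

@dataclass
class Finding:
    asset: str
    cve: str                      # placeholder IDs below, not real CVEs
    in_kev: bool                  # listed in CISA's Known Exploited Vulnerabilities catalog
    exposed: bool                 # internet-facing per the asset inventory
    detected: date
    patched: Optional[date] = None

def score(f: Finding, as_of: date) -> int:
    """Rank a finding: KEV membership and exposure dominate; age in days breaks ties."""
    s = 0
    if f.in_kev:
        s += 100                  # assumed weight: actively exploited beats everything else
    if f.exposed:
        s += 50                   # assumed weight: reachable from the internet
    return s + (as_of - f.detected).days

def patch_queue(findings: List[Finding], as_of: date) -> List[Tuple[str, str]]:
    """Open (unpatched) findings, highest score first."""
    open_findings = [f for f in findings if f.patched is None]
    ranked = sorted(open_findings, key=lambda f: score(f, as_of), reverse=True)
    return [(f.asset, f.cve) for f in ranked]

def median_days_to_patch_kev(findings: List[Finding]) -> Optional[float]:
    """The DBIR-style metric: median days from detection to patch for KEV findings."""
    days = [(f.patched - f.detected).days for f in findings if f.in_kev and f.patched]
    return median(days) if days else None

# Constructed sample inventory (not real assets or vulnerabilities)
AS_OF = date(2025, 5, 19)
FINDINGS = [
    Finding("web-01",  "CVE-XXXX-0001", True,  True,  date(2025, 3, 1),  date(2025, 4, 13)),  # 43 days
    Finding("mail-01", "CVE-XXXX-0002", True,  True,  date(2025, 3, 10), date(2025, 4, 11)),  # 32 days
    Finding("db-01",   "CVE-XXXX-0003", True,  False, date(2025, 3, 5),  date(2025, 5, 1)),   # 57 days
    Finding("gw-01",   "CVE-XXXX-0004", True,  True,  date(2025, 5, 2)),                      # open
    Finding("desk-17", "CVE-XXXX-0005", False, False, date(2025, 4, 1)),                      # open
    Finding("app-02",  "CVE-XXXX-0006", False, True,  date(2025, 4, 20)),                     # open
    Finding("vpn-01",  "CVE-XXXX-0007", True,  False, date(2025, 5, 10)),                     # open
]

if __name__ == "__main__":
    print(patch_queue(FINDINGS, AS_OF))        # gateway first: KEV and exposed
    print(median_days_to_patch_kev(FINDINGS))  # 43
```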

Even with all the AI, Lawson sees cybersecurity fundamentals like access control as an essential defense.

“All the things that are the most easily exploitable, they can be exploited at a broader scale and at a faster pace with the tools that are out there. So, it’s really about continuing to do an excellent job in the fundamentals,” he told IT Brew.

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
