Inside the 2026 Verizon DBIR: What One Billion Records Revealed About Vulnerability Remediation
Verizon 2026 DBIR reveals vulnerability remediation backlog grew 7.7x in four years to 527M instances.
Summary
The Verizon 2026 Data Breach Investigations Report, with analysis from Qualys covering over one billion vulnerability remediation records, shows that despite defensive efforts holding steady, the volume of known-exploited vulnerabilities (KEV) has grown exponentially faster than remediation capacity. In 2025, 35% of KEV instances remained open at Day 28 (up from 27% in 2024), with approximately 47 million instances facing no near-term closure path. The report suggests vulnerability management has hit a theoretical speed limit under current human-driven models and that incremental investment alone cannot close the widening gap between vulnerability discovery and remediation.
Full text
The Verizon 2026 Data Breach Investigations Report has been published. Qualys is proud to have served as a research partner and contributor, providing analysis of more than one billion anonymized vulnerability remediation records across four consecutive DBIR reporting cycles of CISA Known Exploited Vulnerabilities (KEV) data.

The DBIR described the picture our data painted in plain terms: a treadmill picking up speed. Defenders are running harder than ever, and still falling behind.

The full extended analysis of the data that we provided Verizon is published as Section 7 of our research report, The Broken Physics of Remediation.

Reading the Survival Curve

The chart below shows the percentage of known-exploited vulnerability instances still open at weekly intervals after CISA adds a CVE to the KEV catalog. The DBIR adopted this survival analysis approach to capture the full lifecycle of each vulnerability, rather than the year-end closure snapshot that most remediation metrics rely on.

The 2025 DBIR, based primarily on data from 2024, was the high-water mark. At every milestone in the survival chart, organizations were remediating faster than they ever had before, showing improvements from 2022 to 2023 and from 2023 to 2024.

Then 2025 happened. The curve shifted back to 2023 levels, with 35% still open at Day 28 (up from 27% in 2024), and the long tail hardened at 9%. That 9% translates to roughly 47 million vulnerability instances with no near-term path to closure under current operating models.

Defender effort did not regress. Median detection-to-closure held steady at 9 days. Organizations closed more vulnerabilities in absolute terms than in any prior year.

The engine did not slow. The load grew. Total KEV-linked instances grew 7.7x in four years, from 68.7M to 527.3M.
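The two metrics this post leans on, the KEV survival curve (share of instances still open at each weekly milestone after the CISA listing date) and the proactive remediation rate (instances closed before the listing date), are straightforward to compute from your own remediation records. The following Python is an added illustration, not Qualys or DBIR code; the Instance record layout, the snapshot date and every sample record are constructed, and the "CVE" ids are placeholders rather than real identifiers. It also contrasts the survival view with the year-end snapshot view the text says most metrics rely on, and it right-censors instances that were listed too recently to have been observed for the full window.

```python
"""Survival-curve and proactive-remediation metrics for KEV-linked
vulnerability instances.

Added illustration, not Qualys or DBIR code. The Instance layout, the
snapshot date and every sample record below are constructed; the "CVE"
ids are placeholders, not real identifiers.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Instance:
    cve: str                 # placeholder id, not a real CVE number
    kev_added: date          # day CISA listed the CVE in the KEV catalog
    closed: Optional[date]   # remediation date; None if still open at the snapshot


def observe(instances: List[Instance], days: int, snapshot: date) -> Tuple[List[Instance], List[Instance]]:
    """Return (still_open, eligible) for the day-`days` milestone.

    An instance listed less than `days` before `snapshot` has not been
    observed for the whole window yet, so it is excluded (right-censored)
    rather than counted as open or closed. An instance closed before its
    listing date counts as closed from day 0.
    """
    eligible = [i for i in instances if i.kev_added + timedelta(days=days) <= snapshot]
    still_open = [
        i for i in eligible
        if i.closed is None or i.closed > i.kev_added + timedelta(days=days)
    ]
    return still_open, eligible


def still_open_fraction(instances: List[Instance], days: int, snapshot: date) -> Optional[float]:
    """Share of eligible instances still open `days` after listing (None if no cohort is old enough)."""
    still_open, eligible = observe(instances, days, snapshot)
    return len(still_open) / len(eligible) if eligible else None


def survival_curve(instances: List[Instance], snapshot: date, weeks: int = 4) -> Dict[int, Optional[float]]:
    """Weekly milestones (day 7, 14, 21, 28, ...) mapped to the open fraction."""
    return {7 * w: still_open_fraction(instances, 7 * w, snapshot) for w in range(1, weeks + 1)}


def open_backlog(instances: List[Instance], days: int, snapshot: date) -> int:
    """Absolute number of instances still open `days` after listing."""
    return len(observe(instances, days, snapshot)[0])


def proactive_rate(instances: List[Instance]) -> float:
    """Share of KEV-linked instances remediated before CISA listed the CVE."""
    proactive = sum(1 for i in instances if i.closed is not None and i.closed < i.kev_added)
    return proactive / len(instances)


def snapshot_open_fraction(instances: List[Instance], snapshot: date) -> float:
    """The year-end style view: share still open on the snapshot date, ignoring age since listing."""
    return sum(1 for i in instances if i.closed is None or i.closed > snapshot) / len(instances)


# Constructed sample: three listing cohorts observed on a fixed snapshot date.
SNAPSHOT = date(2025, 12, 31)
SAMPLE = [
    Instance("CVE-PLACEHOLDER-A", date(2025, 10, 1), date(2025, 9, 25)),   # patched before listing
    Instance("CVE-PLACEHOLDER-B", date(2025, 10, 1), date(2025, 10, 5)),   # day 4
    Instance("CVE-PLACEHOLDER-C", date(2025, 10, 1), date(2025, 10, 20)),  # day 19
    Instance("CVE-PLACEHOLDER-D", date(2025, 10, 1), date(2025, 10, 25)),  # day 24
    Instance("CVE-PLACEHOLDER-E", date(2025, 10, 1), None),                # long tail
    Instance("CVE-PLACEHOLDER-F", date(2025, 11, 10), date(2025, 11, 12)), # day 2
    Instance("CVE-PLACEHOLDER-G", date(2025, 11, 10), date(2025, 11, 20)), # day 10
    Instance("CVE-PLACEHOLDER-H", date(2025, 11, 10), None),               # long tail
    Instance("CVE-PLACEHOLDER-I", date(2025, 12, 20), date(2025, 12, 22)), # day 2, censored past day 7
    Instance("CVE-PLACEHOLDER-J", date(2025, 12, 20), None),               # censored past day 7
]

if __name__ == "__main__":
    for day, frac in survival_curve(SAMPLE, SNAPSHOT).items():
        print(f"day {day:>2}: {frac:.1%} still open")
    print(f"day 28 backlog: {open_backlog(SAMPLE, 28, SNAPSHOT)} instances")
    print(f"proactive rate: {proactive_rate(SAMPLE):.1%}")
    print(f"snapshot view:  {snapshot_open_fraction(SAMPLE, SNAPSHOT):.1%} open on {SNAPSHOT}")
```

On the constructed sample the survival curve runs 60%, 50%, 37.5% and 25% at days 7, 14, 21 and 28, while the snapshot view reports only 30% open on the snapshot date; the difference is exactly what the text means by the snapshot hiding the lifecycle. The December cohort drops out of every milestone past day 7 because it has not been observed for 14 days yet; counting it as closed would flatter the curve and counting it as open would inflate it.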
At Day 28, the absolute open backlog grew from 31 million to 184 million instances. Volume scaled past the capacity that years of tooling and process investment had built.

What Mature Vulnerability Management Looks Like

A minority of organizations consistently outperform the curve. They share a defining behavior: they do not wait for CISA to add a CVE to KEV before committing to patch it. Operating with the same disclosures and advisories available to every other defender, they apply risk-based prioritization, embedded threat-actor context, and advanced scoring systems to route likely-exploitable vulnerabilities into remediation workflows days, sometimes weeks, ahead of the formal KEV listing.

The numbers show the discipline works, and that even this is no longer enough. Defenders proactively patched 63.7 million vulnerability instances before CISA added them to KEV in 2025, a 30% year-over-year increase. Yet the proactive remediation rate fell from 16.6% to 12.1%. The reason is volume. Total KEV-linked workload grew 78% in the same window, from 295.8M to 527.3M instances. Proactive output scaled linearly. The threat economy compounded exponentially.

The Operating Thesis Has Changed

For more than a decade, the operating thesis of vulnerability management has been that faster manual remediation could outrun the attacker. The four-year survival analysis retires that thesis. The remediation engine is running at the same RPM. The load has increased nearly eightfold. No incremental investment in staffing, tooling, or process closes a structural gap of this shape.

Reflecting on the combined findings, the DBIR offered an interpretation that warrants careful attention: this dataset may be an initial measurement of a “speed of light” for vulnerability remediation processes, a theoretical limit on what any model bound by human triage, change windows, and approval gates can deliver.
More than one billion records, four reporting cycles, and three years of additional tooling and mandate pressure have not moved that limit. What closes the gap is an architectural shift: machine-speed pipelines that route validated, environment-confirmed exposures into autonomous remediation. We refer to this model as the Risk Operations Center (ROC).

The 2026 Verizon DBIR delivers the headline survival curve and frames the patching capacity problem at industry scale. The extended analysis (the four-year cohort KEV survival curve breakdown, absolute backlog growth, the proactive-defense subset, the first-week ceiling, and the operational architecture that responds to it) lives in the appendix of The Broken Physics of Remediation. The data is the strongest case we have made to date for changing the model.

Get your own copy of The Broken Physics of Remediation.