|
Getting your Trinity Audio player ready...
|
For 19 years, every edition of the Verizon DBIR told the same story about initial access – credential theft was the number one entry vector, every time. The 2026 report broke that streak. Exploitation of vulnerabilities took the top spot at 31% of breaches, up from 20% the year before.
This is big news, of course. And the natural reaction of security teams might be “patch faster.” But I’d push back on that.
The reason? For the first time, the DBIR also ran attack graph analysis on real environments – mapping users, groups, and permissions to model what happens after an attacker gets in. What they found was stark: 16% of organizations had about 80% exposure. In nearly a fifth of organizations, an attacker with low-level privileges had an 80% or better chance of reaching a key administrative account. So, while a vulnerability may get an attacker through the door, the true path to privilege escalation (and ultimately, the crown jewels) is paved with permissions and configurations – things that no patch can touch.
In this blog, I’ll walk through what the DBIR data shows about how attackers escalate after initial access, why Verizon chose attack graph analysis to model it, and what the report’s own patching data says about the limits of vulnerability-first remediation.
After the Door Opens
Once the attacker is inside, the report found that 83% of privilege escalation incidents involve no vulnerability. So, what does stop escalation?
The DBIR broke down escalation mitigation into four categories: patches, passwords, configurations, and permissions. Patches address about 10% of escalation techniques. Password policies cover 30%. Configurations cover 33%. And privilege management covers a whopping 65%.
That points to a clear imbalance between where most organizations focus and where the exposures actually are. Despite the fact that the DBIR’s data shows patching addresses the smallest slice of the escalation surface, most security programs still put the bulk of their remediation energy there. I’ve seen the same pattern at nearly every organization I’ve worked with – patch management has a mature process, a dedicated team, and a dashboard that reports to leadership. Privilege hygiene has a spreadsheet and a quarterly review that no one looks forward to.
That gap is where the 16% / 80% finding comes from. The organizations with 80% exposure aren’t failing at patching. They’re running environments where the permissions layer gives an attacker a clear route from any low-privilege foothold to a key administrative account. The trick, therefore, is finding and blocking that route.
Verizon Ran the Attack Graph
Finding the route requires a different kind of visibility. To produce the escalation data in the DBIR, Verizon had to model real environments as a graph – users, groups, permissions, trust relationships – and trace the paths an attacker could take from an initial foothold to high-level access.
Verizon’s reasoning for doing this is captured in a line I wish I’d written: “What is a threat actor but an unapproved (and malicious) administrator?” The point is, an attacker who lands with low-privilege access doesn’t need another exploit. They need a path through the permissions, group memberships, and trust configurations that already exist. Verizon built the graph to see those paths. What they found was that in a significant share of organizations, the paths were wide open.
Once you can see the attack path, the next question is where to cut it. Many of those paths share common nodes – an over-permissioned service account, a nested group membership, misconfigured delegations. Fix one of those nodes and you can close dozens of paths – not just the one. In my world, we call those choke points, and they’re where remediation has the highest ROI.
Why Patching Everything Stalls Anyway
The attack graph shows that the road from foothold to domain admin doesn’t depend on vulnerabilities. So, it’s clear that patching won’t fix the escalation problem. But the harder truth is that it’s not really fixing the initial access problem either.
Verizon found that only 26% of CISA KEV vulnerabilities were fully remediated in 2025, down from 38% the year before. The median time to full resolution climbed to 43 days, up from 32. And organizations had 50% more critical vulnerabilities to patch than the previous year. Even the best teams hit a ceiling – seven days after detection, somewhere between 60% and 70% of KEV vulnerabilities remain open regardless of organizational maturity. The report calls the remediation trend “a treadmill picking up speed.” The belt moves faster every year, and no one is keeping up.
What’s the takeaway here? The DBIR recommends focusing on the vulnerabilities with recent exploitation activity rather than trying to patch the full catalog. In other words: prioritization – leverage the attack graph to tackle the vulnerabilities that matter. I’ve spent years telling security leaders that patching everything is not a strategy. It’s the first time I’ve seen Verizon’s data say it back.
What the DBIR Is Really Saying
For the first time in 19 years, the DBIR looked at what happens after the attacker gets in – and mapped the routes they take to privilege escalation. Verizon’s data is telling us that real exposures live in the permissions, configurations, and trust relationships along those routes.
The path forward is to map those routes in your own environment, find the choke points where one fix closes dozens of paths, and give privilege management the same operational maturity that patching has had for two decades. The industry’s most trusted breach report has changed how it assesses risk. Nineteen years of breach data said “keep the attacker out.” This year’s report asked what happens when you can’t?
XM Cyber maps these routes across real environments every day. See how it works.