Verizon's DBIR Says Exploitation Just Beat Credential Theft. Our PoC Harvest Confirms It.
- Patrick Duggan
- 2 minutes ago
- 3 min read
The Verizon Data Breach Investigations Report for 2026 has a headline number that the security industry should sit with: vulnerability exploitation is now the leading breach vector, at 31 percent of confirmed breaches. Credential abuse — the phishing-to-stolen-password-to-reuse chain that has dominated the threat landscape for years — dropped to 13 percent. This is the first time exploitation has been the top vector.
We run an automated exploit harvester that sweeps GitHub every six hours, extracts proof-of-concept code, and converts it into detection rules. We have been doing this for months. Our harvest data confirms what Verizon measured — and adds the texture that aggregate statistics cannot carry.
The DBIR's top-line numbers are worth holding together.
Confirmed breaches nearly doubled from 2024 to 2025 — 22,000 against 12,195 the year before. Ransomware was involved in 48 percent of confirmed breaches, up from 44. Third-party breaches increased 60 percent and were present in 48 percent of incidents. Median patching time grew from 32 days to 43 days. Only 26 percent of CISA's Known Exploited Vulnerabilities catalog was patched in 2025, down from 38 percent in 2024. The volume of critical CVEs increased 50 percent year over year. There were more than 21,500 CVEs disclosed in the first half of 2026 alone.
The sentence from the report that captures the structural problem: "The window for defense has decreased from months to hours."
That is not an abstraction. It is measurable.
Here is what our PoC harvest data looks like in that context.
This week we documented the WP Maps Pro plugin vulnerability, CVE-2026-8732, a CVSS 9.8 flaw that allows unauthenticated WordPress admin account creation. Our harvester indexed the first proof-of-concept code for this vulnerability on May 30. Active exploitation — Wordfence blocking over 2,000 attacks in 24 hours — was confirmed on June 2. Three days from PoC to active campaign.
The SharePoint spoofing vulnerability CVE-2026-32201 had a PoC repository appear on April 22. Microsoft confirmed active targeting in June. Six weeks from PoC to named targeting.
The AI-assisted ransomware framework that Sophos documented this week — the one using Claude Opus as a coordinator for iterative EDR evasion development — generated nearly 80 modules tested against more than 70 evasion techniques in what appears to have been a matter of weeks, not the months that manual development would have required.
The Verizon report states that AI tools are shortening the period between the publication of offensive security research and its practical implementation. Our harvest data shows this in specific numbers rather than generalizations.
The 43-day median patching time against a 3-day PoC-to-exploitation window is the gap that matters.
Defenders are operating on a timeline where the median patch takes six weeks while attackers move from published research to active campaigns in days. The remediation deadline system — CISA requiring federal agencies to patch within days of KEV additions — exists precisely because the voluntary patching timeline is structurally too slow for the current environment. Only 26 percent of KEV entries were patched at all in 2025.
The third-party increase is the piece that the industry has not yet fully priced in. Third-party breaches up 60 percent, present in 48 percent of incidents. The Salesloft breach we documented earlier this week — one compromised SaaS platform giving attackers access to 760 organizations through OAuth tokens — is the shape of that number. The Miasma campaign compromising Red Hat npm packages and attempting to spread to every package the infected developer could publish to is the shape of that number. Vercel breached through Context.ai is the shape of that number.
Vulnerability exploitation overtaking credential theft as the top vector does not mean credential theft is going away. The 62 percent human element number — breaches involving human action or error — persists. The shift means that waiting for users to fail is now secondary to finding the vulnerable component in the stack that nobody has patched yet. Attackers have learned that the infrastructure is more reliably exploitable than the humans, and that AI can test exploitation faster than defenders can rotate.
Our PoC harvest now tags every detection rule by vendor. Across the current corpus of detection content, the top vendor by PoC volume is Linux at 50 rules, followed by Meta at 41, Palo Alto Networks at 15, Microsoft at 11, and Fortinet at 9. The DBIR's exploitation-first finding maps directly to what our harvester is seeing in public research repositories: researchers and threat actors are both producing CVE exploitation content at a pace that patching cycles cannot match.
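One way to turn the two measurements above (the PoC-to-exploitation lag and the 43-day median patch window) and the per-vendor rule tagging into a triage view is sketched below. This is an added example, not the harvester's own code: the record layout, the `PocRecord` dataclass, the function names, the "as of" date and every value marked constructed in the comments are assumptions; only the CVE identifiers and the May 30 / June 2 / April 22 dates come from the post.

```python
"""Exposure-window triage over harvested PoC metadata.

Added example, not the harvester's own code. Sample records are built from the
figures in the post; dates and vendor tags marked "constructed" are placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Median patching time reported by the DBIR, used here as the patch SLA.
PATCH_SLA_DAYS = 43


@dataclass(frozen=True)
class PocRecord:
    cve: str
    vendor: str                              # vendor tag attached to the detection rule
    poc_first_seen: date                     # first PoC repository indexed by the harvester
    exploitation_confirmed: Optional[date]   # None until a named campaign is confirmed
    patched_on: Optional[date]               # when the fix landed in our estate; None = still open


def poc_to_exploit_days(rec: PocRecord) -> Optional[int]:
    """Days from first public PoC to confirmed exploitation (None if not yet exploited)."""
    if rec.exploitation_confirmed is None:
        return None
    return (rec.exploitation_confirmed - rec.poc_first_seen).days


def exposure_days(rec: PocRecord, as_of: date) -> int:
    """Days exposed once a PoC existed: until the patch landed, or until `as_of` if still open."""
    end = rec.patched_on if rec.patched_on is not None else as_of
    return (end - rec.poc_first_seen).days


def median_poc_to_exploit_days(records) -> Optional[float]:
    """Median PoC-to-exploitation lag over the records that have a confirmed campaign."""
    lags = [d for d in (poc_to_exploit_days(r) for r in records) if d is not None]
    return median(lags) if lags else None


def triage(records, as_of: date, sla_days: int = PATCH_SLA_DAYS) -> list[dict]:
    """Rank open, already-exploited CVEs first, then open CVEs with a PoC, then closed ones.

    Within each tier the longest exposure comes first. `sla_breached` marks records whose
    exposure window (time-to-patch, or time open so far) already exceeds the patch SLA.
    """
    rows = []
    for r in records:
        exp = exposure_days(r, as_of)
        rows.append({
            "cve": r.cve,
            "vendor": r.vendor,
            "open": r.patched_on is None,
            "exploited": r.exploitation_confirmed is not None,
            "exposure_days": exp,
            "sla_breached": exp > sla_days,
        })
    rows.sort(key=lambda row: (not row["open"], not row["exploited"], -row["exposure_days"]))
    return rows


def rules_by_vendor(records) -> dict[str, int]:
    """Vendor tag counts, the same roll-up the post reports for its corpus."""
    return dict(Counter(r.vendor for r in records))


AS_OF = date(2026, 6, 5)  # constructed "today" for the example

SAMPLE = [
    # WP Maps Pro: PoC indexed May 30, active attacks confirmed June 2 (dates from the post);
    # still unpatched in this constructed estate. Vendor tag is constructed.
    PocRecord("CVE-2026-8732", "WordPress plugin (constructed tag)",
              date(2026, 5, 30), date(2026, 6, 2), None),
    # SharePoint: PoC April 22 (from the post); the exact June confirmation day and the
    # patch date are constructed placeholders.
    PocRecord("CVE-2026-32201", "Microsoft",
              date(2026, 4, 22), date(2026, 6, 3), date(2026, 5, 10)),
    # Wholly constructed record: PoC public, no confirmed campaign, still unpatched.
    PocRecord("CVE-PLACEHOLDER-0001", "Linux",
              date(2026, 4, 1), None, None),
]

if __name__ == "__main__":
    print(f"median PoC-to-exploitation lag: {median_poc_to_exploit_days(SAMPLE)} days")
    for row in triage(SAMPLE, AS_OF):
        print(row)
    print(rules_by_vendor(SAMPLE))
```

The ordering deliberately puts an unpatched CVE with a public PoC but no confirmed campaign ahead of anything already closed: on the post's numbers, the campaign tends to arrive within days of the PoC, so "PoC exists and we have not patched" is the condition to act on, not "exploitation confirmed".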
The feed is live. The detection rules are in it. The gap between publication and exploitation is measured in days. The gap between exploitation and patching is measured in weeks.
That asymmetry is the DBIR headline, translated into operational terms.