We Spent Twenty Years Teaching People Not to Click. Attackers Just Stopped Needing the Click.
- Patrick Duggan
Verizon's 2026 Data Breach Investigations Report contains a sentence that quietly reorganizes an entire industry's priorities: software vulnerabilities now start more breaches than stolen credentials. Read that again. For two decades, the reigning wisdom held that the human is the weakest link — that the breach begins with someone clicking a link they shouldn't. We built an industry on it: phishing simulations, security-awareness training, "think before you click" posters in every breakroom. And while we were busy hardening the human, attackers made a quieter decision. They stopped needing the human at all. Why trick someone into opening a door when there's an unpatched one standing wide open around the back?
The week that proved the sentence
We do not have to argue this in the abstract, because the last several days handed us the demonstration. Look at what actually breached things, and count the phishing emails.
The Department of Homeland Security's own information-sharing network was compromised through ToolShell — an unpatched SharePoint exploit chain that has been on CISA's Known Exploited Vulnerabilities list since 2025. No one clicked anything. Adobe shipped five perfect-10 CVSS flaws in ColdFusion, an unrestricted-file-upload-to-webshell class of bug older than the commercial web. No inbox required. Progress Kemp LoadMaster was under active exploitation via a command-injection flaw. Citrix NetScaler bled through a SAML bug being mass-scanned. Down the entire list, the pattern is identical: find an internet-facing system, exploit a vulnerability that was already public, own the box. The human never enters the story.
This is not a coincidence of one bad week. It is the new baseline, and Verizon just put a number on it.
Why the phishermen lost
Here is the uncomfortable part, and it is worth sitting with. Attackers did not abandon phishing because it stopped working — it still works, and social-engineering crews like the Scattered Spider and ShinyHunters cluster remain devastatingly effective. They diversified because exploitation got easier and more reliable than manipulation.
A phishing campaign depends on a person: they have to receive it, believe it, and act on it, and every one of those steps is a coin flip you have partially trained them to lose. An exploit depends on a patch that was not applied. And patches, it turns out, are the more dependable failure. There is always an unpatched SharePoint server. There is always a ColdFusion box nobody has looked at since 2019. There is always an edge appliance whose firmware update is "scheduled." The human you spent twenty years training can say no. The unpatched server cannot.
And the exploits winning this race are not even sophisticated. That is the throughline we have been documenting all week: the DHS chain was known-exploited for a year. The ColdFusion technique is older than most of the developers who will patch it. The AI coding agents getting cracked are falling to Bash tricks from 1989. This is not a story about attackers getting smarter. It is a story about patching losing, quietly, at scale, while the industry stared at the inbox.
Generative AI put its thumb on the scale
The tilt is accelerating, and AI is the accelerant — not in the way the headlines imagine. The interesting effect is not AI writing better phishing lures. It is AI compressing the time between a vulnerability becoming public and a working exploit existing. The window between "patch released" and "proof-of-concept in the wild" is where breaches are now decided, and generative tooling is shrinking that window from weeks to days to hours. The defender's grace period is evaporating precisely as the attack surface is exploding.
What this actually changes for defenders
If the breach now starts at the exploit instead of the inbox, then the center of gravity of your defense has to move with it. This is not permission to stop training people — phishing is still a top vector, and the human firewall still matters. It is a demand to stop treating patch management as hygiene and start treating it as the front line, because it is now the front line.
Concretely: treat the CISA Known Exploited Vulnerabilities catalog as a work order, not a newsletter — the single control that would have prevented the DHS breach is "patch what the government already told you is being exploited." Instrument the window between disclosure and weaponization, because that window is where you live or die now. Get your internet-facing systems inventoried and patched on a cadence measured against how fast exploits actually ship, not how often your change advisory board meets. And move your attention left of boom — to the pre-staging, the mass-scanning, the known-exploited catalog — because by the time the breach is in your logs, the exploit was public days ago and you simply did not close the window.
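As an added example, not the author's tooling and not anything published by Verizon, CISA or the vendors named above, here is a Python script that turns the advice above into a work order: it loads a catalog in the shape of CISA's KEV JSON feed, cross-references it against an inventory of internet-facing hosts, and ranks every unpatched match by how far past CISA's due date it is and how long the entry has been on the list. The catalog entries, CVE identifiers, host names and dates are constructed placeholders; only the feed schema and URL are real. The "last patched before the entry was added" test is an assumption I use in place of real version checking, since KEV entries name products, not fixed versions.

```python
"""Cross-reference an asset inventory against a KEV-shaped catalog and rank
what is exposed. Added example; not the blog's own code."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs, dates and descriptions below are placeholders, not real entries.
SAMPLE_KEV_JSON = """{
  "title": "Constructed sample of the KEV catalog",
  "catalogVersion": "0000.00.00",
  "dateReleased": "2026-05-15T00:00:00.0000Z",
  "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "Microsoft", "product": "SharePoint Server",
     "vulnerabilityName": "placeholder exploit chain", "dateAdded": "2025-07-20",
     "shortDescription": "constructed", "requiredAction": "Apply vendor updates.",
     "dueDate": "2025-07-23", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "Adobe", "product": "ColdFusion",
     "vulnerabilityName": "placeholder file upload", "dateAdded": "2026-05-12",
     "shortDescription": "constructed", "requiredAction": "Apply vendor updates.",
     "dueDate": "2026-06-02", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "Citrix", "product": "NetScaler ADC",
     "vulnerabilityName": "placeholder auth bypass", "dateAdded": "2026-05-10",
     "shortDescription": "constructed", "requiredAction": "Apply vendor updates.",
     "dueDate": "2026-05-31", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-EXAMPLE-0004", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "placeholder", "dateAdded": "2026-04-01",
     "shortDescription": "constructed", "requiredAction": "Apply vendor updates.",
     "dueDate": "2026-04-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# The "today" the report is run against; fixed so the example is reproducible.
TODAY = date(2026, 5, 15)


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    ransomware_use: str


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    last_patched: date  # date the host's last completed patch run finished


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    product: str
    days_since_added: int  # how long this entry has been on the KEV list
    days_overdue: int      # 0 when CISA's due date has not passed yet
    ransomware_use: str


# Constructed inventory of internet-facing hosts (hypothetical names).
SAMPLE_ASSETS = [
    Asset("sp-web-01", "Microsoft", "SharePoint Server", date(2025, 3, 1)),
    Asset("cf-app-02", "Adobe", "ColdFusion", date(2026, 5, 14)),
    Asset("ns-edge-01", "Citrix", "NetScaler ADC", date(2026, 1, 10)),
    Asset("mail-01", "Acme", "MailGateway", date(2026, 5, 1)),
]


def load_kev(raw: str) -> list[KevEntry]:
    """Parse the KEV feed JSON into KevEntry records."""
    doc = json.loads(raw)
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown"),
        )
        for v in doc["vulnerabilities"]
    ]


def _key(vendor: str, product: str) -> tuple[str, str]:
    # KEV vendor/product fields are free text; real deployments should map
    # them to CPEs, but a normalised exact match is enough for this example.
    return vendor.strip().lower(), product.strip().lower()


def cross_reference(assets: list[Asset], kev: list[KevEntry], today: date) -> list[Finding]:
    """Return one Finding per (host, KEV entry) pair the host cannot have the fix for."""
    by_product: dict[tuple[str, str], list[KevEntry]] = {}
    for entry in kev:
        by_product.setdefault(_key(entry.vendor, entry.product), []).append(entry)
    findings: list[Finding] = []
    for asset in assets:
        for entry in by_product.get(_key(asset.vendor, asset.product), []):
            # Heuristic (assumption): a host last patched before the entry was
            # added cannot have received the fix. Hosts patched afterwards are
            # not flagged here but still need version verification.
            if asset.last_patched >= entry.date_added:
                continue
            findings.append(Finding(
                host=asset.host,
                cve_id=entry.cve_id,
                product=entry.product,
                days_since_added=(today - entry.date_added).days,
                days_overdue=max(0, (today - entry.due_date).days),
                ransomware_use=entry.ransomware_use,
            ))
    # Most overdue first, then entries with known ransomware use, then oldest.
    findings.sort(key=lambda f: (-f.days_overdue, f.ransomware_use != "Known", -f.days_since_added))
    return findings


def work_order(findings: list[Finding]) -> list[str]:
    """Render findings as one line per host/CVE, ready to hand to patch owners."""
    lines = []
    for f in findings:
        status = f"OVERDUE by {f.days_overdue}d" if f.days_overdue else "not yet due"
        lines.append(f"{f.host:<11} {f.cve_id:<18} {f.product:<18} on KEV {f.days_since_added:>3}d  "
                     f"{status:<16} ransomware={f.ransomware_use}")
    return lines


def demo() -> list[Finding]:
    """Run the constructed inventory against the constructed catalog."""
    return cross_reference(SAMPLE_ASSETS, load_kev(SAMPLE_KEV_JSON), TODAY)


if __name__ == "__main__":
    for line in work_order(demo()):
        print(line)
```

Run against the constructed data, the script flags the SharePoint host as 296 days past its due date and the NetScaler host as on the list for five days but not yet due; the ColdFusion host is skipped because its last patch run postdates the entry, and the mail gateway matches nothing. Swapping `SAMPLE_KEV_JSON` for the downloaded feed and `SAMPLE_ASSETS` for your external-attack-surface inventory is the whole integration.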
Why this is the beat we built
We will be straight about our own position, because the accuracy half of the job requires it: we did not predict this shift, and we will not claim we did. We built toward it because the data kept pointing here. We mirror the KEV catalog and cross-reference it on every scan. We track the weaponization clock — the lag between a proof-of-concept dropping and a campaign firing. We watch the edge, the pre-staging, the supply chain. Not because we are clairvoyant, but because for two years the breaches kept starting at the exploit, and the honest thing to do was follow them there.
Ninety-five percent, as always: phishing is not dead, credentials still get stolen by the millions, and the balance can tip back. But the balance has tipped, Verizon has measured it, and this week wrote it in federal agencies and perfect-10 CVEs. The lesson is not that awareness training was a waste — it worked, which is exactly why attackers went around it. The lesson is that the door you forgot to lock will always beat the person you taught to be careful. Go patch the door.