
Inside the 2026 Verizon DBIR: What One Billion Records Revealed About Vulnerability Remediation


The Verizon 2026 Data Breach Investigations Report has been published. Qualys is proud to have served as a research partner and contributor, supplying analysis of more than one billion anonymized vulnerability remediation records, spanning four consecutive DBIR reporting cycles, for vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog.

The DBIR described the picture our data painted in plain terms: a treadmill picking up speed. Defenders are running harder than ever, and still falling behind. The full extended analysis of the data that we provided Verizon is published as Section 7 of our research report, The Broken Physics of Remediation.

Reading the Survival Curve

The chart below shows the percentage of known-exploited vulnerability instances still open at weekly intervals after CISA adds a CVE to the KEV catalog. The DBIR adopted this survival analysis approach to capture the full lifecycle of each vulnerability, rather than the year-end closure snapshot that most remediation metrics rely on.

The 2025 DBIR was the high-water mark, and the 2026 reading reversed it. From the 2022 through 2025 DBIR cycles, remediation performance improved at every milestone on the curve. By Day 28, only 27% of KEV instances remained open in the 2025 reading. The 2026 cycle reversed that trajectory: at Day 28, 35% of instances were still open, and the long tail (instances that never close within the observation window) settled at 9%. That 9% translates to roughly 47 million vulnerability instances with no near-term path to closure under current operating models.

Defender effort did not regress. Median detection-to-closure held steady at 9 days. Organizations closed more vulnerabilities in absolute terms than in any prior year. The engine did not slow. The load grew. Total KEV-linked instances grew 7.7x in four years, from 68.7M to 527.3M. At Day 28, the absolute open backlog grew from 31 million to 184 million instances. Volume scaled past the capacity that years of tooling and process investment had built.

What Mature Vulnerability Management Looks Like

A minority of organizations consistently outperform the curve. They share a defining behavior: they do not wait for CISA to add a CVE to KEV before committing to patch it. Operating with the same disclosures and advisories available to every other defender, they apply risk-based prioritization, embedded threat-actor context, and advanced scoring systems to route likely-exploitable vulnerabilities into remediation workflows days, sometimes weeks, ahead of the formal KEV listing.

The numbers show the discipline works, and that even this is no longer enough. Defenders proactively patched 63.7 million vulnerability instances before CISA added them to KEV in 2025, a 30% year-over-year increase. Yet the proactive remediation rate fell from 16.6% to 12.1%. The reason is volume. Total KEV-linked workload grew 78% in the same window, from 295.8M to 527.3M instances. Proactive output scaled linearly. The threat economy compounded exponentially.
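As an added illustration, not code from Qualys, Verizon or the DBIR, here is one way to compute the weekly KEV survival curve described in the previous section and the proactive remediation rate discussed above from per-instance remediation records. The records, cutoff date and CVE ids below are constructed, and the handling of right-censoring and of proactively patched instances is an assumption about how such a curve is built, not the report's stated method.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Instance:
    cve: str
    kev_added: date         # date CISA listed the CVE in the KEV catalog
    closed: Optional[date]  # remediation date; None means still open at the cutoff

def is_proactive(inst: Instance) -> bool:
    """Closed before the CVE reached KEV, i.e. patched without waiting for the listing."""
    return inst.closed is not None and inst.closed < inst.kev_added

def open_fraction(instances: list, day: int, cutoff: date) -> float:
    """Share of KEV-listed instances still open `day` days after listing.
    Right-censoring: count an instance only if its checkpoint is on or before
    `cutoff`, so a CVE listed last week is not judged at Day 28. Proactively
    patched instances never enter the curve: they were closed before Day 0."""
    at_risk = still_open = 0
    for inst in instances:
        checkpoint = inst.kev_added + timedelta(days=day)
        if checkpoint > cutoff or is_proactive(inst):
            continue
        at_risk += 1
        if inst.closed is None or inst.closed > checkpoint:
            still_open += 1
    return still_open / at_risk if at_risk else float("nan")

def survival_curve(instances: list, cutoff: date, weeks: int = 4) -> dict:
    """Weekly survival points, Day 0 .. Day 7*weeks, as {day: open_fraction}."""
    return {7 * w: open_fraction(instances, 7 * w, cutoff) for w in range(weeks + 1)}

def proactive_rate(instances: list) -> float:
    """Fraction of all instances closed before their KEV listing."""
    return sum(map(is_proactive, instances)) / len(instances) if instances else float("nan")

# Constructed sample records (placeholder CVE ids); observation cutoff 2025-12-31.
CUTOFF = date(2025, 12, 31)
SAMPLE = [
    Instance("CVE-0000-0001", date(2025, 11, 1), date(2025, 10, 20)),  # proactive
    Instance("CVE-0000-0002", date(2025, 11, 1), date(2025, 11, 5)),   # closed Day 4
    Instance("CVE-0000-0003", date(2025, 11, 1), date(2025, 11, 20)),  # closed Day 19
    Instance("CVE-0000-0004", date(2025, 11, 1), None),                # open: long tail
    Instance("CVE-0000-0005", date(2025, 12, 20), None),               # censored after Day 7
    Instance("CVE-0000-0006", date(2025, 11, 10), date(2025, 12, 15)), # closed Day 35
]
```

`survival_curve(SAMPLE, CUTOFF)` yields 100%, 80%, 75%, 50%, 50% open at Days 0 through 28, and `proactive_rate(SAMPLE)` is one in six; a year-end closure snapshot would report only that two of the six remain open and say nothing about when the others closed.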

The Operating Thesis Has Changed

For more than a decade, the operating thesis of vulnerability management has been that faster manual remediation could outrun the attacker. The four-year survival analysis retires that thesis. The remediation engine is running at the same RPM. The load has increased nearly eightfold. No incremental investment in staffing, tooling, or process closes a structural gap of this shape.

Reflecting on the combined findings, the DBIR offered an interpretation that warrants careful attention: this dataset may be an initial measurement of a “speed of light” for vulnerability remediation processes, a theoretical limit on what any model bound by human triage, change-windows, and approval gates can deliver. More than one billion records, four reporting cycles, and three years of additional tooling and mandate pressure have not moved that limit.

What closes the gap is an architectural shift: machine-speed pipelines that route validated, environment-confirmed exposures into autonomous remediation. We refer to this model as the Risk Operations Center (ROC).

The 2026 Verizon DBIR delivers the headline survival curve and frames the patching capacity problem at industry scale. The extended analysis (the four-year cohort KEV survival curve breakdown, absolute backlog growth, the proactive-defense subset, the first-week ceiling, and the operational architecture that responds to it) lives in the appendix of The Broken Physics of Remediation. The data is the strongest case we have made to date for changing the model.


Get your own copy of The Broken Physics of Remediation.