Half of All Breaches Now Involve a Third Party. The 2026 DBIR Makes the Case You Can't Ignore.

Published: Jun 3, 2026

Author: Jessica Stanford

Introduction

The 2026 Verizon Data Breach Investigations Report analyzed more than 22,000 confirmed breaches across 145 countries, the largest dataset in the report's 19-year history. And for the first time in those 19 years, the #1 initial access vector is not credential abuse. It's not phishing. It's vulnerability exploitation.

Black Kite's Chief Research & Intelligence Officer, Dr. Ferhat Dikbiyik, has been making that argument publicly for years. The DBIR just put it in print with 22,000 confirmed breaches behind it.

Here are the three numbers that matter and what they mean for your third-party cyber risk management program.

Three DBIR Stats That Change the Conversation

Read these together. The real story is in the overlap.

The 2026 DBIR surfaces a convergence that most security programs aren't built to handle:

  • 31% of confirmed breaches started with vulnerability exploitation, up from 20% the prior year, displacing credential abuse, which fell to 13%. For the first time in the report's history, unpatched software is the leading entry point.
  • 48% of confirmed breaches involved a third party, a 60% increase over the prior year. Nearly half of all confirmed breaches now trace back, at least in part, to a vendor, supplier, or partner in the ecosystem.
  • Median time to patch increased to 43 days, up from 32 days the year before. Organizations are patching slower as the volume of vulnerabilities accelerates.

Layer in one more data point from Mandiant's M-Trends 2026 report: mean time to exploitation is now negative seven days. Attackers are exploiting vulnerabilities, on average, a full week before organizations know those vulnerabilities exist.

Put it together on a timeline:

  • Attackers exploit at Day -7
  • Security teams learn about it around Day 0
  • The patch arrives at Day +43

That is a 50-day exposure window. Ferhat no longer refers to it as a “gap”; he now calls it a “canyon,” and the data backs him up. Last year that exploitation timeline was negative one day. The year before, it was still positive. The direction is not ambiguous.

What "Vulnerability Exploitation at #1" Actually Signals

This shift didn't happen overnight. The conditions have been building for years.

The trajectory in CVE disclosures tells part of the story. Before 2024, new vulnerability publications were growing incrementally. In 2025, 48,000 CVEs were published, a volume that arrived before AI-powered discovery tools entered production at scale. With frontier models now beginning to analyze codebases at depth, projections for 2026 run from 60,000 to 70,000 CVEs, possibly higher.

The DBIR's 31% figure reflects what attackers have already concluded: vulnerabilities are the most reliable, scalable, and increasingly automated entry point into enterprise environments. Phishing requires someone to click. Credential abuse requires a password to steal. An unpatched vulnerability just requires a scanner and a known exploit, and threat actors have both in abundance.

As Ferhat noted at the SANS AI Cybersecurity Summit 2026, the problem isn't just the volume of new vulnerabilities. It's that the tools available to attackers for discovering and chaining them are improving faster than the tools available to most defenders, especially those defending mid-market vendors without enterprise security budgets.

Your Vendors Make a Bad Problem Worse

The 31% exploitation figure and the 48% third-party figure aren't separate findings. They describe the same attack surface.

When an attacker exploits a vulnerability, there's a near-50% chance that entry point runs through a vendor, one that likely has fewer resources, slower patch cycles, and less visibility than you do. Their exposure becomes your exposure. And the CISA Known Exploited Vulnerabilities (KEV) data makes the remediation picture worse: the share of KEV vulnerabilities organizations fully remediated dropped from 38% to 26% in a single year. Volume is outrunning capacity.

The reflexive response, prioritizing by CVSS severity, doesn't hold up at scale. Of the 48,000 CVEs published in 2025:

  • Filter to CVSS 7.0 and above: roughly 19,000 to manage
  • Filter to CVSS 9.0 and above: still approximately 4,000
  • Actual CVEs exploited in the wild: approximately 800

No vendor program has the bandwidth for 4,000. And CVSS doesn't tell you whether a vulnerability is actively exploited, how discoverable it is via OSINT, or how many of your vendors are exposed to it.

Go from 48,000 CVEs to 58 That Matter to Supply Chains

The goal isn't to manage more vulnerabilities. It's to manage the right ones.

The Black Kite Research Group™ applied a three-dimensional framework (severity, exploitability, and OSINT discoverability) to the full 2025 CVE dataset. The analysis, detailed in the 2026 Supply Chain Vulnerability Report, narrowed the set much further:

  • 329 OSINT-discoverable, high-priority vulnerabilities (flagged by FocusTags® in the Black Kite platform)
  • Of those, only 58 met the bar for genuinely high exploitability and supply chain exposure 

58 out of 48,000. That's a list vendors can act on. That's the difference between “patch everything” and “patch these five, this week, here's the evidence.” And by the way, Black Kite surfaced 95.2% of those 329 vulnerabilities before they appeared in CISA's KEV catalog.
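To put the CVSS-only funnel above beside a three-dimensional filter, here is an added Python example; it is not Black Kite's code, data or FocusTags logic. The CVE identifiers, scores and vendor counts are constructed placeholders, and the `exploited` field stands in for whatever exploitation evidence a program trusts (a KEV listing, for instance).

```python
"""Prioritize constructed CVE records on severity, exploitation and exposure.
Illustrative code written for this post; records and thresholds are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str               # placeholder identifier, not a real CVE
    cvss: float               # CVSS base score, 0.0 to 10.0
    exploited: bool           # evidence of in-the-wild exploitation (e.g. KEV listing)
    osint_discoverable: bool  # affected product is fingerprintable from outside
    exposed_vendors: int      # vendors in the portfolio running the affected product


# Constructed sample portfolio; none of these are real vulnerabilities.
SAMPLE = [
    CveRecord("CVE-EXAMPLE-0001", 9.8, True, True, 12),
    CveRecord("CVE-EXAMPLE-0002", 9.1, False, False, 3),
    CveRecord("CVE-EXAMPLE-0003", 7.5, True, True, 40),
    CveRecord("CVE-EXAMPLE-0004", 7.2, False, True, 0),
    CveRecord("CVE-EXAMPLE-0005", 5.3, True, True, 7),
    CveRecord("CVE-EXAMPLE-0006", 9.4, False, True, 0),
]


def cvss_only(records, threshold=9.0):
    """The reflexive filter: keep everything at or above a CVSS bar.
    It says nothing about exploitation, discoverability or who is exposed."""
    return [r.cve_id for r in records if r.cvss >= threshold]


def supply_chain_priority(records, min_cvss=7.0):
    """Three-dimensional filter: severity AND exploitation evidence AND
    OSINT discoverability, kept only where at least one vendor is exposed.
    Returns ids ordered by vendor exposure (largest first), then by CVSS."""
    hits = [
        r for r in records
        if r.cvss >= min_cvss and r.exploited
        and r.osint_discoverable and r.exposed_vendors > 0
    ]
    hits.sort(key=lambda r: (-r.exposed_vendors, -r.cvss))
    return [r.cve_id for r in hits]
```

On the constructed sample, the CVSS 9.0 filter keeps two records that nobody is exploiting or exposed to and drops the heavily exposed, actively exploited 7.5; the three-dimensional filter returns exactly the two a vendor could act on this week.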

As Project Glasswing disclosures move through their 135-day MITRE embargo and CVE volume pushes toward 70,000 or higher, the ratio holds and the signal stays extractable. The question is whether your program has the infrastructure to surface it. If your prioritization still runs on CVSS scores alone, the answer is no.

Faster isn't the solution. Smarter is. See how Black Kite maps vulnerability exposure across your vendor ecosystem and surfaces the threats that demand immediate action.