For the sixth consecutive year, exploitation of vulnerabilities leads all initial access vectors in Mandiant’s M-Trends 2026 report, accounting for 32% of all intrusions. The Verizon 2025 DBIR documented a 34% surge in vulnerability exploitation, which now accounts for 20% of all breaches — overtaking phishing at 15% for the first time. The most alarming finding: the mean time to exploit newly disclosed vulnerabilities has collapsed to negative seven days, meaning exploitation routinely occurs before a patch is even available.
The Numbers Tell the Story
Mandiant’s M-Trends 2026, based on over 450,000 hours of incident response, provides the clearest picture of how the threat landscape has shifted:
- Exploits: 32% of initial intrusions (the leading vector for the sixth consecutive year)
- Phishing: 11% (down from 22% in 2022)
- Prior compromise: 10%
- Stolen credentials: 9%
The Verizon DBIR tells a complementary story from a larger sample size: vulnerability exploitation rose to 20% of breaches, a 34% year-over-year increase, while phishing dropped to 15%. The convergence of both reports confirms that the attack surface has fundamentally shifted from human manipulation to technical exploitation.
Why Exploitation Is Winning
Patch windows are collapsing. The concept of a patch window — the time between vulnerability disclosure and exploitation — has been destroyed. With a mean time to exploit of negative seven days, attackers are exploiting vulnerabilities before defenders even know they exist. This represents a fundamental advantage for attackers that no amount of traditional patch management can overcome.
Internet-facing applications are the target. The three most exploited vulnerabilities in 2025, according to Mandiant, were all zero-days targeting internet-facing enterprise application servers: CVE-2025-31324 in SAP NetWeaver, CVE-2025-61882 in Oracle EBS, and CVE-2025-53770 in SharePoint. These are not obscure systems — they are the backbone of enterprise operations, and they are directly exposed to the internet.
Access handoff has reached machine speed. One of M-Trends 2026’s most striking findings: the median time between initial access and handoff to a secondary threat group has collapsed from over 8 hours in 2022 to just 22 seconds. Initial access brokers are now operating automated pipelines that exploit a vulnerability, establish persistence, and hand off access to ransomware operators or espionage groups in under a minute.
Exploit code is commoditized. Proof-of-concept exploits appear on GitHub within hours of vulnerability disclosure. AI-assisted vulnerability research accelerates the development of working exploits. The technical barrier to exploitation has dropped dramatically, enabling less sophisticated threat actors to leverage zero-day and n-day vulnerabilities.
The Decline of Phishing
Phishing has not disappeared — it still accounts for 11% of intrusions in M-Trends data. But its relative importance has declined sharply because:
- Email security has improved. Years of investment in email filtering, DMARC adoption, and user training have made traditional phishing harder.
- Exploitation scales better. A single vulnerability in a widely deployed application gives attackers access to thousands of organizations simultaneously, while phishing campaigns require targeting individual users.
- Automation favors exploitation. Exploit scanners like those run by initial access brokers can sweep the entire internet for vulnerable instances in hours, while phishing requires more human effort per target.
What This Means for Defenders
Vulnerability management must become continuous. Annual or quarterly patch cycles are no longer viable when exploitation occurs before disclosure. Organizations need continuous vulnerability scanning, asset discovery, and automated patching for internet-facing systems.
Assume zero-day exposure. If your organization runs SAP, Oracle, Microsoft, or any widely deployed enterprise application, assume that zero-day vulnerabilities exist and will be exploited before patches are available. Compensating controls — network segmentation, Web Application Firewalls (WAF), application-level monitoring — must be in place as permanent layers, not temporary measures.
Prioritize internet-facing attack surface. Not all vulnerabilities are equal. The data is clear: attackers target internet-facing application servers first. External attack surface management (EASM) tools that continuously discover and assess exposed assets provide the most direct risk reduction.
Implement virtual patching. When vendor patches are not yet available or cannot be deployed immediately, WAF rules and intrusion prevention system (IPS) signatures that block known exploit patterns provide interim protection.
Monitor for exploitation indicators. Beyond vulnerability scanning, monitor for signs of active exploitation: unexpected outbound connections from application servers, new processes on web-facing hosts, anomalous database queries, and lateral movement from DMZ systems.
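As an added example (not code from the article or from the reports it cites), the following Python checks two of the exploitation indicators listed above against constructed log lines: a web or application server process spawning a shell on an internet-facing host, and an outbound connection from such a host to a destination outside an allowlist. The host names, process names, log format and allowlist are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified key=value format: process-creation
# records (type=proc) and outbound-connection records (type=net).
SAMPLE_LOG = """\
host=web01 type=proc parent=w3wp.exe child=cmd.exe user=IIS_APPPOOL
host=web01 type=proc parent=w3wp.exe child=csc.exe user=IIS_APPPOOL
host=app02 type=proc parent=java child=bash user=sapadm
host=app02 type=net dst=10.0.5.20 port=5432
host=app02 type=net dst=203.0.113.45 port=443
host=web01 type=net dst=10.0.5.21 port=1433
host=corp-ws17 type=proc parent=explorer.exe child=cmd.exe user=alice
"""

# Assumed inventory: internet-facing hosts, the server processes that run on
# them, the shells they should never spawn, and the only expected outbound
# destinations (database servers in the internal network).
WEB_FACING_HOSTS = {"web01", "app02"}
SERVER_PARENTS = {"w3wp.exe", "java", "httpd", "nginx"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "bash", "sh"}
ALLOWED_OUTBOUND = {("10.0.5.20", 5432), ("10.0.5.21", 1433)}

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def detect(log_text):
    """Return findings for web-facing hosts only; workstations are out of scope."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("host") not in WEB_FACING_HOSTS:
            continue
        if ev["type"] == "proc" and ev["parent"] in SERVER_PARENTS:
            if ev["child"] in SHELL_CHILDREN:
                findings.append(Finding(ev["host"], "server_spawned_shell",
                                        f"{ev['parent']} -> {ev['child']}"))
        elif ev["type"] == "net":
            dst = (ev["dst"], int(ev["port"]))
            if dst not in ALLOWED_OUTBOUND:
                findings.append(Finding(ev["host"], "unexpected_outbound",
                                        f"{dst[0]}:{dst[1]}"))
    return findings
```

Given the 22-second handoff window described above, rules like these need to run on a streaming feed rather than a daily batch; the sample yields three findings (two spawned shells, one unexpected outbound connection) and ignores the workstation event.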
Key Takeaway
The primary attack vector has shifted from manipulating humans (phishing) to exploiting technology (vulnerability exploitation). This demands a corresponding shift in defensive investment: from awareness training as the first priority to attack surface management, continuous patching, and compensating controls for zero-day exposure. The 22-second handoff time between exploitation and secondary access means the window for detection and response is smaller than ever.
Sources & Further Reading
- M-Trends 2026: Data, Insights, and Strategies From the Frontlines — Google Cloud Blog
- M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds — SecurityWeek
- Vulnerability Exploitation Emerges as Top Initial Access Vector — Infosecurity Europe
- The Rise of Vulnerability Exploitation as an Initial Attack Vector — Oligo Security
- Attackers Are Handing Off Access in 22 Seconds — Help Net Security