June 6, 2026
The Patch You Skipped and the Password You Reused Are Both Coming for You
Two major 2026 threat reports appear to contradict each other. They don’t. They describe the same disaster from different angles.
Joao Silva
11 min read
Two of the most authoritative annual threat intelligence reports published in 2026 reach conclusions that, on the surface, appear mutually exclusive. Read one, and you will conclude that credentials are the primary battlefield of modern corporate security. Read the other, and you will conclude that unpatched vulnerabilities have just overtaken credentials as the number one entry point into enterprise environments for the first time in nineteen years. Both reports are backed by enormous datasets, credible researchers, and careful methodology.
Both reports are correct.
That is the point. That is the uncomfortable, operationally important, budget-conversation-changing point that tends to get lost when the headlines reduce the findings to a single narrative. Organisations are not failing at patch management or identity security. They are failing at both, simultaneously, and the attackers are exploiting that double failure with accelerating efficiency.
This article is about what those two reports actually say, why the apparent contradiction resolves into something worse than either finding alone, and what a senior infrastructure professional should do about it before the next budget cycle closes.
The Two Reports and What They Found
The Darktrace Annual Threat Report 2026, published in February, covers Darktrace's global telemetry from across its customer base throughout 2025. Darktrace is positioned at the network and behavioural detection layer, which means its data reflects what attackers actually do once they are inside, and how they get there. The headline finding is unambiguous: identity is now the primary target of attack. In Europe, 58% of incidents began with compromised cloud accounts or email, overtaking traditional network-layer breaches, which accounted for the remaining 42%. In the Americas, the figure is even starker: nearly 70% of incidents began with a stolen or misused account.
To contextualise that: nearly three in five breaches in European organisations in 2025 did not involve a firewall misconfiguration, an unpatched server, or a network-layer exploit. They involved somebody's credentials. The front door was opened with a key that did not belong to the person holding it.
At almost the same time, Verizon was preparing the 2026 edition of its Data Breach Investigations Report, published in May. The DBIR draws on a different dataset: confirmed breach investigations from Verizon's own incident response practice, contributions from dozens of partner organisations, and forensic evidence from thousands of incidents. The 2026 DBIR covers the period from November 2024 to October 2025, which overlaps significantly with the Darktrace reporting window. The DBIR's headline finding is equally unambiguous, and it stops the cybersecurity industry in its tracks: for the first time in the report's nineteen-year history, vulnerability exploitation has overtaken stolen credentials as the number one initial access vector in confirmed breaches. Unpatched vulnerabilities accounted for 31% of breaches. Credential abuse accounted for 13%.
So one report says credentials are the primary battlefield, and the other says vulnerabilities have just leapfrogged credentials to become the leading cause of breaches. If both reports are credible, and they are, how do you reconcile them?
Why Both Are Right, and Neither Is the Complete Picture
The first thing to understand is that these reports are measuring different things.
Darktrace's telemetry captures a very large sample of security incidents, including events that do not constitute confirmed data breaches. A suspicious login from an unusual geography, a compromised account used to send internal phishing emails, a cloud account being enumerated by an attacker who then achieves nothing further. All of those show up in Darktrace's numbers. The report reflects the full attack surface, including attempts that were stopped, intrusions detected before exfiltration, and behaviours that constituted an incident without becoming a full breach.
The Verizon DBIR, by contrast, is specifically about confirmed breaches. Incidents in which data was actually exfiltrated, systems were actually compromised, and the chain of causation was actually established through forensic investigation. The DBIR does not count near-misses. It counts confirmed damage.
When you keep that distinction in mind, the two findings sit side by side without contradiction. Credential abuse remains the most common initial access vector across the broader landscape of security incidents. It is the method attackers try most often, the background noise of the threat environment, the thing that fires every day against every organisation with a Microsoft 365 or Google Workspace tenancy. In the Verizon data, vulnerability exploitation is now the vector most often behind a confirmed breach, precisely because when an attacker finds an unpatched, known-exploited vulnerability the success rate is high and the time from discovery to compromise has become very short.
Both trends are real. One tells you what your logs will show tomorrow morning. The other tells you what your incident response team will be working on in six weeks.
The Credential Threat in Numbers
The scale of the credential problem is genuinely difficult to internalise. In 2025, researchers tracked 2.9 billion compromised credentials, a figure so large it has become an abstraction. Let me make it concrete.
Infostealer malware has become the quiet engine of the credential economy. These are small, focused programs designed to do one thing: find every stored password, session token, saved form field and authentication artefact on an infected machine and exfiltrate the lot to a central collection infrastructure. The resulting logs are sold, bundled and traded on criminal marketplaces.
The Verizon 2025 DBIR analysed infostealer logs and found that 30% of the compromised systems in them could be identified as enterprise-licensed devices. Not personal devices. Not unmanaged endpoints. Corporate, managed, enterprise-licensed devices, presumably with endpoint protection, presumably on managed networks, presumably subject to security policies. Nearly one in three of the machines feeding the infostealer economy belonged to a company and was compromised sufficiently for the malware to collect corporate credentials and send them to an attacker.
Of the compromised systems that held corporate logins, 46% were unmanaged devices: personal machines, or machines outside the corporate fleet, on which someone had signed in to work accounts. And once those credentials are in an attacker's hands, the application-layer damage is swift: 88% of basic web application attacks in the 2025 DBIR involved the use of stolen credentials. Most web application compromises are not sophisticated. They are credential-stuffing exercises against applications that were never tested for this threat.
Among organisations that subsequently suffered a ransomware incident, 54% had their domain appear in infostealer logs or credential marketplace listings before the ransomware was deployed. The credential theft was not a side effect of the ransomware. It was the prerequisite. Attackers collected the credentials, used them to gain initial access, moved laterally, established persistence, and then deployed the ransomware when they were ready. The credential theft happened weeks or months before anyone noticed anything was wrong.
The credential threat sits inside a broader escalation: globally disclosed software vulnerabilities rose 20% in 2025, yet in the Darktrace incident data attackers still chose credential abuse over direct exploitation for most initial access. The path of least resistance runs through identity, and that path is widening.
In the Darktrace data, Azure was the most targeted cloud provider, attracting 43.5% of observed malware samples. Google Cloud Platform received 33.2% and AWS 23.2%. That distribution does not track infrastructure market share, where AWS is the largest provider; it tracks where enterprise identity lives. Azure is the identity layer for the majority of European and global enterprise environments because of its Microsoft 365 integration, and owning an Azure identity often means owning the email, files, calendar, collaboration platform and connected SaaS applications simultaneously. It is an extraordinarily efficient target for attack.
The Vulnerability Threat in Numbers, and Why 2026 Is Different
Vulnerability exploitation is not new. What the 2026 DBIR identifies is a structural shift in the balance between attacker speed and defender capacity.
The median time to fully patch a critical vulnerability increased to 43 days in 2025, up from 32 days in 2024. That is not a marginal slip. That is a 34% increase in the window during which a known, documented, actively exploited vulnerability remains open in production. At the same time, the exploitation window, the time between a vulnerability being published and attackers actively weaponising it, has collapsed from months to hours in many cases, particularly for vulnerabilities in edge devices, VPN appliances and perimeter-facing services, where AI-assisted exploit development has dramatically accelerated the timeline.
The 2026 DBIR introduces what it calls the Remediation Paradox. Exploitation timelines and remediation timelines are on fundamentally different trajectories. By Day 7 after a vulnerability enters CISA's Known Exploited Vulnerabilities catalogue, between 60% and 70% of affected organisations still have the vulnerability open, regardless of their size, investment level or tooling. The probability that an organisation has patched something by the time it becomes actively exploited is, statistically, quite low.
To make that concrete: CISA's KEV catalogue lists vulnerabilities that have confirmed, active exploitation in the wild. These are not theoretical risks. They are documented, named vulnerabilities where someone has already been breached. In 2025, organisations patched only 26% of the defects on the KEV catalogue. That figure was 38% in 2024. The remediation rate is declining while the catalogue and the attacker's capability to exploit it are growing.
The result is that vulnerability exploitation, as a breach pathway, has never been more reliable for attackers. They do not need to develop novel zero-days. They do not need nation-state resources. They need a scanner, the KEV catalogue, and the patience to wait for one of the roughly three quarters of known-exploited flaws that nobody patched to turn up on a network they can reach.
AI Is Accelerating Both Sides of the Problem
The threat landscape in 2026 has an additional accelerant that neither report underplays: artificial intelligence is making both attack vectors faster, cheaper and more scalable.
On the credential side, Darktrace observed that AI-assisted phishing emails have become significantly harder to distinguish from legitimate correspondence. Across Darktrace's global fleet, 32 million phishing emails were detected in 2025 alone, illustrating the sheer industrial scale of the credential-harvesting operation running continuously against enterprise environments. Novel social engineering techniques grew from 32% of observed phishing campaigns to 38% year-on-year. Long-form, AI-generated phishing messages, constructed to mimic the writing style, subject matter and tone of legitimate business communications, rose from 27% to 33%. QR code phishing grew by 28%, from 940,000 attacks in 2024 to over 1.2 million in 2025. These are not incremental refinements. They represent the industrialisation of social engineering at a quality level that previously required skilled human writers.
The downstream consequence is that the phishing email your users see today is not the phishing email from the security awareness training they completed six months ago. The bad grammar, the implausible urgency, the mismatched logo, all of the tells that traditional awareness training teaches people to spot are being eliminated by language model outputs. Your organisation's internal tone of voice, calendar patterns, common project names and supplier relationships are likely available in some form through public sources, LinkedIn data and prior credential exposures, and a sufficiently motivated attacker can prompt a model to craft something indistinguishable from internal correspondence.
On the vulnerability side, AI is dramatically compressing the time between proof-of-concept publication and production exploitation. Security researchers now document cases where a vulnerability disclosed on a Monday has a weaponised, scan-and-exploit tool circulating by Wednesday. The defence window, once measured in weeks, is now measured in days or hours for high-profile vulnerabilities. This is not speculative. It is what the DBIR data reflects in its timeline statistics.
The False Choice That Is Killing Corporate Security
Here is the conversation I have repeatedly seen play out in organisations. The CISO presents the annual threat report findings. The board notes that credentials are the primary attack surface. The resulting investment decision favours the MFA rollout, the identity governance platform, and the phishing simulation programme. The patch management roadmap gets deferred because the budget ceiling is fixed, and the identity work is clearly the priority.
Or the reverse. The vulnerability-exploitation headline lands, and the board demands to know why the patch cycle is 43 days. Resources go to vulnerability management, remediation SLAs, and a new scanning tool. The identity programme loses its allocated headcount.
Both versions of this conversation produce the same outcome: a security posture that addresses half of the problem with full investment while the other half remains exposed. Attackers, who are under no obligation to use a single technique, route around the defended half and walk through the undefended half.
The 2026 data makes one thing clear: organisations need to treat credential abuse and vulnerability exploitation as simultaneous, persistent, equally funded threats. Not sequential priorities. Not competing line items. The attackers are not choosing between them. Neither can the defenders.
What I Would Actually Do, in Priority Order
Start with identity hygiene, because it is faster to act on. Credential abuse is the higher-volume and faster-moving threat. The actions required are largely policy-level: enforce phishing-resistant MFA (FIDO2 hardware keys for privileged accounts, passkeys for everyone else), review conditional access policies to block legacy authentication protocols and any other flow that cannot present MFA and has no legitimate business use in your environment, and audit your tenant for devices registered from unusual geographies or unexpected user agents. None of those requires a procurement cycle. They require an afternoon with the right admin console access and the willingness to break a few legacy integrations that should have been migrated years ago.
The infostealer exposure is the piece that organisations consistently underestimate. Your employees' personal devices are a source of credential leakage. This is not a comfortable conversation to have, but the DBIR data is explicit: 46% of the infostealer-compromised systems that held corporate logins were unmanaged devices. An acceptable use policy, device posture checks at authentication time, and the separation of corporate identity from personal device storage are the operational responses. Telling people to be careful is not a control.
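Knowing whether you appear in infostealer logs is measurable, not a matter of opinion, and the measurement is the first step to acting on it. The script below is an added example, not code from the article or the DBIR: it takes a stealer-log export in the url:login:password layout those dumps commonly use, separates credentials for your own services (a working key to the front door) from corporate email addresses reused at third-party sites (a password-reuse risk), and reports what fraction of the identity directory is exposed plus the accounts nobody in the directory recognises. The log lines, the example.com domains and hosts, and the directory are all constructed placeholders, and the parser assumes the export puts no colons inside passwords.

```python
"""Measure corporate exposure in an infostealer log export.

Added example; not code from the article or the DBIR. The log lines below are
constructed, in the url:login:password layout common to stealer-log dumps, and
the domains, hosts and directory are placeholders. Assumption: passwords in the
export contain no colons (real dumps vary, and some use tab or '|' separators).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

CORP_EMAIL_DOMAINS = {"example.com"}
# Hosts whose stored credentials are a working key to our own front door.
CORP_HOSTS = {"sso.example.com", "vpn.example.com", "mail.example.com"}
# Active accounts from the identity directory (constructed).
DIRECTORY = {"alice@example.com", "bob@example.com", "carol@example.com", "frank@example.com"}

# Constructed stealer-log lines, including one unparseable line.
STEALER_LOG = """\
https://sso.example.com/login:alice@example.com:Winter2025!
https://vpn.example.com/:bob@example.com:hunter2
https://shop.example.net/account:carol@example.com:Spring2024!
https://social.example.org/login:dave@gmail.com:pass123
https://sso.example.com/login:eve@example.com:CorrectHorse
bad line without structure
https://mail.example.com/owa:alice@example.com:Winter2025!
"""

# scheme://host[:port][/path]:login:password. Host and path carry no stray
# colons, so the last two colon-separated fields are the login and password.
LINE_RE = re.compile(
    r"^(?P<url>\w+://[^\s:/]+(?::\d+)?(?:/[^\s:]*)?):(?P<user>[^:\s]+):(?P<password>\S+)$"
)


def parse_stealer_line(line):
    """Return (url, login, password) or None for a line we cannot parse."""
    m = LINE_RE.match(line.strip())
    return (m["url"], m["user"].lower(), m["password"]) if m else None


def classify(url, user):
    host = (urlsplit(url).hostname or "").lower()
    if host in CORP_HOSTS or any(host == d or host.endswith("." + d) for d in CORP_EMAIL_DOMAINS):
        return "corporate_service"             # credential for one of our own services
    if user.rpartition("@")[2] in CORP_EMAIL_DOMAINS:
        return "corporate_identity_elsewhere"  # our email used at a third party: reuse risk
    return "unrelated"


def exposure_report(log_text, directory=DIRECTORY):
    parsed = skipped = 0
    hits = defaultdict(lambda: {"corporate_service": set(), "corporate_identity_elsewhere": set()})
    for line in log_text.splitlines():
        rec = parse_stealer_line(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        parsed += 1
        url, user, _ = rec
        kind = classify(url, user)
        if kind != "unrelated":
            hits[user][kind].add(urlsplit(url).hostname.lower())
    exposed = set(hits)
    actions = []
    for acct in sorted(exposed):
        direct = hits[acct]["corporate_service"]
        elsewhere = hits[acct]["corporate_identity_elsewhere"]
        actions.append({
            "account": acct,
            # A leaked SSO/VPN/mail login needs a reset and session revocation now;
            # a corporate email reused at a third party is a reuse risk to chase.
            "priority": "immediate" if direct else "reuse-risk",
            "in_directory": acct in directory,
            "hosts": sorted(direct | elsewhere),
        })
    return {
        "lines_parsed": parsed,
        "lines_skipped": skipped,
        "directory_exposed_pct": round(100.0 * len(exposed & directory) / len(directory), 1),
        "unknown_accounts": sorted(exposed - directory),  # ex-staff, contractors, typos
        "actions": actions,
    }


if __name__ == "__main__":
    report = exposure_report(STEALER_LOG)
    print(f"{report['directory_exposed_pct']}% of directory accounts exposed; "
          f"unknown accounts: {report['unknown_accounts']}")
    for a in report["actions"]:
        print(f"{a['priority']:<10} {a['account']:<20} {', '.join(a['hosts'])}")
```

On the constructed sample this reports three of four directory accounts exposed and one account (eve) that is not in the directory at all, which in practice usually means a departed user whose sessions were never revoked or a contractor nobody tracked. The "immediate" entries are the ones to reset and revoke tokens for before the end of the day; the "reuse-risk" entries are where you check whether the third-party password matches the corporate one.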
Then fix your patch cycle, because the window is collapsing. A 43-day median remediation time is indefensible against an attacker capable of routinely weaponising vulnerabilities within hours. The CISA KEV catalogue is the most practical place to start: those vulnerabilities are confirmed as actively exploited. They are not theoretical. If you are only patching a quarter of them, you are leaving the majority of the most dangerous known vulnerabilities open in production.
The answer is not to accelerate every patch. It is to create tiered remediation SLAs with the KEV catalogue as the top tier, mandate a maximum seven-day remediation window for KEV entries on production systems, and build the organisational muscle to meet that target. For most organisations, that means reducing change advisory board friction for security patches, investing in automated patching for operating systems and common application layers, and accepting that some brief service disruptions during patching are preferable to a confirmed breach.
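What a KEV-first tiering looks like in practice, as an added example rather than anything from the article or from CISA: the script keeps a vulnerability's clock running from the later of the date the scanner first saw it and the date CISA added it to the catalogue, ranks open findings with KEV entries above every scanner severity, and produces the two numbers a board should be asking for, the share of KEV findings remediated and the median days it took. The KEV records, the scanner findings and the placeholder CVE identifiers are constructed, the seven-day KEV window is the one argued for above, and the other SLA tiers are assumed values.

```python
"""Tiered remediation SLAs with the CISA KEV catalogue as the top tier.

Added example; not code from the article, Verizon, Darktrace or CISA. The KEV
records and the scanner findings below are constructed sample data with
placeholder CVE identifiers. The real catalogue is published by CISA as JSON,
and each entry carries at least the fields used here (a CVE ID and the date it
was added).
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

TODAY = date(2025, 10, 15)  # fixed "now" so the numbers below are reproducible

# Constructed KEV-style entries: CVE ID -> date CISA confirmed exploitation.
KEV = {
    "CVE-EXAMPLE-1": date(2025, 9, 20),
    "CVE-EXAMPLE-2": date(2025, 10, 10),
    "CVE-EXAMPLE-3": date(2025, 8, 1),
}

# Remediation SLAs in days. The 7-day KEV tier is the one the article argues
# for; the other tiers are assumed values, not figures from the reports.
SLA_DAYS = {"kev": 7, "critical": 30, "high": 60, "medium": 90, "low": 180}
TIER_ORDER = {"kev": 0, "critical": 1, "high": 2, "medium": 3, "low": 4}


@dataclass
class Finding:
    asset: str
    cve: str
    severity: str                    # scanner severity: critical/high/medium/low
    first_seen: date                 # when the scanner first reported it
    remediated: Optional[date] = None


def tier(f: Finding, kev=KEV) -> str:
    """KEV membership outranks scanner severity."""
    return "kev" if f.cve in kev else f.severity


def clock_start(f: Finding, kev=KEV) -> date:
    """For KEV entries the clock starts when CISA confirmed exploitation,
    unless we only found the flaw later, in which case it starts then."""
    return max(f.first_seen, kev[f.cve]) if f.cve in kev else f.first_seen


def days_open(f: Finding, today=TODAY, kev=KEV) -> int:
    return ((f.remediated or today) - clock_start(f, kev)).days


def triage(findings, today=TODAY, kev=KEV):
    """Open findings only, KEV first, most overdue first within a tier."""
    rows = []
    for f in findings:
        if f.remediated:
            continue
        t, d = tier(f, kev), days_open(f, today, kev)
        rows.append({"asset": f.asset, "cve": f.cve, "tier": t, "days_open": d,
                     "sla": SLA_DAYS[t], "overdue_by": max(0, d - SLA_DAYS[t])})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -r["overdue_by"], -r["days_open"]))
    return rows


def kev_metrics(findings, today=TODAY, kev=KEV):
    """The numbers a board should be asking for: KEV coverage and speed."""
    def pct(n, d):
        return round(100.0 * n / d, 1) if d else None
    kev_findings = [f for f in findings if f.cve in kev]
    closed = [days_open(f, today, kev) for f in kev_findings if f.remediated]
    open_kev = [r for r in triage(findings, today, kev) if r["tier"] == "kev"]
    return {
        "kev_findings": len(kev_findings),
        "kev_patched_pct": pct(len(closed), len(kev_findings)),
        "median_days_to_remediate": median(closed) if closed else None,
        "within_7_days_pct": pct(sum(d <= 7 for d in closed), len(closed)),
        "open_past_sla": sum(r["overdue_by"] > 0 for r in open_kev),
    }


# Constructed scanner findings: two KEV entries still open, two closed,
# and two non-KEV findings for comparison.
FINDINGS = [
    Finding("vpn-edge-01", "CVE-EXAMPLE-1", "critical", date(2025, 9, 15)),
    Finding("vpn-edge-02", "CVE-EXAMPLE-1", "critical", date(2025, 9, 15), date(2025, 9, 24)),
    Finding("mail-gw-01", "CVE-EXAMPLE-2", "high", date(2025, 10, 12)),
    Finding("app-01", "CVE-EXAMPLE-3", "medium", date(2025, 8, 5), date(2025, 9, 20)),
    Finding("db-01", "CVE-EXAMPLE-9", "critical", date(2025, 9, 1)),
    Finding("web-03", "CVE-EXAMPLE-8", "low", date(2025, 6, 1)),
]

if __name__ == "__main__":
    for r in triage(FINDINGS):
        print(f"{r['tier']:<8} {r['asset']:<12} {r['cve']:<14} open {r['days_open']:>3}d  "
              f"SLA {r['sla']:>3}d  overdue {r['overdue_by']:>3}d")
    print(kev_metrics(FINDINGS))
```

Note that the scanner's "high" rating for mail-gw-01 is irrelevant to its position: KEV membership puts it in the top tier with a seven-day clock, and the clock runs from the later of the scanner's first sighting and the catalogue date, so a flaw you only discovered after CISA listed it is not immediately overdue. The median days-to-remediate on closed KEV findings is the figure to track month over month; it is the honest answer to the first question at the end of this article.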
Segment your critical assets so that neither attack vector reaches the crown jewels. The most dangerous breach scenarios in both reports involve lateral movement: an attacker who gains initial access through a stolen credential or an exploited vulnerability and then spends days or weeks moving through the environment toward high-value targets. Segmentation is the friction that slows or stops that movement. If your entire flat network is accessible from a compromised Microsoft 365 account, you have traded the security benefit of every other control for the convenience of not managing network boundaries.
Invest in detection for post-compromise behaviour, not just perimeter prevention. Both the Darktrace and Verizon findings describe attacker dwell times that are measured in weeks. In that window, the attacker is doing things: creating inbox rules, registering devices, exfiltrating data in small increments, mapping internal systems, and establishing persistence mechanisms. Those behaviours have signatures. Monitoring for unusual inbox rule creation, anomalous OAuth token issuance, unexpected cloud storage access patterns, and new device registrations from unusual locations will catch post-compromise activity that perimeter controls never see.
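The behaviours listed above do have signatures, and they are cheap to check if you export the audit log. The script below is an added example, not code from the article, Darktrace or Microsoft: it runs three detections over constructed records modelled loosely on the Microsoft 365 Unified Audit Log, flagging inbox rules that forward externally, delete mail or file it into folders nobody reads, user consent to an application requesting mail or offline access scopes, and device registrations from a country outside the user's baseline (which also covers the tenant audit recommended earlier). The record shapes are simplified and the field names differ by workload in real exports; the "Country" field stands in for the geolocation you would derive from ClientIP, and the per-user baseline is constructed rather than derived from sign-in history.

```python
"""Post-compromise detections over Microsoft 365 audit records.

Added example; not code from the article, Darktrace or Microsoft. The records
below are constructed and simplified from the Unified Audit Log shape (Exchange
inbox-rule operations carry a Parameters list; directory operations carry
ModifiedProperties). The "Country" field is an assumption standing in for the
geolocation you would derive from ClientIP, and the per-user country baseline
is constructed; in practice build it from 90 days of sign-in logs.
"""
import json

CORP_DOMAINS = {"example.com"}
# Folders attackers use to hide mail from the victim while a rule runs.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items", "junk email"}
# Delegated permissions that let a consented app read or send mail indefinitely.
SENSITIVE_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "offline_access", "files.read.all"}
BASELINE_COUNTRIES = {"alice@example.com": {"GB"}, "bob@example.com": {"GB", "DE"}}

AUDIT_LOG = json.dumps([  # constructed records
    {"CreationTime": "2025-10-14T06:02:11", "Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": ".."}, {"Name": "ForwardTo", "Value": "attacker@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-10-14T08:15:40", "Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-10-14T09:30:05", "Workload": "Exchange", "Operation": "Set-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-10-14T09:41:19", "Workload": "AzureActiveDirectory", "Operation": "Consent to application.",
     "UserId": "alice@example.com",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "Mail.Read offline_access User.Read"}]},
    {"CreationTime": "2025-10-14T10:05:00", "Workload": "AzureActiveDirectory", "Operation": "Register device.",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Country": "NG"},
    {"CreationTime": "2025-10-14T10:20:00", "Workload": "AzureActiveDirectory", "Operation": "Register device.",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.9", "Country": "DE"},
    {"CreationTime": "2025-10-14T11:00:00", "Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "To helpdesk"}, {"Name": "ForwardTo", "Value": "helpdesk@example.com"}]},
    {"CreationTime": "2025-10-14T11:30:00", "Workload": "Exchange", "Operation": "MailItemsAccessed", "UserId": "carol@example.com"},
])


def flatten_params(rec):
    """Exchange records carry [{"Name": ..., "Value": ...}, ...]; make it a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}


def is_external(address):
    return address.rpartition("@")[2].lower() not in CORP_DOMAINS


def check_inbox_rule(rec):
    p = flatten_params(rec)
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in p and any(is_external(a) for a in p[key].replace(";", " ").split()):
            reasons.append(f"{key} to external address {p[key]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes messages")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"rule moves mail to {p['MoveToFolder']}")
    name = p.get("Name", "").strip()
    if len(name) <= 2:                      # ".", "..", "a": attackers rarely name rules
        reasons.append(f"suspicious rule name {name!r}")
    return reasons


def check_consent(rec):
    granted = set()
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            granted |= {s.lower() for s in prop.get("NewValue", "").replace(",", " ").split()}
    hit = sorted(granted & SENSITIVE_SCOPES)
    return [f"user consented an app to {' '.join(hit)}"] if hit else []


def check_device_registration(rec):
    baseline = BASELINE_COUNTRIES.get(rec.get("UserId", "").lower())
    country = rec.get("Country")
    if baseline is not None and country and country not in baseline:
        return [f"device registered from {country}, baseline {sorted(baseline)}"]
    return []


RULES = {
    "New-InboxRule": ("inbox_rule", check_inbox_rule),
    "Set-InboxRule": ("inbox_rule", check_inbox_rule),
    "Consent to application.": ("oauth_consent", check_consent),
    "Register device.": ("device_registration", check_device_registration),
}


def detect(records):
    alerts = []
    for rec in records:
        handler = RULES.get(rec.get("Operation"))
        if handler is None:
            continue
        category, fn = handler
        reasons = fn(rec)
        if reasons:
            alerts.append({"time": rec["CreationTime"], "user": rec["UserId"].lower(),
                           "category": category, "reasons": reasons})
    return alerts


def detect_from_json(text):
    return detect(json.loads(text))


if __name__ == "__main__":
    for a in detect_from_json(AUDIT_LOG):
        print(f"{a['time']} {a['category']:<20} {a['user']:<20} {'; '.join(a['reasons'])}")
```

Two of the constructed inbox rules are benign (a newsletter filter and an internal forward to a helpdesk) and produce nothing; the rule named ".." that forwards to an external domain and deletes the original fires on three counts at once, which is the classic business-email-compromise pattern. The device registration from outside the baseline is the signal that a stolen session is being turned into persistent access, and is worth alerting on even when the sign-in itself passed MFA.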
The Structural Problem Nobody Wants to Admit
The 2026 data points at a structural reality that goes beyond any specific toolkit or technique. Defenders are on annual budget cycles, quarterly board reports and monthly change windows. Attackers are on continuous delivery with AI-assisted tooling, global infrastructure and no change advisory board. That asymmetry does not compress when defenders buy better tools. It compresses when defenders change how they operate.
The organisations in the Darktrace and Verizon data that fared best are not the ones with the largest security budgets. They are the ones who have built operational reflexes to act on threat intelligence within hours rather than weeks, who treat security as a continuous process rather than an annual audit, and who have eliminated the bureaucratic friction that turns a forty-eight-hour patch into a forty-three-day one.
That is as much a management and culture problem as a technical one. The DBIR Remediation Paradox is not primarily a technology gap. It is a decision-making gap. The decision to patch something known to be exploited in seven days instead of forty-three requires an organisational process that supports it. Building that process is not glamorous work. It does not generate a compelling conference talk or a vendor case study. But it is the work that determines whether your organisation appears in next year's breach statistics.
The Takeaway
The next person who tells you that credentials are the primary threat, or that vulnerability exploitation is the primary threat, is telling you a truth that is one data-source-wide and one board-presentation-deep. The actual threat environment is simultaneously AI-accelerated on both fronts.
Two questions are worth sitting with after this. First: what is your organisation's median remediation time for CISA KEV entries, and is it under seven days? If the honest answer is no, or if nobody knows, that is the first thing to fix. Second: what percentage of your corporate credentials have appeared in infostealer logs in the last twelve months, and what was done about it? If the answer is also unknown, that is the second thing to fix.
The reports are in. The data is public. The decision about whether to act on it is entirely yours.
Sources
- Darktrace Annual Threat Report 2026
- Darktrace press release: Identity Is Now Primary Target
- Verizon 2026 Data Breach Investigations Report
- SecurityWeek: Verizon DBIR 2026 — Vulnerability Exploitation Overtakes Credential Theft
- Security Boulevard: The Remediation Paradox
- Help Net Security: Verizon DBIR — Vulnerability exploitation is the dominant initial access vector
- Verizon 2025 DBIR: Credential and Secrets Theft insights
- Infosecurity Magazine: 2.9 Billion Compromised Credentials