Episode 182: Patching Crisis — Vulns Now #1 Attack Vector (2026 Verizon DBIR)
Show notes
Hosts Brad Causey and Spencer Alessi break down the 2026 Verizon Data Breach Investigations Report, focusing on the findings that actually matter for IT and security teams.
The biggest surprise: vulnerability exploitation has overtaken stolen credentials as the top initial access vector, accounting for 31% of attacks, while credential abuse dropped to just 13%. This completely flips the script on years of "identity is the new perimeter" thinking.
Topics covered include:
- Vulnerability explosion and remediation crisis: Why there are too many vulnerabilities and not enough time for patching, with only 26% of CISA KEV vulnerabilities fully remediated (down from 38%)
- The patching time paradox: Median remediation time increased from 32 days to 43 days despite organizations initially getting faster at patching from 2022-2024
- Web application sprawl: How the push to cloud and SaaS has created massive attack surfaces organizations don't own and can't patch
- The top 4 initial access vectors: Vulnerability exploitation, phishing, credential abuse, and pretexting
- Ransomware economics shifting: 48% of breaches involved ransomware, but 69% of victims didn't pay and median payments dropped to $139,875
- Mobile phishing success: Mobile-centric phishing had 40% higher success rates than email phishing as users get better at spotting email threats
- Social engineering evolution: The human element appeared in 62% of breaches, with pretexting requiring different countermeasures than traditional phishing
- Shadow AI explosion: 45% of employees are regular AI users on corporate devices (up from 15%), with 67% using non-corporate accounts
- AI data exfiltration: Shadow AI is now the third most common non-malicious insider risk, with source code being the top data type leaked
- MCP and IDE extension risks: Real-world examples, including PocketOS having its entire production database deleted by Claude connected to a Railway CLI MCP server
Brad and Spencer emphasize that while the threat landscape is shifting dramatically, the fundamentals still matter. Organizations need to get comfortable with not being able to patch everything and focus on what matters most.
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, and learn how we do internal pentesting.