Verizon’s 2026 Data Breach Investigations Report (DBIR), based on analysis of more than 31,000 security incidents and over 22,000 confirmed data breaches across 145 countries, found that third-party involvement in breaches jumped to 48% of all incidents in 2025, up 60% from 30% in the prior year’s report. Verizon’s own official summary states this plainly: third-party supply chain breaches jumped 60%, now accounting for nearly half of all breaches studied.
This is not an isolated single-year spike. The 30% figure from the prior DBIR was itself already described as having doubled from an earlier baseline of approximately 15% the year before that. Across three consecutive DBIR editions, the trend line runs roughly 15% to 30% to 48%, an accelerating pattern across multiple years rather than a one-time anomaly.
| DBIR edition (data year) | Third-party breach share | Year-over-year change |
|---|---|---|
| Earlier baseline | Approximately 15% | Baseline reference point cited in 2025 DBIR coverage |
| 2025 DBIR (2024 data) | 30% | Doubled from the approximately 15% baseline |
| 2026 DBIR (2025 data) | 48% | Up 60% from the prior year’s 30% |
The Central Finding: Why Third-Party Risk Is Rising Specifically Now
The 2026 DBIR contains a related finding that explains much of why third-party and supply chain risk specifically is climbing: for the first time in the report’s 19-year publishing history, vulnerability exploitation overtook stolen or abused credentials as the single most common initial access vector for breaches. Vulnerability exploitation accounted for 31% of breaches in the 2026 report, compared to credential abuse at 13%, a sharp reversal from the prior year’s report, where credential abuse stood at 22% and vulnerability exploitation at 20%.
This shift connects directly to the third-party breach surge. A breach reaching an organization through a vendor or supply chain partner is, in practice, most often a breach that began with an attacker exploiting an unpatched software vulnerability somewhere in that vendor’s stack, rather than an attacker stealing or guessing a password. As organizations rely more heavily on external vendors and shared software components, and as attackers increasingly target vulnerabilities rather than credentials as their entry method, those two trends compound each other directly.
The Patching Data: Organizations Are Falling Further Behind
The 2026 DBIR’s patching statistics explain why vulnerability exploitation specifically is winning out over credential theft as an attack method. Several figures point the same direction, all worsening year over year:
- Median time to full patching increased to 43 days in 2025, up from 32 days the year before: organizations are taking longer, not less time, to close known security gaps, even as exploitation activity accelerates.
- Organizations patched only 26% of security defects listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, down from 38% the prior year: coverage of the vulnerabilities attackers are most actively exploiting in the wild specifically declined.
- The number of critical KEV-listed flaws requiring patching was 50% higher (median) compared to the prior year’s dataset: organizations face a larger volume of high-priority vulnerabilities at the same time their patching speed and coverage are both declining.
Chris Wysopal, co-founder and chief security evangelist at Veracode, summarized the dynamic directly: exploitation is now the leading breach vector, and organizations are still simply not fixing flaws fast enough.
The practical lesson several security researchers drew from this edition of the DBIR is that patch volume alone is the wrong metric to optimize. Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, framed it this way: the losing strategy patches by volume, the winning one patches by reachability and contains the rest. Reachability analysis, meaning identifying which vulnerabilities are actually exploitable in an organization’s specific deployed configuration rather than treating every catalogued vulnerability as equally urgent, separates the flaws attackers can actually exploit from those that only look dangerous on a severity score. With critical vulnerability volume up 50% and patch coverage declining, triaging by actual exploitability rather than raw count is what the data suggests separates organizations that contain the trend from those that get overwhelmed by it.
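As an added illustration of the triage point above, and not code from the DBIR, Veracode or Black Duck, the following Python script ranks a constructed inventory of vendor-component findings two ways (by raw severity and by reachability plus KEV listing) and computes the two patching metrics the report tracks: KEV catalog coverage and median disclosure-to-patch time. The component names, dates and `CVE-EXAMPLE-*` identifiers are all made-up placeholders, and the `reachable` flag stands in for the output of whatever reachability analysis an organization runs.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding in a vendor-supplied component (constructed data)."""
    cve: str                        # placeholder ids, not real CVE numbers
    component: str                  # hypothetical vendor component name
    cvss: float                     # base severity score
    in_kev: bool                    # listed in CISA's Known Exploited Vulnerabilities catalog
    reachable: bool                 # vulnerable code path is exposed in our deployed configuration
    disclosed: date                 # date the vendor advisory / fix became available
    patched: Optional[date] = None  # None means still open


# Constructed sample inventory; every value here is illustrative.
FINDINGS: List[Finding] = [
    Finding("CVE-EXAMPLE-0001", "vendor-vpn-gateway", 9.8, True,  True,  date(2025, 3, 1),  date(2025, 3, 20)),
    Finding("CVE-EXAMPLE-0002", "vendor-vpn-gateway", 7.5, True,  True,  date(2025, 4, 2),  None),
    Finding("CVE-EXAMPLE-0003", "saas-connector-lib", 9.1, False, False, date(2025, 4, 10), None),
    Finding("CVE-EXAMPLE-0004", "saas-connector-lib", 6.5, True,  False, date(2025, 5, 5),  date(2025, 7, 1)),
    Finding("CVE-EXAMPLE-0005", "image-parser-sdk",   8.8, False, True,  date(2025, 5, 20), date(2025, 6, 30)),
    Finding("CVE-EXAMPLE-0006", "image-parser-sdk",   5.3, True,  False, date(2025, 6, 1),  None),
]


def open_findings(findings: List[Finding]) -> List[Finding]:
    """Findings that have not been patched yet."""
    return [f for f in findings if f.patched is None]


def triage_by_volume(findings: List[Finding]) -> List[Finding]:
    """The 'losing' strategy: every open flaw ranked by severity score alone."""
    return sorted(open_findings(findings), key=lambda f: -f.cvss)


def triage_tier(f: Finding) -> int:
    """Lower tier is more urgent.

    0: reachable here and exploited in the wild  -> patch now
    1: reachable here                             -> patch next
    2: exploited in the wild but not reachable    -> contain (compensating control, monitor)
    3: neither                                    -> schedule with routine maintenance
    """
    if f.reachable and f.in_kev:
        return 0
    if f.reachable:
        return 1
    if f.in_kev:
        return 2
    return 3


def triage_by_reachability(findings: List[Finding]) -> List[Finding]:
    """The 'winning' strategy: rank open flaws by exploitability tier, then severity within a tier."""
    return sorted(open_findings(findings), key=lambda f: (triage_tier(f), -f.cvss))


def kev_coverage(findings: List[Finding]) -> float:
    """Share of KEV-listed findings already patched (the metric the DBIR reports at 26%)."""
    kev = [f for f in findings if f.in_kev]
    if not kev:
        return 0.0
    return sum(1 for f in kev if f.patched is not None) / len(kev)


def median_days_to_patch(findings: List[Finding]) -> Optional[float]:
    """Median disclosure-to-patch interval over closed findings (the DBIR's 43-day metric)."""
    days = [(f.patched - f.disclosed).days for f in findings if f.patched is not None]
    return median(days) if days else None


if __name__ == "__main__":
    print("By volume:       ", [f.cve for f in triage_by_volume(FINDINGS)])
    print("By reachability: ", [f.cve for f in triage_by_reachability(FINDINGS)])
    print(f"KEV coverage:     {kev_coverage(FINDINGS):.0%}")
    print(f"Median days:      {median_days_to_patch(FINDINGS)}")
```

On this sample the severity-only ranking puts the unreachable, non-KEV `CVE-EXAMPLE-0003` at the top of the queue, while the reachability ranking puts the reachable, actively exploited `CVE-EXAMPLE-0002` first and relegates `0003` to routine maintenance. The same inventory also shows why the two DBIR metrics need separate tracking: KEV coverage here is 50% even though the median patch interval is 41 days, so a team can look reasonably fast on average while still leaving half of the actively exploited flaws open.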
Related Findings From the Same Report, Briefly
The 2026 DBIR covers considerably more ground than the third-party and vulnerability story this article focuses on. A few adjacent findings worth noting without expanding scope away from the central topic:
- Ransomware presence rose to 48% of breaches (up from 44%): a separate metric from the 48% third-party figure; the two numbers happen to coincide but measure entirely different things and should not be conflated. Ransomware specifically hit small and midsize businesses hardest, accounting for 96% of ransomware victims where organization size was known.
- Ransom payment behavior shifted further toward refusal: 69% of organizations that were successfully attacked refused to pay, and the median amount paid when organizations did pay fell to $139,785, down from $150,000 the prior year.
- The human element remained a factor in 62% of breaches (up slightly from 60% the prior year): broadly stable, indicating the third-party and vulnerability trends are additive to, not replacing, longstanding human-factor risk.
- Shadow AI use was flagged as a rapidly growing internal risk: named the third most common nonmalicious insider risk in the report’s data loss prevention dataset, a 400% increase from the prior year, with 3.2% of DLP policy violations specifically involving employees leaking intellectual property to large language models.
How This Relates to Certificate and Vendor Trust Management
It is worth being precise about the relationship between this specific finding and certificate or SSL management, since the two are adjacent but not identical categories of risk. The DBIR’s third-party breach statistic is primarily about unpatched software vulnerabilities in vendor systems and supply chain components being exploited by attackers, a software patching and vulnerability management problem. SSL certificate management failures (expired certificates, misconfigured TLS, certificate lifecycle gaps) are a different, narrower category of infrastructure risk.
The connection between the two is conceptual rather than mechanistic: both are forms of dependency risk where an organization’s security posture is only as strong as the weakest link in a chain of trust it does not fully control, whether that link is a vendor’s unpatched software (the DBIR’s finding) or a certificate authority, hosting provider, or internal team’s certificate management practices (the focus of most of this site’s other coverage). Organizations building a vendor risk management program in response to this DBIR’s findings should treat certificate lifecycle visibility across vendor relationships as one specific, addressable line item within the broader third-party risk assessment the report’s findings argue for, rather than treating it as the primary finding of this particular report.
Frequently Asked Questions
Does the DBIR’s 48% third-party figure mean nearly half of all breaches are caused entirely by vendors, with the victim organization not at fault?
Not quite. Third-party involvement in a breach means a vendor, supply chain partner, or third-party software component played a role in how the breach occurred, which can range from the third party being the direct point of compromise to the third party’s software containing the specific vulnerability that was exploited within the victim organization’s own environment. The victim organization’s own patch management practices (the 43-day median patching time, the 26% KEV catalog coverage) are very much part of the picture, since a vulnerability in vendor software that sits unpatched inside the victim’s own systems for weeks is a shared failure mode, not solely the vendor’s responsibility.
Is the rise in third-party breaches because there are more vendors and integrations now, or because attackers changed tactics?
The available data points to both factors compounding each other rather than either alone explaining the full increase. Organizational reliance on external vendors and software supply chains has been increasing structurally for years, independent of this report. What the 2026 DBIR adds is the parallel finding that attackers specifically shifted toward vulnerability exploitation as their dominant tactic for the first time in 19 years, which is a more effective attack method against organizations with larger third-party and vendor footprints precisely because each additional vendor relationship represents additional unpatched-vulnerability surface area an attacker might exploit. The growth in vendor reliance creates more potential entry points; the tactical shift toward vulnerability exploitation is what allows attackers to actually take advantage of that larger surface more effectively than credential-based attacks would.
What is the single most actionable finding from this report for an organization trying to reduce third-party breach risk?
Based on the report’s own data and the expert commentary it generated, the most actionable shift is moving from volume-based to reachability-based vulnerability triage specifically for vendor and supply chain software. Given that critical vulnerability volume increased 50% while patch coverage of the most actively exploited vulnerabilities (the CISA KEV catalog) fell to 26%, organizations cannot realistically patch every flaw in every vendor relationship at the same priority level. Identifying which vulnerabilities in vendor and supply chain software are actually reachable and exploitable within an organization’s specific deployed configuration, and prioritizing patching and compensating controls accordingly, is the approach the report’s own data and the security researchers responding to it point toward as more effective than attempting comprehensive, volume-based patching across an ever-growing vendor footprint.
