Attackers are increasingly shifting from stolen credentials to exploited vulnerabilities
For nearly two decades, stolen credentials have been the focus of many analyses of security breaches. This picture is now changing. According to the Verizon 2026 Data Breach Investigations Report (DBIR), vulnerability exploitation has overtaken credential abuse as the top breach vector for the first time — accounting for 31% of breaches, compared to just 13% for credential theft. AI is accelerating attack development, compressing the window between vulnerability disclosure and exploitation from months to hours. ([Heise][1])
This shift is strategically significant. It means that companies can no longer rely solely on identity protection, phishing training, MFA, endpoint protection, or perimeter defense. While these controls remain essential, they do not address the central question that attackers are increasingly exploiting: Where is the company currently technically vulnerable?
AI is changing the pace of attacks
Generative AI and automation reduce the cost of reconnaissance, accelerate the development of exploits, and make it easier for attackers to scale their operations. The practical implication is clear: defenders must shorten the time between the disclosure, detection, prioritization, and remediation of vulnerabilities. In an environment where attackers can identify and exploit exposed vulnerabilities more quickly, vulnerability management is no longer just a periodic compliance measure. It is becoming an operational security discipline.
Vulnerability management closes the gap
Organizations must identify vulnerabilities before attackers exploit them. We view vulnerability management as the central process in which vulnerabilities in the IT infrastructure are uncovered, classified by severity, and remediation measures are recommended. This allows vulnerabilities to be eliminated before they become exploitable risks.
Vulnerability management examines the infrastructure from the attacker’s perspective and asks which systems, services, devices, and configurations are currently exposed. Greenbone explicitly positions this “outside-in” perspective as a complement to firewalls and other defense systems.
Why OpenVAS is the right vulnerability scanner right now
OPENVAS is our answer to this problem. We offer authenticated and unauthenticated testing, support for internet and industrial protocols, optimization of large-scale scans, and a powerful internal language for vulnerability testing. Our tests are sourced from a feed with daily updates, and have been since 2006.
Our enterprise vulnerability management solutions utilize more than 225,000 vulnerability tests, with new tests added daily. This is important because vulnerability management is only effective if it reflects the current threat landscape. A scanner that isn’t continuously updated will quickly be outpaced by attackers.
The economic case has become more compelling
AI is changing the economic case for vulnerability management. The need is not abstract. It is driven by measurable changes in attacker behavior. The 2026 DBIR found that the median time to full patching grew to 43 days (up from 32 days the year before) while organizations patched only 26% of vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, down from 38% in 2024.
When exploited vulnerabilities become the primary entry point into organizations, identifying and reducing the attack surface is one of the most effective ways to lower the likelihood of security breaches.
Conclusion: Security teams need continuous visibility
The lesson from the latest attack data is simple: organizations must assume that their disclosed vulnerabilities will be discovered, correlated, and exploited faster than ever before. Protecting login credentials remains essential, but it is no longer sufficient. The new priority lies in continuous visibility into the attack surface, risk-based prioritization, and rapid remediation.
This is exactly where Greenbone and OPENVAS come into play. In a threat landscape where attackers are increasingly exploiting known and detectable vulnerabilities, vulnerability management becomes the first line of defense: identify the vulnerability, understand the risk, and act before the attacker does.
[1]: https://www.heise.de/news/KI-Aera-Laut-Verizon-mehr-Angriffe-ueber-Luecken-als-mit-gestohlenen-Zugangsdaten-11299991.html?utm_source=chatgpt.com “AI Era: According to Verizon, More Attacks via Vulnerabilities Than with Stolen Credentials”
[2]: https://www.securityweek.com/verizon-dbir-2026-vulnerability-exploitation-overtakes-credential-theft-as-top-breach-vector/?utm_source=chatgpt.com “Verizon DBIR 2026: Exploitation of vulnerabilities overtakes credential theft as the most common attack method”
[3]: https://www.verizon.com/business/resources/reports/dbir/ “2026 Data Breach Investigations Report (DBIR) | Verizon”
[4]: https://www.greenbone.net/en/ “Vulnerability Management | Open Source and GDPR-Compliant”
Elmar Geese has many years of experience in IT and IT security. He has been a member of the Greenbone management team since 2018 and a member of the Greenbone AG Executive Board since 2023.
He is particularly interested in the topics of management, security and the management of security, so-called artificial and human intelligence, especially in the context of cybersecurity.
As a trained musician, he still enjoys playing various instruments and is a great fan of classical music.
