
The Verizon DBIR Report, Project Glasswing Update Expose the Risk of Legacy Remediation Workflows


Last week, Verizon released its 2026 Data Breach and Incident Report highlighting trends across 31,000 security incidents and 22,000 confirmed data breaches in 145 different countries. For the first time in the history of the report, “exploitation of vulnerabilities” was the most common initial access vector for breaches.

The details of Verizon’s report highlighted two startling metrics:

  • The median organization saw 50% more critical vulnerabilities to patch compared to last year
  • The mean time for full resolution increased year-over-year from 32 days to 43 days

In other words, the volume of findings to patch and the speed of remediation are heading in opposite directions – and these findings came in a pre-Mythos world.

A few days after the annual Verizon report hit, Anthropic released an update on Project Glasswing, an exclusive project with 50 partners (including Zscaler) designed to identify and fix critical software vulnerabilities using a preview of Mythos. In less than two months, Mythos Preview has found an estimated 6,202 high- or critical-severity vulnerabilities.

As Anthropic discloses in its update, significant delays and challenges have plagued the process from discovery to disclosure to patch, particularly when it comes to open source maintainers – as of that update, only 75 high- or critical-severity vulnerabilities had been patched.

Bear in mind that this early volume of findings from Project Glasswing comes from just a few dozen partners. When Claude Mythos and similar models become generally available, the floodgates will open, with AI-powered vulnerability discovery hitting the entire software ecosystem.

Bottom line: security teams are struggling to patch critical vulnerabilities in a timely manner today, and the challenge is about to multiply to a previously unimaginable scale.

Two familiar challenges in vulnerability management: volume and speed

Security teams are quite familiar with flooded vulnerability queues and shrinking exploit windows.

Within a similar number of distinct organizations studied, Verizon cites almost eight times the aggregate number of CISA KEV findings in 2025 compared to a few years earlier in 2022. Despite more vulnerabilities getting closed in 2025 vs. any other year, the backlog of unaddressed KEVs has grown. The report draws a direct line from the exponentially increasing volume to the 8% increase in CISA KEV findings still open at Day 28.

In other words, the pace of vulnerability resolution hasn’t slowed. Instead, current tooling and processes simply do not scale for today’s reality.

Again, these data points come pre-Mythos, a model that has demonstrated an ability to find and exploit previously unknown vulnerabilities at machine speed. In two short months, it is already producing proof-of-concept (POC) exploits that open source maintainers are struggling to patch.

When it comes to vulnerability discovery and exploitation, the game has changed. Security teams need to change their game accordingly.

Start with machine-speed analysis and prioritization

The first place to audit your workflow is prioritization.

Static scoring systems like the Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) lack environmental context about your assets, the multiplying risk factors such as open ports or misconfigurations, and the mitigating controls that block attack paths. As a result, security teams waste precious time and resources chasing “false criticals,” reporting on generic findings and patches without a perspective on the reduction of actual business risk.

Traditional prioritization methods slow down response times by cluttering remediation pipelines with issues that don’t rise to the level of emergency response.

In a previous post, we covered the need for CISOs to “adjust their definition of exploitability.” AI-powered vulnerability discovery will soon outpace traditional scoring and threat intelligence models. While those models can indicate “theoretical exploitability,” security teams instead need a finely tuned model that understands exploitability in the context of their environmental factors, mapped against their mitigating controls.

In the post-Mythos world of machine-speed exploits, prioritization must also happen at machine speed. The manual process of exporting scan results into spreadsheets and mapping them to asset criticality and controls will never keep pace.

Your Exposure Management solution must handle each of the following items without the need for human analysis:

  • Incorporate all relevant context from assets, identities, and alerts connected to each exposure finding – whether it originates from a traditional scanner or an AI model
  • Apply multiplying risk factors from all relevant sources to adjust severity scoring
  • Automatically reduce severity scoring based on the presence of mitigating controls (such as your ZIA/ZPA policies)
  • Allow you to customize or adjust the weight of each contributing factor

No one can afford to build context manually – security teams must get the priority list for risk burndown much faster to keep pace.
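The scoring adjustments listed above, as an added illustration that is not Zscaler's product logic: a static CVSS base score is multiplied by asset criticality and by per-port and per-misconfiguration factors, then reduced per mitigating control, with every weight in a table the reader can override. The weight values, field names and sample findings are constructed for the example.

```python
from dataclasses import dataclass

# Constructed default weights; each is meant to be tuned per organization,
# which is the "customize the weight of each contributing factor" requirement.
DEFAULT_WEIGHTS = {
    "criticality": {"low": 1.0, "medium": 1.25, "high": 1.5},
    "exposed_port": 0.15,   # added to the multiplier per externally reachable port
    "misconfig": 0.25,      # added to the multiplier per misconfiguration on the asset
    "control": 0.5,         # factor applied once per mitigating control in the attack path
}

@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss_base: float                # static score from the scanner or AI model, 0-10
    asset_criticality: str = "low"  # low / medium / high
    exposed_ports: tuple = ()       # e.g. (443, 8443)
    misconfigs: tuple = ()          # e.g. ("default-creds",)
    controls: tuple = ()            # e.g. ("zpa-policy",) blocking reachability

def contextual_score(f: Finding, weights=DEFAULT_WEIGHTS) -> float:
    """base * criticality * (1 + multiplying factors) * control reduction, capped at 10."""
    score = f.cvss_base * weights["criticality"][f.asset_criticality]
    score *= 1 + weights["exposed_port"] * len(f.exposed_ports) \
               + weights["misconfig"] * len(f.misconfigs)
    score *= weights["control"] ** len(f.controls)
    return round(min(score, 10.0), 2)

def prioritize(findings, weights=DEFAULT_WEIGHTS):
    """Return (finding_id, contextual score) pairs, highest risk first."""
    scored = [(f.finding_id, contextual_score(f, weights)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample findings: a CVSS 9.8 "false critical" on a low-value host
# behind two mitigating controls, and a CVSS 6.5 medium on an exposed,
# high-criticality host with a misconfiguration and no controls in front of it.
SAMPLE_FINDINGS = [
    Finding("F-1", "dev-box-07", 9.8, "low", (), (), ("zpa-policy", "no-inbound-route")),
    Finding("F-2", "pay-web-01", 6.5, "high", (443, 8443), ("default-creds",), ()),
]

if __name__ == "__main__":
    for finding_id, score in prioritize(SAMPLE_FINDINGS):
        print(finding_id, score)
```

With the default weights the 9.8 drops to 2.45 and the 6.5 is capped at 10, so the order reverses; setting the `control` weight to 1.0 removes the credit for mitigating controls and restores the static ordering.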

“Design for triage”

In its executive briefing in response to Claude Mythos, the Cloud Security Agency calls for organizations to “Stand up VulnOps,” a risk reduction program staffed and automated like DevOps.

In its description of VulnOps, CSA instructs security teams to “design around triage discipline from the start.”

As the number of vulnerabilities and subsequent patches increases, it is imperative to group findings and route them to the right owners automatically. Ticket grouping and triage are low-hanging fruit that can deliver dramatic improvements in response time.

If triage in your organization is manual today, think about the ways your teams work and how you might automate it. We see Zscaler customers group and assign tickets according to many of the following attributes:

  • Asset type
  • Asset owner
  • Asset tags (such as PII or PCI)
  • Available fixes
  • Finding type (vulnerability, misconfiguration, etc.)
  • Finding severity

By managing one ticket for numerous findings and automatically assigning the ticket, you’re moving the starting line of the race to your advantage. Any triage dwell time is wasted time in the age of AI-powered exploits.
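The grouping and routing described above, as an added example that is not Zscaler's own triage code: findings are bucketed into one ticket per distinct combination of the chosen attributes (owner, available fix, finding type by default), each ticket takes the highest member severity as its priority, is assigned to the asset owner, and is flagged for escalation when a PII/PCI-tagged asset carries a high or critical finding. Asset names, owners, tags and fix labels are constructed placeholders.

```python
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SENSITIVE_TAGS = {"PII", "PCI"}   # asset tags that warrant escalation

# Constructed sample findings; "fix" is the remediation a scanner would report.
SAMPLE_FINDINGS = [
    {"id": "F-1", "asset": "pay-web-01", "owner": "team-payments", "tags": {"PCI"},
     "type": "vulnerability", "severity": "high", "fix": "upgrade-libfoo"},
    {"id": "F-2", "asset": "pay-web-02", "owner": "team-payments", "tags": {"PCI"},
     "type": "vulnerability", "severity": "critical", "fix": "upgrade-libfoo"},
    {"id": "F-3", "asset": "hr-portal", "owner": "team-hr", "tags": {"PII"},
     "type": "misconfiguration", "severity": "medium", "fix": "disable-anon-share"},
    {"id": "F-4", "asset": "build-agent-3", "owner": "team-platform", "tags": set(),
     "type": "vulnerability", "severity": "low", "fix": "upgrade-libfoo"},
]

def group_findings(findings, group_by=("owner", "fix", "type")):
    """One bucket per distinct combination of the grouping attributes."""
    groups = defaultdict(list)
    for f in findings:
        groups[tuple(f[attr] for attr in group_by)].append(f)
    return groups

def build_tickets(findings, group_by=("owner", "fix", "type")):
    """Turn each bucket into a routed ticket: assignee, priority, escalation flag."""
    tickets = []
    for key, members in group_findings(findings, group_by).items():
        top = max(members, key=lambda f: SEVERITY_RANK[f["severity"]])
        tags = set().union(*(f["tags"] for f in members))
        tickets.append({
            "key": key,
            "assignee": members[0]["owner"],          # route to the asset owner
            "priority": top["severity"],              # worst finding sets the priority
            "escalate": bool(tags & SENSITIVE_TAGS) and SEVERITY_RANK[top["severity"]] >= 3,
            "findings": [f["id"] for f in members],
            "assets": sorted({f["asset"] for f in members}),
        })
    tickets.sort(key=lambda t: SEVERITY_RANK[t["priority"]], reverse=True)
    return tickets

if __name__ == "__main__":
    for t in build_tickets(SAMPLE_FINDINGS):
        print(t["assignee"], t["priority"], "escalate" if t["escalate"] else "", t["findings"])
```

Changing `group_by` to `("fix",)` collapses the three `upgrade-libfoo` findings into a single ticket, which is the trade-off between fewer tickets and cleaner ownership.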

Don’t wait for patch windows to reduce risk

The Verizon DBIR Report and the Project Glasswing update each provide evidence that faster patching and remediation can no longer outpace the AI-powered adversary, no matter how efficiently your teams operate.

As frontier AI models discover vulnerabilities and code flaws, security teams will often be tasked to reduce risk outside of patching windows – or even before a patch is available.

In addition to efficient patch management workflows, automated response playbooks can block attack paths and minimize the potential blast radius while you wait for an available patch. For example, a risky asset with an exploitable vulnerability could be isolated from the network. The associated user could be restricted from crown jewel applications. Sure, the finding is still present, but risk and reachability have been greatly reduced.

By evaluating risk holistically – with the context of asset relationships, identities, and alerts – your exposure management program is positioned to reduce risk in near real-time rather than waiting for the next available patch.

AI-powered attackers will not wait for patch windows, and neither should you.

Learn how Zscaler Exposure Management is helping customers keep pace with a new generation of AI-powered exploits.
