Qualys has contributed analysis to the Verizon 2026 Data Breach Investigations Report (DBIR), drawing on more than one billion anonymised vulnerability remediation records linked to CISA’s Known Exploited Vulnerabilities (KEV) catalogue across four consecutive DBIR reporting cycles.
The data is also published in Section 7 of Qualys TRU’s “The Broken Physics of Remediation” report, which examines remediation timelines and argues that common patching metrics may not reflect actual business exposure as exploitation timelines accelerate.
According to the figures provided, the number of KEV vulnerability instances increased 7.7 times over four years, from 68.7 million to 527.3 million. Qualys said median detection-to-closure time remained about nine days, but the overall backlog grew as volumes increased faster than teams could remediate.
Qualys’ survival analysis approach, referenced in the DBIR, tracks the proportion of known-exploited vulnerability instances still open after a CVE is added to the KEV catalogue. In the latest cycle cited, Qualys said 35% of instances remained open by Day 28, compared with 27% in 2024. It also reported that at the end of a year-long observation window, millions of KEV instances were still not remediated.
The company said the absolute number of open instances at Day 28 grew from 31 million to 184 million, characterising the trend as a scale problem rather than a decline in remediation effort.
Qualys also pointed to growth in proactive remediation—fixing vulnerabilities before they are listed in KEV—reporting 63.7 million instances were patched ahead of KEV listing in 2025, a 30% year-on-year increase. However, it said the proactive remediation rate fell from 16.6% to 12.1% as overall KEV-linked workload rose 78% over the same period.
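As an added illustration (not Qualys' code or its stated methodology), a Kaplan-Meier estimator is one standard way to compute a "share of KEV instances still open N days after listing" curve when CVEs have different follow-up lengths. The records, dates and function names below are constructed, and the sketch assumes every instance was already detected when its CVE was listed.

```python
from collections import Counter
from datetime import date, timedelta

def km_open_curve(records, observed_until):
    """Kaplan-Meier estimate of the share of KEV instances still open.

    records: (kev_added, closed) date pairs, closed=None if still open.
    Returns (curve, proactive): curve is [(day, share_open)], proactive counts
    instances closed before the KEV listing date (kept out of the curve).
    """
    closures, exits, proactive = Counter(), Counter(), 0
    for kev_added, closed in records:
        if closed is not None and closed < kev_added:
            proactive += 1
            continue
        # Still-open instances are right-censored at the end of observation.
        day = ((closed or observed_until) - kev_added).days
        exits[day] += 1
        if closed is not None:
            closures[day] += 1
    at_risk, share_open, curve = sum(exits.values()), 1.0, []
    for day in sorted(exits):
        if closures[day]:
            share_open *= 1 - closures[day] / at_risk
            curve.append((day, share_open))
        at_risk -= exits[day]  # closed and censored instances both leave
    return curve, proactive

def open_at(curve, day):
    """Share still open `day` days after KEV listing (step function)."""
    share = 1.0
    for d, s in curve:
        if d > day:
            break
        share = s
    return share

# Constructed sample: CVE "A" listed early (long follow-up), CVE "B" listed
# 20 days before the data cut-off, so its open instances are censored early.
CUTOFF = date(2025, 12, 31)
A, B = date(2025, 1, 1), date(2025, 12, 11)
SAMPLE = (
    [(A, A + timedelta(days=n)) for n in (5, 9, 25, 40)]
    + [(A, None), (A, A - timedelta(days=10))]
    + [(B, B + timedelta(days=3)), (B, None), (B, None)]
)

if __name__ == "__main__":
    curve, proactive = km_open_curve(SAMPLE, CUTOFF)
    print(f"open at day 28: {open_at(curve, 28):.1%}, proactive: {proactive}")
```

On this sample the estimator gives a Day 28 open share between the two naive answers: counting the recently listed, still-open instances as open at Day 28 overstates it, while dropping them understates it.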
The analysis presented alongside the DBIR argues that organisations may need to shift remediation practices toward faster, more automated and risk-driven processes, as human-led triage and change windows may not keep pace with increasing vulnerability volumes.

