Vulnerability Exploitation: The #1 Breach Entry Point
For the first time in 19 years, stolen credentials are no longer the most common way attackers gain access to organisations. According to Verizon's 2026 Data Breach Investigations Report, which draws on analysis of more than 31,000 security incidents across 145 countries, vulnerability exploitation now accounts for 31% of initial access vectors, up from 20% the previous year. Credential abuse has fallen to 13%.
The reason for the shift is in the remediation data. Only 26% of critical vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalogue were fully remediated by organisations in Verizon's dataset during 2025, down from 38% the year before. The median time to patch rose to 43 days, up from 32. At the same time, both the NCSC and Verizon's own analysis point to exploitation cycles accelerating, with AI shortening the gap between a vulnerability being disclosed and it being weaponised. Remediation is slowing down at the same time that exploitation is speeding up.
The patch wave the NCSC is warning about
In May 2026, NCSC Chief Technology Officer Ollie Whitehouse set out a clear argument: AI is now capable of exploiting technical debt across the software ecosystem at scale. The result, he argues, will be a forced correction: a high volume of updates across open source, commercial, proprietary, and SaaS products that organisations will need to apply quickly and across their entire stack. He calls it a patch wave, and the NCSC's message is that organisations should be preparing for it now, not when it arrives.
The practical recommendations are clear: identify and minimise internet-facing attack surfaces first, enable automatic updates wherever they are available, and operate with an update-by-default policy. For third-party applications and embedded devices where automatic patching is available, the NCSC's position is that it should be switched on. Where it is not, organisations need processes capable of handling frequent, scaled patching without introducing disruption to operations.
There is also a harder point buried in the guidance. Patching will not always be enough. Where systems are end-of-life and cannot receive updates, they need to be replaced or removed from scope entirely. Internet-facing legacy systems with no update path are, in the NCSC's assessment, among the highest-risk exposures an organisation can carry, and the patch wave will not fix them.
That volume of incoming patches lands directly on top of a requirement that is already in place.
What Cyber Essentials requires
Cyber Essentials already has a hard patching requirement. Software rated high or critical severity must be patched or mitigated within 14 days of an update becoming available. Unsupported software with no available updates must be removed from scope or replaced. This is a pass/fail condition for certification, and it applies to the full in-scope estate, including third-party applications.
The DBIR's remediation figures put that requirement in sharp relief. A median patching time of 43 days across Verizon's global dataset suggests a significant gap between how most organisations currently approach patching and what CE demands. These are not UK-specific figures, and they describe a broad dataset rather than CE applicants specifically. But the direction is clear, and the 14-day window is not a soft target.
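The 14-day rule above is mechanical enough to check automatically. The following is an added example (not CyberSmart's, the NCSC's or IASME's code) that classifies a constructed software inventory against it: high/critical items are timed from the date an update became available, unsupported software with no update is flagged for removal from scope, and the median time-to-patch for closed items is reported so it can be set against the 43-day DBIR figure. Hostnames, product names and dates are illustrative.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

CE_PATCH_WINDOW_DAYS = 14                  # CE window for high/critical updates
IN_SCOPE_SEVERITIES = {"high", "critical"}
TODAY = date(2026, 5, 30)                  # assessment date (constructed)

@dataclass
class SoftwareItem:
    host: str
    name: str
    severity: str                          # rating of the outstanding update
    update_available: Optional[date]       # None = vendor ships no update
    patched_on: Optional[date] = None      # None = not yet patched

def assess(item: SoftwareItem, today: date = TODAY) -> str:
    """Classify one inventory entry against the CE patching requirement."""
    if item.update_available is None:
        return "remove-or-replace"         # unsupported software must leave scope
    if item.severity.lower() not in IN_SCOPE_SEVERITIES:
        return "no-14-day-clock"           # lower severities carry no 14-day deadline
    age = ((item.patched_on or today) - item.update_available).days
    if item.patched_on is not None:
        return "compliant" if age <= CE_PATCH_WINDOW_DAYS else "late"
    return "open-within-window" if age <= CE_PATCH_WINDOW_DAYS else "breach"

def report(items, today: date = TODAY):
    """Per-item status plus median time-to-patch for closed high/critical items."""
    status = {f"{it.host}:{it.name}": assess(it, today) for it in items}
    closed = [(it.patched_on - it.update_available).days for it in items
              if it.patched_on and it.update_available
              and it.severity.lower() in IN_SCOPE_SEVERITIES]
    return status, (median(closed) if closed else None)

# Constructed inventory: hostnames, products and dates are illustrative only.
INVENTORY = [
    SoftwareItem("ws-01", "browser", "critical", date(2026, 5, 1), date(2026, 5, 8)),
    SoftwareItem("ws-01", "pdf-reader", "high", date(2026, 4, 1), date(2026, 5, 20)),
    SoftwareItem("ws-02", "legacy-app", "high", None),
    SoftwareItem("ws-02", "office-suite", "high", date(2026, 5, 10)),
    SoftwareItem("ws-03", "media-player", "medium", date(2026, 4, 1)),
    SoftwareItem("ws-03", "vpn-client", "critical", date(2026, 5, 25)),
]

def run_example():
    """Evaluate the constructed inventory as of TODAY."""
    return report(INVENTORY)
```

In practice the inventory would be fed from the RMM or vulnerability scanner export, and the "breach" and "remove-or-replace" rows are the ones an assessor will ask about.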
In May 2026, the ICO stated it expects organisations handling personal data to have the five Cyber Essentials controls in place. The government named CE as the supply chain baseline in its Cyber Resilience Pledge at CYBERUK 2026. The patching requirement has always been part of the scheme. What is changing is the weight being placed on it from outside.
For MSPs, that external pressure lands directly on how they deliver patch management to clients.
Why this matters for MSPs specifically
Patch management across multiple client environments at a 14-day cadence cannot be run manually. The volume is too high, the software estates are too varied, and the consequences of missing a critical update are now serious enough that it cannot be treated as a background task. For MSPs managing ten, twenty, fifty, or even more clients, the only realistic path to consistent compliance is automation.
The third-party application layer is where the gap tends to be largest. Standard RMM tooling handles OS patching adequately in most cases, but third-party software across Windows and macOS frequently falls outside that coverage. The NCSC explicitly identifies this as part of the attack surface that needs to be addressed, and it is the area where manual processes are most likely to slip.
Visibility matters as much as the patching itself. Knowing precisely what is running across each client environment, which vulnerabilities are present, and how to prioritise remediation is what makes patch management a service rather than a best-effort exercise. Without that visibility, MSPs cannot demonstrate to clients, auditors, or supply chain customers that the 14-day window is being met.
That evidence is increasingly being asked for. The ICO expects CE controls to be in place across organisations handling personal data. The government has set CE as the supply chain baseline. Clients operating inside larger supply chains are facing increasing scrutiny of their security posture, and the expectation that it is actively managed and evidenced is part of that.
Most SME clients cannot build this capability themselves. The tooling, automation, and ongoing management required are exactly what a well-equipped MSP provides. The question worth asking, as the regulatory pressure increases and the patch wave approaches, is whether your current patch management capability can actually demonstrate compliance at scale.
CyberSmart Patch gives MSPs deeper coverage across hard-to-patch third-party applications, with automatic updates, full scheduling control, and clear visibility over vulnerabilities that standard RMM tooling often overlooks.
CyberSmart Vulnerability Manager (CSVM) provides continuous scanning, prioritised remediation insights, and audit-ready reporting across all client environments, so the evidence of compliance is always there when it is needed.
