For more than a decade, security awareness training has had a single villain: the phishing email. Boring, repetitive, but effective. In April 2026 that narrative is being quietly retired. According to Cisco Talos, nearly 40 percent of all intrusions in the fourth quarter of 2025 originated not from a clicked link or a credential reuse incident, but from the direct exploitation of unpatched vulnerabilities. For the first time in years, exploits have overtaken phishing as the dominant initial access vector — and the data from the first quarter of 2026 suggests the gap is widening.
April Made the Trend Concrete
The week of April 14 made the trend uncomfortably concrete. CISA added six new entries to its Known Exploited Vulnerabilities catalog, including a critical SQL injection flaw in Fortinet FortiClient EMS (CVE-2026-21643) that allows unauthenticated remote code execution, and a high-severity Acrobat Reader vulnerability (CVE-2026-34621, CVSS 8.6) that is already being used in the wild. The Fortinet bug is particularly nasty because the affected product sits at the network edge of countless mid-sized enterprises that do not have a 24/7 patching cadence. A vulnerability of this class used to give defenders weeks to patch. In 2026 the window between disclosure and mass exploitation is measured in hours.
Why the Shift Away from Phishing?
Why the shift away from phishing? Two reasons converge. First, defenders have actually gotten better at the email problem — secure email gateways, passkeys, FIDO2 rollouts, and aggressive DMARC enforcement have raised the cost of credential phishing meaningfully. Second, attackers have gotten faster at exploit weaponization. The same agentic AI capabilities that are reshaping software development are reshaping offensive security. Anthropic's decision in early April to restrict access to its Mythos Preview model — after the model autonomously discovered and exploited zero-day vulnerabilities in every major operating system and browser during evaluation — is not a curiosity. It is a glimpse of what is sitting on the other side of the table. If a frontier lab can produce an internal model capable of that, you should assume well-funded threat actors are already building lower-quality versions of the same thing.
A Brutal Month for Victims
April was also a brutal month for victims. The Anubis ransomware crew claimed two terabytes of patient data from Signature Healthcare in Massachusetts, where ambulances were still being diverted days after the initial intrusion. Booking.com disclosed a breach affecting customer personal information. Basic-Fit confirmed that approximately 200,000 Dutch members had their data exposed. And the CPUID incident — where the official download URLs for CPU-Z and HWMonitor were swapped with malware links for roughly 24 hours between April 9 and 10 — is a textbook example of how supply-chain trust gets weaponized. People who installed a system utility from a site they have used for fifteen years got an information stealer instead.
My Take: The Threat Model Is Outdated
My read on this moment is that the threat model most organizations operationalize is now structurally outdated. We still build security programs around the assumption that the user is the weakest link. In 2026 the weakest link is your patch cadence. If your average time-to-patch on internet-facing systems is more than seven days, you are operating against a 2018 threat model in a 2026 reality. The teams that will look smart at the end of this year are the ones investing in three unsexy areas: continuous external attack surface management, automated patch pipelines for edge devices, and incident response runbooks that assume initial access has already happened.
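As an added example (not from the article or any vendor), a small Python check that joins a CISA KEV-style feed against an asset inventory and applies the seven-day time-to-patch ceiling argued for above on internet-facing systems, falling back to CISA's own due date for everything else. The feed sample, inventory, host names and due dates are constructed; only the two CVE ids and the April 14 KEV additions come from the article.

```python
import json
from datetime import date, timedelta

SLA_DAYS = 7  # the article's ceiling for time-to-patch on internet-facing systems

# Constructed sample in the field layout of the CISA KEV JSON feed (not the live feed; due dates made up).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dateAdded": "2026-04-14", "dueDate": "2026-05-05"},
    {"cveID": "CVE-2026-34621", "vendorProject": "Adobe", "product": "Acrobat Reader",
     "dateAdded": "2026-04-14", "dueDate": "2026-05-05"},
]})

# Constructed inventory: per host, the applicable KEV CVEs and their remediation date (None = still open).
INVENTORY = [
    {"host": "ems-edge-01", "internet_facing": True, "cves": {"CVE-2026-21643": None}},
    {"host": "ems-lab-02", "internet_facing": False, "cves": {"CVE-2026-21643": "2026-04-16"}},
    {"host": "ws-0042", "internet_facing": False, "cves": {"CVE-2026-34621": None}},
]

def load_kev(feed_text):
    """Index KEV entries by CVE id, parsing dateAdded and dueDate into dates."""
    entries = json.loads(feed_text)["vulnerabilities"]
    return {e["cveID"]: {"added": date.fromisoformat(e["dateAdded"]),
                         "due": date.fromisoformat(e["dueDate"]),
                         "product": e["product"]} for e in entries}

def deadline(entry, internet_facing):
    """Internet-facing hosts: 7 days after KEV listing or CISA's due date, whichever is earlier."""
    if internet_facing:
        return min(entry["added"] + timedelta(days=SLA_DAYS), entry["due"])
    return entry["due"]

def exposure_report(feed_text, inventory, today):
    """One finding per (host, CVE): days exposed since KEV listing and SLA status as of `today` (ISO date)."""
    kev, today = load_kev(feed_text), date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for cve, patched_on in asset["cves"].items():
            entry, due = kev[cve], deadline(kev[cve], asset["internet_facing"])
            end = date.fromisoformat(patched_on) if patched_on else today
            if patched_on:
                status = "patched" if end <= due else "patched-late"
            else:
                status = "overdue" if today > due else "open"
            findings.append({"host": asset["host"], "cve": cve, "product": entry["product"],
                             "days_exposed": (end - entry["added"]).days,
                             "deadline": due.isoformat(), "status": status})
    return findings
```

Running `exposure_report(KEV_SAMPLE, INVENTORY, "2026-04-24")` flags the edge host as overdue after ten days of exposure while the internal workstation is still within CISA's window, which is the distinction a patch SLA for internet-facing systems needs to make.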
There is also an uncomfortable AI-shaped subplot. The same agents helping defenders triage alerts can — with a different prompt and a different operator — turn the asymmetry against them. We are entering an era where both offense and defense are being accelerated by the same technology, and the side with better orchestration wins. That is not a comfortable place to be, but it is the actual place we are in. Pretending otherwise is the most dangerous move a security leader can make this year.
If your organization needs one resolution for Q2 2026, make it this: shrink the time between "a CVE is published" and "we are no longer vulnerable." Everything else is a footnote.