TLDR: Industry and compliance frameworks are the default way people sort organizations into risk tiers, but they’re a weak predictor of whether a real vulnerability actually gets remediated. The stronger signal is behavioral: does the organization update its threat model when new evidence shows up, or does it defend the model it already has? Mandiant’s 2026 data on attacker hand-off speed and Verizon’s 2026 DBIR data on patch remediation both point the same direction at scale. Operators who learn to read for this signal save themselves a lot of wasted effort.
There’s a habit in this industry of sorting organizations by how “serious” their sector is. Banking and healthcare get assumed to be mature, because regulators are watching. Retail and manufacturing get assumed to be behind, because the assumption is nobody’s forcing them to be otherwise.
It’s a useful shorthand. It’s also wrong often enough that relying on it costs people real time and real risk.
Compliance pressure correlates loosely with maturity, but the correlation is much weaker than the shorthand implies. We’ve assessed organizations in heavily regulated industries that treat every finding as a checkbox to close, and organizations with no regulatory pressure at all that take a single unverified report seriously enough to change how they operate. Vertical tells you what rules an organization has to follow. It does not tell you what they do when a rule doesn’t catch something.
A Different Signal
The trait that actually distinguishes these organizations has nothing to do with sector. It’s whether new evidence changes the threat model, or whether the threat model gets defended against the evidence.
This shows up early, usually in the first conversation. Two organizations can receive the exact same assessment finding and respond in completely different ways. One asks how the finding would actually be exploited, what an attacker would do next, and what it would take to close the gap before the next test. The other asks whether the finding maps to a control they’re already required to have, and if it does, treats the existence of the control as the answer regardless of whether the control actually works.
The first organization is building a model of their own risk and updating it as they learn. The second is maintaining a position. Neither posture correlates cleanly with industry, company size, or how recent their last audit was. It correlates with how leadership has decided to relate to bad news.
There’s a second tell that compounds the first: what happens to last year’s findings. An organization that fixes what gets found, even slowly, is demonstrating that assessment results convert into action. An organization whose remediation backlog only grows is demonstrating the opposite, no matter how the program looks on paper.
A third tell sits in who owns the finding once it’s delivered. In organizations that act on evidence, a finding usually gets a name attached to it within days: someone is accountable for closing it, and that person can tell you where it stands without checking a tracker first. In organizations that defend their existing model, findings tend to land in a shared queue with no clear owner, where they wait for the next audit cycle to get revisited, if they get revisited at all. The difference isn’t process maturity in the abstract. It’s whether the organization treats a finding as something a person now owns, or as something a system will eventually process.
None of these three tells requires a deep engagement to surface. A scoping call, a remediation review, or even a candid conversation with a prospective client’s security lead will usually reveal which posture an organization holds within the first hour.
The Data Backs This Up
This isn’t just operator intuition. Mandiant’s M-Trends 2026 report, built on more than 500,000 hours of frontline incident response conducted in 2025, found that the median time between initial access and hand-off to a secondary threat group has collapsed to 22 seconds, down from over eight hours in 2022. That number describes an industrialized attack ecosystem where one group gains access and immediately passes it to another to monetize. It also describes something about organizational readiness: the gap between detection and meaningful response has to close at a comparable pace, or the speed advantage belongs entirely to the attacker. An organization that treats a routine alert as low priority because it hasn’t been correlated to anything serious yet is operating on a timeline that no longer matches the threat.
Verizon’s 2026 DBIR adds the remediation side of the same picture. Drawing on a dataset of more than 22,000 confirmed breaches across 145 countries, the report found that vulnerability exploitation overtook credential abuse as the leading breach vector for the first time in the report’s 19-year history, accounting for roughly 31 percent of initial access. More relevant to the maturity question is what happens after a vulnerability is identified: Verizon found that organizations fully remediated only 26 percent of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog last year, down from 38 percent the year before, and that median time to full patching rose from 32 days to 43 days. These are vulnerabilities already confirmed to be under active exploitation. Knowing about them is not the bottleneck. Acting on that knowledge is.
The report’s data on third-party exposure makes the same point from a different angle: despite third-party involvement in breaches jumping 60 percent year over year, only 23 percent of third-party organizations fully remediated MFA gaps in their cloud accounts, and weak passwords or permission misconfigurations took close to eight months to fix for half of all findings. None of that gap is explained by industry. It’s explained by what organizations choose to prioritize once a known risk has been identified.
There’s also a structural reason the gap persists, and it has nothing to do with regulation. The DBIR’s analysis found that organizations had a median of 16 known-exploited vulnerabilities to patch in 2025, almost 50 percent more than the prior year. An organization that treats every finding as equally urgent, regardless of exploitability or business impact, will fall further behind every cycle, because the volume of findings is growing faster than most security teams’ capacity to triage them. The organizations that hold up under that volume aren’t the ones with the most resources. They’re the ones that have a working process for deciding what to act on first, and an owner accountable for each decision once it’s made. That process is a leadership choice, not a budget line.
What This Means Depending On Your Seat
If you’re evaluating a vendor, an assessment partner, or an acquisition target, this is a more useful filter than industry classification. Ask what happened to the findings from their last assessment. Ask whether leadership engaged with the finding or with the control mapping. The answer will tell you more about how the organization will behave under pressure than their compliance certifications will.
A practical version of this: in diligence or vendor review, ask for the finding-to-remediation timeline from the last two assessment cycles, not just the most recent report. A single clean report can mean genuine maturity, or it can mean a scope that was narrowed enough to avoid uncomfortable findings. A pattern across two or three cycles, where findings get logged, owned, and closed on a predictable cadence, is much harder to fake and much more predictive of how the organization will respond the next time something serious turns up.
If you’re trying to get your own organization to act on findings faster, this is the conversation worth having before the next assessment lands, not after. The question isn’t whether you have the right controls on paper. It’s whether the people reviewing a finding are asking what an attacker would actually do with it, or asking which box it satisfies. Naming an owner for every finding at the moment it’s delivered, rather than after the next planning cycle, is a small process change that tends to surface this gap quickly: if no one volunteers to own a finding, that’s information about the organization’s actual posture, regardless of what the policy documents say.
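The three tells above (findings converting into closure, a named owner within days, and a backlog that doesn’t carry over) can be measured from a findings tracker export. The script below is an added illustration, not part of the article or the cited reports; it runs over a constructed six-finding sample spanning two assessment cycles, and the field names, the one-week owner window and the KEV flag are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Finding:
    fid: str
    cycle: int                      # assessment cycle the finding came from
    reported: date                  # date the finding was delivered
    kev: bool                       # listed in CISA KEV when reported (assumed flag)
    owner_assigned: Optional[date] = None
    closed: Optional[date] = None

def _days(start: date, end: date) -> int:
    return (end - start).days

def remediation_report(findings, as_of: date, owner_window_days: int = 7) -> dict:
    """Summarise the three tells from a findings list as of a given date."""
    kev = [f for f in findings if f.kev]
    kev_closed = [f for f in kev if f.closed and f.closed <= as_of]
    closed = [f for f in findings if f.closed and f.closed <= as_of]
    # Tell 1: do findings convert into action? (share of KEV fixed, median days to close)
    kev_fixed_pct = round(100 * len(kev_closed) / len(kev)) if kev else None
    median_days = median(_days(f.reported, f.closed) for f in closed) if closed else None
    # Tell 3: does a named person own the finding within days of delivery?
    owned_fast = [f for f in findings
                  if f.owner_assigned and _days(f.reported, f.owner_assigned) <= owner_window_days]
    owned_pct = round(100 * len(owned_fast) / len(findings)) if findings else None
    # Tell 2: is the backlog growing? count still-open findings per cycle
    open_by_cycle: dict = {}
    for f in findings:
        if not f.closed or f.closed > as_of:
            open_by_cycle[f.cycle] = open_by_cycle.get(f.cycle, 0) + 1
    latest = max((f.cycle for f in findings), default=0)
    carried_over = sum(n for c, n in open_by_cycle.items() if c < latest)
    return {"kev_fixed_pct": kev_fixed_pct, "median_days_to_close": median_days,
            "owned_within_window_pct": owned_pct, "open_by_cycle": open_by_cycle,
            "carried_over_from_prior_cycles": carried_over}

# Constructed sample data (not real findings): two cycles, six findings
SAMPLE_FINDINGS = [
    Finding("F1", 1, date(2025, 3, 1), True, date(2025, 3, 3), date(2025, 4, 10)),
    Finding("F2", 1, date(2025, 3, 1), True),                       # KEV, no owner, still open
    Finding("F3", 1, date(2025, 3, 1), False, date(2025, 3, 20), date(2025, 6, 1)),
    Finding("F4", 2, date(2026, 1, 15), True, date(2026, 1, 16), date(2026, 2, 20)),
    Finding("F5", 2, date(2026, 1, 15), True, date(2026, 1, 20)),   # owned quickly, open
    Finding("F6", 2, date(2026, 1, 15), False),                     # unowned, open
]
AS_OF = date(2026, 3, 1)

if __name__ == "__main__":
    print(remediation_report(SAMPLE_FINDINGS, AS_OF))
```

A finding from a prior cycle still sitting open with no owner (F2 above) is the pattern the article describes as a growing backlog, and it is visible regardless of what the latest report looks like.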
Risk tiering by vertical is a convenience. It’s not a measurement.
References
- Mandiant, M-Trends 2026: https://cloud.google.com/security/resources/m-trends-executive-edition
- Verizon, 2026 Data Breach Investigations Report: https://www.verizon.com/business/resources/reports/dbir/