The proportion of critical vulnerability exposures has more than doubled over the past year, but fewer than one in 12 proved urgent enough to require immediate action.
This is one of the findings from Check Point Software Technologies’ new Under Pressure: The 2026 Exposure Gap Report, which reveals a widening global exposure gap and a shorter window for defenders to act before exposure becomes impact.
“Automation and AI-assisted attack tools are reshaping both the scale and pace of exposure. Threat actors can now test exposed systems, credentials, phishing infrastructure, and known weaknesses across more organisations and at greater speed than manual triage can match,” says Hendrik de Bruin, head: security consulting – Africa, for Check Point Software Technologies.
Key findings from the 2026 Exposure Gap Report include:
- Vulnerabilities surged: 42.6% of all critical exposures were vulnerabilities, more than double the 18.7% recorded a year earlier, making them the single largest category of critical exposure in 2026.
- The prioritisation gap: Only 7.8% of vulnerability alerts warranted Critical or High attention after exploitability validation, meaning more than 90% did not require the same immediate remediation focus.
- Risk concentration: 76% of all critical exposures came from just two categories, vulnerabilities and internal information disclosure, concentrating risk around exploitable weaknesses and exposed information assets.
- Phishing on the rise: Phishing websites grew to 10.5% of critical exposures, up sharply from 1% a year earlier, one of the fastest-growing exposure types of the year.
- Action at scale: Organisations acted on 85.9% of recommended fixes across the industries analysed, showing that exposures are being closed at scale when prioritisation and response workflows are in place.
“Attackers are now testing more exposures, across more organisations, at a greater speed than security professionals can manually keep pace with. The organisations that stay ahead are the ones that can quickly separate the small set of genuinely exploitable risks from the noise, then remediate them safely without disrupting operations. That is what exposure management delivers, and it is fast becoming a core measure of operational readiness,” says Yochai Corem, vice-president and GM: exposure management at Check Point Software Technologies.
The report also shows that fast, safe remediation is achievable. Many organisations resolved critical exposures within one hour, with Utilities at 30%. The fastest sector had a median remediation time of 12.6 hours, showing that even sensitive, high-stakes environments can close exposures quickly.
Exposure profiles varied sharply by sector. Vulnerabilities dominated in Utilities and Government, accounting for 78.2% and 56.4% of critical exposures, respectively, while internal information disclosure led in Healthcare at 63.6% and Financial Services at 42.7%. Healthcare proved the most challenging environment, recording the slowest median remediation time at 158.8 hours despite a strong fix-implementation rate, reflecting the constraints of legacy systems, clinical uptime requirements, and change control. These differences underline why exposure management priorities must be tailored by industry.