Rapid7 2026 Global Threat Landscape Report: Exploited Vulnerabilities Surge 105% as Attack Timelines Collapse

Rapid7 has released its 2026 Global Threat Landscape Report, revealing a dramatic acceleration in cyber attack patterns that leaves organizations with shrinking windows to respond to emerging threats. The research demonstrates that the predictive lead time defenders once relied upon between vulnerability disclosure and active exploitation has largely disappeared.

Key Findings: The Numbers Tell the Story

The report correlates vulnerability publication data, confirmed exploitation trends, frontline MDR incident response telemetry, and threat intelligence from dark web, cybercrime, and nation-state sources to provide a unified view of how exposure evolves into compromise.

Exploitation Acceleration

  • 105% year-over-year increase in exploited high and critical severity vulnerabilities (71 in 2024 → 146 in 2025)
  • Median time from vulnerability publication to CISA KEV inclusion dropped from 8.5 days to 5.0 days
  • Mean time from vulnerability publication to CISA KEV inclusion dropped from 61.0 days to 28.5 days
  • High-probability vulnerabilities (CVSS 7-10) are being operationalized almost immediately after disclosure

Identity Remains the Primary Attack Vector

Valid accounts with missing or lax multi-factor authentication (MFA) accounted for 43.9% of all incident response investigations by Rapid7 in 2025, making them the single most common initial access vector.

Ransomware: An Industrialized Monetization Engine

  • Ransomware was involved in 42% of Rapid7 MDR incident response investigations
  • Total ransomware leak posts increased 46.4% year over year
  • 8,835 leak posts documented in 2025

AI as a Force Multiplier for Attackers

Generative AI has evolved into a legitimate force multiplier, enabling adversaries to accelerate phishing content creation, scripting, and iterative problem solving.

APT Groups Refine Evasion Techniques

Advanced persistent threat (APT) campaigns are adopting increasingly sophisticated evasion techniques:

  • Earth Kurma pioneered a “Living Off the App” strategy that covertly uses Cisco Webex for command-and-control
  • Volt Typhoon continues utilizing Living Off the Land techniques to maintain long-term persistence

Why It Matters

“Exploitation timelines are increasingly measured in days rather than weeks,” said Raj Samani, chief scientist at Rapid7. “AI is being integrated rapidly into attacker playbooks, accelerating how quickly exposure is operationalized. Many of the incidents we investigate still originate from known, unaddressed exposure. In those cases, attackers don’t need sophistication—they need opportunity.”

The collapse of the disclosure-to-exploitation window fundamentally changes the calculus for security operations. Organizations can no longer rely on having weeks to assess, prioritize, and remediate vulnerabilities. The report underscores that delayed remediation and misaligned prioritization are increasingly central to breach outcomes.

Recommendations for Security Operations

Based on the report findings, organizations should:

  • Accelerate vulnerability remediation – prioritize based on active exploitation intelligence, not just CVSS scores
  • Strengthen identity security – with 43.9% of intrusions involving valid accounts, enforcing MFA everywhere is non-negotiable
  • Integrate exposure management with detection – attack surface exposure must be triaged in context of active attacker behavior
  • Prepare for AI-accelerated attacks – assume adversaries are using AI to scale operations faster than ever before
  • Monitor for Living Off the Land techniques – APT groups increasingly abuse legitimate tools and services for C2

“The challenge moving forward is less about identifying every vulnerability and more about understanding exposure, prioritizing realistically, and responding within increasingly compressed timelines,” said Christiaan Beek, vice president of cyber intelligence at Rapid7. “Organizations that reduce the preventable conditions attackers monetize before exploitation occurs can regain a measure of control.”

Source: GlobeNewswire