Global threat landscape report shows exploited high and critical severity vulnerabilities surged 105% as attack timelines collapsed 

Rapid7 has published its 2026 global threat landscape report, which examines the accelerated cyber attack cycle. It finds that the window between vulnerability disclosure and confirmed exploitation continues to collapse, leaving organisations with dramatically less time to assess risk, prioritise remediation, and contain threats before impact.

The report found that exploited high and critical severity vulnerabilities more than doubled year over year, increasing 105% from 71 in 2024 to 146 in 2025, while the window between vulnerability publication and confirmed exploitation continues to shrink, with attackers increasingly operationalising vulnerabilities within days of disclosure.

“Exploitation timelines are increasingly measured in days rather than weeks,” said Raj Samani, chief scientist at Rapid7. “AI is being integrated rapidly into attacker playbooks, accelerating how quickly exposure is operationalised. Many of the incidents we investigate still originate from known, unaddressed exposure. In those cases, attackers don’t need sophistication, they need opportunity. As remediation windows shrink, reducing that opportunity becomes essential to limiting compromise.”

Key findings from the 2026 report

This report correlates vulnerability publication data, confirmed exploitation trends, frontline MDR incident response telemetry, and dark web, cybercrime, and nation-state intelligence to provide a unified view of how exposure evolves into compromise.

Key findings include:

  • Exploitation is accelerating faster than defenders can remediate: The number of “high-risk but not yet exploited” vulnerabilities (CVSS 7-10) fell dramatically, while the number of exploited vulnerabilities increased sharply from 71 in 2024 to 146 in 2025. This indicates that high-probability vulnerabilities (CVSS 7-10) are being operationalised almost immediately.
  • Weaponisation timelines continue to shrink: The median time from a vulnerability’s publication to its inclusion in the CISA KEV catalog dropped from 8.5 days to 5.0 days, and the mean time dropped from 61.0 days to 28.5 days, a trend measured specifically among high- and critical-severity vulnerabilities.
  • Identity exposure remains the dominant intrusion path: Valid accounts with missing or lax multi-factor authentication (MFA) accounted for 43.9% of all incident response investigations by Rapid7 in 2025, making it the single most common initial access vector.
  • Ransomware is an industrialised monetisation engine: Ransomware was involved in 42% of Rapid7 MDR incident response investigations last year. Additionally, total ransomware leak posts increased 46.4% year over year, rising to 8,835 in 2025.
  • AI is accelerating attacker operations: Generative AI has evolved into a legitimate force multiplier, enabling adversaries to accelerate phishing content creation, scripting, and iterative problem solving.
  • Advanced persistent threat campaigns adopt refined evasion techniques: Rapid7 has observed APT groups significantly evolving their techniques for staying off defenders’ radar. For example, Earth Kurma pioneered a “Living off the App” strategy that covertly uses Cisco Webex for command-and-control, while Volt Typhoon now utilises Living off the Land techniques to maintain long-term persistence.

What this means for security operations

The report underscores that delayed remediation and misaligned prioritisation are increasingly central to breach outcomes. As exploitation timelines compress, organisations must address exposure earlier and integrate more closely with detection and response. Attack surface exposure must now be triaged in the context of active attacker behaviour, aligning remediation timelines with exploitation velocity to sustain durable cyber resilience.

“The challenge moving forward is less about identifying every vulnerability and more about understanding exposure, prioritising realistically, and responding within increasingly compressed timelines,” said Christiaan Beek, vice president of cyber intelligence at Rapid7.

To read a full copy of the report, click here.