Business
Rapid7 Q1 2026 Threat Landscape Report Finds Vulnerability Exploitation Overtakes Social Engineering as the Top Initial Access Vector
New research highlights how AI-driven exploitation, zero-click vulnerabilities, and fragmented ransomware operations are reshaping cyber riskBOSTON, May 21, 2026 (GLOBE NEWSWIRE) -- Rapid7, Inc. (NASDAQ: RPD), a global leader in AI-powered managed cybersecurity operations, released its Q1 2026 Threat Landscape Report, examining trends in vulnerability exploitation, ransomware activity, and cybercriminal infrastructure. The report found that vulnerability exploitation surpassed social engineering
About this update from Rapid7, Inc.
New research highlights how AI-driven exploitation, zero-click vulnerabilities, and fragmented ransomware operations are reshaping cyber risk BOSTON, May 21, 2026 (GLOBE NEWSWIRE) -- Rapid7, Inc. (NASDAQ: RPD), a global leader in AI-powered managed cybersecurity operations, released its Q1 2026 Threat Landscape Report, examining trends in vulnerability exploitation, ransomware activity, and cybercriminal infrastructure. The report found that vulnerability exploitation surpassed social engineering as the leading initial access vector, accounting for 38% of incident response cases. The shift reflects the growing role of AI in accelerating how quickly attackers can identify, weaponize, and exploit unpatched systems at scale, compressing the window defenders have to respond. Reinforcing this trend, half of vulnerabilities actively exploited in the wild during Q1 were zero-click, network-facing issues requiring no authentication or user interaction, giving attackers direct access to exposed systems without relying on human action. The finding reinforces trends identified in Rapid7’s 2026 Annual Global Threat Landscape Report, which found that exploitation timelines continue to shrink: among high- and critical-severity vulnerabilities, the median time from public disclosure to inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog fell from 8.5 days to 5.0 days. "We've spent years building a security culture around humans being the weakest link, but our Q1 findings show AI is quietly rewriting that equation," said Raj Samani, SVP and Chief Scientist at Rapid7. "Attackers are increasingly bypassing user interaction altogether, prioritizing direct access to exposed infrastructure and dramatically narrowing the window defenders have to respond." Drawing on select tracked CVEs, MDR incident response data, ransomware leak-site intelligence, and dark web telemetry, the report highlights evolving exploitation patterns, ransomware activity, and changes in attacker infrastructure. Key findings include: What this means for security operations As exploitation timelines continue to shrink, security teams face increasing pressure to identify, prioritize, and remediate exposed systems before attackers can operationalize vulnerabilities at scale. “Q1 shows how quickly exposed systems can become operational targets,” said Christiaan Beek, Vic...