Threat Intel - Rapid7 2026 Global Threat Landscape Report

What Happened

Today, Rapid7 Labs released the 2026 Global Threat Landscape Report, revealing alarming trends in cyber threats. The report indicates that the time from vulnerability disclosure to exploitation has drastically shortened. In 2025, confirmed exploitation of high-impact vulnerabilities surged by 105%, with the median time for vulnerabilities to be added to CISA’s Known Exploited Vulnerabilities list dropping from 8.5 days to 5.0 days. This rapid operationalization of vulnerabilities poses significant challenges for organizations trying to defend against these threats.

The report highlights a shift in how cybercrime operates. No longer chaotic, it resembles structured market dynamics. Attackers are now leveraging established platforms, akin to SaaS ecosystems, to sell access and exploit weaknesses. This evolution indicates that organizations must adapt quickly to the changing landscape of cyber threats.

Who's Behind It

The report identifies a new breed of cybercriminals who operate like businesses. Initial Access Brokers validate network footholds, while ransomware operators focus on encryption and extortion. This specialization enables a more efficient and scalable cybercrime ecosystem. In 2025, ransomware was involved in 42% of Rapid7 MDR investigations, with active groups increasing from 102 to 140. This growth reflects a systemic change in the ransomware landscape, increasing the risk for businesses.

Moreover, attackers are increasingly using authentication-based attacks, exploiting valid accounts without multi-factor authentication (MFA). This trend underscores the importance of robust authentication measures in preventing breaches.

Tactics & Techniques

The report reveals that attackers are utilizing reliable vectors at alarming speeds. Rather than chasing every new vulnerability, they focus on dependable weaknesses such as authentication bypass and memory corruption. This trend emphasizes the importance of exploitability and context over sheer volume of vulnerabilities.

AI is playing a dual role in this landscape. It serves as an accelerant for attack methods, allowing cybercriminals to execute sophisticated attacks more efficiently. AI-driven phishing campaigns have become more tailored and believable, enhancing the threat posed to organizations. As AI systems become targets themselves, they inherit vulnerabilities that can be exploited, creating new pathways for risk.

Defensive Measures

For security leaders, the report presents a stark reality: familiar weaknesses persist, but the speed of attacks has increased dramatically. Organizations can no longer rely on merely being slightly faster than attackers. Instead, they must focus on reducing exposure before it can be exploited. Key strategies include:

• Continuous exposure visibility with contextual prioritization
• Strong MFA enforcement and hardened identity controls
• Protected edge infrastructure that is monitored
• Governance around AI systems and integrations

Organizations that maintain continuous insight into their exposure and act swiftly to mitigate risks will be best positioned to defend against this accelerated cycle of threats. The question is no longer whether exposure exists, but whether it can be reduced before attackers capitalize on it.