Rapid7 releases Q1 2026 threat landscape report on exploitation

Rapid7, Inc. released its Q1 2026 Threat Landscape Report, which examines trends in vulnerability exploitation, ransomware activity, and cybercriminal infrastructure. The report bears on how quickly exposed systems can become targets, as measured by the time vulnerabilities take to move from public discussion to known exploited status.

The report stated that vulnerability exploitation surpassed social engineering as the leading initial access vector, accounting for 38% of incident response cases. It also said exploitation timelines continued to shrink, including a drop in median time from public disclosure to inclusion in CISA’s Known Exploited Vulnerabilities catalog.

Rapid7 said half of vulnerabilities actively exploited in the wild during Q1 were zero-click, network-facing issues requiring no authentication or user interaction. It also reported that SQL injection became the most exploited vulnerability type in Q1, overtaking OS command injection, and that ransomware leak-site activity remained fragmented across groups.

The company said the report drew on select tracked CVEs, MDR incident response data, ransomware leak-site intelligence, and dark web telemetry. It also reported that abused Remote Monitoring and Management tools accounted for 22.9% of observed activity, followed by ClickFix (18.8%) and Windows Native Scripts (10.4%).

“We've spent years building a security culture around humans being the weakest link, but our Q1 findings show AI is quietly rewriting that equation,” said Raj Samani, SVP and Chief Scientist at Rapid7. “Attackers are increasingly bypassing user interaction altogether, prioritizing direct access to exposed infrastructure and dramatically narrowing the window defenders have to respond.”

“Q1 shows how quickly exposed systems can become operational targets,” said Christiaan Beek, Vice President of Cyber Intelligence at Rapid7.