Rapid7 reveals surge in exploited vulnerabilities and shrinking attack timelines in 2026 report

Rapid7 has released its 2026 Global Threat Landscape Report, revealing a sharp increase in high and critical-severity vulnerabilities being exploited within days of their disclosure. The findings indicate a marked reduction in the time available to organizations for risk assessment and remediation before potential compromise.

The report highlights operational challenges as the number of exploited vulnerabilities in the highest risk categories rose from 71 in 2024 to 146 in 2025. This trend suggests an accelerated cycle in which attackers convert disclosed vulnerabilities into active threats more rapidly than previously observed.

The analysis integrates vulnerability disclosure data, incident response telemetry from Managed Detection and Response (MDR) activities, and intelligence from cybercrime and nation-state sources. Among the technical observations, the median time for vulnerabilities to appear in the CISA Known Exploited Vulnerabilities (KEV) catalog shortened from 8.5 days to 5.0 days. Identity-based access, particularly accounts lacking effective multi-factor authentication, remained the leading initial access method, accounting for nearly 44% of incident investigations.

The 2026 report also details the increased use of Artificial Intelligence (AI) by adversaries to expedite phishing and scripting tasks, as well as the continued evolution of Advanced Persistent Threat (APT) groups employing stealthier techniques. Ransomware activity was involved in 42% of MDR incident responses, with leak posts rising 46.4% year over year to 8,835 in 2025.

Rapid7's chief scientist Raj Samani said, “Exploitation timelines are increasingly measured in days rather than weeks. AI is being integrated rapidly into attacker playbooks, accelerating how quickly exposure is operationalized. Many of the incidents we investigate still originate from known, unaddressed exposure. In those cases, attackers don’t need sophistication, they need opportunity. As remediation windows shrink, reducing that opportunity becomes essential to limiting compromise.”

Vice president of cyber intelligence Christiaan Beek said, “The challenge moving forward is less about identifying every vulnerability and more about understanding exposure, prioritizing realistically, and responding within increasingly compressed timelines. Predictive lead time is a thing of the past. Now, it’s about your ability to move smarter, not just faster. Organizations that reduce the preventable conditions attackers monetize before exploitation occurs, can regain a measure of control.”

The report concludes that preemptive Security Operations (SecOps) need to align remediation efforts with the speed of exploitation to sustain cyber resilience. It emphasizes that managing exposure and integrating it into detection and response workflows will be necessary to limit compromise as adversaries adopt AI-driven methods.