Rapid7 report says vulnerability exploitation has overtaken social engineering for initial access

Rapid7 says vulnerability exploitation has overtaken social engineering as the leading initial access vector in incident response cases, as attackers move faster to weaponise newly disclosed flaws.

In its Q1 2026 Threat Landscape Report, Rapid7 said exploitation accounted for 38% of managed detection and response (MDR) incident response cases, compared with 24% for social engineering and 14% for compromised accounts.

The report also said half of the vulnerabilities actively exploited in the wild during the quarter were “zero-click”, network-facing issues that require no authentication or user interaction. Rapid7 linked the shift to shorter timeframes between disclosure and real-world exploitation, arguing the window for defenders to patch exposed systems is narrowing.

“We’ve spent years building a security culture around humans being the weakest link, but our Q1 findings show AI is quietly rewriting that equation,” said Raj Samani, SVP and chief scientist at Rapid7. “Attackers are increasingly bypassing user interaction altogether, prioritising direct access to exposed infrastructure and dramatically narrowing the window defenders have to respond.”

Rapid7 said the report draws on tracked CVEs, MDR incident response data, ransomware leak-site intelligence, and dark web telemetry. It said exploited vulnerabilities averaged 1.8 million mentions across blogs, forums, and social media, which the company said can indicate how quickly widely discussed flaws become operational targets.

Among vulnerability categories, Rapid7 said SQL injection was the most exploited type in Q1, overtaking OS command injection. The company said this reflects attackers’ focus on broadly distributed web application weaknesses.

On ransomware, the report said leak-site activity remained fragmented across groups, with Qilin recording 357 posts, followed by The Gentlemen (206) and Akira (174). It also said abused remote monitoring and management tools were the most prevalent threat category observed, accounting for 22.9% of activity, followed by ClickFix (18.8%) and Windows Native Scripts (10.4%).

Rapid7’s Christiaan Beek, vice president of cyber intelligence, said defenders face growing pressure to prioritise signals as attackers focus on reachable and exploitable systems. “Security teams can’t apply the same level of investigation and response across every signal when attackers are consistently prioritising what they can reach and exploit. That gap is where risk accumulates,” he said.

The Q1 report follows Rapid7’s 2026 annual global threat landscape findings, which said the median time from public disclosure to inclusion in CISA’s Known Exploited Vulnerabilities catalogue for high- and critical-severity vulnerabilities fell from 8.5 days to 5.0 days.

Rapid7 said the quarterly report analyses adversary behaviour based on the company’s managed detection and response operations, vulnerability intelligence platforms, and threat research telemetry, including trends linked to geopolitical cyber activity, ransomware evolution and cybercriminal infrastructure.

You can read the full report here.