New research reveals exploitation now occurs within days of disclosure, reinforcing the need for preemptive security operations
Rapid7 has released The 2026 Global Threat Landscape Report: Decoding the Accelerated Cyber Attack Cycle. The report finds that the window between vulnerability disclosure and confirmed exploitation continues to collapse, leaving organisations with dramatically less time to assess risk, prioritise remediation, and contain threats before impact. The predictive lead time defenders once relied on between disclosure and exploitation has largely disappeared.
The report found that exploited high and critical severity vulnerabilities more than doubled year over year, increasing 105% from 71 in 2024 to 146 in 2025, while the window between vulnerability publication and confirmed exploitation continues to shrink, with attackers increasingly operationalising vulnerabilities within days of disclosure.
“Exploitation timelines are increasingly measured in days rather than weeks,” said Raj Samani, chief scientist at Rapid7.
“AI is being integrated rapidly into attacker playbooks, accelerating how quickly exposure is operationalised. Many of the incidents we investigate still originate from known, unaddressed exposure. In those cases, attackers don’t need sophistication, they need opportunity. As remediation windows shrink, reducing that opportunity becomes essential to limiting compromise.”
Key findings from the 2026 report
This report correlates vulnerability publication data, confirmed exploitation trends, frontline MDR incident response telemetry, and dark web, cybercrime, and nation-state intelligence to provide a unified view of how exposure evolves into compromise.
Key findings include:
- Exploitation is accelerating faster than defenders can remediate: The number of “high-risk but not yet exploited” vulnerabilities (CVSS 7-10) fell dramatically, while the number of exploited vulnerabilities increased sharply from 71 in 2024 to 146 in 2025. This indicates that high-probability vulnerabilities (CVSS 7-10) are being operationalised almost immediately.
- Weaponisation timelines continue to shrink: The median time from a vulnerability’s publication to its inclusion in the CISA KEV catalogue dropped from 8.5 days to 5.0 days, and the mean time dropped from 61.0 days to 28.5 days, a trend measured specifically among high- and critical-severity vulnerabilities.
- Identity exposure remains the dominant intrusion path: Valid accounts with missing or lax multi-factor authentication (MFA) accounted for 43.9% of all incident response investigations by Rapid7 in 2025, making it the single most common initial access vector.
- Ransomware is an industrialised monetisation engine: Ransomware was involved in 42% of Rapid7 MDR incident response investigations last year. Additionally, total ransomware leak posts increased 46.4% year over year, rising to 8,835 in 2025.
- AI is accelerating attacker operations: Generative AI has evolved into a legitimate force multiplier, enabling adversaries to accelerate phishing content creation, scripting, and iterative problem solving.
- Advanced persistent threat (APT) campaigns adopt refined evasion techniques: Rapid7 has observed APT groups significantly evolving their techniques for staying off defenders’ radar. For example, Earth Kurma pioneered a “Living Off the App” strategy that covertly uses Cisco Webex for command-and-control, while Volt Typhoon now utilises Living Off the Land techniques to maintain long-term persistence.
What this means for security operations
The report underscores that delayed remediation and misaligned prioritisation are increasingly central to breach outcomes. As exploitation timelines compress, organisations must address exposure earlier and integrate more closely with detection and response. Attack surface exposure must now be triaged in the context of active attacker behaviour, aligning remediation timelines with exploitation velocity to sustain durable cyber resilience.
“The challenge moving forward is less about identifying every vulnerability and more about understanding exposure, prioritising realistically, and responding within increasingly compressed timelines,” said Christiaan Beek, vice president of cyber intelligence at Rapid7.
“Predictive lead time is a thing of the past. Now, it’s about your ability to move smarter, not just faster. Organisations that reduce the preventable conditions attackers monetise before exploitation occurs, can regain a measure of control.”
The 2026 report reinforces that operating pre-emptively is no longer optional. As adversaries embed AI into reconnaissance and exploitation workflows, defensive operations must evolve with the same discipline. Organisations that manage exposure, and integrate it into detection and response, will be better equipped to limit compromise and sustain durable cyber resilience.
To read a full copy of the report, visit here
