Rapid7 warns exploited software flaws more than double


Rapid7 reports a sharp rise in the number of high and critical-severity software vulnerabilities that are ultimately exploited, along with a faster shift from public disclosure to real-world attacks.

Its 2026 Global Threat Landscape Report counted 146 exploited high and critical-severity vulnerabilities in 2025, up from 71 in 2024, an increase of 105% year on year.

The report also points to a shrinking gap between disclosure and exploitation. Rapid7 argues the former warning window has largely disappeared, leaving defenders days rather than weeks to assess and remediate.

Shorter windows

The report draws on vulnerability publication data, confirmed exploitation trends, telemetry from managed detection and response (MDR) investigations, and intelligence on cybercrime and state-linked activity. Together, these sources present a view of how software exposure turns into compromise.

One measure tracked how quickly vulnerabilities appear in the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalogue after publication. Among high and critical-severity vulnerabilities, the median time fell from 8.5 days to 5.0 days, while the mean dropped from 61.0 days to 28.5 days.

Rapid7 also reported a shift in the balance between vulnerabilities with high risk scores and those that are actually exploited: the number of “high-risk but not yet exploited” vulnerabilities fell sharply as the number of exploited vulnerabilities increased. It attributed the pattern to attackers operationalising newly disclosed issues more quickly.

“Exploitation timelines are increasingly measured in days rather than weeks,” said Raj Samani, Rapid7’s chief scientist.

Identity exposure

The report identified identity exposure as the most common initial access route in Rapid7’s incident response investigations. Valid accounts with missing or weak multi-factor authentication accounted for 43.9% of investigations in 2025.

The emphasis on identity reflects a broader shift in many environments, where attackers rely on credentials rather than malware. Compromised accounts can let adversaries blend in with legitimate activity and move through systems without triggering some traditional security controls.

Rapid7 linked the identity findings to the shrinking exploitation timeline, arguing that organisations need tighter alignment between exposure management and detection-and-response processes, with a focus on risks most likely to be used quickly.

“AI is being integrated rapidly into attacker playbooks, accelerating how quickly exposure is operationalised. Many of the incidents we investigate still originate from known, unaddressed exposure. In those cases, attackers don’t need sophistication, they need opportunity. As remediation windows shrink, reducing that opportunity becomes essential to limiting compromise,” said Samani.

Ransomware activity

Ransomware remained a major factor in Rapid7’s observations, both in incident work and public extortion activity. Ransomware featured in 42% of its MDR incident response investigations last year.

Rapid7 also tracked leak sites used by ransomware groups and reported growth in postings. It counted 8,835 ransomware leak posts in 2025, up 46.4% year on year. The firm framed this as evidence of a mature extortion economy, with established processes for victim outreach and public pressure.

AI and evasion

Rapid7 also observed attackers incorporating generative AI into routine workflows, including phishing content creation, scripting, and iterative problem-solving, areas where AI can reduce time and effort.

The report described changes in tactics used by advanced persistent threat groups, including more refined evasion techniques.

One example was a technique Rapid7 calls “Living Off the App”. It said a group it tracks as Earth Kurma used Cisco Webex for command-and-control activity. The report also referenced Volt Typhoon, which Rapid7 says has used living-off-the-land techniques for long-term persistence.

Operational priorities

Rapid7 linked these trends to security operations decisions that struggle to keep pace with the volume of disclosures and the speed of attacker adoption. It argued that delayed remediation and poor prioritisation increasingly shape breach outcomes, and called for triage approaches that account for active attacker behaviour rather than severity scoring alone.
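The two measurable ideas in this article are the publish-to-KEV window described under “Shorter windows” and the exploitation-aware triage called for here. The following Python is an added example, not code from the report or from Rapid7; it computes the median and mean days from publication to KEV listing over a constructed set of records (the identifiers are placeholders, not real CVEs) and then orders a remediation queue with confirmed exploitation ranked ahead of severity alone. The record layout (`severity`, `published`, `kev_added`) is an assumption made for the example.

```python
from datetime import date
from statistics import mean, median

# Constructed sample records (placeholder ids, not real CVEs). Each record has the
# publication date, a CVSS severity label and, if CISA listed it in KEV, the date
# it was added; None means no confirmed exploitation yet. Assumed layout for this example.
SAMPLE_VULNS = [
    {"id": "EXAMPLE-0001", "severity": "critical", "published": date(2025, 3, 1), "kev_added": date(2025, 3, 4)},
    {"id": "EXAMPLE-0002", "severity": "high", "published": date(2025, 3, 10), "kev_added": date(2025, 3, 15)},
    {"id": "EXAMPLE-0003", "severity": "critical", "published": date(2025, 4, 2), "kev_added": None},
    {"id": "EXAMPLE-0004", "severity": "medium", "published": date(2025, 4, 20), "kev_added": date(2025, 4, 21)},
    {"id": "EXAMPLE-0005", "severity": "high", "published": date(2025, 5, 1), "kev_added": date(2025, 6, 22)},
    {"id": "EXAMPLE-0006", "severity": "high", "published": date(2025, 5, 5), "kev_added": None},
]

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def days_to_kev(vulns, min_severity="high"):
    """Days from publication to KEV listing for exploited records at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    deltas = []
    for v in vulns:
        if v["kev_added"] is None or SEVERITY_RANK[v["severity"]] < threshold:
            continue  # skip unexploited records and those below the severity cut-off
        deltas.append((v["kev_added"] - v["published"]).days)
    return deltas


def exploitation_window_stats(vulns, min_severity="high"):
    """Median and mean publish-to-KEV delay, the same two statistics the report cites."""
    deltas = days_to_kev(vulns, min_severity)
    if not deltas:
        return {"count": 0, "median_days": None, "mean_days": None}
    return {"count": len(deltas), "median_days": median(deltas), "mean_days": mean(deltas)}


def triage_order(vulns, today):
    """Remediation order: KEV-listed first, then severity (desc), then age (oldest first).

    A severity-only queue would put every critical ahead of every medium; here an
    exploited medium outranks an unexploited critical, because confirmed attacker
    use is the stronger signal of near-term risk.
    """
    def key(v):
        exploited = v["kev_added"] is not None
        age_days = (today - v["published"]).days
        # sorted() is ascending, so negate the fields we want in descending order
        return (not exploited, -SEVERITY_RANK[v["severity"]], -age_days)
    return [v["id"] for v in sorted(vulns, key=key)]


def severity_only_order(vulns, today):
    """Baseline for comparison: severity (desc) then age, ignoring exploitation status."""
    def key(v):
        return (-SEVERITY_RANK[v["severity"]], -(today - v["published"]).days)
    return [v["id"] for v in sorted(vulns, key=key)]


if __name__ == "__main__":
    print("publish-to-KEV window (high/critical):", exploitation_window_stats(SAMPLE_VULNS))
    print("severity-only queue:     ", severity_only_order(SAMPLE_VULNS, date(2025, 7, 1)))
    print("exploitation-aware queue:", triage_order(SAMPLE_VULNS, date(2025, 7, 1)))
```

Run as a script, the two queues differ on exactly the point the article makes: the exploited medium-severity record moves ahead of the critical one that nobody has yet been seen exploiting. In practice the `kev_added` field would be populated from the KEV catalogue feed, and the `min_severity` cut-off mirrors the report's focus on high and critical findings.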

“The challenge moving forward is less about identifying every vulnerability and more about understanding exposure, prioritising realistically, and responding within increasingly compressed timelines,” said Christiaan Beek, Rapid7’s vice president of cyber intelligence.

Looking ahead, Rapid7 expects organisations to face further pressure from faster exploitation and broader use of AI-driven tools, as attackers expand reconnaissance and exploitation workflows.

“Predictive lead time is a thing of the past. Now, it’s about your ability to move smarter, not just faster. Organisations that reduce the preventable conditions attackers monetise before exploitation occurs can regain a measure of control,” said Beek.