Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Attackers are executing their playbooks faster and at scale in ways never seen before. Highly exploitable vulnerabilities are up 105%, and the time to KEV inclusion dropped from 8.5 to just 5 days after disclosure. Speed is no longer an advantage.

Signals you can't ignore
Exploitation spike
Confirmed exploitation of newly disclosed critical vulnerabilities (CVSS 7–10) more than doubled year-over-year.
Identity compromise
Valid accounts with missing or lax MFA drove nearly half of all incident response investigations.
Ransomware dominance
Ransomware remains the top operational outcome, driven by industrialization and AI-accelerated playbooks.
What’s driving the shift in 2026

The predictive window has collapsed
Critical vulnerabilities are being weaponized faster than ever, and reactive remediation models are failing.
Identity as initial access
Valid credentials have become the most reliable entry point in enterprise compromise.
The ransomware access economy
Ransomware operators don’t need zero-days to breach your defenses, and initial access brokers have industrialized the ecosystem.
AI as an acceleration layer
Generative AI compresses phishing development, reconnaissance, and social engineering cycles.
Strategic pre-positioning
Why nation-state actors are embedding persistence inside cloud and critical infrastructure environments.
What you’ll walk away with
- Detailed analysis of attacker behavior to inform a practical framework for prioritizing exposure management in an accelerating landscape
- Insight into how AI is being used at speed and scale
- Detailed analysis of specific APT group campaigns such as Earth Kurma and Volt Typhoon
- Defensive recommendations aligned to attacker behavior
- A model for transitioning from a reactionary stance to preemptive security
Who is this report for?
CISOs
Rethink your relationship to risk
See how attacker velocity is reshaping risk, and align security investment to reduce exposure before it becomes disruption.
Exposure teams
Less time requires better strategy
Understand how exploitation timelines have compressed, and adjust prioritization to focus on the weaknesses attackers weaponize first.
The SOC & incident responders
Better know the adversary
Gain insight into dominant initial access vectors, ransomware trends, and AI-driven tactics to sharpen detection and response.