Rapid7 Report: Attack Timelines Collapse, Exploitation Surges 105%
Event summary
- Rapid7's 2026 Global Threat Landscape Report found exploited high and critical severity vulnerabilities increased 105%, from 71 in 2024 to 146 in 2025.
- The time between vulnerability disclosure and exploitation has shrunk dramatically, with attackers now operationalizing vulnerabilities within days.
- Identity exposure (missing or lax MFA) remains the dominant intrusion path, accounting for 43.9% of incident response investigations.
- Ransomware was involved in 42% of Rapid7 MDR investigations, with ransomware leak posts increasing 46.4% year-over-year to 8,835 in 2025.
- Generative AI is accelerating attacker operations, particularly in phishing content creation and scripting.
The big picture
The report highlights a fundamental shift in the cybersecurity landscape, moving away from a model of predictive defense to one of reactive response. The collapse of exploitation timelines and the rise of AI-powered attacks are forcing organizations to prioritize exposure management and real-time detection over traditional vulnerability scanning. This trend underscores the growing need for managed security services and AI-driven threat intelligence to keep pace with increasingly sophisticated adversaries.
What we're watching
- Remediation Velocity: How quickly organizations can patch vulnerabilities will increasingly dictate their exposure, as attackers rapidly exploit disclosed weaknesses, potentially outpacing traditional remediation cycles.
- AI Integration: The continued integration of generative AI into attacker toolchains will likely further compress attack timelines and lower the barrier to entry for less sophisticated threat actors.
- Identity Security: The dominance of identity-based attacks suggests that investments in MFA and privileged access management will remain critical, and that unaddressed identity weaknesses will continue to be a primary attack vector.