Rapid7 Q1 2026 Threat Landscape Report: Key Findings

News | 27.05.2026

Vulnerability exploitation has overtaken social engineering as the primary method attackers use to breach organizations — and AI is accelerating the timeline defenders have left to respond.

For years, security awareness programs focused on the human element as the weakest link in the chain. Rapid7's Q1 2026 Threat Landscape Report challenges that assumption with hard data: exploitation of unpatched vulnerabilities now accounts for 38% of all incident response cases tracked by Rapid7's MDR operations, surpassing social engineering at 24% and compromised accounts at 14%. AI-powered tooling is enabling attackers to identify, weaponize, and exploit vulnerabilities at a speed that fundamentally compresses the window defenders have to react.

What was announced

Rapid7 released its Q1 2026 Threat Landscape Report on May 21, 2026, drawing on MDR incident response data, tracked CVE intelligence, ransomware leak-site monitoring, and dark web telemetry. The report documents a decisive shift in attacker behavior and highlights specific patterns in vulnerability exploitation, ransomware fragmentation, and abuse of legitimate tooling.

"We've spent years building a security culture around humans being the weakest link, but our Q1 findings show AI is quietly rewriting that equation."

Raj Samani, SVP and Chief Scientist, Rapid7

The report confirms that exploitation timelines are shrinking dramatically. Building on findings from Rapid7's 2026 Annual Global Threat Landscape Report, the median time from public vulnerability disclosure to inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog dropped from 8.5 days to just 5.0 days — for high- and critical-severity vulnerabilities.

Why this matters for CEE

Organizations across Central and Eastern Europe face the same attacker infrastructure and exploitation patterns documented in this report. Many enterprises in the region operate hybrid environments with legacy on-premises systems alongside cloud workloads — precisely the configuration that maximizes exposure to network-facing, zero-click vulnerabilities. As attackers prioritize infrastructure they can reach directly, without relying on phishing or user error, the assumption that user training alone provides meaningful protection is no longer operationally sound.

For CISOs and IT directors managing limited SOC capacity in the CEE region, the shift toward automated, AI-assisted exploitation means that manual, reactive patching workflows are insufficient. Prioritization based on real-world exploitation intelligence — not just CVSS scores — becomes a baseline operational requirement. The report's finding that exploited vulnerabilities averaged 1.8 million mentions across blogs, forums, and social media before exploitation began also signals the value of open-source threat intelligence as an early warning mechanism.

"Security teams can't apply the same level of investigation and response across every signal when attackers are consistently prioritizing what they can reach and exploit. That gap is where risk accumulates."

Christiaan Beek, VP of Cyber Intelligence, Rapid7

Technical details

  • Top initial access vector: Vulnerability exploitation at 38% of MDR incident response cases, overtaking social engineering (24%) and compromised accounts (14%).
  • Zero-click vulnerabilities: 50% of actively exploited CVEs in Q1 required no authentication or user interaction — network-facing issues enabling direct system access.
  • Exploitation timeline compression: Median time from public disclosure to KEV catalog inclusion fell from 8.5 to 5.0 days for high- and critical-severity CVEs.
  • Public discussion as a signal: Exploited vulnerabilities averaged 1.8 million mentions across blogs, forums, and social media prior to active exploitation.
  • SQL injection as leading exploit type: SQL injection overtook OS command injection in Q1, reflecting attacker focus on broadly distributed web application weaknesses.
  • Ransomware fragmentation: Qilin led leak-site activity with 357 posts, followed by The Gentlemen (206) and Akira (174) — indicating no dominant operator consolidation.
  • Abused tooling: Remote Monitoring and Management (RMM) tools accounted for 22.9% of observed threat activity, followed by ClickFix (18.8%) and Windows Native Scripts (10.4%).
  • Data sources: MDR incident response telemetry, tracked CVE intelligence, ransomware leak-site data, and dark web monitoring.
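The prioritization argument above (exploitation intelligence first, CVSS score second) and the "zero-click" criterion from the list can be made concrete. The following Python is an added example, not code from Rapid7's report or from Softprom: it flags a finding as zero-click when its CVSS v3.1 vector says network-reachable, no privileges required and no user interaction (AV:N/PR:N/UI:N), and ranks findings by known-exploited status, zero-click reachability and internet exposure before falling back to the base score. The CVE identifiers, scores and vectors in SAMPLE are constructed placeholders, and the tier names are this example's own convention; the in_kev flag stands in for a lookup against a catalog such as CISA KEV, which is not performed here.

```python
"""Exploitation-first vulnerability prioritization (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    cve: str           # placeholder identifier, not a real CVE
    cvss_score: float  # CVSS v3.1 base score as reported by the scanner
    vector: str        # CVSS v3.1 vector string
    in_kev: bool       # assumed result of a known-exploited-catalog lookup (e.g. CISA KEV)
    exposed: bool      # asset is reachable from the internet per our own inventory


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v3.x vector string into a metric -> value mapping."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


def is_zero_click(vector: str) -> bool:
    """Network-reachable, no privileges, no user interaction: exploitable without a victim."""
    m = parse_vector(vector)
    return m.get("AV") == "N" and m.get("PR") == "N" and m.get("UI") == "N"


def priority_key(f: Finding) -> tuple:
    """Sort key: exploited-in-the-wild first, then zero-click, then exposure, then score."""
    return (f.in_kev, is_zero_click(f.vector), f.exposed, f.cvss_score)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Exploitation-intelligence-first ordering (highest priority first)."""
    return sorted(findings, key=priority_key, reverse=True)


def by_cvss_only(findings: List[Finding]) -> List[Finding]:
    """Baseline ordering by base score alone, for comparison."""
    return sorted(findings, key=lambda f: f.cvss_score, reverse=True)


def tier(f: Finding) -> str:
    """Assign an SLA tier; tier names are this example's own convention."""
    if f.in_kev:
        return "P1-exploited"
    if is_zero_click(f.vector) and f.exposed:
        return "P2-zero-click-exposed"
    if f.cvss_score >= 9.0:
        return "P3-critical"
    return "P4-scheduled"


# Constructed sample findings with placeholder identifiers.
SAMPLE: List[Finding] = [
    # Critical score, zero-click, but internal and not known to be exploited.
    Finding("PLACEHOLDER-CVE-A", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", False, False),
    # Lower score, but zero-click, internet-facing and on the exploited list.
    Finding("PLACEHOLDER-CVE-B", 7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", True, True),
    # High score but needs user interaction; exposed, not known exploited.
    Finding("PLACEHOLDER-CVE-C", 8.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", False, True),
    # Local privilege escalation that is on the exploited list.
    Finding("PLACEHOLDER-CVE-D", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True, False),
]


if __name__ == "__main__":
    print("CVSS-only order:     ", [f.cve for f in by_cvss_only(SAMPLE)])
    print("Exploitation-first:  ", [f.cve for f in prioritize(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(f"{f.cve}: {tier(f)} (score {f.cvss_score}, zero-click={is_zero_click(f.vector)})")
```

Run stand-alone, the script shows the reordering the report argues for: the 7.5-scored, actively exploited, internet-facing finding moves to the top while the 9.8 internal one drops behind both exploited entries. A real deployment would populate in_kev from a catalog feed and exposed from the asset inventory rather than hard-coding them.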

Softprom and Rapid7

Softprom is the official distributor of Rapid7 in the CEE region. We provide access to Rapid7's full portfolio of AI-powered managed cybersecurity solutions, including the Rapid7 Command Platform, MDR services, vulnerability management, and threat intelligence capabilities. Our team supports partners and end customers with pre-sales consultation, licensing, and technical onboarding.

This content was prepared as part of the Softprom DistriFlow project — an automated system for monitoring and adapting vendor news. Original source: original article.