Hackers are getting faster at exploiting vulnerabilities once they’ve been disclosed, according to a new report released today (19 March) by cyber security firm Rapid7.
The figures revealed in the company’s 2026 Global Threat Landscape Report: Decoding the Accelerated Cyber Attack Cycle are stark – while the number of “high-risk but not yet exploited” vulnerabilities has dropped sharply, the number of actually exploited vulnerabilities has increased sharply, from just 71 in 2024 to 146 in 2025.
Perhaps more worrying, exploitation timelines are decreasing. The median time between a vulnerability being disclosed and its addition to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog has dropped from 8.5 days to just five days, while the mean time has more than halved, from 61 days to 28.5.
This acceleration is particularly pronounced among high- and critical-severity vulnerabilities.
“Exploitation timelines are increasingly measured in days rather than weeks,” Raj Samani, chief scientist at Rapid7, said alongside the report’s release.
“AI is being integrated rapidly into attacker playbooks, accelerating how quickly exposure is operationalised. Many of the incidents we investigate still originate from known, unaddressed exposure. In those cases, attackers don’t need sophistication; they need opportunity. As remediation windows shrink, reducing that opportunity becomes essential to limiting compromise.”
Exposed identities continue to be the main intrusion vector, particularly accounts that either lack multifactor authentication or have it poorly configured. Such accounts made up 43.9 per cent of all incidents Rapid7 responded to in 2025. Ransomware also dominated the company’s time, featuring in 42 per cent of all incident investigations.
In line with that figure, Rapid7 found ransomware leak posts increased 46.4 per cent year on year: in 2025, the company tracked 8,835 leak posts, prompting Rapid7 to refer to the attack vector as an “industrialised monetisation engine”.
Nation-state actors also refined their tactics over the period.
“For example, Earth Kurma pioneered a ‘living-off-the-app’ strategy that covertly uses Cisco Webex for command-and-control, while Volt Typhoon now utilises living-off-the-land techniques to maintain long-term persistence,” Rapid7 said.
The challenge ahead, according to Christiaan Beek, vice president of cyber intelligence at Rapid7, is not so much identifying every vulnerability, but rather making sense of exposure, prioritising patching, and managing incident response in an era of “increasingly compressed timelines”.
“Predictive lead time is a thing of the past,” Beek said.
“Now, it’s about your ability to move smarter, not just faster. Organisations that reduce the preventable conditions attackers monetise before exploitation occurs can regain a measure of control.”
David Hollingworth