Rapid7 has released its Q1 2026 Threat Landscape Report, warning that AI-driven cyber attacks are dramatically accelerating vulnerability exploitation and shrinking the window organisations have to defend exposed systems.
According to the report, vulnerability exploitation accounted for 38 per cent of managed detection and response incident response cases during the first quarter of 2026, overtaking social engineering at 24 per cent and compromised accounts at 14 per cent as the leading initial access vector.
The findings illustrate a shift in attacker behaviour, with threat actors increasingly bypassing human targets altogether in favour of directly exploiting internet-facing infrastructure.
Rapid7 said that half of the vulnerabilities actively exploited in the wild during Q1 were zero-click, network-facing flaws that required no authentication or user interaction, enabling attackers to gain direct access to exposed networks.
“We’ve spent years building a security culture around humans being the weakest link, but our Q1 findings show AI is quietly rewriting that equation,” Raj Samani, senior vice president and chief scientist at Rapid7, said in a 22 May statement.
“Attackers are increasingly bypassing user interaction altogether, prioritising direct access to exposed infrastructure and dramatically narrowing the window defenders have to respond.”
The report also found that the median time between public disclosure of high- and critical-severity vulnerabilities and inclusion in the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalogue had fallen from 8.5 days to just five days.
Rapid7 also noted that publicly discussed vulnerabilities were increasingly becoming operational attack targets, with exploited vulnerabilities generating an average of 1.8 million mentions across blogs, forums, and social media before active exploitation activity emerged.
The report highlighted another shift in attacker tactics, with SQL injection overtaking OS command injection as the most exploited vulnerability category during the quarter, reflecting ongoing targeting of widely deployed web applications.
Ransomware activity remained fragmented across multiple operators: Qilin led leak-site activity with 357 darknet leak posts, followed by The Gentlemen with 206 and Akira with 174.
The company also observed widespread abuse of remote monitoring and management (RMM) tools, which accounted for 22.9 per cent of observed malicious activity, ahead of ClickFix techniques at 18.8 per cent and Windows native scripts at 10.4 per cent.
Christiaan Beek, vice president of cyber intelligence at Rapid7, said the report demonstrated the speed of modern attackers.
“Q1 shows how quickly exposed systems can become operational targets,” Beek said.
“Security teams can’t apply the same level of investigation and response across every signal when attackers are consistently prioritising what they can reach and exploit. That gap is where risk accumulates.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.