Cyber security firm Rapid7 has warned that criminals are increasingly bypassing human targets and exploiting internet-facing systems directly, with vulnerability exploitation now the leading initial access vector in cyber attacks.
Rapid7’s Q1 2026 Threat Landscape Report found vulnerability exploitation accounted for 38 per cent of incident response cases, overtaking social engineering, which rated at 24 per cent, and compromised accounts at 14 per cent.
The company said the shift illuminates the growing role of artificial intelligence in attack techniques, accelerating how threat actors identify, weaponise, and exploit vulnerabilities before organisations can respond.
According to the report, half of the vulnerabilities actively exploited in the wild during the quarter were zero-click, network-facing flaws requiring no authentication or user interaction, allowing attackers to compromise exposed systems without relying on social engineering techniques such as phishing.
Rapid7 said the findings reinforce broader industry trends showing exploitation timelines continuing to collapse. Among high and critical severity vulnerabilities, the median time between public disclosure and inclusion in the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog dropped from 8.5 days to just five.
“We’ve spent years building a security culture around humans being the weakest link, but our Q1 findings show AI is quietly rewriting that equation,” Raj Samani, senior vice president and chief scientist at Rapid7, said in a statement.
“Attackers are increasingly bypassing user interaction altogether, prioritising direct access to exposed infrastructure and dramatically narrowing the window defenders have to respond.”
Drawing on tracked CVEs, managed detection and response data, ransomware leak-site intelligence, and dark web telemetry, the report also identified changing attacker behaviour and evolving cyber criminal infrastructure.
SQL injection overtook OS command injection as the most exploited vulnerability type during the quarter, highlighting continued attacker focus on common web application weaknesses.
The report also found that publicly discussed vulnerabilities rapidly became operational targets, with exploited flaws averaging 1.8 million mentions across blogs, forums, and social media before exploitation activity intensified.
Ransomware activity continued to be fragmented, however, with Qilin recording 357 leak-site posts during the quarter, followed by The Gentlemen with 206 and Akira with 174. It should be noted that not all leak posts equate to an actual leak of data, particularly, at the moment, in the case of Qilin – at least according to Cyber Daily’s observations.
Christiaan Beek (pictured), vice president of cyber intelligence at Rapid7, said shrinking exploitation windows were placing increasing pressure on security operations teams.
“Q1 shows how quickly exposed systems can become operational targets,” Beek said.
“Security teams can’t apply the same level of investigation and response across every signal when attackers are consistently prioritising what they can reach and exploit. That gap is where risk accumulates.”
You can read the full report here.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.