Rapid7 Q1 2026 Threat Landscape Report — corroborates the structural shift; KEV-to-listing window collapsing

Rapid7's Q1 2026 report (published 2026-05-21, covering Jan–Mar 2026 IR data, covered 2026-05-23) independently finds vulnerability exploitation as the top initial-access vector at ~38%. Read alongside the Verizon DBIR, the two datasets agree on direction even where the absolute percentages differ (different windows, different telemetry) — the synthesis a daily reader could not see is that this is a corroborated structural change, not a single-vendor artefact. For CH/EU defenders this argues for prioritising edge-device and public-facing-application patch SLAs over generic awareness programmes.