ctipilot.ch

Rapid7 Q1 2026 Threat Landscape Report


Rapid7 Q1 2026 Threat Landscape Report — vulnerability exploitation overtakes social engineering as top initial-access vector (38% vs 24%); KEV median time 8.5→5.0 days

Coverage timeline: first 2026-05-18 → last 2026-05-23
Entries: 2 (2 distinct days)
Sources cited: 2 hosts
Sections touched: 2 (research, weekly-annual-reports)
Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-23 (research): Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days
  2. 2026-05-18 (weekly-annual-reports): Rapid7 Q1 2026 Threat Landscape Report — corroborates the structural shift; KEV-to-listing window collapsing

Where this entity is cited

  • weekly-annual-reports (1)
  • research (1)

Source distribution

  • globenewswire.com: 1 (50%)
  • rapid7.com: 1 (50%)

Related entities

Entries about Rapid7 Q1 2026 Threat Landscape Report (2)

2026-05-23

Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days

notable · annual-report · discovered 2026-05-23 05:00 UTC

Rapid7 Labs published its Q1 2026 Threat Landscape Report on 2026-05-21, covering January–March 2026 incident-response data; the GlobeNewswire release accompanied the post the same day. The findings that change what a Swiss/EU public-sector SOC should prioritise:

  • Vulnerability exploitation accounted for 38 % of confirmed initial-access vectors, overtaking social engineering (24 %) in Rapid7's Q1 2026 dataset. The implication: edge and perimeter patch SLAs and exposure management now determine blast radius more than awareness training does.
  • More than 50 % of actively exploited vulnerabilities in Q1 2026 were zero-click, network-facing flaws requiring no authentication or user interaction. The defensive prioritisation gradient sharpens: pre-auth network-facing CVEs > authenticated CVEs > anything that depends on user interaction.
  • Median time from public disclosure to CISA KEV listing fell from 8.5 days to 5.0 days. Operators of EU/CH public-sector estates running on monthly patch windows lose ground every cycle; the report attributes the acceleration to faster AI-assisted N-day weaponisation. PD-13 still applies — the KEV addition is the exploitation-confirmation signal, not a US-only compliance deadline — but the window between "vendor publishes" and "expect attempts" has narrowed materially.
  • Exploited vulnerabilities averaged 1.8 million mentions across forums, blogs and social media before operational targeting, making chatter spikes a leading indicator of imminent exploitation waves.
  • SQL injection became the most-exploited vulnerability class in Q1 2026, validating the Drupal CVE-2026-9082 story above as part of a broader shift.
  • RMM tool abuse accounted for 22.9 % of observed threat activity and ClickFix-style social engineering for 18.8 % — both worth re-checking against EDR detection coverage in EU/CH environments, where ClickFix browser drive-by lures are less culturally familiar than in U.S. consumer markets.

The report also covers a geopolitical layer (Iranian, Russian and Chinese campaigns synchronised with Middle East military escalation; tools mentioned include BPFDoor and ModeloRAT) and ransomware fragmentation (Qilin leads at 357 leak-site posts, The Gentlemen 206, Akira 174; pure-extortion without encryption continues to grow). Per PD-9 this is the dedicated treatment of the report; specific findings will be cited as context in future briefs rather than re-summarised.

Tags: vulnerabilities, ransomware, nation-state, ai-abuse, global

2026-05-18

Rapid7 Q1 2026 Threat Landscape Report — corroborates the structural shift; KEV-to-listing window collapsing

notable · annual-report · discovered 2026-05-18 05:00 UTC

Rapid7's Q1 2026 report (published 2026-05-21, covering Jan–Mar 2026 IR data; dedicated write-up dated 2026-05-23) independently finds vulnerability exploitation to be the top initial-access vector at ~38%. Read alongside the Verizon DBIR, the two datasets agree on direction even where the absolute percentages differ (different windows, different telemetry) — the synthesis a daily reader could not see is that this is a corroborated structural change, not a single-vendor artefact. For CH/EU defenders this argues for prioritising edge-device and public-facing-application patch SLAs over generic awareness programmes.

Tags: vulnerabilities, ransomware, nation-state, ai-abuse, global