Rapid7 Report: Critical-Severity Vulnerabilities Rise 105%

With AI tools in their bank, cyber attackers are moving faster than ever and businesses are struggling to keep pace. 

That is the central warning from Rapid7 in its latest research, The 2026 Global Threat Landscape Report: Decoding the Accelerated Cyber Attack Cycle.

The report reveals a stark shift in how quickly cyber threats evolve.

What was once a window of weeks for defenders to respond has now narrowed to just days, leaving organisations with far less time to react.

At the same time, the volume of exploited vulnerabilities is surging.

High and critical severity flaws that were actively used by attackers more than doubled in a single year, rising by 105%. 

Attackers speed up while defenders fall behind

The findings point to a worrying trend.

Attackers are no longer waiting for opportunities to mature.

Instead, they are rapidly weaponising newly disclosed vulnerabilities into usable attack methods almost immediately.

“Exploitation timelines are increasingly measured in days rather than weeks,” says Raj Samani, Chief Scientist at Rapid7. 

“AI is being integrated rapidly into attacker playbooks, accelerating how quickly exposure is operationalised. 

“Many of the incidents we investigate still originate from known, unaddressed exposure. In those cases, attackers don’t need sophistication, they need opportunity. 

“As remediation windows shrink, reducing that opportunity becomes essential to limiting compromise.”

In simple terms, attackers are wasting little time.

The median time for vulnerabilities to appear in the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalogue has dropped from eight-and-a-half days to just five days – with the mean time dropping more than half from 61 days to 28.5 days. 

Artificial intelligence is playing a key role in this acceleration.

From crafting convincing phishing messages to generating scripts and troubleshooting attacks in real time, AI tools are helping adversaries scale their operations with greater efficiency and speed.

Identity and ransomware dominates 

While software vulnerabilities remain a major concern, the report shows that identity-based attacks continue to be the most common entry point. 

Compromised or poorly protected accounts accounted for 43.9% of all incident investigations in 2025, making them the leading cause of breaches. 

Weak or missing multi-factor authentication remains a persistent issue.

Ransomware also continues to thrive, evolving into a highly organised business model.

It was involved in 42% of incident response cases analysed by Rapid7, while the number of ransomware leak posts surged by 46.4% year on year. 2025 saw 8,835 leak posts.

At the more advanced end of the spectrum, state-linked and highly skilled threat groups are refining how they operate. 

Techniques designed to evade detection are becoming more subtle and creative.

Some groups are now blending into everyday tools and systems, making malicious activity harder to spot.

“For example, Earth Kurma pioneered a ‘Living Off the App’ strategy that covertly uses Cisco Webex for command-and-control, while Volt Typhoon now utilises Living Off the Land techniques to maintain long-term persistence,” Rapid7 notes.

A new reality for cyber defence

The report makes it clear that traditional approaches to cybersecurity are no longer enough. Simply identifying vulnerabilities is not the main challenge anymore. 

The real test lies in prioritising the right risks and responding quickly enough to stop them being exploited.

“The challenge moving forward is less about identifying every vulnerability and more about understanding exposure, prioritising realistically and responding within increasingly compressed timelines,” says Christiaan Beek, Vice President of Cyber Intelligence at Rapid7. 

“Predictive lead time is a thing of the past. Now, it’s about your ability to move smarter, not just faster. Organisations that reduce the preventable conditions attackers monetise before exploitation occurs, can regain a measure of control.”

In this new environment, organisations are being pushed to rethink how they manage risk.

Security teams must align their response efforts with the speed at which attackers operate, focusing on reducing exposure before it can be exploited.

The message from the report is unambiguous. Cyber resilience now depends on acting earlier, prioritising smarter and integrating defence strategies more closely with real-world threat behaviour. 

As attackers continue to accelerate, only those organisations that adapt at the same pace will be able to stay ahead.