Exploitation moved ahead of social engineering#
Rapid7’s Q1 2026 Threat Landscape Report points to a clear shift in initial access: vulnerability exploitation overtook social engineering as the top initial access vector, accounting for 38% of the total in the report’s findings.
That matters because it changes the defensive problem. Phishing training and identity controls still matter, but they do not stop an unauthenticated exploit hitting an exposed service. Rapid7 also says more than half of exploited vulnerabilities in the quarter were zero-click, network-facing issues. In plain terms: no login, no user click, no convincing email. Just reachable infrastructure and a working exploit path.
The report frames this as a short-term sign that attackers are finding AI-enabled vulnerability exploitation easier to scale than manipulation of human behavior. That claim should be read carefully. It does not mean AI is the only driver, or that social engineering is fading out. It does suggest the economics are changing. If a vulnerability is public, reachable, and easy to operationalize, attackers can move before many organizations finish triage.
Rapid7 also notes that exploitation activity was often preceded by spikes in public discussion across forums, blogs, and social platforms. That is a useful signal. Public attention can compress the time between disclosure, proof-of-concept chatter, scanning, and exploitation. A vulnerability becoming visible is not the same as a vulnerability becoming dangerous, but the gap between those states is getting thinner.
Zero-click exposure changes patch priority#
Zero-click, network-facing vulnerabilities deserve a different urgency model from ordinary software bugs. They sit closer to the edge of the organization and require less from the attacker. Authentication bypasses, exposed controllers, perimeter appliances, VPN systems, and management interfaces all carry the same basic risk pattern: if they are reachable and exploitable, the user never enters the story.
This is where many vulnerability programs still lag. They rank flaws by severity, then distribute patch tickets into a normal queue. That works poorly when a vulnerability is already being discussed publicly, affects exposed infrastructure, and needs no user interaction. The relevant question is not only “what is the CVSS score?” It is also “can this be reached from the internet, and are attackers already moving?”
Rapid7’s finding does not prove every organization needs to patch everything instantly. That is impossible. It does support a narrower rule: internet-facing, unauthenticated paths need a faster lane. If a system is exposed, business-critical, hard to patch, and commonly targeted, compensating controls should not wait for a quarterly maintenance window.
Security teams should also be cautious about false comfort from asset inventories. The most important exposed system is often the one nobody owns cleanly: a forgotten admin panel, an old VPN endpoint, a controller deployed for convenience, a test system that became permanent. Zero-click exploitation punishes stale assumptions about what is actually online.
Geopolitics made persistence part of the risk#
Rapid7’s report also ties Q1 activity to geopolitical tension, especially in the Middle East, where cyber operations appeared increasingly synchronized with military escalation. The source describes Iranian state-aligned activity targeting government infrastructure, financial services, and industrial systems. It also notes Russian and Chinese campaigns focused on intelligence collection, telecommunications infrastructure, and persistent access operations.
The practical lesson is not that every company is a direct target of a state actor. Most are not. The lesson is that spillover and access brokerage make regional conflict relevant beyond the immediate battlefield. Telecommunications, finance, government suppliers, logistics, cloud service providers, and industrial operators can become useful targets because of what they connect to.
Persistence is the harder part to defend against. Disruption is visible. Long-term access is designed not to be. If a campaign’s goal is intelligence collection or future leverage, the first alert may look minor: an unusual login, a new scheduled task, a strange tunnel, a quiet change in an edge device. Treating those signals as routine noise is how long dwell time becomes normal.
For organizations in or connected to higher-risk regions, this argues for tighter monitoring of perimeter systems, remote access, identity infrastructure, and telecom dependencies. The point is not panic. It is scoping. Geopolitical risk should influence which assets receive the most logging, the fastest patching, and the least tolerance for unexplained change.
Ransomware keeps moving toward data theft#
Rapid7 highlights a continued move toward “pure extortion”: stealing data and pressuring victims without necessarily deploying ransomware payloads. This is not new, but the report suggests it remains a strong direction of travel.
The trade-off is obvious. Encryption creates noise. It can break systems, trigger incident response, and increase operational risk for the attacker. Data theft can be faster, quieter, and still coercive if the victim fears regulatory exposure, customer loss, or publication of sensitive files. When paired with zero-click initial access, the model becomes even more efficient: compromise the exposed system, move to valuable data, exfiltrate, then threaten.
This weakens one common mental model of ransomware readiness. Backups are still necessary, but they do not solve extortion based on confidentiality. A company can restore every server and still face a damaging leak. The defensive center of gravity shifts toward reducing access paths, segmenting sensitive data, monitoring abnormal transfer patterns, and knowing where critical information actually lives.
It also changes tabletop exercises. “Can we restore?” is not enough. Teams need answers to harder questions: what data was accessed, what legal obligations are triggered, how quickly can affected customers or partners be identified, and what evidence supports the public statement? In pure extortion cases, uncertainty itself becomes pressure.
Law enforcement pressure is real, but not final#
The report notes law enforcement actions in Q1 that disrupted criminal infrastructure, including the seizure of RAMP and LeakBase. Rapid7 says these operations created pressure for cybercriminal groups, pushing some activity toward smaller, decentralized communities and increasing internal distrust.
That is a win, but not a clean ending. Takedowns can fracture trust, burn infrastructure, and impose costs. They rarely erase the market. Criminal operators adapt by moving to smaller forums, private channels, invitation-only groups, or temporary infrastructure. This can make them less efficient, but also harder to observe from the outside.
The useful reading is balanced but not neutral. Law enforcement disruption matters. It can slow actors, expose identities, and force mistakes. But defenders should not interpret a marketplace seizure as a reduction in near-term risk. Displaced actors still need money, still have stolen credentials, and still search for exposed systems.
What security teams should check now#
Rapid7’s Q1 findings point to a few practical checks that are more useful than broad warnings.
- Identify internet-facing systems that allow remote management, authentication, routing, VPN access, file transfer, or centralized control.
- Separate “critical severity” from “actively exploitable and reachable.” The second category needs the faster process.
- Watch public vulnerability attention as an operational signal, not just background noise.
- Treat zero-click, unauthenticated edge flaws as incident-adjacent until patched or mitigated.
- Revisit ransomware planning for data theft, not only encryption and recovery.
- Monitor for persistence on perimeter devices and identity systems, especially in organizations with regional or sector exposure to geopolitical campaigns.
The central point in Rapid7’s report is not that attackers became smarter in some abstract way. It is more concrete: they are taking shorter paths. Public vulnerability knowledge turns into exploitation quickly. Exposed systems reduce the need for social engineering. Data theft reduces the need for noisy ransomware deployment. State-aligned campaigns can sit quietly where disruption would be too obvious.
Reactive defense is weakest against that combination. The better posture is narrower and faster: know what is exposed, know which flaws are reachable, know where sensitive data sits, and move before public attention becomes active exploitation.