STOCK TITAN

Rapid7 2026 Global Threat Landscape Report Shows Exploited High and Critical-Severity Vulnerabilities Surged 105% as Attack Timelines Collapsed

Rhea-AI Impact: Moderate
Rhea-AI Sentiment: Negative

Rapid7 (NASDAQ: RPD) released The 2026 Global Threat Landscape Report showing exploited high and critical-severity vulnerabilities rose 105% year-over-year (71 in 2024 to 146 in 2025) while attack timelines collapsed to days.

The report combines vulnerability publication data, MDR telemetry, and cyber intelligence, highlighting identity exposure at 43.9%, ransomware involvement at 42%, and faster CISA KEV inclusion times (median 8.5→5.0 days; mean 61.0→28.5 days).

Positive

  • Exhaustive telemetry: report unifies vulnerability, MDR, and dark‑web data
  • Quantified trend: exploited high/critical vulnerabilities tracked precisely (71→146)

Negative

  • Exploitation surge: exploited high/critical-severity vulnerabilities +105% YoY
  • Faster weaponization: median KEV inclusion fell from 8.5 to 5.0 days
  • Identity risk: valid accounts without strong MFA accounted for 43.9% of incidents
  • Ransomware prevalence: involved in 42% of Rapid7 MDR investigations; leak posts rose 46.4% to 8,835

News Market Reaction – RPD

On the day this news was published, RPD gained 0.16%, reflecting a mild positive market reaction.

Data tracked by StockTitan Argus on the day of publication.

Key Figures

  • Increase in exploited vulns: 105%. Year-over-year growth in exploited high and critical vulnerabilities
  • Exploited vulns 2024: 71. High and critical-severity vulnerabilities exploited in 2024
  • Exploited vulns 2025: 146. High and critical-severity vulnerabilities exploited in 2025
  • CVSS high-risk range: 7–10. Score range for high-risk but not yet exploited vulnerabilities
  • Median KEV time 2024: 8.5 days. Median from publication to CISA KEV inclusion, prior period
  • Median KEV time 2025: 5.0 days. Median from publication to CISA KEV inclusion for 2025
  • Identity exposure share: 43.9%. Incident response cases from valid accounts with weak or missing MFA
  • Ransomware leak posts 2025: 8,835. Total ransomware leak posts in 2025, up 46.4% year over year

Market Reality Check

Last Close: $6.19
Volume: 2,231,904 vs 20-day average 1,903,077 (relative volume 1.17), normal.
Technical: Price $6.18 is trading below the $17.00 200-day moving average and near the 52-week low of $5.92.

Peers on Argus

RPD was down 1.9% while key peers like ATEN (+2.46%) and RDWR (+1.76%) were up, suggesting stock-specific dynamics rather than a sector-wide move.

Historical Context

5 past events · Latest: 2026-03-03 (Positive)
Date | Event | Sentiment | Move | Catalyst
2026-03-03 | Investor conference | Positive | +1.5% | Announcement of participation in Stifel 2026 NYC Technology conference.
2026-02-24 | Investor conference | Positive | +2.5% | Raymond James investor conference presentation and webcast details.
2026-02-11 | Partner awards | Positive | -29.0% | Announcement of 2026 Partner of the Year Awards across multiple regions.
2026-02-10 | Earnings results | Neutral | -29.0% | Release of Q4 and full-year 2025 financial results and 2026 guidance.
2026-01-14 | Strategic partnership | Positive | -1.0% | Partnership with ARMO to add cloud and application runtime security.
Pattern Detected

Recent newsflow shows mixed reactions, with conferences modestly positive but awards, earnings and partnership news followed by sharp or negative moves.

Recent Company History

Over the last few months, Rapid7 has combined investor outreach, operational updates, and ecosystem expansion. Conference participation on Feb 24 and Mar 3 saw small positive reactions, while the Feb 10 earnings release and Feb 11 partner awards coincided with sharp declines of about -29%. The Jan 14 ARMO partnership, aimed at strengthening cloud runtime security, was followed by a modest negative move. Against this backdrop, the 2026 threat report extends Rapid7’s role as a research voice on evolving cyber risk.

Market Pulse Summary

This announcement underscores Rapid7’s role in tracking how exposure turns into compromise, citing a 105% jump in exploited high and critical vulnerabilities and shrinking median weaponization windows to 5.0 days. The findings highlight identity weaknesses, ransomware prevalence, and AI‑enabled attacker efficiency. In the context of recent earnings, conferences, and product partnerships, this report reinforces the company’s analytical capabilities. Observers may watch how such research influences customer adoption, incident response offerings, and future operational updates.

Key Terms

multi-factor authentication technical
"Valid accounts with missing or lax multi-factor authentication (MFA) accounted for 43.9%..."
A security method that requires users to prove their identity in two or more different ways before accessing accounts or systems, such as combining a password with a one-time code sent to a phone or a fingerprint. For investors, it reduces the risk of unauthorized access to sensitive accounts, lowers chances of fraud or data breaches, and helps protect a company’s financials and reputation—similar to needing both a key and a fingerprint to open a safe.
mfa technical
"Valid accounts with missing or lax multi-factor authentication (MFA) accounted for 43.9%..."
Multi-factor authentication (MFA) is a security method that requires users to provide two or more different proofs of identity—something they know (like a password), something they have (like a phone or hardware token), or something they are (like a fingerprint)—before gaining access to an account or system. For investors, MFA acts like a second and third lock on an online brokerage or corporate portal, greatly reducing the risk of unauthorized trades, stolen personal data, account takeovers, and resulting financial loss or reputational damage.
cvss technical
"The number of “high-risk but not yet exploited” vulnerabilities (CVSS 7-10) fell dramatically..."
Common Vulnerability Scoring System (CVSS) is a standardized way to rate the severity of software security flaws on a numeric scale, summarizing how easily a vulnerability can be exploited and how much damage it could cause. For investors, CVSS scores act like a storm severity chart for a company’s digital systems — higher scores signal greater operational, financial and reputational risk, possibly leading to remediation costs, downtime, or regulatory scrutiny that can affect a firm’s value.
cisa kev catalog regulatory
"time from a vulnerability's publication to its inclusion in the CISA KEV catalog dropped..."
A CISA KEV Catalog is a public list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of software and system flaws that are known to be actively exploited by attackers. It acts like a recall list for digital products: organizations are urged or required to fix those flaws quickly, and failure to do so raises the chance of costly breaches, operational disruption, fines, and reputational damage—risks investors monitor when assessing a company’s security posture and potential near-term liabilities.
ransomware technical
"Ransomware was involved in 42% of Rapid7 MDR incident response investigations last year."
Ransomware is malicious software that locks or encrypts a company’s computer files and systems, then demands payment for their release — like a thief changing the locks on a business and asking for a ransom. It matters to investors because attacks can halt operations, trigger large cleanup costs, damage customer trust, lead to regulatory fines or legal claims, and reduce future revenue, all of which can hurt a company’s financial value.
generative ai technical
"Generative AI has evolved into a legitimate force multiplier, enabling adversaries..."
Generative AI is a type of computer technology that can create new content, like text, images, or music, on its own. It’s important because it can produce realistic and useful material quickly, which could change how we create art, write stories, or even develop new products. Think of it as a smart robot that can invent and produce things almost like a human.
advanced persistent threat technical
"Advanced persistent threat (APT) campaigns adopt refined evasion techniques:"
A long-term, targeted cyberattack where skilled intruders quietly break into and remain inside a company’s computer systems to steal data, spy on operations, or sabotage systems. Like a burglar who sneaks into a house and hides while taking valuables over time, an advanced persistent threat can quietly damage a business’s finances, reputation, and regulatory standing, making it a material risk for investors assessing security, earnings stability, and legal exposure.
command-and-control technical
"Earth Kurma pioneered a “Living Off the App” strategy that covertly uses Cisco Webex for command-and-control..."
"Command-and-control" describes a system where authority is centralized, and decisions are made by a single leader or a small group that directs how activities are carried out. In financial or organizational contexts, it means strict oversight and top-down management, leaving little room for individual discretion. For investors, it highlights how power and decision-making influence the stability, efficiency, and flexibility of an organization or market. In the cybersecurity sense used in the quote above, command-and-control (C2) instead refers to the channel through which an attacker sends instructions to, and receives data from, systems that are already compromised.

AI-generated analysis. Not financial advice.

New research reveals exploitation now occurs within days of disclosure, reinforcing the need for preemptive security operations

BOSTON, March 18, 2026 (GLOBE NEWSWIRE) -- Rapid7 (NASDAQ: RPD), a global leader in AI-powered managed cybersecurity operations, today released The 2026 Global Threat Landscape Report: Decoding the Accelerated Cyber Attack Cycle. The report finds that the window between vulnerability disclosure and confirmed exploitation continues to collapse, leaving organizations with dramatically less time to assess risk, prioritize remediation, and contain threats before impact. The predictive lead time defenders once relied on between disclosure and exploitation has largely disappeared.

The report found that exploited high and critical severity vulnerabilities more than doubled year over year, increasing 105% from 71 in 2024 to 146 in 2025, while the window between vulnerability publication and confirmed exploitation continues to shrink, with attackers increasingly operationalizing vulnerabilities within days of disclosure.

“Exploitation timelines are increasingly measured in days rather than weeks,” said Raj Samani, chief scientist at Rapid7. “AI is being integrated rapidly into attacker playbooks, accelerating how quickly exposure is operationalized. Many of the incidents we investigate still originate from known, unaddressed exposure. In those cases, attackers don’t need sophistication, they need opportunity. As remediation windows shrink, reducing that opportunity becomes essential to limiting compromise.”

Key findings from the 2026 report

This report correlates vulnerability publication data, confirmed exploitation trends, frontline MDR incident response telemetry, and dark web, cybercrime, and nation-state intelligence to provide a unified view of how exposure evolves into compromise.

Key findings include:

  • Exploitation is accelerating faster than defenders can remediate: The number of “high-risk but not yet exploited” vulnerabilities (CVSS 7-10) fell dramatically, while the number of exploited vulnerabilities increased sharply from 71 in 2024 to 146 in 2025. This indicates that high-probability vulnerabilities (CVSS 7-10) are being operationalized almost immediately.
  • Weaponization timelines continue to shrink: The median time from a vulnerability's publication to its inclusion in the CISA KEV catalog dropped from 8.5 days to 5.0 days, and the mean time dropped from 61.0 days to 28.5 days, a trend measured specifically among high- and critical-severity vulnerabilities.
  • Identity exposure remains the dominant intrusion path: Valid accounts with missing or lax multi-factor authentication (MFA) accounted for 43.9% of all incident response investigations by Rapid7 in 2025, making it the single most common initial access vector.
  • Ransomware is an industrialized monetization engine: Ransomware was involved in 42% of Rapid7 MDR incident response investigations last year. Additionally, total ransomware leak posts increased 46.4% year over year, rising to 8,835 in 2025.
  • AI is accelerating attacker operations: Generative AI has evolved into a legitimate force multiplier, enabling adversaries to accelerate phishing content creation, scripting, and iterative problem solving.
  • Advanced persistent threat (APT) campaigns adopt refined evasion techniques: Rapid7 has observed APT groups significantly evolving their techniques for staying off defenders’ radar. For example, Earth Kurma pioneered a “Living Off the App” strategy that covertly uses Cisco Webex for command-and-control, while Volt Typhoon now utilizes Living Off the Land techniques to maintain long-term persistence.

What this means for security operations

The report underscores that delayed remediation and misaligned prioritization are increasingly central to breach outcomes. As exploitation timelines compress, organizations must address exposure earlier and integrate more closely with detection and response. Attack surface exposure must now be triaged in the context of active attacker behavior, aligning remediation timelines with exploitation velocity to sustain durable cyber resilience.

"The challenge moving forward is less about identifying every vulnerability and more about understanding exposure, prioritizing realistically, and responding within increasingly compressed timelines," said Christiaan Beek, vice president of cyber intelligence at Rapid7. "Predictive lead time is a thing of the past. Now, it’s about your ability to move smarter, not just faster. Organizations that reduce the preventable conditions attackers monetize before exploitation occurs, can regain a measure of control."

The 2026 report reinforces that operating preemptively is no longer optional. As adversaries embed AI into reconnaissance and exploitation workflows, defensive operations must evolve with the same discipline. Organizations that manage exposure, and integrate it into detection and response, will be better equipped to limit compromise and sustain durable cyber resilience.

To read a full copy of the report, visit https://www.rapid7.com/research/report/global-threat-landscape-report-2026/.

About the Rapid7 2026 Global Threat Landscape Report

The Rapid7 2026 Global Threat Landscape Report, Decoding the Accelerated Cyber Attack Cycle, is an in-depth global adversary behavior analysis from Rapid7 Labs. Drawing on telemetry from the company’s managed detection and response (MDR) investigations, vulnerability intelligence, and frontline incident response, the report examines the collapse of the window between disclosure and exploitation, the industrialization of ransomware, and the role of AI as an acceleration layer in modern attack campaigns. This report provides a data-driven view of how exploitation speed, identity exposure, and strategic pre-positioning are reshaping enterprise cyber risk.

About Rapid7

Rapid7, Inc. (NASDAQ: RPD) is a global leader in AI-powered managed cybersecurity operations, trusted to advance organizations’ cyber resilience. Open and extensible, the Rapid7 Command Platform integrates security data, enriching it with AI, threat intelligence, and 25 years of expertise and innovation to reduce risk and disrupt attackers. As a recognized leader in preemptive managed detection and response (MDR), Rapid7 unifies exposure and detection to transform the cybersecurity operations of more than 11,500 customers worldwide. For more information, visit our website, check out our blog, or follow us on LinkedIn or X.

Rapid7 Media Relations
Stacey Holleran
Sr. Manager, Global Communications
press@rapid7.com
(857) 216-7804

Rapid7 Investor Contact
Matt Wells
Vice President, Investor Relations
investors@rapid7.com
(617) 865-4277


FAQ

What did Rapid7 (RPD) report about exploited high and critical vulnerabilities in 2025?

Exploited high/critical vulnerabilities increased 105% year-over-year from 71 to 146. According to the company, this rise shows attackers operationalized more high-probability vulnerabilities almost immediately after disclosure.

How quickly are vulnerabilities being weaponized according to Rapid7's 2026 report?

Weaponization timelines compressed to days, with KEV median inclusion dropping from 8.5 to 5.0 days. According to the company, mean time also fell from 61.0 to 28.5 days for high/critical flaws.

What role did identity exposure play in Rapid7's 2025 incident investigations (RPD)?

Valid accounts with lax MFA were the top initial access vector, accounting for 43.9% of investigations. According to the company, missing or weak MFA remains the dominant intrusion path.

How prevalent was ransomware in Rapid7 MDR investigations in 2025 (RPD)?

Ransomware featured in 42% of Rapid7 MDR incident investigations in 2025. According to the company, ransomware leak posts rose 46.4% year-over-year to 8,835.

Does Rapid7's 2026 report link AI to accelerating attacker operations (RPD)?

Yes—generative AI is described as a force multiplier that accelerates phishing and scripting. According to the company, AI shortens attacker development cycles and operationalizes exposure faster.