SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Exploitation overtakes social engineering in Rapid7 report

Fri, 22nd May 2026
Mark Tarre, News Chief

Rapid7 has published its Q1 2026 Threat Landscape Report, which found that vulnerability exploitation overtook social engineering as the leading initial access vector in the incidents it examined.

Exploitation accounted for 38% of incident response cases in Rapid7's managed detection and response data, compared with 24% for social engineering and 14% for compromised accounts. The findings draw on research from Rapid7 Labs, managed detection and response telemetry, incident response investigations, ransomware leak-site monitoring and dark web telemetry.

The shift suggests a change in how attackers gain access to systems. Rather than relying mainly on user interaction, threat actors are increasingly targeting exposed infrastructure through software weaknesses, often soon after those weaknesses become public.

Half of the vulnerabilities actively exploited in the wild during the quarter were zero-click and network-facing, meaning they required neither authentication nor user interaction. That gave attackers a path into internet-exposed systems without phishing emails or other social engineering techniques.

The report also found that exploited high- and critical-severity vulnerabilities rose 105% from a year earlier. Among those vulnerabilities, the median time from public disclosure to inclusion in the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue fell from 8.5 days to 5.0 days, highlighting the shorter response window for defenders.

Rapid7 linked that compression partly to attackers' use of artificial intelligence to identify and weaponise flaws more quickly. Public attention also appeared to play a role: vulnerabilities that were later exploited averaged 1.8 million mentions across blogs, forums and social media before exploitation activity was observed.

Attack patterns

The data also showed a shift in the types of weaknesses attackers used most often. SQL injection became the most exploited vulnerability type during the quarter, overtaking operating system command injection. The trend suggests continued focus on common web application flaws that are widely distributed across organisations.

Beyond software flaws, the report tracked the tools and methods most frequently seen in malicious activity. Abused Remote Monitoring and Management tools accounted for 22.9% of observed activity, followed by ClickFix at 18.8% and Windows Native Scripts at 10.4%.

Ransomware activity continued through the quarter, though it was spread across a wider set of operators rather than dominated by a single group. Qilin led leak-site activity with 357 posts, followed by The Gentlemen with 206 and Akira with 174.

That fragmentation adds to the pressure on security teams, which must monitor a broad range of adversaries and entry methods while dealing with shorter periods between vulnerability disclosure and exploitation. Rapid7 presents this as part of a wider trend in which defenders have less time to assess exposure and deploy patches before systems are targeted.

Raj Samani, Senior Vice President and Chief Scientist at Rapid7, said the findings challenge long-held assumptions about the central role of users in security failures. "We've spent years building a security culture around humans being the weakest link, but our Q1 findings show AI is quietly rewriting that equation," Samani said.

On the move towards direct exploitation of exposed systems, Samani added: "Attackers are increasingly bypassing user interaction altogether, prioritising direct access to exposed infrastructure and dramatically narrowing the window defenders have to respond."

Christiaan Beek, Vice President of Cyber Intelligence at Rapid7, said the pace of attacks was making broad-based investigation more difficult for security operations teams. "Q1 shows how quickly exposed systems can become operational targets," Beek said.

He added: "Security teams can't apply the same level of investigation and response across every signal when attackers are consistently prioritising what they can reach and exploit. That gap is where risk accumulates."