AI and automation helped threat actors to rapidly accelerate attacks in 2025, collapsing the “predictive window” between vulnerability disclosure and exploitation, according to Rapid7.
The security vendor’s new 2026 Global Threat Landscape Report is based on Rapid7 MDR incident response investigations and other internal data.
It claimed that “what once unfolded over weeks now materializes in days, and in some cases, minutes.”
The report found that the median time between publication of a vulnerability and its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog dropped from 8.5 days to five days, while the mean time dropped from 61 days to 28.5 days.
Rapid7 claimed that there’s not been a transformation in threat actor “intent or sophistication,” but instead an acceleration of existing methods.
“AI is being used to scale reconnaissance, automate decision making and industrialize social engineering, compressing the time between exposure and exploitation,” it noted.
“Our findings show that the majority of successful intrusions still originate from known, preventable conditions: exposed services, weak identity controls and unpatched edge infrastructure. What has changed is how quickly those conditions are discovered and weaponized.”
Vulnerability Exploitation Has Surged
As well as the speed of exploitation, total volumes also increased last year as AI and automation helped threat actors identify CVEs and streamline attacks.
Confirmed exploitation of newly disclosed CVSS 7 to 10 vulnerabilities increased 105% year on year (YoY), from 71 in 2024 to 146 in 2025.
Most were either deserialization, authentication bypass or memory corruption vulnerabilities, the report claimed. In ransomware, these tended to appear in file transfer systems, edge appliances, and collaboration platforms.
Overall, vulnerability exploitation accounted for 25% of initial access in incident response cases last year, with exposed services accounting for 7%. However, the most common vector was “valid account / no MFA” (44%), highlighting the persistent challenge of identity-related threats.
Rapid7 argued that CISOs must respond with a greater focus on preventative measures that help to reduce the size of the attack surface.
“Pre-emptive security means reducing the conditions attackers rely on before exploitation occurs, detecting and responding with full environmental context, and prioritizing action based on material risk, not alert volume,” the report explained.
“Organizations that fail to adopt this approach face a widening asymmetry: as attacker velocity increases, reactive decision models become increasingly misaligned with how risk now materializes.”
