Rapid7 Q1 2026 Report: Zero-Click Exploits Surpass Social Engineering as Top Attack Vector
Rapid7's Q1 2026 Threat Landscape Report reveals vulnerability exploitation overtook social engineering as the top initial access vector, with over 50% of exploited flaws being zero-click and network-facing.

The first quarter of 2026 marked a significant shift in the cyber threat landscape: vulnerability exploitation surpassed social engineering to become the leading initial access vector, accounting for 38% of all attacks, according to Rapid7's latest quarterly report. More than half of the exploited vulnerabilities were zero-click and network-facing. They required no authentication or user interaction and gave attackers rapid pathways into exposed systems and edge infrastructure.
The report highlights that attackers are increasingly leveraging AI-enabled vulnerability exploitation, making it easier to exploit technical weaknesses than to manipulate human behavior. Exploitation activity was frequently preceded by large spikes in public discussion across forums, blogs, and social media, demonstrating how quickly threat actors operationalize publicly available information once vulnerabilities gain visibility.
Geopolitical tensions continued to shape cyber operations, particularly in the Middle East, where Iranian state-aligned groups targeted government infrastructure, financial services, and industrial systems. Russian and Chinese campaigns focused on intelligence collection, telecommunications infrastructure, and persistent access operations designed to remain undetected over long periods. The result is a threat landscape where organizations must prepare for both immediate disruption and long-term persistence inside enterprise environments.
Law enforcement operations disrupted several major ransomware and credential marketplaces during Q1, including RAMP and LeakBase, both of which were seized. These takedowns have created operational pressure for cybercriminal groups, pushing threat actors toward smaller, decentralized communities and increasing internal distrust.
The report also highlights a growing shift toward 'pure extortion' tactics, where ransomware operations focus on rapid data theft rather than traditional encryption-based attacks. Threat actors increasingly leverage zero-click vulnerabilities to gain initial access, exfiltrate sensitive data, and pressure victims without deploying ransomware payloads that create additional operational risk and visibility.
Taken together, the findings from Q1 2026 show that organizations can no longer rely on periodic assessments and reactive workflows alone. Security teams need continuous visibility into their attack surface, better prioritization around exploitable risk, and the ability to move at a pace that matches modern attackers before small exposures become large-scale incidents.