STOCK TITAN

Rapid7 Q1 2026 Threat Landscape Report Finds Vulnerability Exploitation Overtakes Social Engineering as the Top Initial Access Vector

Rapid7 (NASDAQ:RPD) released its Q1 2026 Threat Landscape Report, showing that vulnerability exploitation overtook social engineering as the top initial access vector, driving 38% of incident response cases. Social engineering accounted for 24% and compromised accounts 14%.

Half of actively exploited CVEs were zero-click, network-facing, requiring no authentication or user interaction. High and critical vulnerabilities saw the median time from public disclosure to CISA KEV inclusion fall from 8.5 to 5.0 days, highlighting shrinking remediation windows.

The report also notes SQL injection as the most exploited vulnerability type, fragmented ransomware activity led by Qilin, and abused Remote Monitoring and Management tools representing 22.9% of observed threat activity.


AI-generated analysis. Not financial advice.

News Market Reaction – RPD

  • News effect: -3.15%
  • Alerts: 14
  • Peak tracked: +6.3%
  • Trough tracked: -2.3%
  • Valuation impact: -$16M
  • Market cap: $497.89M
  • Relative volume: 0.3x

On the day this news was published, RPD declined 3.15%, reflecting a moderate negative market reaction. Argus tracked a peak move of +6.3% during that session and a trough of -2.3% from the starting point over the tracking period. Our momentum scanner triggered 14 alerts that day, indicating notable trading interest and price volatility. This price movement removed approximately $16M from the company's valuation, bringing the market cap to $497.89M at that time.

Data tracked by StockTitan Argus on the day of publication.

Key Figures

  • Exploitation share: 38% (share of incident response cases from vulnerability exploitation in Q1 2026)
  • Social engineering share: 24% (share of incident response cases from social engineering in Q1 2026)
  • Compromised accounts share: 14% (share of incident response cases from compromised accounts in Q1 2026)
  • Median KEV timeline, 2025: 8.5 days (median time from disclosure to CISA KEV for high/critical vulnerabilities, prior period)
  • Median KEV timeline, Q1 2026: 5.0 days (median time from disclosure to CISA KEV for high/critical vulnerabilities in Q1 2026)
  • Public mentions per vulnerability: 1.8 million (average public mentions of exploited vulnerabilities across online sources)
  • Qilin ransomware posts: 357 (number of leak-site posts attributed to Qilin in Q1 2026)
  • RMM threat share: 22.9% (share of observed activity from abused Remote Monitoring and Management tools)

Market Reality Check

  • Last close: $7.51
  • Volume: 2,387,236, which is 1.15x the 20-day average of 2,069,667, indicating elevated interest.
  • Technical: shares at $7.31 are trading below the 200-day MA of $13.15 and 71.72% under the 52-week high.

Peers on Argus

RPD moved +5.03% while key peers like ATEN and RDWR showed modest moves (ATEN +1.56%, RDWR +1.24% in sector data; RDWR also appeared in a momentum scan at about -4.18%). Overall action points to a company-specific move rather than a broad sector shift.

Historical Context

Five past events; latest: May 13 (Positive).

Date    Event                 Sentiment  Move    Catalyst
May 13  Cyber GRC launch      Positive   -5.9%   Launch of Cyber GRC Early Access Program with 360 Advanced.
May 12  Cyber GRC launch      Positive   +3.1%   Early access Cyber GRC program built on Command Platform.
May 11  Investor conferences  Neutral    -7.7%   Participation in J.P. Morgan and William Blair investor conferences.
May 05  Q1 2026 earnings      Neutral    -1.6%   Reported Q1 2026 financials and Kenzo Security acquisition.
Apr 09  Earnings date set     Neutral    +0.4%   Announcement of schedule for Q1 2026 earnings release.

Pattern Detected

Recent news shows mixed reactions: product launches occasionally aligned with gains, but one positive launch coincided with a selloff, while conferences and earnings drew mild-to-negative moves.

Recent Company History

Over the past months, Rapid7 has mixed operational and financial catalysts. On May 5, Q1 2026 earnings with $210M revenue and $832M ARR led to a modest share decline. Subsequent investor conference participation on May 11 also saw a negative reaction. In contrast, Cyber GRC early access launches on May 12 and May 13 received opposite price responses. Against this backdrop, the new AI-focused threat landscape report reinforces Rapid7’s positioning in managed cybersecurity operations rather than altering fundamentals.

Market Pulse Summary


This announcement highlighted Rapid7’s research strength, emphasizing that vulnerability exploitation accounted for 38% of incident cases and that high-severity flaws reached CISA’s KEV catalog in a median of 5.0 days. The findings reinforced themes from its broader 2026 threat report, supporting its AI-powered managed security narrative. Investors may track how such insights translate into product adoption, incident response demand, and future financial results, alongside existing guidance and debt obligations disclosed in recent filings.

Key Terms

Zero-click
"half of vulnerabilities actively exploited in the wild during Q1 were zero-click, network-facing issues"
An interaction or event that happens without a person having to click, tap or take any visible action. For investors this matters because it can mean information reaches audiences (or search engines answer users) without driving page views, changing how press releases and web traffic are measured, and it can also describe security flaws that allow attackers to compromise systems without user action, both affecting a company’s reputation, traffic metrics and risk profile.

CVEs
"Drawing on select tracked CVEs, MDR incident response data, ransomware leak-site intelligence"
CVEs (Common Vulnerabilities and Exposures) are unique ID numbers assigned to publicly known security flaws in software or hardware, like a catalog entry that describes a specific weak spot. For investors, CVEs matter because they signal potential risks to a company’s systems and customer data, similar to a product recall number that warns of problems requiring fixes, which can lead to costs, downtime, regulatory scrutiny, or reputational damage.

SQL injection
"SQL injection became the most exploited vulnerability type"
A SQL injection is a type of cyberattack where an intruder tricks a website or app into running hidden database commands by entering specially crafted text into input fields. Think of it like slipping a fake key into a building’s entry panel that opens doors it shouldn’t; attackers can read, change or delete sensitive records. For investors, it matters because successful attacks can cause data loss, business interruption, regulatory fines and reputational harm that may reduce a company’s value.

OS command injection
"SQL injection overtook OS command injection in Q1"
OS command injection is a software security flaw that lets an attacker trick a program into running arbitrary operating-system commands on a server or device, often by sending specially crafted input. For investors it matters because successful attacks can lead to stolen data, service outages, regulatory fines and lost customer trust, similar to someone getting keys to a building and being able to turn off lights, open safes or walk out with valuables.

Ransomware
"trends in vulnerability exploitation, ransomware activity, and cybercriminal infrastructure"
Ransomware is malicious software that locks or encrypts a company’s computer files and systems, then demands payment for their release, like a thief changing the locks on a business and asking for a ransom. It matters to investors because attacks can halt operations, trigger large cleanup costs, damage customer trust, lead to regulatory fines or legal claims, and reduce future revenue, all of which can hurt a company’s financial value.

Remote monitoring and management (RMM) tools
"Abused Remote Monitoring and Management (RMM) tools were the most prevalent threat category"
Remote monitoring and management (RMM) tools are software platforms that let IT teams watch over, update and fix computers, servers and network devices from afar, much like a mechanic diagnosing and tuning cars without visiting the garage. For investors, RMM matters because it can reduce downtime, lower support costs, and enable scalable, recurring service revenue, factors that affect a company’s efficiency, margins and predictability of cash flow.

Dark web
"ransomware leak-site intelligence, and dark web telemetry, the report highlights"
The dark web is a hidden part of the internet that standard search engines and browsers don’t show, accessible only with special software and settings that mask users’ identities. For investors, it matters because stolen customer data, leaked corporate documents or illegal marketplaces found there can lead to regulatory fines, cleanup costs, loss of customer trust and sudden drops in a company’s stock value, like a hidden back alley that can damage a storefront’s reputation and finances.

Incident response
"accounting for 38% of incident response cases"
Incident response is the organized process a company uses to detect, investigate, contain and recover from a security breach, data loss, operational outage or other urgent problem. For investors, it shows how quickly a firm can limit financial and reputational damage, restore normal operations and meet legal or disclosure duties, like an emergency crew that protects a building’s value and occupants when a fire breaks out.

New research highlights how AI-driven exploitation, zero-click vulnerabilities, and fragmented ransomware operations are reshaping cyber risk

BOSTON, May 21, 2026 (GLOBE NEWSWIRE) -- Rapid7, Inc. (NASDAQ: RPD), a global leader in AI-powered managed cybersecurity operations, released its Q1 2026 Threat Landscape Report, examining trends in vulnerability exploitation, ransomware activity, and cybercriminal infrastructure. The report found that vulnerability exploitation surpassed social engineering as the leading initial access vector, accounting for 38% of incident response cases. The shift reflects the growing role of AI in accelerating how quickly attackers can identify, weaponize, and exploit unpatched systems at scale, compressing the window defenders have to respond.

Reinforcing this trend, half of vulnerabilities actively exploited in the wild during Q1 were zero-click, network-facing issues requiring no authentication or user interaction, giving attackers direct access to exposed systems without relying on human action. The finding reinforces trends identified in Rapid7’s 2026 Annual Global Threat Landscape Report, which found that exploitation timelines continue to shrink: among high- and critical-severity vulnerabilities, the median time from public disclosure to inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog fell from 8.5 days to 5.0 days.

"We've spent years building a security culture around humans being the weakest link, but our Q1 findings show AI is quietly rewriting that equation," said Raj Samani, SVP and Chief Scientist at Rapid7. "Attackers are increasingly bypassing user interaction altogether, prioritizing direct access to exposed infrastructure and dramatically narrowing the window defenders have to respond."

Drawing on select tracked CVEs, MDR incident response data, ransomware leak-site intelligence, and dark web telemetry, the report highlights evolving exploitation patterns, ransomware activity, and changes in attacker infrastructure.

Key findings include:

  • Vulnerability exploitation was the leading initial access vector in MDR data: Exploitation accounted for 38% of incident response cases, followed by social engineering (24%) and compromised accounts (14%).
  • Zero-click, network-facing vulnerabilities dominated exploited CVEs: Half of vulnerabilities actively exploited in the wild during Q1 required no authentication or user interaction, enabling direct access to exposed systems.
  • Public discussion preceded exploitation activity: Exploited vulnerabilities averaged 1.8 million mentions across blogs, forums, and social media, indicating that widely discussed vulnerabilities can quickly become operational targets.
  • SQL injection became the most exploited vulnerability type: SQL injection overtook OS command injection in Q1, reflecting attacker focus on common, broadly distributed web application weaknesses.
  • Ransomware activity remained fragmented across groups: Qilin led leak-site activity with 357 posts, followed by The Gentlemen (206) and Akira (174), indicating ransomware activity remained fragmented across operators.
  • Abused Remote Monitoring and Management (RMM) tools were the most prevalent threat category: RMM tools accounted for 22.9% of observed activity, followed by ClickFix (18.8%) and Windows Native Scripts (10.4%).

What this means for security operations

As exploitation timelines continue to shrink, security teams face increasing pressure to identify, prioritize, and remediate exposed systems before attackers can operationalize vulnerabilities at scale.

“Q1 shows how quickly exposed systems can become operational targets,” said Christiaan Beek, Vice President of Cyber Intelligence at Rapid7. “Security teams can’t apply the same level of investigation and response across every signal when attackers are consistently prioritizing what they can reach and exploit. That gap is where risk accumulates.”

To read a full copy of the report, visit https://www.rapid7.com/research/report/threat-landscape-report-2026-q1/.

About the Rapid7 Q1 2026 Threat Landscape Report

The Rapid7 Threat Landscape Report is a quarterly analysis of global adversary behavior drawn from the company’s managed detection and response operations, vulnerability intelligence platforms, and threat research telemetry. The Q1 2026 edition examines the impact of vulnerability exploitation, geopolitical cyber activity, ransomware evolution, and cybercriminal infrastructure.

About Rapid7

Rapid7, Inc. (NASDAQ: RPD) is a global leader in AI-powered managed cybersecurity operations, trusted to advance organizations’ cyber resilience. Open and extensible, the Rapid7 Command Platform integrates security data, enriching it with AI, threat intelligence, and 25 years of expertise and innovation to reduce risk and disrupt attackers. As a recognized leader in preemptive managed detection and response (MDR), Rapid7 unifies exposure and detection to transform the cybersecurity operations of more than 11,500 customers worldwide. For more information, visit our website, check out our blog, or follow us on LinkedIn or X.

Rapid7 Media Relations
Alice Randall
Director, Global Communications
press@rapid7.com
(857) 216-7804

Rapid7 Investor Contact
Matt Wells
Vice President, Investor Relations
investors@rapid7.com
(617) 865-4277
FAQ

What did Rapid7 (RPD) reveal in its Q1 2026 Threat Landscape Report?

Rapid7 reported that vulnerability exploitation surpassed social engineering as the leading initial access vector in Q1 2026. According to Rapid7, exploitation drove 38% of incident response cases, compared with 24% for social engineering and 14% for compromised accounts, signaling shifting attacker priorities.

How did vulnerability exploitation compare to social engineering for Rapid7 (RPD) in Q1 2026 data?

Vulnerability exploitation accounted for 38% of Rapid7’s Q1 2026 incident response cases, exceeding social engineering’s 24%. According to Rapid7, this change reflects attackers increasingly targeting exposed infrastructure and leveraging automation, rather than relying primarily on user manipulation to gain initial access.

What are zero-click vulnerabilities in Rapid7 (RPD) Q1 2026 cybersecurity findings?

Zero-click vulnerabilities are network-facing issues requiring no user interaction or authentication for exploitation. According to Rapid7, half of vulnerabilities actively exploited in Q1 2026 were zero-click, giving attackers direct access to exposed systems and reducing defenders’ time to detect and respond effectively.

How fast are exploited vulnerabilities moving into CISA KEV according to Rapid7 (RPD)?

Rapid7 observed shrinking timelines from public disclosure to CISA KEV catalog inclusion for high and critical vulnerabilities. According to Rapid7, the median interval fell from 8.5 days to 5.0 days, increasing pressure on security teams to prioritize and remediate exposed systems more quickly.

What did Rapid7 (RPD) report about ransomware activity in Q1 2026?

Rapid7 found that ransomware activity remained fragmented across multiple groups rather than concentrated. According to Rapid7, Qilin led leak-site postings with 357 entries, followed by The Gentlemen with 206 and Akira with 174, highlighting a diverse ecosystem of active ransomware operators.

Which threat categories were most prevalent in Rapid7 (RPD) Q1 2026 telemetry?

Abused Remote Monitoring and Management tools were the most prevalent threat category in Q1 2026 telemetry. According to Rapid7, RMM tools represented 22.9% of observed activity, followed by ClickFix at 18.8% and Windows Native Scripts at 10.4%, underscoring common attacker tooling.