The new reality in 2026 is that the predictive window has collapsed. By the time a defender can predict and disrupt an attack, it is already too late.
Criminal exploitation of high-risk vulnerabilities is increasing in both volume and speed. The cause is partly AI, but mostly the industrialization of cybercrime. Internet access brokers (IABs) are more efficient, while criminals are increasingly adopting smash-and-grab tactics (more accurately, perhaps, ‘silent entry and grab’): enter, exfiltrate, and depart.
The effect is that predictive security is failing. There isn’t time to predict and prevent an attack because exploitation is too fast. “Risk is realized almost immediately after a vulnerability is operationalized,” states a new Rapid7 analysis report.
“It’s just a few days from vulnerability disclosure to exploitation in the wild,” explains Christiaan Beek, VP of cyber intelligence at Rapid7. There’s no time for the vendor to issue a patch and the defender to install it. “The actors are already exploiting it – the predictive window has collapsed.”
The Rapid7 report calls for a switch from predictive security to preemptive security. “Preemptive security means reducing the conditions attackers rely on before exploitation occurs, detecting and responding with full environmental context, and prioritizing action based on material risk, not alert volume.”
Internet access brokers are a primary cause of this necessary shift in defense, and the success of infostealers is key to the IABs’ efficiency. “Infostealers provide a gold mine of information that attackers can use,” comments Beek. The logs work both ways, of course: defenders are able to obtain the same logs, learn that their credentials are on the dark web, and immediately respond by changing or rotating them. That’s an intelligence-based preemptive action rather than a predictive response.
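The defender's side of that exchange can be sketched as a triage step, shown here as an added example that is not from the Rapid7 report or this article. The pipe-separated record layout, the `example.com` domain and the directory export are assumptions made for illustration; real infostealer feeds differ by vendor and stealer family.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed sample records in a hypothetical "url|login|password|captured" layout.
SAMPLE_LOG = """\
https://sso.example.com/login|alice@example.com|REDACTED|2026-01-14
https://mail.example.com/|bob@example.com|REDACTED|2025-11-02
https://shop.other.test/|carol@gmail.test|REDACTED|2026-01-10
https://vpn.example.com/|ALICE@example.com|REDACTED|2026-01-15
malformed line without separators
"""

# Hypothetical directory export: account -> (last password change, privileged?)
DIRECTORY = {
    "alice@example.com": (date(2025, 12, 1), True),
    "bob@example.com": (date(2025, 12, 20), False),
}

def triage(log_text, directory, corp_domain="example.com"):
    """Return corporate accounts that still need rotation, most urgent first."""
    latest = {}  # account -> (newest capture date, set of affected hosts)
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # skip damaged records rather than abort the run
        url, login, _password, captured = parts  # the password is never stored
        login = login.lower()
        if not login.endswith("@" + corp_domain):
            continue  # not one of our identities
        try:
            seen = date.fromisoformat(captured)
        except ValueError:
            continue
        host = urlsplit(url).hostname or url
        newest, hosts = latest.get(login, (seen, set()))
        latest[login] = (max(newest, seen), hosts | {host})
    findings = []
    for login, (seen, hosts) in latest.items():
        # Accounts missing from the export are treated as never rotated.
        changed, privileged = directory.get(login, (date.min, False))
        if seen >= changed:  # captured after the last rotation: may still be valid
            findings.append({"account": login, "captured": seen,
                             "hosts": sorted(hosts), "privileged": privileged})
    # Privileged accounts first, then the most recent capture.
    findings.sort(key=lambda f: (not f["privileged"], -f["captured"].toordinal()))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, DIRECTORY):
        print(finding)
```

Comparing the capture date with the last password change keeps the rotation queue limited to credentials that could still work, which is what makes an immediate response practical.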
Elsewhere in defense, preemption includes the basic security hygiene that we still fail to do – obvious actions like properly implemented MFA, credential rotation, control and regulation of OAuth tokens, encryption, automatic auditing of additions to the environment (such as SaaS apps) and more. Hygiene is not, however, fail-safe. AI-assisted social engineering spear-phishing is becoming more sophisticated and more successful. Credentials stolen in this manner may never appear in the logs absorbed by the IABs – especially if the actor is a nation-state APT acting by itself, for itself.
APT activity always increases whenever geopolitical tensions rise. They have been high for several years, are continuing to grow and spread, and show no immediate sign of contraction. This situation amply illustrates the need for security to move from predictive to preemptive. Security should no longer react to signals that an attack may happen (predictive) but assume that attacks will happen and prevent them or limit their potential blast radius (preemptive).
So far, AI-assisted spear-phishing is almost self-contained. There is no sign yet of criminals using their own agentic systems to provide autonomous attacks following a successful phish. “I haven’t seen that,” says Beek. “For now, criminals are content with buying access from the dark web logs.” The use of AI in the actual attack has not yet materialized – but that time is surely coming.
“I believe within the next few years virtually all cyberattacks will be AI-based – swarming, tailored, and relentless,” commented Kevin Mandia recently. “They will be untethered to human limitations and capable of executing on a scale we have never witnessed before.”
But that’s for the future. For now, defenders must defend against the current situation. Failure to do so is illustrated by the continuing rise of ransomware over the last year. “Ransomware has matured into a speed-optimized access economy,” says Rapid7. “Total ransomware leak posts increased from 6,034 in 2024 to 8,835 in 2025 (a 46.4% YoY rise).” 2024 was bad; 2025 was worse.
The total number of ransomware groups continues to grow, and the combination with data blackmail expands. It now typifies the ‘silent entry and grab’ modus of criminal operation. “It’s no longer purely native ransomware,” says Beek. “Criminals grab the data, don’t even install the ransomware, but then try to sell the data on several forums or public sites.”
One thing could assist defenders switching to preemptive defense. The attackers haven’t suddenly started using new attack methodologies – they are simply doing what they have always done, more efficiently and much faster. Preemptive security requires assuming that those attacks will happen – so rather than wait for them, we need to get ahead and prevent their success.
“To effectively manage cyber risk in 2026, organizations must adopt a fundamental mindshift toward preemptive security,” says Rapid7. “This means moving beyond a reactive, volume-based vulnerability management approach and embracing an exposure management model focused on informed prioritization and anticipation… Success will be defined by the capacity to connect technical exposure to business impact and apply AI-augmented workflows to match the adversary’s machine speed.”
But it also requires reaffirmation of basic security hygiene. “We’re still seeing the same weaknesses happening,” comments Beek. “So, it’s all that basic hygiene and stuff we still seem not to do – and the numbers and the attacks reflect that.” There’s no sudden leap in attacker sophistication or intent. The change is in the speed with which attackers weaponize and exploit vulnerabilities. So, understanding what the attacker wants from your company, and understanding the business severity of their different actions, allows defenders to preempt disaster by preparing the battleground before the inevitable battle begins.
Preemption requires understanding the attacker and understanding your own infrastructure and business. It’s not a new concept. “If you know the enemy and know yourself,” [and prepare and preempt accordingly], “you need not fear the result of a hundred battles.”
