Vulnerabilities | Mar 18, 2026

The Collapse of Predictive Security in the Age of Machine-Speed Attacks

Summary

A Rapid7 analysis reveals that the vulnerability exploitation window has collapsed to just days, making traditional predictive security obsolete. The report advocates shifting to preemptive security—reducing attacker conditions, implementing strong hygiene (MFA, credential rotation, encryption), and prioritizing material business risk over alert volume—as industrialized cybercrime and AI-assisted attacks accelerate threat timelines.

Full text

The new reality in 2026 is that the predictive window has collapsed. By the time a defender can predict and disrupt an attack, it is already too late.

Criminal exploitation of high-risk vulnerabilities is increasing in both volume and speed. The cause is partly AI, but mostly the industrialization of cybercrime. Internet access brokers (IABs) are more efficient, while criminals are increasingly adopting smash and grab tactics (more accurately, perhaps, ‘silent entry and grab’): enter, exfiltrate, and depart.

The effect is that predictive security is failing. There isn’t time to predict and prevent an attack because exploitation is too fast. “Risk is realized almost immediately after a vulnerability is operationalized,” states a new Rapid7 analysis report.

“It’s just a few days from vulnerability disclosure to exploitation in the wild,” explains Christiaan Beek, VP of cyber intelligence at Rapid7. There’s no time for the vendor to issue a patch and the defender to install it. “The actors are already exploiting it – the predictive window has collapsed.”

The Rapid7 report calls for a switch from predictive security to preemptive security. “Preemptive security means reducing the conditions attackers rely on before exploitation occurs, detecting and responding with full environmental context, and prioritizing action based on material risk, not alert volume.”

Internet access brokers are a primary cause for this necessary shift in defense, and the success of infostealers is key to the IABs’ efficiency. “Infostealers provide a gold mine of information that attackers can use,” comments Beek.

The logs work both ways, of course: defenders are able to gain the same logs, understand their credentials are on the dark web, and immediately respond and change or rotate them. That’s an intelligence-based preemptive action rather than predictive response.
Elsewhere in defense, preemption includes the basic security hygiene that we still fail to do – obvious actions like properly implemented MFA, credential rotation, control and regulation of OAuth tokens, encryption, automatic auditing of additions to the environment (such as SaaS apps) and more.

Hygiene is not, however, fail-safe. AI-assisted social engineering spear-phishing is becoming more sophisticated and more successful. Credentials stolen in this manner may never appear in the logs absorbed by the IABs – especially if the actor is a nation-state APT acting by itself, for itself.

APT activity always increases whenever geopolitical tensions rise. They have been high for several years, are continuing to grow and spread, and show no immediate sign of contraction.

This situation amply illustrates the need for security to move from predictive to preemptive. Security should no longer react to signals that an attack may happen (predictive) but assume that attacks will happen and prevent them or limit their potential blast radius (preemptive).

So far, AI-assisted spear-phishing is almost self-contained. There is no sign yet of criminals using their own agentic systems to provide autonomous attacks following a successful phish. “I haven’t seen that,” says Beek. “For now, criminals are content with buying access from the dark web logs.”

The use of AI in the actual attack has not yet materialized – but that time is surely coming. “I believe within the next few years virtually all cyberattacks will be AI-based – swarming, tailored, and relentless,” commented Kevin Mandia recently. “They will be untethered to human limitations and capable of executing on a scale we have never witnessed before.”

But that’s for the future. For now, defenders must defend against the current situation. Failure to do so is illustrated by the continuing rise of ransomware over the last year. “Ransomware has matured into a speed-optimized access economy,” says Rapid7.
“Total ransomware leak posts increased from 6,034 in 2024 to 8,835 in 2025 (a 46.4% YoY rise).”

2024 was bad; 2025 was worse. The total number of ransomware groups continues to grow, and the combination with data blackmail expands. It now typifies the ‘silent entry and grab’ modus of criminal operation. “It’s no longer purely native ransomware,” says Beek. “Criminals grab the data, don’t even install the ransomware, but then try to sell the data on several forums or public sites.”

One thing could assist defenders switching to preemptive defense. The attackers haven’t suddenly started using new attack methodologies – they are simply doing what they have always done more efficiently and much faster. Preemptive security requires assuming that those attacks will happen – so rather than wait for them, we need to get ahead and prevent their success.

“To effectively manage cyber risk in 2026, organizations must adopt a fundamental mindshift toward preemptive security,” says Rapid7. “This means moving beyond a reactive, volume-based vulnerability management approach and embracing an exposure management model focused on informed prioritization and anticipation… Success will be defined by the capacity to connect technical exposure to business impact and apply AI-augmented workflows to match the adversary’s machine speed.”

But it also requires reaffirmation of basic security hygiene. “We’re still seeing the same weaknesses happening,” comments Beek. “So, it’s all that basic hygiene and stuff we still seem not to do – and the numbers and the attacks reflect that.”

There’s no sudden leap in attacker sophistication or intent. The change is in the speed with which attackers weaponize and exploit vulnerabilities. So, understanding what the attacker wants from your company, and understanding the business severity of their different actions, allows defenders to preempt disaster by preparing the battleground before the inevitable battle begins.
Preemption requires understanding the attacker and understanding your own infrastructure and business. It’s not a new concept. “If you know the enemy and know yourself,” [and prepare and preempt accordingly], “you need not fear the result of a hundred battles.”

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek.