Research Report

State of Exploitation 2026

How attackers moved in 2025 and where defenders lost time

In 2025, exploitation continued to move faster than defender decision cycles, widening the exploitation timing gap. Attackers targeted a widening range of enterprise technologies, often acting before traditional disclosure, scoring, and consensus processes caught up. This report examines how the patterns of exploitation actually unfolded over the past year, where visibility lagged, and which signals proved most useful before exploitation scaled. The result is a clearer view of attacker timelines and the gaps defenders are still forced to navigate.

Our report calls out key findings:

884 vulnerabilities had first-time exploitation evidence in 2025, highlighting the scale and persistence of active exploitation

28.96% of KEVs were exploited on or before CVE publication, underscoring the continued reality of zero-day and rapid n-day exploitation

Network edge devices were the most targeted technology, followed by CMS platforms and open source software

Stay ahead of attackers with the latest exploit intelligence from VulnCheck.

Download the full State of Exploitation 2026 report to explore the data, trends, and analysis shaping today’s threat landscape.

Authored by

Patrick Garrity

Security Researcher, VulnCheck

