Key Takeaways
- Exploited vulnerabilities rose 43% in Q1 2026, with more than 15,200 new flaws disclosed, nearly 3,900 rated high‑risk.
- Critical zero‑day advisories increased 15%, driven largely by VPN, firewall, and edge‑infrastructure weaknesses.
- Compromised credentials remain the dominant ransomware entry point, accounting for 74% of incidents.
- AI‑assisted automation is accelerating familiar attack techniques, enabling threat actors to scale supply‑chain compromises rapidly.
- Notable Q1 events include an autonomous AI agent that poisoned the Trivy scanner and an Iranian‑linked hacktivist group that weaponized Microsoft Intune to wipe 200,000+ systems.
Overview of Q1 Threat Landscape
Beazley Security’s Quarterly Threat Report for Q1 2026 paints a picture of accelerating cyber risk. After a modest start to the year, threat activity surged in March, underscoring how attackers are leveraging automation and trusted platforms to amplify impact. The report blends global threat intelligence, incident‑response data, and MDR telemetry to reveal that while overall ransomware volumes held steady, the efficiency and reach of attacks have grown dramatically thanks to AI‑enabled tooling.
Vulnerability Disclosure Surge
More than 15,200 new vulnerabilities were disclosed in the first three months of 2026, a figure that represents a substantial increase over prior periods. Of these, nearly 3,900 were classified as high risk, highlighting a growing pool of exploitable weaknesses. The addition of flaws to CISA’s Known Exploited Vulnerabilities (KEV) catalog jumped 43% compared with Q4 2025, indicating that defenders are seeing these flaws weaponized in the wild at an accelerating pace.
Rise in Critical Zero‑Day Advisories
Beazley Security Labs recorded a 15% increase in critical zero‑day advisories issued to clients during Q1. Many of these advisories pertained to edge infrastructure—particularly VPN appliances and firewall devices—that have become attractive targets due to their pervasive deployment and often‑limited patch cycles. The uptick signals that threat actors are increasingly focusing on previously unknown flaws that can be exploited before vendors release mitigations.
March‑Driven Spike in Activity
Although the quarter began with a seasonal lull, March witnessed two high‑impact incidents that shifted the threat landscape. First, an autonomous AI agent scanned thousands of public code repositories, identified misconfigured access controls, and exploited them without human intervention. Second, an Iranian‑linked hacktivist group leveraged Microsoft Intune to conduct a politically motivated wipe of more than 200,000 systems belonging to medical‑device manufacturer Stryker. These events illustrate how attackers are combining automation with trusted enterprise platforms to achieve massive, disruptive outcomes.
AI‑Assisted Supply‑Chain Attack on Trivy
One of the quarter’s most significant incidents involved threat‑actor group TeamPCP, which deployed an automated AI agent dubbed hackerbot‑claw. The agent scoured GitHub CI/CD workflows, located misconfigurations, and injected credential‑stealing malware into the widely used open‑source vulnerability scanner Trivy. Because Trivy is integrated into countless development pipelines, the compromise cascaded downstream, affecting projects such as the AI‑gateway LiteLLM and numerous other organizations that rely on the tool for security scanning. This episode underscores a shift toward targeting non‑human identities and automation infrastructure to maximize reach.
Developer‑Focused Supply‑Chain Trends
The Trivy compromise exemplifies a broader trend: attackers are prioritizing developer supply chains and exploiting automation pipelines rather than relying solely on stolen user credentials. By poisoning trusted tools, threat actors gain persistent, broad‑based access to thousands of downstream environments with a single successful intrusion. Defenders must therefore extend their focus beyond endpoint protection to include rigorous code‑repository hygiene, CI/CD pipeline security, and continuous monitoring of third‑party dependencies.
Ransomware Tactics Persist
Ransomware incident volumes remained relatively stable quarter‑over‑quarter, with a modest rebound in March after a seasonal dip. Compromised credentials continued to dominate as the primary initial access vector, representing 74% of ransomware intrusions observed by Beazley Security investigators. Concurrently, responders noted a rise in extortion‑only operations, where threat actors exfiltrate sensitive data without deploying encryption, using the stolen information as leverage for negotiation while avoiding the noise associated with ransomware deployment.
Leadership Insights on AI‑Enabled Efficiency
Alton Kizziah, CEO of Beazley Security, remarked that Q1 began quietly but concluded with some of the most consequential cyber events in recent years. He emphasized that the standout factor was not merely volume but the efficiency with which attackers scaled familiar techniques using AI‑assisted tooling. Josh Carolan, director of security research, echoed this view, noting that adversaries are not inventing new playbooks; instead, they are refining existing tradecraft, employing AI‑driven automation and trusted platforms to move faster, expand operations, and magnify impact.
About the Report and Beazley Security
The Quarterly Threat Report synthesizes global threat intelligence, incident‑response data, and MDR telemetry to identify trends shaping the cyber risk landscape. The Q1 2026 edition highlights the growing role of AI in both offensive and defensive security, evolving supply‑chain risks, and the enduring importance of foundational controls such as patch management, credential hygiene, and network segmentation. Beazley Security, a wholly owned subsidiary of Beazley plc, provides managed detection and response, incident response, exposure management, and advisory services to organizations of all sizes, helping clients build resilience from pre‑breach preparation through remediation. The firm’s research arm, Beazley Security Labs, publishes ongoing advisories at labs.beazley.security.
For the full Q1 2026 Quarterly Threat Report, visit: https://beazley.security/insights/insights/quarterly-threat-report-first-quarter-2026