Beazley Security, the cyber security services arm of specialist insurer Beazley, has released its Quarterly Threat Report for Q1 2026, detailing a significant rise in exploited vulnerabilities as cyber criminals increasingly use AI-powered methods to accelerate attacks and target software supply chains.
The report found that exploited vulnerabilities increased by 43% during the first quarter of the year. Beazley Security said more than 15,200 new vulnerabilities were disclosed between January and March, including almost 3,900 categorised as high risk.
The company also noted a 43% rise in the number of vulnerabilities added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalogue compared with the previous quarter, suggesting attackers are moving more quickly to exploit newly discovered flaws.
Beazley Security Labs additionally recorded a 15% increase in critical zero-day advisories issued to clients during the quarter, with many of the vulnerabilities affecting edge infrastructure such as VPNs and firewalls.
According to Beazley Security, threat activity intensified in March after a quieter start to the year. The company pointed to two major incidents that reflected changing attack methods and the growing use of automation in cyber operations.
In one incident, Beazley Security said an autonomous AI agent scanned thousands of public code repositories, identified weaknesses in access controls and exploited them without direct human involvement. The activity reportedly enabled attackers to compromise Trivy, a widely used open-source vulnerability scanner relied upon across the software development sector.
The company also highlighted an attack linked to an Iranian-affiliated hacktivist group targeting medical device manufacturer Stryker. Beazley Security said the attackers used Microsoft Intune to remotely wipe more than 200,000 systems worldwide as part of a politically motivated campaign.
Beazley Security warned that developer supply chains are becoming an increasingly attractive target for attackers. The company said threat actor group TeamPCP allegedly used an automated AI tool known as hackerbot-claw to uncover and exploit weaknesses in GitHub CI/CD workflows. According to the report, the attackers inserted credential-stealing malware into the Trivy security scanner, creating downstream risks for organisations and platforms dependent on the tool, including the open-source AI gateway LiteLLM.
The report suggested that attackers are increasingly prioritising automation systems and non-human identities as a route into wider networks and development environments.
Beazley Security said ransomware activity remained relatively consistent overall, although incident levels increased again in March following a seasonal slowdown earlier in the quarter. The company’s investigators found that compromised credentials continued to be the leading method used to gain initial access, accounting for 74% of ransomware intrusions observed during the reporting period.
The company also reported a rise in extortion-focused attacks in which threat actors steal sensitive information without deploying file encryption, instead relying on the threat of releasing stolen data to pressure organisations into paying.
Alton Kizziah, CEO of Beazley Security, commented: “The first quarter began quietly and ended with some of the most consequential cyber events we’ve seen in years. What stood out wasn’t just the volume of activity, but the efficiency. Beazley Security Labs researchers have noted how AI-assisted tooling is enabling attackers to scale familiar techniques faster, with broader downstream impact.”
Josh Carolan, Director of Security Research at Beazley Security, added: “Attackers aren’t reinventing their playbooks. They’re refining tradecraft, using AI-driven automation and trusted platforms to move faster, scale operations, and increase impact.”