Beazley Security, the cyber security services arm of specialist insurance company Beazley, has released its Quarterly Threat Report Q1 2026, which details a significant increase in exploited vulnerabilities as cybercriminals increasingly use AI-driven methods to accelerate attacks and target software supply chains.
The report found that exploited vulnerabilities increased by 43% in the first quarter of this year. Beazley Security said more than 15,200 new vulnerabilities were disclosed between January and March, of which nearly 3,900 were classified as high risk.
The company also noted that the number of vulnerabilities added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog increased by 43% compared to the previous quarter, indicating that attackers are exploiting newly discovered vulnerabilities faster.
Beazley Security Labs also recorded a 15% increase in the number of critical zero-day advisories issued to customers during the quarter, with many of the vulnerabilities impacting edge infrastructure such as VPNs and firewalls.
According to Beazley Security, threat activity increased in March after a quiet start to the year. The company pointed to two significant incidents that reflect changes in attack methods and the increasing use of automation in network operations.
Beazley Security said that in one incident, automated AI agents scanned thousands of public code repositories, discovered weaknesses in access controls and exploited them without direct human involvement. The campaign reportedly enabled attackers to compromise Trivy, an open source vulnerability scanner widely used in the software development community.
The company also highlighted links to an attack by an Iranian-affiliated hacking group on medical device maker Stryker. Beazley Security said attackers used Microsoft Intune to remotely wipe more than 200,000 systems around the world as part of a politically motivated campaign.
Beazley Security warns that developer supply chains are becoming an increasingly attractive target for attackers. Threat group TeamPCP allegedly used an automated artificial intelligence tool called hackerbot-claw to find and exploit weaknesses in GitHub’s CI/CD workflow, the company said. According to the report, attackers inserted credential-stealing malware into the Trivy security scanner, creating downstream risks for organizations and platforms that rely on the tool, including open source AI gateway LiteLLM.
The report indicates that attackers are increasingly prioritizing automated systems and non-human identities as pathways into wider networks and development environments.
Beazley Security said ransomware activity overall remained relatively stable, although the number of ransomware incidents increased again in March following a seasonal slowdown earlier in the quarter. The company’s investigators found that credential compromise remains the primary method of gaining initial access, accounting for 74% of ransomware intrusions observed during the reporting period.
The company also reported an increase in ransomware-focused attacks, in which threat actors steal sensitive information without deploying file encryption, instead relying on the threat of releasing stolen data to force organizations to pay.
Alton Kizziah, CEO of Beazley Security, commented: “The first quarter started quietly and ended with some of the most significant cyber incidents we have seen in years. It wasn’t just the volume of activity that was notable, but also the efficiency. Researchers at Beazley Security Labs noticed how AI-assisted tools enable attackers to scale familiar techniques more quickly, resulting in wider downstream impact.”
Josh Carolan, director of security research at Beazley Security, added: “Adversaries are not reinventing their tactics. They are improving intelligence techniques, leveraging AI-driven automation and trusted platforms to move faster, scale operations and increase impact.”