13 August 2025
Based on six months of threat intelligence gathered from dark web forums, including Exploit, XSS, and BreachForums, the report reveals how initial access to compromised networks is often sold at low prices, sometimes for less than $1,000, and provides strategies for defenders to disrupt these early-stage breaches.
Analyzing hundreds of posts from Initial Access Brokers (IABs), Rapid7’s threat researchers found that what is often marketed as "initial access" can actually represent deep infiltration.
“These brokers aren’t just selling a single entry point — they’re exploring and exploiting networks they’ve infiltrated, often successfully,” said Raj Samani, SVP and chief scientist at Rapid7. “When threat actors log in using access bought from brokers, they often already have admin privileges and multiple access vectors. The key is responding quickly before escalation occurs.”
Over 71% of access broker sales include some level of privilege, with nearly 10% offering bundles that combine multiple access vectors and privileges. The average sale price is around $2,700, with nearly 40% priced between $500 and $1,000. The most common access types offered are VPN, Domain User, and RDP, reflecting the weak points frequently encountered in Rapid7’s incident response investigations.
This report arrives amidst ongoing challenges for security teams — alert fatigue, resource constraints, and sophisticated attacker tactics. It underscores the importance of integrating exposure management with threat detection, rather than handling them separately.
The report emphasizes that, despite law enforcement efforts, access brokers remain a persistent threat, and organizations must act swiftly and decisively. Rapid7’s research reinforces that operationalizing threat intelligence, contextual asset data, and automation isn’t optional — it’s essential for effective security in today’s threat landscape.