Today, attackers don’t need to break into your network — they can just buy their way in.
In Infiltrate and Escalate: The 2025 Access Brokers Report, intelligence analysts from the Rapid7 Labs team share their insights into how Initial Access Brokers (IABs) are fueling a booming underground economy by selling stolen access to corporate networks. These experts analyzed six months of activity across three of the most well-known forums — Exploit, XSS, and BreachForums — and the results are clear: the cost of entry for cybercriminals, in both time and money, is incredibly low.
But there is also hope. As you’ll see in the report, more than 70% of listings on broker forums included not only initial access but also user privileges. At first glance, this might seem like a net negative, and it can be. However, this finding also indicates that IABs are lingering in their victims’ networks, looking for privileges to raise their sale price. And if they have dwell time, you can detect and respond before a second attacker, most likely one doing significantly greater damage, is in your network.
Our top three findings:
Access often includes user privileges
Over 70% of listings combined initial access with user privileges, giving attackers more power to move through networks and escalate attacks. But as mentioned earlier, it makes them more vulnerable to discovery.
It's surprisingly affordable
Nearly 40% of listings were priced between $500 and $1,000, making it easy for attackers of all skill levels to get in. That said, even unskilled attackers are difficult to spot if they have valid user access credentials, making it even more important to detect and respond to the compromise as early as possible in the process.
Most access follows the same patterns
Almost 60% of listings were tied to three weak initial access points. This is really critical information, because there are tried-and-true ways to shore up defenses against these vulnerable areas (ahem, MFA) when you know they are particularly valuable to attackers.
VPN (23.5%) – Often sold with working credentials and no multi-factor authentication (MFA).
Domain User (19.9%) – Regular usernames and passwords, usually unprotected.
RDP (16.7%) – Remote access services exposed on the internet.
What this means for you
If your defenses are weak, you’re not just vulnerable — you may be for sale.
Access brokers look for companies that haven’t enforced basic protections like MFA or network segmentation. Once they get in, they resell that access to a whole host of threat actors. At that point, the breach has already happened and stopping the attack becomes a lot harder.
Initial access is now a product for sale. If you’re not actively managing your exposure, someone else might already be selling it.
Read the full report to see how this criminal marketplace works and how to protect your network from becoming the next listing.