Initial Access Brokers Are Scaling Attacks Faster Than Most Security Programs Are Adapting

April 18, 2026 Cyber Trends

Initial access brokers (IABs) have moved from fringe players to a core engine of the modern intrusion economy.

The latest research shows the IAB market has expanded sharply over the past two years, enabling advanced adversaries to outsource the hardest early-stage work and scale campaigns across many more targets. The strategic risk is no longer limited to ransomware. Researchers link the surge in IAB activity with nation-states using cyber operations as instruments of national power, blurring the line between criminal and geopolitical campaigns. This overlap complicates attribution and raises the odds that the same foothold can be repurposed for espionage, coercion, or disruption.

Recent research that tracked listings across major underground forums highlights a market that is both broadening and professionalizing. The U.S. remained the most targeted country in 2024 (31%), with Brazil and France rising in prominence. Access for sale across the top 10 countries increased by 90%, indicating sharper geographic focus rather than scattershot targeting.

Industry targeting also tracks with revenue opportunity and operational leverage. Business services led in 2024 (17%), retail stayed consistently high, and manufacturing climbed into the top tier.

Two shifts matter operationally:

Smaller organizations are now a primary demand stream. Listings increasingly concentrated in the $5M–$50M revenue range, representing about 60.5% of observed initial access listings, reflecting a deliberate hunt for softer defenses.

The access mix is evolving. RDP remained dominant, but VPN access surged in 2024, narrowing the gap and reinforcing the reality that identity and remote access hygiene are now the default battleground.

Pricing remains low relative to downstream impact. Most corporate access listings fell roughly in the $500–$3,000 band, with occasional high-value access exceeding $10,000. This cost asymmetry is why IABs keep winning the first move.

Why this is now a critical infrastructure problem

The most alarming takeaway from the Cybersecurity Dive coverage is the migration of IAB-enabled campaigns into sectors with public safety and national resilience stakes. Check Point documented sharp increases in IAB activity from 2023 to 2024 across government, healthcare, education, and transportation. Healthcare was hit especially hard, showing nearly 600% more IAB attacks in 2024 than in 2023.

This is the blueprint for scaled disruption:

1. Broker obtains foothold through exposed RDP, compromised VPN, weak identity controls, or supply chain spillover.
2. Access is sold.
3. A separate operator executes ransomware, extortion, data theft, or geopolitically aligned disruption.

InfoSight perspective: the IAB economy is a diagnostic signal

Treat IAB activity as a market indicator of your most exploitable control failures. The listings tell defenders where operational reality diverges from policy.

Three implications should reshape program priorities:

1. Identity is the new perimeter, and IABs are pricing your identity failures in real time.
If VPN access is surging and credential abuse remains the fastest path to resale value, then MFA coverage gaps, weak conditional access, legacy auth, and poor privileged access governance are not minor issues. They are the product catalog.

2. External attack surface management is no longer optional.
IABs monetize exposed services, stale remote access paths, and unmonitored internet-facing assets. Security teams that only measure internal controls are working on an incomplete risk model. The adversary is shopping the external footprint first.

3. OT and hybrid environments amplify the blast radius of “cheap” access.
Check Point explicitly called out the need to harden operational technology as IAB activity expands into strategically significant sectors. The cost of initial entry is low; the potential for cascading operational impact is not.

What defensible organizations must do now

Build a program that breaks the IAB business model before access becomes resale-grade.

Identity and access hardening

Enforce phishing-resistant MFA for admins and remote access.

Implement conditional access with device health and risk-based controls.

Reduce standing privileges with JIT/JEA patterns.

Audit and remove legacy authentication paths.

Remote access triage

Eliminate exposed RDP at the edge.

Inventory all VPN concentrators, verify patch posture, and validate logging integrity.

Rotate credentials and certificates tied to remote infrastructure.

Attack surface and vulnerability pressure

Continuous discovery of internet-facing assets and shadow IT.

Prioritized remediation tied to exploited-in-the-wild signals, not just CVSS.

Validate that remediation closes the actual exposure path. 
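
An added example, not part of the original article or any vendor's tooling: one way to rank findings so that exposed RDP, VPN access without MFA and exploited-in-the-wild signals outrank raw CVSS, then check a rescan to confirm the exposure path is closed. It covers the remote access triage and attack surface lists above; the `Finding` fields, the tier order and the hostnames are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str              # constructed hostname
    service: str            # "rdp", "vpn", "http", ...
    internet_facing: bool
    cvss: float
    known_exploited: bool   # flagged by an exploited-in-the-wild feed
    mfa_enforced: bool = True

def tier(f: Finding) -> int:
    """Assumed tiers (0 = fix first); the article gives priorities, not a formula."""
    if f.internet_facing and f.service == "rdp":
        return 0            # exposed RDP at the edge: eliminate
    if f.internet_facing and f.known_exploited:
        return 1            # reachable and exploited in the wild
    if f.internet_facing and f.service == "vpn" and not f.mfa_enforced:
        return 2            # remote access without MFA
    if f.known_exploited:
        return 3            # exploited in the wild, internal only
    return 4                # everything else, ordered by CVSS

def triage(findings):
    # CVSS only breaks ties inside a tier; asset name keeps the order stable.
    return sorted(findings, key=lambda f: (tier(f), -f.cvss, f.asset))

# Constructed sample inventory, not real systems or scan output.
SAMPLE = [
    Finding("db01.internal.example", "postgres", False, 9.8, False),
    Finding("vpn-gw1.example", "vpn", True, 7.5, True),
    Finding("jump01.example", "rdp", True, 5.3, False),
    Finding("vpn-gw2.example", "vpn", True, 0.0, False, mfa_enforced=False),
    Finding("app02.internal.example", "http", False, 8.1, True),
]

def ranked_assets(findings=SAMPLE):
    return [f.asset for f in triage(findings)]

def still_open(before, rescan):
    """Assets whose finding reappears after remediation (exposure path not closed)."""
    seen = {(f.asset, f.service) for f in rescan}
    return [f.asset for f in triage(before) if (f.asset, f.service) in seen]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(tier(f), f.asset, f.service, f.cvss)
```

The internal database with the highest CVSS score lands last, behind every internet-facing remote access finding.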

Resilience for high-consequence sectors

Segment IT/OT networks with strict identity-aware conduits.

Increase monitoring for lateral movement indicators associated with broker-style pre-positioning.

Run tabletop and technical recovery exercises aligned to ransomware and disruptive-state scenarios.

IABs have industrialized the front door of cybercrime and accelerated the convergence of criminal scale with geopolitical intent. The data shows growing focus on healthcare, manufacturing, and other high-impact sectors, with remote access and identity exposures driving the resale pipeline. 
