Exploit-as-a-Service (EaaS) has transformed from occasional exploit sales into a mature underground economy. In 2025, exploit brokers sell ready-made access, subscription bundles, and continuous exploit updates. These services mimic legitimate SaaS models, reducing friction for attackers and making access a commoditized product. Threat actors can now purchase exploitation pipelines rather than build them themselves.
Trend Overview
Initial access markets are becoming more productized. Rapid7’s new report shows over 70 percent of broker listings include not just network access but user privileges too. Rapid7 2025 Access Brokers Report describes how these bundles include privilege escalation and modulated persistence modules. This is selling intrusion as a packaged deliverable, not just raw access.
Parallel market analysis from ThreatMon’s 2024–2025 Initial Access Report confirms listings now commonly include post-exploit tooling and support. ThreatMon 2024–2025 Initial Access Report finds that many access offers now come with lateral movement scripts or shells bundled, and pricing continues to compress—many listings now fall below $1,000.
Lower pricing is a deliberate shift. According to Infosecurity Magazine, brokers are undercutting their own previous pricing to push volume. Infosecurity Magazine on low-cost IAB markets reports that VPN and user account access dominate many low-cost packages. The aim: saturate the market and make access cheap to obtain but harder to trace.
Campaign Analysis & Case Studies
Case study: Bundled access with privilege modules
Rapid7’s analysis reveals that more than 70 percent of broker listings now combine base access with privilege escalation capacity. Rapid7 blog: “Compromise for Sale” describes listings featuring all-in-one packages. Buyers pay a single fee and receive everything needed to deepen compromise. This change reduces attacker overhead and standardizes entry-level exploitation.
Case study: Infrastructure takedown of broker-linked networks
In late 2024, the U.S. Department of Justice joined an international takedown targeting RedLine and META infostealer infrastructure. DOJ press release on RedLine/META disruption details seizure of hundreds of servers and arrests. That operation indirectly disrupted exploit brokers relying on stolen credential pipelines, showing how targeting downstream infrastructure can ripple upward.
Case study: Exploit sales mirrored across markets
Bitsight’s “State of the Underground 2025” report highlighted how exploit offerings replicate across multiple forums and messaging channels. Bitsight State of the Underground 2025 notes identical exploit names, screenshots, and pricing across mirror sites. This mirroring suggests that sellers syndicate the same exploit payload across multiple sales channels to maximize reach and exposure.
Detection Vectors & TTPs
Many EaaS operations follow repeatable steps. Attackers purchase access, deploy exploit checkers, escalate permissions, and exfiltrate data. The deployment of ephemeral shells and memory-only modules is now common. Unit42’s research shows leaked machine key usage by initial access brokers, which provides fingerprintable behavior. Unit42 on leaked keys and IAB exploits describes identifiable signatures and staging paths used by brokered deployments.
Defenders can map these behaviors to MITRE ATT&CK techniques: – T1078 (Valid Accounts) for credential use – T1068 (Exploitation for Privilege Escalation) for bundled privilege modules – T1021 (Remote Services) for lateral movement
By correlating exploit checker activity, repeated shell deployments, and unusual privilege escalation events from unknown accounts, defenders can surface brokered compromise before data theft begins.
Industry Response & Law Enforcement
Law enforcement is shifting toward infrastructure takedowns and hidden infiltration. The RedLine/META takedown is an example, but agencies now increasingly monitor broker forums and phishing-as-a-service affiliates tied to exploit broker chains. Their aim: disrupt not just threat groups but the support ecosystems around them.
Security vendors and researchers are responding too. FortiGuard Labs’ 2025 threat report calls out automation and cybercrime-as-a-service expansion, including exploit and credential markets. FortiGuard 2025 report underscores the growth of commoditized exploitation as a systematic service. While agencies push takedowns, defenders must integrate broker-oriented intelligence into defensive posture.
CISO Playbook
- Prioritize patching of externally exposed services—especially VPNs, remote desktop interfaces, firewall admin panels, and legacy appliances.
- Correlate internal telemetry with threat intel to detect repeated exploit checker patterns and privilege elevation signatures.
- Enforce phishing-resistant MFA and reduce credential reuse across accounts, especially for administrative access.
- Share threat intelligence on broker handles, infrastructure, and marketplace metadata with trusted peers and intelligence alliances.
- Simulate EaaS-style attacks in red team exercises to verify detection coverage and operational readiness.
Exploit-as-a-Service has evolved into a structured market where access, privilege and maintenance are sold in one package. The challenge for defenders is not just patching and detection but shifting perspective: these are supply chains, not opportunistic breaches. To prevail, security programs must operate with intelligence-driven disruption, not just reactive response.
This article is for research and defensive awareness. It does not endorse or facilitate illegal activity.