Initial Access Broker Market in May 2026: Pricing and Targeting Trends
The initial access broker market has continued its evolution as a structured intermediary economy between credential theft, vulnerability exploitation, and downstream ransomware operations. By May 2026, the market dynamics are mature enough that pricing and targeting patterns provide useful threat intelligence for defenders trying to understand where the next wave of attacks is likely to land.
We’ve been tracking the visible IAB activity across the major Russian-language and English-language marketplaces, plus the more recent shift toward private brokerage in encrypted channels.
Pricing has stratified meaningfully
The IAB market in 2026 looks much more like a structured commercial market than the loosely organised seller community of three years ago. Access offerings are categorised by victim revenue band, sector, geography, and access type. Pricing has stabilised around predictable bands.
For mid-market victims (annual revenue US$10-100M), VPN or RDP access listings typically price between US$1,500 and US$8,000 depending on sector. Healthcare and legal sector access commands premiums - the willingness of these victims to pay ransoms supports higher initial access prices. Manufacturing access has been holding steady at the lower end of the range.
Larger enterprise access (annual revenue above US$1B) is pricing in the US$15,000 to US$80,000 range for verified domain-administrator-level access. The price discrimination by sector is sharper here - financial services access where the broker can demonstrate access to backup systems can command six-figure prices, while consumer goods enterprise access trades in the lower bands.
The pricing transparency itself is a defensive intelligence asset. When access to a particular sector starts pricing higher than its historical band, it’s usually a signal that ransomware crews are seeing better payment results in that sector and bidding up the input cost. This is a leading indicator that defenders in the affected sectors should treat seriously.
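One way to turn this signal into a repeatable check, as an added example that is not part of the original tracking work: compare each sector's recent median asking price against its own earlier median and against the revenue-tier band quoted above. The listings, tier labels, sector names, week windows and the 1.3 drift threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Price bands quoted in the article (US$); the tier keys are labels chosen here.
BANDS = {"mid_market": (1_500, 8_000), "enterprise": (15_000, 80_000)}

# Constructed observations: (ISO week, tier, sector, asking price in US$).
LISTINGS = [
    ("2026-W14", "mid_market", "healthcare", 5_500),
    ("2026-W15", "mid_market", "healthcare", 6_000),
    ("2026-W15", "mid_market", "healthcare", 5_000),
    ("2026-W18", "mid_market", "healthcare", 7_500),
    ("2026-W19", "mid_market", "healthcare", 9_000),
    ("2026-W19", "mid_market", "healthcare", 8_500),
    ("2026-W14", "mid_market", "manufacturing", 2_000),
    ("2026-W15", "mid_market", "manufacturing", 2_200),
    ("2026-W15", "mid_market", "manufacturing", 1_800),
    ("2026-W18", "mid_market", "manufacturing", 2_100),
    ("2026-W19", "mid_market", "manufacturing", 1_900),
    ("2026-W14", "enterprise", "financial_services", 40_000),
    ("2026-W15", "enterprise", "financial_services", 45_000),
    ("2026-W18", "enterprise", "financial_services", 60_000),
    ("2026-W19", "enterprise", "financial_services", 58_000),
    ("2026-W19", "mid_market", "legal", 7_000),  # single listing, no baseline
]
RECENT_WEEKS = {"2026-W18", "2026-W19"}


def sector_signals(listings, recent_weeks, drift_ratio=1.3, min_listings=2):
    """Return {(tier, sector): details} for sectors pricing above their history."""
    base, recent = defaultdict(list), defaultdict(list)
    for week, tier, sector, price in listings:
        bucket = recent if week in recent_weeks else base
        bucket[(tier, sector)].append(price)

    signals = {}
    for key, prices in recent.items():
        history = base.get(key, [])
        if len(prices) < min_listings or len(history) < min_listings:
            continue  # too few listings to separate a trend from noise
        base_med, recent_med = median(history), median(prices)
        reasons = []
        if recent_med > BANDS[key[0]][1]:
            reasons.append("above_band")      # median has left the tier's band
        if recent_med >= drift_ratio * base_med:
            reasons.append("upward_drift")    # rising against its own baseline
        if reasons:
            signals[key] = {"baseline": base_med, "recent": recent_med,
                            "reasons": reasons}
    return signals
```

Medians are used instead of means so that a single outlier listing, such as a six-figure offer with demonstrated backup access, does not trigger the flag on its own.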
Targeting patterns have shifted toward managed service providers
A trend that strengthened through 2025 and continues into 2026 is the disproportionate targeting of managed service providers and IT outsourcing firms. The economics from the attacker side are obvious - one MSP compromise produces access to dozens or hundreds of downstream victim networks, multiplying the value of a single intrusion.
The IAB listings for MSP access have continued to grow as a share of total inventory. The pricing premium for verified MSP access reflects the downstream value - the brokers know what the access is worth to ransomware operators.
For defenders, this trend has implications well beyond the MSP sector itself. Any organisation that depends on third-party IT service delivery is part of the extended attack surface. The supply-chain compromise risk has been real for years; the maturation of the IAB market has commoditised the targeting of intermediaries in ways that make the risk significantly more pressing.
The CISA advisories on MSP targeting have continued to flag this risk, and the operational guidance for both MSPs and their customers has tightened. Whether the implementation of that guidance has kept pace with the threat is another question.
Authentication compromise dominates the supply side
The supply side of the IAB market - how the brokers obtain the access they’re selling - continues to be dominated by authentication compromise rather than vulnerability exploitation. Phishing-derived credentials, info-stealer malware harvests, and credential stuffing remain the principal sources.
The info-stealer ecosystem has been particularly significant. The continued operation of stealer-as-a-service offerings, the integration of stealer logs into broker workflows, and the maturation of the marketplaces where stealer logs are traded have created a reliable pipeline of credential material that flows into the IAB economy.
The defensive implications are well understood but unevenly implemented. Phishing-resistant authentication - hardware security keys, properly configured passkeys, certificate-based authentication - meaningfully disrupts the credential-to-access supply chain that the IAB market depends on. Organisations that have rolled this out across their high-risk user populations have seen measurable reductions in their exposure to this threat path.
The challenge is that “high-risk user populations” in the modern environment is a much larger group than the old executive-and-admin definition. Any user with access to material data, financial systems, or downstream customer environments is a meaningful target. The implementation cost of phishing-resistant authentication at scale is real, but it’s reliably less than the cost of a successful compromise.
Vulnerability exploitation supply
The vulnerability-derived access supply has shifted in interesting ways. The mass exploitation of widely deployed enterprise software vulnerabilities - the Citrix, Fortinet, Ivanti, and similar incidents - continues to feed significant access volumes into the IAB market when these events occur. The time from public disclosure to mass exploitation has continued to compress, with exploitation now reliably underway within hours of credible technical detail being published.
The patching velocity required to outrun this curve is well beyond what most enterprise environments achieve. Compensating controls - network segmentation, endpoint detection, behavioural monitoring - matter more for these scenarios than aggressive patching alone, because aggressive patching has a known practical ceiling.
AI in attacker workflows
The AI-augmented attacker workflow story has become more concrete in 2026 than it was a year ago. The IAB ecosystem is using LLM-based tools for several practical functions - phishing message generation that gets through filters, automated reconnaissance and target profiling, and increasingly the partial automation of the access verification and packaging steps that brokers used to do manually.
This has lowered the cost per access in the broker workflow and increased the volume of inventory that the more sophisticated brokers can offer. The defensive AI work happening on the other side of the equation - both at major security vendors and at specialist consultancies including Australian firms like Team400 and others working in the AI defence and governance space - is partially offsetting this, but the asymmetry remains real.
For defenders, the practical implication is that detection workflows that depend on the artisanal quality limitations of attacker activity (clumsy phishing, obvious reconnaissance, predictable beaconing) are becoming progressively less reliable. Behavioural analytics, anomaly detection on legitimate authentication patterns, and decoy-and-detection strategies that don’t depend on the attacker making mistakes are becoming more important.
What to watch through Q2 and Q3
A few things are worth watching over the next several months. The MSP and supply-chain targeting trend is unlikely to slow and may accelerate. The pricing data on healthcare and financial services access is a useful leading indicator for ransomware activity in those sectors. The continuing maturation of info-stealer operations and the credential market they feed deserves sustained attention from teams responsible for authentication infrastructure.
The Russian-language IAB markets have remained the dominant trading venues, but the shift toward private brokerage relationships outside the public marketplaces has continued. This makes intelligence collection harder and means that public marketplace pricing increasingly understates the volume of the underlying activity.
The IAB market is mature, professionalised, and growing. Defensive posture has to be calibrated for that reality rather than for the more chaotic threat picture of five years ago.