The $2,700 Network Access Market: How Criminals Turned Cybersecurity Into a Commodity
Rapid7's Chief Scientist reveals how organized crime transformed from $400 ransoms to $450,000 demands in just a decade
Network access to your organization is being sold on dark web forums for an average of just $2,700, less than most companies spend on coffee each month. Yet this seemingly trivial sum represents the key to potentially catastrophic breaches that can cost organizations millions and fundamentally reshape the global threat landscape.
Raj Samani, Chief Scientist at Rapid7, has been tracking this evolution from his unique vantage point bridging cybersecurity research and law enforcement collaboration. His team's latest Access Brokers Report, based on analysis of three major dark web forums, reveals a sobering reality: cybercrime has become a commodity business with devastating efficiency.
"You remember 2015, we had the ransomware group Tesla, which was a consumer-driven attack, and the average ransom demand was two Bitcoin, which was about $400," Samani explained during our interview at Black Hat 2025. "Now we've got this economy in which companies are being targeted at a rate and pace that is unprecedented. The average demand has increased from $400 to $450,000."
The Democratization of Digital Crime
This transformation reflects what Samani calls the democratization of cybercrime. Initial Access Brokers (IABs) have created a marketplace where technical barriers to entry have virtually disappeared. Anyone with a few hundred dollars can purchase ready-made access to corporate networks, complete with privileged accounts and multiple entry vectors.
Rapid7's research, covering six months of activity across Exploit, XSS, and BreachForums, reveals that 71.4% of access broker sales offer more than just basic network entry—they include elevated privileges or multiple access routes. Nearly 10% provide complete bundles with multiple initial access vectors and administrative privileges.
"To be a cyber criminal, you don't need any technical skills anymore," Samani noted, echoing concerns he first raised in a 2013 paper. "This is why we've been tracking this for over a decade now."
The implications extend far beyond individual organizations. When a morning text message to Samani revealed suspicious IP addresses in a client's network, Rapid7's intelligence platform immediately identified the threat as Scattered Spider—the same group that had targeted major retailers including Marks and Spencer and Co-Op.
Intelligence-Driven Defense in a Noisy World
For Samani, the core challenge isn't detecting threats, it's prioritizing responses in an environment saturated with alerts and marketing noise. His team at Rapid7 Labs has focused on what he calls "threat-informed remediation," using curated intelligence to cut through the chaos of modern security operations.
"Every single campaign we've seen, by and large, has been detected. It's just not been responded to," Samani explained. "The challenge we're facing is the inability to separate the marketing hype from the reality of security operations."
Rapid7's approach involves verifying every threat indicator and assigning meta-scores to help organizations understand which alerts truly matter. Instead of drowning security teams in volume—what Samani calls "the fool's errand," the platform eliminates noise and highlights actionable threats.
"Of 40,000 CVEs disclosed last year, which one are you going to be worried about?" he asked. "What we should be concerned about is the stuff that's going to hurt me."
The Economics of Access
The research reveals troubling economic realities. While victim organizations average $2.2 billion in annual revenue, access to their networks sells for under $3,000, a risk-to-cost ratio that should alarm any executive. Most sales cluster around the $500-$1,000 range, making network access cheaper than many enterprise software licenses.
The most popular attack vectors mirror what Rapid7 observes in actual incident response: VPN access (23.5%), Domain User accounts (19.9%), and RDP services (16.7%). These represent fundamental failures in security architecture, systems designed to protect networks becoming the very mechanisms attackers exploit.
"VPN access was meant to ensure that only authorized users can access an organization's network," Samani noted. "Instead, this access management technology is being undermined."
The Global Context Challenge
Unlike traditional crimes, cybercrime operates without geographic constraints, creating enforcement challenges that Samani describes as unprecedented. "You can conduct a crime and never have to step into the territory within which you're carrying out that crime. You don't even have to leave your bedroom."
This reality, combined with the economic incentives in certain regions, creates a perfect storm for criminal activity. When Samani interviewed a ransomware operator from West Africa, the response was telling: "I've got to pay my mortgage. I got to feed my family. What do you expect me to do?"
The technical barriers that once limited cybercrime have been systematically eliminated by the access broker economy. What remains is a business model that scales criminal activity to unprecedented levels.
Real-Time Security Imperatives
Samani's research points toward several critical takeaways for organizations. Traditional vulnerability management approaches, scanning monthly or quarterly, are inadequate against adversaries who can purchase access and deploy attacks within hours.
"Security has to be real-time," he emphasized. "That's why we built our own scanners. When we're doing attack surface management scanning, we can control everything. We can manage the scan cadence however often we want."
The integration of actionable intelligence into security platforms represents a shift from reactive to predictive defense. Rather than responding to attacks after they occur, organizations can anticipate threats based on marketplace intelligence and attacker behavior patterns.
The Path Forward
For developers, engineers, and security professionals, Samani's message is clear: understanding your attack surface and prioritizing remediation based on real threat intelligence, not arbitrary CVSS scores, is essential. The access broker economy thrives on organizations that fail to implement basic security fundamentals like multifactor authentication and proper network segmentation.
"Organizations need to understand their attack surface," Samani concluded. "They need to understand the vulnerabilities associated with their attack surface, and they need to prioritize the remediation of said vulnerabilities in a manner that is real-time."
As cybercrime continues to industrialize through marketplace economics, the defenders must match that industrialization with intelligence-driven automation and real-time response capabilities. The alternative—becoming another $2,700 listing on a dark web forum—is simply too costly to contemplate.