For twelve weeks running January 1 through March 23, 2026, our threat-intelligence team scraped, normalized, and price-tracked every initial-access listing posted to the three Russian-language forums where roughly 80% of English-readable IAB activity still concentrates: XSS.is, Exploit.in, and the bulletproof-hosted aggregator known publicly as the Russian Anonymous Marketplace (RAMP). 1,184 distinct listings made it into the dataset after deduplication. The headline number is the one in the alert above. The interesting numbers are the ones underneath.
What the market actually looks like
The single most important shift in Q1 2026 is that "initial access broker" is no longer a coherent single market. It has split into four distinct tiers, each with its own price discovery, its own buyer profile, and its own typical fulfillment time:
| Access type | Q1 2026 avg | Range | YoY change |
|---|---|---|---|
| VPN / Citrix / SSL-VPN | $7,200 | $5,000 – $15,000 | +38% |
| Cloud / SaaS tenant admin | $2,400 | $1,500 – $4,000 | +12% |
| Domain admin (on-prem AD) | $3,800 | $2,200 – $9,500 | +8% |
| RDP (single host) | $420 | $80 – $1,200 | −22% |
Three things to read out of this table.
VPN credentials are now more expensive than domain admin. That's the inversion of historical pricing, and it tells you exactly what the market values. A working VPN credential delivers the buyer past the perimeter, into the network's trust boundary, with no zero-day required and no exploit chain to maintain. Domain admin, by contrast, requires the buyer to have already gotten in and to have done the lateral movement and privilege escalation work themselves. The market is paying more for the harder-to-replicate part of the kill chain.
SaaS tenant access is cheap and getting cheaper relative to the value extracted. Sub-$3K listings for tenant admin into mid-market Salesforce, HubSpot, ServiceNow, and Workday environments are routine. The price reflects abundance — stealer logs deliver these in volume — not low value to the attacker. A single Salesforce tenant compromise still produces six- to seven-figure extortion outcomes. The buyers know this. The listings are priced low because the supply is pouring in.
RDP is fading. This is the only category trending down in absolute terms, and the reason is mundane: EDR coverage on Windows hosts has finally caught up. Listings that used to fetch $800–$1,500 in 2023 now sit at $80–$400 and frequently expire unsold. A working RDP foothold against an EDR-protected host has a half-life measured in hours; against an unmanaged host in 2026 it's increasingly hard to find one that nobody else has already burned.
Why ransomware affiliates buy instead of phish
The economic argument changed in 2025 and crystallized in Q1 2026. A ransomware affiliate running a phishing-driven access program needs to maintain infrastructure (lure domains, sending IPs, redirect chains, telemetry-evading payload delivery), tolerate increasingly aggressive takedown response from email vendors, and accept conversion rates that fell from a 2023-era average of around 0.4% to a 2026 average estimated at 0.07–0.12% across vendor-published data. The fully-loaded cost of a successful phish-driven access event for a competent affiliate is now in the $4,000–$9,000 range once you account for infrastructure, time, and burn rate.
$7,200 for a turnkey VPN credential — sold with proof of access, often a screenshot of an internal portal, occasionally a video of the broker logged into an internal SharePoint — looks like a bargain by comparison. The buyer pays once, gets a working session, and skips the entire campaign-operations overhead. The seller, in turn, has typically harvested the credential from a stealer log (cost: $5–$15) or a pre-positioned malware foothold (cost: amortized across tens of thousands of victims). The marginal cost to the seller is near zero. The price is set by what the affiliate is willing to pay versus the cost of phishing themselves.
The shift to a buy-not-build market is the single most important defender-relevant fact about Q1 2026. It means that the question "would a phish get through our filters" is no longer the right question. The right question is "is a working credential to our environment sitting in a stealer log or a broker listing today, and would we know if it were."
The "fresh access" tax
Listings less than 24 hours old commanded an average premium of 2.4x over equivalent access advertised as 7+ days old. The premium is rational: fresh access has not yet been tested, sold to multiple buyers, or noticed by the victim's defenders. The value depreciates fast. For a defender, the practical implication is that the window between a credential being listed and being burned is now measured in days, and the most valuable monitoring you can do is the kind that catches a listing within hours of posting.
A second pricing signal worth highlighting: brokers increasingly advertise defender posture alongside the access. Listings now routinely include phrases like "no EDR detected," "VPN does not enforce MFA," "AD has no Tier 0 segmentation," and "domain admins exempt from CA policy." These are not marketing flourishes. They are technical attributes that buyers explicitly filter on, and they tell you which of your defensive controls the broker market values.
If your environment has any of the following, a listing for it commands the upper end of the price range:
- Single-factor VPN, or VPN where MFA is bypassable via a fallback method (SMS, push without number-matching, voice-call OTP)
- SSL-VPN appliances on out-of-support firmware (Pulse Secure, Fortigate, Citrix NetScaler running pre-2024 builds)
- Active Directory with no tiered admin model — meaning domain admins log into ordinary workstations
- SaaS tenants where break-glass admin accounts have no MFA and no conditional access
- Internal infrastructure reachable from VPN without further authentication (the "soft inside" pattern)
What to monitor today
The forums are not behind paywalls or invitation walls in any meaningful sense. They are behind language and reputation friction. Defenders can monitor them directly with a dedicated, isolated workstation, a Russian-language reading workflow, and a few months of patient observation to learn the conventions. For organizations that don't want to staff that, the work-effort math favors a feed subscription. Either way, the monitoring is non-optional in 2026.
- Scrape or subscribe to a feed of the three primary forums. The signals you want are: any listing whose victim description plausibly matches your environment (industry, country, employee-count band, technology stack); any listing for "U.S. tech, ~500 employees, VPN access" if that describes you; and any name-drop or domain-drop in chatter threads.
- Cross-reference against your stealer-log corpus. A listing that names a victim is often preceded by 24–72 hours of stealer-log appearances containing the victim's domain. The two together raise confidence dramatically.
- Run continuous external surface validation. If the listing claims "VPN access, no MFA," your defenders should already know that's not true today. The way you know is by testing it weekly, not by asking the network team whether they think MFA is enforced.
- Burn the credential, don't just rotate it. When you suspect a listing for your environment, revoke every active session, invalidate every refresh token, and force re-enrollment of every device with VPN access. Password rotation alone leaves the active sessions intact.
How CELVEX Group tests for this
Our dark-web monitoring module runs THREAT-DARKWEB-IAB-MON-001, defined in core/test_catalog/_supplement_threat_intel_2026-03.py. The test executes four checks against the customer's brand and infrastructure footprint:
- Forum listing match. Continuous scraping of XSS.is, Exploit.in, and RAMP for listings whose victim metadata (industry, geography, employee count, named technologies, sometimes leaked screenshots) plausibly matches the customer.
- Direct identifier check. Customer domains, registered SaaS tenants, and known subsidiary names are matched verbatim against listing text and thread-body chatter, with the matches translated and surfaced into the customer's report.
- Defender-posture corroboration. Where a listing advertises a specific defensive weakness ("no EDR," "VPN does not enforce MFA"), we run the corresponding active validation against the customer's actual perimeter to determine whether the claim is testable today. False claims are common; true ones are urgent.
- Pricing-context delta. Whenever a listing matches the customer, we report the asking price relative to the Q1 2026 baseline, the listing's age, and the seller's prior-listing reputation, so the customer can prioritize response.
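The monitoring steps above (footprint matching, stealer-log cross-referencing, posture validation, and the pricing-context delta) fit together as one triage pass. The following is an added example written for this page, not CELVEX Group's code and not the THREAT-DARKWEB-IAB-MON-001 test: it scores constructed listing records against a constructed organisation profile, corroborates matches with constructed stealer-log sightings inside the 72-hour window the report describes, compares the asking price with the Q1 2026 baseline averages from the table above, and sorts the advertised weaknesses into those our own validation confirms and those it refutes. The scoring weights, the 30-point reporting threshold, the 30% headcount tolerance, the phrase-to-control table and every listing, seller and domain are assumptions made for the example; only the baseline prices and the quoted seller phrases come from the report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Q1 2026 average asking price per access tier, from the report's table (USD).
BASELINE_AVG = {"vpn": 7200, "saas": 2400, "domain_admin": 3800, "rdp": 420}
# Seller phrases quoted in the report, mapped to the control each one claims the victim lacks
# (the mapping itself is this example's assumption).
POSTURE_CLAIMS = {
    r"\bno edr\b": "edr",
    r"\b(?:does not|doesn't|no) (?:enforce )?mfa\b": "vpn_mfa",
    r"\bno tier ?0\b": "ad_tiering",
    r"\bexempt from ca policy\b": "conditional_access",
}
STEALER_WINDOW = timedelta(hours=72)  # report: sightings precede listings by 24-72h

@dataclass
class OrgProfile:
    domains: set[str]          # identifiers to match verbatim in listing text
    industry: str
    country: str
    employees: int
    tech: set[str]             # lowercase product names present in the environment
    controls: dict[str, bool]  # control -> enforced today, per weekly external validation

@dataclass
class Listing:
    listing_id: str
    forum: str
    posted: datetime
    access_type: str           # one of BASELINE_AVG's keys
    price_usd: int
    text: str                  # seller's description, translated and lowercased
    seller_rep: int            # prior completed sales on the seller's forum profile

@dataclass
class Match:
    listing_id: str
    score: int
    reasons: list[str]
    age_hours: float
    price_vs_baseline: float
    confirmed_claims: list[str]     # advertised weaknesses our own validation agrees with
    contradicted_claims: list[str]  # advertised weaknesses our validation refutes

def has_word(text: str, word: str) -> bool:
    return re.search(rf"\b{re.escape(word)}\b", text) is not None

def extract_posture_claims(text: str) -> set[str]:
    """Controls a listing claims the victim lacks, per the phrase table above."""
    return {ctl for pat, ctl in POSTURE_CLAIMS.items() if re.search(pat, text)}

def employee_count_matches(text: str, employees: int, tolerance: float = 0.3) -> bool:
    """True if the listing states a headcount within +/- tolerance (assumed 30%) of ours."""
    m = re.search(r"~?\s*([\d,]+)\s*(?:employees|staff|users)", text)
    return m is not None and abs(int(m.group(1).replace(",", "")) - employees) <= tolerance * employees

def stealer_corroborated(listing: Listing, org: OrgProfile, sightings: list[tuple[str, datetime]]) -> bool:
    """True if one of our domains appeared in stealer logs during the 72h before posting."""
    return any(d in org.domains and timedelta(0) <= listing.posted - t <= STEALER_WINDOW
               for d, t in sightings)

def score_listing(listing: Listing, org: OrgProfile,
                  sightings: list[tuple[str, datetime]], now: datetime) -> Match | None:
    """Score one listing against our footprint; weights are this example's assumptions."""
    hits: list[tuple[int, str]] = []
    if any(has_word(listing.text, d) for d in org.domains):
        hits.append((50, "direct identifier hit"))
    if has_word(listing.text, org.industry):
        hits.append((10, "industry"))
    if has_word(listing.text, org.country):
        hits.append((10, "country"))
    if employee_count_matches(listing.text, org.employees):
        hits.append((10, "employee band"))
    shared = sorted(t for t in org.tech if has_word(listing.text, t))
    if shared:
        hits.append((5 * len(shared), "tech: " + ", ".join(shared)))
    if stealer_corroborated(listing, org, sightings):
        hits.append((20, "stealer-log sighting within 72h of posting"))
    score = sum(p for p, _ in hits)
    if score < 30:  # reporting threshold, an assumption
        return None
    claims = extract_posture_claims(listing.text)
    return Match(listing_id=listing.listing_id, score=score, reasons=[r for _, r in hits],
                 age_hours=(now - listing.posted).total_seconds() / 3600,
                 price_vs_baseline=listing.price_usd / BASELINE_AVG[listing.access_type],
                 confirmed_claims=sorted(c for c in claims if not org.controls.get(c, False)),
                 contradicted_claims=sorted(c for c in claims if org.controls.get(c, False)))

def triage(listings, org, sightings, now) -> list[Match]:
    """Matching listings, highest score first, freshest first on ties."""
    found = [m for m in (score_listing(lst, org, sightings, now) for lst in listings) if m]
    return sorted(found, key=lambda m: (-m.score, m.age_hours))

# --- constructed sample data: no real listings, sellers or victims ---
NOW = datetime(2026, 3, 20, 12, 0)
ORG = OrgProfile(domains={"example-corp.com"}, industry="tech", country="us", employees=520,
                 tech={"vpn", "citrix", "salesforce"},
                 controls={"edr": True, "vpn_mfa": False, "ad_tiering": True, "conditional_access": True})
SAMPLE_LISTINGS = [
    Listing("L-1", "XSS.is", NOW - timedelta(hours=5), "vpn", 9500,
            "us tech company, ~500 employees, citrix vpn access, vpn does not enforce mfa, no edr", 14),
    Listing("L-2", "Exploit.in", NOW - timedelta(days=9), "rdp", 150,
            "de manufacturing, 2,000 employees, single rdp host", 3),
    Listing("L-3", "RAMP", NOW - timedelta(hours=30), "saas", 2000,
            "salesforce tenant admin, victim example-corp.com, no tier 0 segmentation", 7),
]
SAMPLE_SIGHTINGS = [("example-corp.com", NOW - timedelta(hours=50)), ("other.example", NOW - timedelta(hours=2))]

if __name__ == "__main__":
    for m in triage(SAMPLE_LISTINGS, ORG, SAMPLE_SIGHTINGS, NOW):
        print(f"{m.listing_id} score={m.score} age={m.age_hours:.0f}h price={m.price_vs_baseline:.2f}x "
              f"confirmed={m.confirmed_claims} contradicted={m.contradicted_claims} reasons={m.reasons}")
```

On the sample data the direct-identifier listing (L-3) outranks the generic-description listing (L-1) even though L-1 is fresher and richer in advertised weaknesses; the stealer-log sighting 50 hours before posting lifts both. L-1's "no EDR" claim is contradicted by the profile's own validation while "VPN does not enforce MFA" is confirmed, which is the distinction the report draws between common false claims and urgent true ones. The `controls` map is the part that has to come from weekly external testing rather than from a spreadsheet; the scoring is only as honest as that input.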
The output is not a list of forum URLs. It's a triaged, translated, severity-ranked feed of listings that plausibly affect the customer, with the defensive controls each listing names already validated against the customer's actual infrastructure. Customers running this against their environment receive a notification within the same hour a fresh listing matching their footprint is posted.
Bottom line
The initial-access broker market in Q1 2026 is bigger, more specialized, and more efficient than at any point in its decade-long history. VPN credentials are now its premium product because they deliver buyers past the part of the kill chain that's hardest to replicate, and ransomware affiliates are paying because the unit economics now favor buying over phishing. RDP is fading because EDR caught up. SaaS access is abundant and cheap.
The defenders who will outperform in 2026 are the ones who treat the broker market as a real, monitorable signal — not as something happening to other companies — and who invest in the specific capability of seeing themselves listed before the buyer does. Everything else is downstream of that.