
Analysis of 1 billion CISA KEV remediation records exposes limits of human-scale security

Author: Saeed Abbasi, Senior Manager, Threat Research Unit, Qualys

With Time-to-Exploit now at negative seven days and autonomous AI agents accelerating threats, the data no longer supports incremental improvement. The architecture of defense must change.

What Leaders Need to Know

Analysis of CISA's Known Exploited Vulnerabilities over the past four years shows that the share of critical vulnerabilities still open at Day 7 worsened from 56% to 63%, despite teams closing 6.5x more tickets. Staffing cannot solve this.

Of the 52 tracked weaponized vulnerabilities in our study, 88% were patched more slowly than they were exploited; half were weaponized before any patch existed.

The problem isn't speed. It's the operational model itself.

Cumulative exposure, not CVE counts, is the real risk metric that security teams now need to measure. While dashboards reward the sprint to get patches done, breaches exploit the tail. AI isn't just another attack surface; instead, the transition period in which AI-powered attackers face human defenders is the industry's most dangerous window.

In response, defenders must implement their own autonomous, closed-loop risk operations.

The Broken Physics

New research from the Qualys Threat Research Unit, analyzing more than a billion CISA KEV remediation records from across 10,000 organizations over four years, quantifies what the industry has long suspected but never proved at scale. The operational model underpinning enterprise security is broken.

Vulnerability volumes have grown 6.5 times since 2022. According to Google M-Trends 2026, the average Time-to-Exploit has collapsed to negative seven days; in other words, adversaries are weaponizing the most severe vulnerabilities before patches exist. The proportion of critical vulnerabilities still open at seven days has climbed from 56% to 63%.

Yet this isn't for lack of effort. Organizations now close 400 million more vulnerability events annually than they did at baseline. Teams work harder, but it fails to make the difference where it counts. Our researchers call this the "human ceiling": a structural limit that no amount of staffing or process maturity can overcome. The constraint isn't effort. It's the model itself.


Of 52 high-profile weaponized vulnerabilities tracked with full exploitation timelines, 88% were remediated more slowly than they were exploited. For example, Spring4Shell was exploited two days before disclosure, yet the average enterprise needed 266 days to remediate.

Similarly, the flaw in Cisco IOS XE was weaponized a month before disclosure; the average close was 263 days.

The attacker's advantage was measured in days. The defender's response was measured in seasons. This isn't an intelligence failure. It's an operationalization failure.


The Manual Tax and Risk Mass

The report identifies a "Manual Tax": the multiplier effect where long-tail assets that human processes cannot reach drag exposure from weeks into months. For Spring4Shell, average remediation was 5.4 times the median.

The median tells a manageable story. The average tells the truth. Infrastructure systems face a harsher reality: for Cisco IOS XE, even the median was 232 days, compared with endpoint medians consistently under 14. When even the median outcome is close to eight months, the Manual Tax is no longer a multiplier. It's the baseline.

Looking at averages alone is no longer sufficient for decision-making. Instead, Risk Mass (vulnerable assets multiplied by days exposed) captures the cumulative exposure that CVE counts obscure. A companion metric, Average Window of Exposure (AWE), measures the full duration from weaponization to remediation across the environment.


For example, Follina was weaponized 30 days before disclosure, with a median close at Day 55.

However, the AWE stretched to 85 days. The blind spot before disclosure accounted for 36% of those 85 days, and the long tail of patching accounted for a further 44%. Together, pre-disclosure exposure and the long tail represent 80%. The sprint that gets measured makes up less than 20%.
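To make the Risk Mass and AWE definitions above concrete, and to reproduce the kind of decomposition the Follina numbers illustrate, here is an added example (not code from the Qualys report). It computes Risk Mass as total asset-days exposed since weaponization, AWE as the mean per-asset window, splits AWE into the pre-disclosure blind spot, a sprint window and the long tail, and reports the Manual Tax as mean divided by median days-to-close. The record layout, the 14-day sprint window, the placeholder CVE identifier and every date and asset below are constructed assumptions.

```python
"""Risk Mass and Average Window of Exposure (AWE) over constructed remediation
records. Added example, not code from the Qualys report; the record layout, the
14-day "sprint" window used to split post-disclosure exposure into sprint and
long tail, the CVE identifier and every date below are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, median
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Timeline:
    """Per-CVE dates: first in-the-wild exploitation and public disclosure."""
    weaponized: date
    disclosed: date


@dataclass(frozen=True)
class AssetRecord:
    """One vulnerable asset; remediated=None means still open at the cut-off."""
    asset_id: str
    cve: str
    remediated: Optional[date]


def exposure_days(rec: AssetRecord, tl: Timeline, as_of: date) -> int:
    """Days from weaponization to close (or to the cut-off if still open)."""
    return ((rec.remediated or as_of) - tl.weaponized).days


def risk_mass(records: Iterable[AssetRecord], timelines: Dict[str, Timeline], as_of: date) -> int:
    """Risk Mass: vulnerable assets x days exposed, i.e. total asset-days."""
    return sum(exposure_days(r, timelines[r.cve], as_of) for r in records)


def awe(records: Iterable[AssetRecord], timelines: Dict[str, Timeline], as_of: date) -> float:
    """Average Window of Exposure: mean per-asset exposure since weaponization."""
    return mean(exposure_days(r, timelines[r.cve], as_of) for r in records)


def awe_breakdown(records: Iterable[AssetRecord], tl: Timeline, as_of: date,
                  sprint_days: int = 14) -> Dict[str, float]:
    """Split AWE for one CVE into the pre-disclosure blind spot, the sprint
    (first `sprint_days` after disclosure) and the long tail beyond it.
    Because min(p, s) + max(p - s, 0) == p, the three parts sum to the AWE."""
    post = [((r.remediated or as_of) - tl.disclosed).days for r in records]
    pre = (tl.disclosed - tl.weaponized).days          # same for every asset
    sprint = mean(min(p, sprint_days) for p in post)   # capped at the SLA window
    tail = mean(max(p - sprint_days, 0) for p in post) # everything past the SLA
    total = pre + sprint + tail
    return {
        "pre_disclosure": pre, "sprint": sprint, "long_tail": tail, "awe": total,
        "pre_share": pre / total, "sprint_share": sprint / total,
        "tail_share": tail / total,
        # Manual Tax as the report frames it: mean days-to-close over median.
        "manual_tax": mean(post) / median(post),
    }


# Constructed sample: one hypothetical CVE weaponized 30 days before disclosure,
# nine assets closing 3..120 days after disclosure and one still open at cut-off.
CVE = "CVE-0000-0001"  # placeholder identifier, not a real CVE
TIMELINES = {CVE: Timeline(weaponized=date(2025, 1, 1), disclosed=date(2025, 1, 31))}
AS_OF = TIMELINES[CVE].disclosed + timedelta(days=200)
_CLOSE_DAYS = [3, 5, 7, 10, 12, 14, 20, 30, 120]
RECORDS = [AssetRecord(f"host-{i}", CVE, TIMELINES[CVE].disclosed + timedelta(days=d))
           for i, d in enumerate(_CLOSE_DAYS)] + [AssetRecord("host-9", CVE, None)]


def run_example() -> Dict[str, float]:
    """Risk Mass plus the AWE breakdown for the constructed sample."""
    out: Dict[str, float] = {"risk_mass": risk_mass(RECORDS, TIMELINES, AS_OF)}
    out.update(awe_breakdown(RECORDS, TIMELINES[CVE], AS_OF))
    return out


if __name__ == "__main__":
    for key, val in run_example().items():
        print(f"{key:>16}: {val:.2f}" if isinstance(val, float) else f"{key:>16}: {val}")
```

On the constructed sample the median close (13 days) looks healthy, but one unpatched host and one 120-day straggler push the mean to 42 days, a Manual Tax of about 3.2x, and the long tail ends up a larger share of AWE than the sprint. Swapping in real per-asset close dates from a VM platform export is the only change needed to run this over your own data.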

At the same time, of 48,172 vulnerabilities disclosed in 2025, only 357 were remotely exploitable and actively weaponized. Organizations are burning remediation cycles on theoretical exposure while genuinely exploitable gaps persist.

Why the Gap Will Widen

Cybersecurity has long operated as a by-product of technology shifts: Windows security followed Windows, cloud security followed cloud. Leading practitioners and investors now argue that AI breaks that pattern. It's not merely a new surface to defend; it's a fundamental transformation of the adversary itself.

Offensive agents can already discover, weaponize, and execute faster than any human-staffed operation can respond. The remediation data proves humans cannot keep pace today. Autonomous AI ensures the gap will widen faster tomorrow.

The transition period, in which AI-powered attackers face human-speed defenders, represents the industry's most dangerous window, compounded by the structural weaknesses that dominate the near term: attack surfaces expanded beyond what teams can govern, identity sprawl that outpaces policy, and remediation workflows still built on manual execution.


How Security Teams Can Close the Risk Gap

The scan-and-report model (discover, score, ticket, manually route) was built for lower volumes and longer exploit timelines.

What replaces it is an end-to-end Risk Operations Center: embedded intelligence arriving as machine-readable decision logic, active confirmation validating whether a vulnerability is actually exploitable in a specific environment, and autonomous action compressing response to the timescale the threat demands.

The objective is not to eliminate human judgment but to elevate it: shifting practitioners from tactical execution to governing the policies that direct autonomous systems. The organizations already winning the physics gap are not winning with bigger teams. They're winning because they've removed human latency from the critical path.

Time-to-Exploit will not return to positive numbers. Vulnerability volume will not plateau. The reactive model has hit a hard mathematical ceiling.

The only remaining question is whether organizations will adopt an architecture that matches the math, before the window between human-scale defense and autonomous-scale offense closes for good.

Contact Qualys for insights into how companies manage remediation at scale with automation and AI, and how you can make that difference right now.

Sponsored and written by Qualys.
