Time-to-Exploit Shrinks by Half as AI and Cybercrime Industrialization Accelerate Attacks

Patching Windows Collapse as Time-to-Exploit for Vulnerabilities Shrinks Dramatically

Classification: INFORMATIONAL
Published: April 10, 2026
Updated: April 30, 2026
Categories: Threat Intelligence, Patch Management, Security Operations

Related Entities: Coalition, Chris Wysopal, Leeann Nicolo

Executive Summary

A new report from Rapid7 highlights a dangerous acceleration in the threat landscape: the time between the public disclosure of a vulnerability and its widespread exploitation is shrinking dramatically. The analysis reveals that the median time for a vulnerability to be added to CISA's Known Exploited Vulnerabilities (KEV) catalog has fallen to just 5 days, down from 8.5 days previously. The mean time-to-exploit has been nearly halved, from 61 to 28.5 days. This compression of the "patching window" is attributed to the industrialization of cybercrime and the growing use of Artificial Intelligence (AI) by threat actors to reverse-engineer patches and generate exploits. The practical implication is that defenders are in a constant race against time, and known but unpatched "n-day" vulnerabilities have become a more significant and immediate threat than undisclosed "zero-day" flaws.

The Shrinking Timeline

The key findings from Rapid7's Cyber Threat Landscape Report, corroborated by research from Veracode, paint a stark picture for defenders:

  • Exploitation is Doubling: The number of high- and critical-severity vulnerabilities (CVSS 7-10) confirmed to be exploited in the wild more than doubled year-over-year, from 71 in 2024 to 146 in 2025.
  • Time-to-KEV Halved: The median time from a CVE's publication to its appearance on the CISA KEV list—a high-confidence indicator of active exploitation—plummeted from 8.5 days to just 5.0 days.
  • Mean Time-to-Exploit Collapses: The average time from disclosure to exploitation dropped from 61.0 days to 28.5 days.

This data shows that attackers are operating on a clock, while many organizations are still operating on a calendar. The traditional monthly or quarterly patch cycle is no longer adequate to manage risk in this accelerated environment.

Drivers of Acceleration

Two primary factors are driving this trend:

  1. Industrialization of Cybercrime: The cybercrime ecosystem has become highly specialized. Initial access brokers find and sell entry points, ransomware-as-a-service (RaaS) gangs provide the malware, and exploit developers focus solely on turning new CVEs into weaponized code. This division of labor dramatically increases efficiency.
  2. Artificial Intelligence: As noted by experts like Chris Wysopal of Veracode, AI is a game-changer for exploit development. Once a patch is released, attackers can use AI-powered tools to perform binary diffing (comparing the patched and unpatched code), quickly identify the vulnerable code path, and automate the generation of a working exploit. This can be done far faster than an enterprise can test and safely deploy the patch across its environment.

N-Day vs. Zero-Day: The Real Threat

This trend fundamentally shifts the risk calculus for defenders. While zero-day vulnerabilities (flaws with no patch available) are dangerous, they are also rare and expensive to use. In contrast, n-day vulnerabilities (flaws for which a patch exists) are now the weapon of choice for a majority of attackers.

Attackers know that many organizations have slow patching processes. By focusing on recently disclosed CVEs, they can target a vast number of vulnerable systems before defenders have had a chance to react. Incident response firm Coalition confirmed this, stating they see far more exploitation of known, patched issues than true zero-days. Every patch release is now effectively a starting gun for a race between attackers and defenders.

Impact Assessment

The collapsing patching window has profound implications for security operations and risk management:

  • Increased Pressure on SecOps: Security teams are under immense pressure to identify, prioritize, and remediate vulnerabilities faster than ever before. Burnout is a significant risk.
  • Obsolescence of Manual Processes: Manual vulnerability management and patching are no longer viable. The speed and scale of the threat require automation.
  • Higher Likelihood of Breach: The shorter the time-to-exploit, the higher the probability that an organization will be compromised by a known vulnerability before it can be patched.
  • Shift in Security Investment: Organizations must shift investment towards solutions that accelerate response, such as automated patch management, risk-based vulnerability prioritization, and attack surface management.

Mitigation & Recommendations

To survive in this accelerated threat landscape, organizations must adapt their security strategies:

  1. Automate Patch Management: Deploy automated patching solutions that can test and deploy critical updates across the enterprise in days, not weeks or months. This is a critical application of D3-SU: Software Update.
  2. Risk-Based Vulnerability Prioritization: Do not treat all vulnerabilities equally. Use threat intelligence, such as CISA's KEV catalog, and vulnerability prioritization tools to focus on the flaws that are actively exploited and pose the greatest risk to your specific environment.
  3. Reduce the Attack Surface: You can't patch what you don't know you have. Implement continuous attack surface management to identify and eliminate exposed and unnecessary systems, thereby reducing the number of vulnerabilities that need to be patched.
  4. Assume Breach and Implement Compensating Controls: Since patching will never be instantaneous, implement compensating controls that can mitigate the impact of an exploit. These include robust network segmentation (D3-NI: Network Isolation), strict application control, and EDR solutions that can detect post-exploitation behavior.

Timeline of Events

April 10, 2026: This article was published.

Article Updates

April 30, 2026: Fortinet reports a 389% surge in ransomware victims and time-to-exploit shrinking to 24-48 hours, driven by AI-enabled attacks.

MITRE ATT&CK Mitigations

  • Accelerate patch deployment cycles, prioritizing vulnerabilities known to be exploited in the wild.
  • Continuously scan the attack surface and prioritize vulnerabilities based on risk and active exploitation, not just CVSS score.
  • Implement network segmentation as a compensating control to limit the impact of an exploit on an unpatched system.
D3FEND Defensive Countermeasures

In response to the collapsing patching window, organizations must treat Software Update not as a routine task but as a time-critical incident response function. Manual, quarterly patching is no longer defensible. Security teams must invest in and implement automated patch management systems capable of deploying critical updates in days, not weeks. The process should be driven by risk and threat intelligence. When a vulnerability appears in CISA's KEV catalog, it should trigger an emergency change process to get the patch deployed to all affected systems within a 72-hour SLA. This requires pre-approved change windows for critical security updates and automated testing to reduce the risk of operational disruption. The goal is to move faster than the attackers, who are now weaponizing patches within a week.

With thousands of new CVEs disclosed each month, trying to patch everything is a losing strategy. Organizations must adopt a rigorous Vulnerability Prioritization and Management framework. This means moving beyond CVSS scores alone and incorporating real-world threat intelligence. The primary input for prioritization should be evidence of active exploitation, such as inclusion in the CISA KEV catalog or other threat intelligence feeds. Additionally, context from the organization's own attack surface management—is the vulnerable asset internet-facing? Is it business-critical?—is essential. By focusing patching efforts on the small subset of vulnerabilities that are both exploitable and exposed, security teams can allocate their limited resources far more effectively and have a greater impact on reducing overall risk.
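The prioritization logic described in recommendation 2 above and in the two countermeasure paragraphs, as an added example that is not the article's, Rapid7's or D3FEND's code: KEV membership outranks raw CVSS, exposure and business criticality set the tier, and every KEV entry inherits the 72-hour emergency-change deadline. The KEV snapshot, scan findings, hosts, CVE identifiers and dates are all constructed for the demo.

```python
# Added example (not from the article or the reports it cites): risk-based
# patch triage keyed on CISA KEV membership and asset exposure. The KEV
# snapshot, CVE identifiers, hosts and dates are constructed for the demo.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
KEV_SLA = timedelta(hours=72)  # emergency-change SLA once a CVE is in KEV

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    internet_facing: bool
    business_critical: bool

# Constructed KEV snapshot: CVE -> UTC date the entry was added to the catalog.
KEV = {
    "CVE-2026-00001": datetime(2026, 4, 8, tzinfo=timezone.utc),
    "CVE-2026-00003": datetime(2026, 4, 11, tzinfo=timezone.utc),
}
# Constructed scan results; web-01 has a modest CVSS but is actively exploited.
FINDINGS = [
    Finding("web-01", "CVE-2026-00001", 6.5, True, False),
    Finding("db-02", "CVE-2026-00002", 9.8, False, True),
    Finding("hr-03", "CVE-2026-00003", 7.5, False, False),
    Finding("kiosk-04", "CVE-2026-00004", 5.0, False, False),
]
NOW = datetime(2026, 4, 12, tzinfo=timezone.utc)

def priority(f: Finding, kev: dict) -> tuple[str, datetime | None]:
    """Exploitation evidence outranks raw CVSS: KEV entries get the 72h deadline
    (P1 if exposed or critical, else P2); others are P3 (CVSS >= 7 on an
    exposed/critical asset) or P4 and follow the routine cycle."""
    if f.cve in kev:
        tier = "P1" if (f.internet_facing or f.business_critical) else "P2"
        return tier, kev[f.cve] + KEV_SLA
    if f.cvss >= 7.0 and (f.internet_facing or f.business_critical):
        return "P3", None
    return "P4", None

def triage(findings, kev, now):
    """Rows of (tier, host, cve, deadline, overdue), most urgent first."""
    rows = []
    for f in findings:
        tier, deadline = priority(f, kev)
        overdue = deadline is not None and now > deadline  # SLA already lapsed
        rows.append((tier, f.host, f.cve, deadline, overdue))
    rows.sort(key=lambda r: (r[0], r[3] is None, r[3] or now))
    return rows
```

Run against the constructed data, web-01 (CVSS 6.5) outranks db-02 (CVSS 9.8) and is already past its SLA, which is the point of driving the queue from exploitation evidence rather than severity alone.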


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: patch management, vulnerability management, threat intelligence, n-day, zero-day, time to exploit, cisa kev
