AI shrinks zero-day exploit time from a year to a single day, heading toward one minute — Zero-Day Clock warns security window has collapsed

(Image credit: Getty Images)

The cybersecurity world has been abuzz about AI-assisted tools finding vulnerabilities faster than ever. Even non-tech outlets have covered topics like Anthropic's Mythos bot being deemed a proverbial superweapon. We discussed one of many alerts on how the industry-standard 90-day vulnerability disclosure window is going the way of the dodo, too. Words are pretty, but programmers and politicians don't use poetry, so numbers are the proper tool for this topic. The Zero-Day Clock (ZDC) uses them to clearly display the consequences of lax security throughout the ages.The website was created by Sergej Epp from Sysdig, and the effort counts most every major tech and cybersecurity company as signatories. The lowdown is quite simple: the proverbial AI singularity made it so the mean time between a vulnerability being discovered and it being exploited has dropped from nearly a year in 2021 to just over a day in 2026 (and counting). The trend from the data is painfully visible, and the ZDC predicts that in 2027, the figure will drop to one hour and one minute eventually.

Zero Day Clock - Timeline (Image credit: zerodayclock.com)That's hardly the only stiff-drink-inducing graph, though. The percentage of zero-day exploits, meaning that malfeasants were already using them before official word came out, rose from 31% five years ago to a massive 73.2% as of today. Here, it's clearly visible that the percentage of non-exploited vulnerabilities went from ~60-70% in 2021 to a measly 25% currently... but only at the time of disclosure. Tracking the X axis shows that currently, very few vulnerabilities stay unexploited for more than a couple of weeks, and zero remain unused once past the six-week mark, in contrast with ~24% for last year.