The Exploit Doesn't Exist. You Can Still Prove It Works Against You

For thirty years, vulnerability management has run on what now looks like an impossible luxury: a buffer of months between when a vulnerability was found and when someone could figure out how to weaponize it. Triage by severity, schedule the fix, validate, move on.

That generous buffer is what made the entire system work.

AI has stripped out the manual drag that kept weaponization slow. Reading the advisory, finding the path, shaping the chain, testing what works: none of it can afford to move at human speed anymore. Today, the disclosure-to-exploit timeframes run in hours, not months.

The Zero Day Clock, which tracks this in real time, currently averages around 8 hours for 2026, down from roughly 53 days just two years ago. The figure shifts as fresh data lands, but at this point it’s sitting firmly below 24 hours.

You Can't Patch Your Way Out of This

That generous buffer is what made the entire system work.

You Can't Patch Your Way Out of This

The Exploit Doesn't Exist. You Can Still Prove It Works Against You

The Exploit Doesn't Exist. You Can Still Prove It Works Against You

Other newsrooms on this story

Related reading

AI-Driven Exploitation is Destroying Vulnerability Management. Here’s How to…

Other newsrooms on this story

Related reading

AI-Driven Exploitation is Destroying Vulnerability Management. Here’s How to…

Claude Mythos exposed a hard truth: Your enterprise patching process is way too…

You Can’t Patch Your Way Out of This One

AI Broke Vulnerability Management. That's Why CISOs Are Moving Budget to BAS.

73 Seconds to Breach, 24 Hours to Patch: The Case for Autonomous Validation

Why Mythos Finding Vulnerabilities Faster Doesn't Make You More Secure