The timeline that vulnerability management was built on has quietly disappeared. For decades, defenders could count on weeks or months between a flaw becoming public and anyone actually turning it into a working attack.

Two forces closed that gap at once.

The first is sheer volume: new flaws are piling up far faster than ever before, with the first half of 2026 alone producing more CVEs than any full year on record prior to 2024, arriving at an alarming rate of roughly one every 7.4 minutes.

The second is speed. AI has quickly erased what was left of the cushion, as we mentioned in a recent article. Today, turning an advisory into a live exploit no longer takes skilled, patient effort. The Zero Day Clock, which tracks time-to-exploit across tens of thousands of CVEs, now puts the median time for 2026 at well under a day, down from a matter of weeks just a few years earlier.

Unfortunately for security teams, defenses haven't moved anywhere near that fast, and no team can patch its way out of a backlog that’s literally growing by the minute. But volume was only part of the problem: only a fraction of a percent of those CVEs was ever turned into a live, in-the-wild attack.