For thirty years, vulnerability management has run on what now looks like an impossible luxury: a buffer of months between when a vulnerability was found and when someone could figure out how to weaponize it. Triage by severity, schedule the fix, validate, move on.
That generous buffer is what made the entire system work.
AI has stripped out the manual drag that kept weaponization slow. Reading the advisory, finding the path, shaping the chain, testing what works: none of it moves at human speed anymore. Today, disclosure-to-exploit timeframes run in hours, not months.
The Zero Day Clock, which tracks this in real time, currently averages around 8 hours for 2026, down from roughly 53 days just two years ago. The figure shifts as fresh data lands, but at this point it’s sitting firmly below 24 hours.
You Can't Patch Your Way Out of This
The reflex is usually to just patch faster. But remediation isn't simply a switch you flip. Patches wait on a number of contingencies: regression testing, change windows, and uptime commitments. And today, every number that matters is unfortunately moving in the wrong direction.
Verizon's 2026 Data Breach Investigations Report, drawn from more than 13,000 organizations, found that:
- The median fix time for known-exploited vulnerabilities is now 43 days, up from 32 last year.
- The share of organizations fully patching them is down from 38% to 26%.
- Even the best performers close only 30 to 40% of these vulnerabilities in the first week, a rate that's barely budged in years.