The timeline that vulnerability management was built on has quietly disappeared. For decades, defenders could count on weeks or months between a flaw becoming public and anyone actually turning it into a working attack.
Two forces closed that gap at once.
The first is sheer volume: new flaws are piling up far faster than ever before, with the first half of 2026 alone producing more CVEs than any full year on record prior to 2024, arriving at an alarming rate of roughly one every 7.4 minutes.
The second is speed. AI has quickly erased what was left of the cushion, as we mentioned in a recent article. Today, turning an advisory into a live exploit no longer takes skilled, patient effort. The Zero Day Clock, which tracks time-to-exploit across tens of thousands of CVEs, now puts the median time for 2026 at well under a day, down from a matter of weeks just a few years earlier.
Unfortunately for security teams, defenses haven't moved anywhere near that fast, and no team can patch its way out of a backlog that’s literally growing by the minute. But volume was only part of the problem: only a fraction of a percent of those CVEs was ever turned into a live, in-the-wild attack.
What opens up is a widening stretch of time where attackers act freely, with defenders powerless to stop them. The compounding problem is proof, separating the handful of threats that can actually be turned against you from the tens of thousands that never will.
The Risk Lives Where You Can't Fire
Running pentests continuously instead of once a quarter certainly narrows that stretch, but it carries a hard ceiling. A live exploit, used by automated pentest tools, can only be launched where it’s safe to do so and where a usable exploit already exists, which in most enterprises covers only 10 to 15% of their actual attack surface.
But the rest goes unproven with traditional automated pentesting tools: the flaws without a public exploit, the regulated and air-gapped systems too sensitive to withstand a real attack, and the freshly disclosed bugs adversaries are already using while defensive tooling is still catching up.
However, proving exploitability does not require a public exploit or a live shot at a system too critical to risk. Whether physical or virtual, a chain is only as strong as its weakest link, and you don’t have to load the whole chain to find out which link would break. Picus Platform proves exploitability either way, exploit in hand, or not.
... continue reading