Your Exploitation Window Just Collapsed
There was a time when a vulnerability disclosure gave defenders a reasonable window to respond. Weeks, sometimes months, between an advisory landing and an exploit appearing in the wild. That window was the implicit assumption underneath every vulnerability management program: we have time to triage, prioritize, plan, test, and deploy.
That assumption is gone.
The data
The average time from CVE disclosure to active exploitation has dropped from 32 days to 5, according to Mandiant and Google threat intelligence figures as reported in [1]. That's not a gradual decline; it's a collapse.
VulnCheck's State of Exploitation 2026 report provides the sharper picture: 28.96% of Known Exploited Vulnerabilities (KEVs) were exploited on or before disclosure day [2]. Not within a week. Not within days. On the same day, or before the advisory was even public.
And it gets worse. VulnCheck found that approximately 80% of exploits are published before the CVE is even assigned [2]. The exploit exists in the wild before there's a formal identifier for the vulnerability it targets. Your scanner can't flag what doesn't have a CVE yet.
Rapid7's data, as reported in [3], confirms the acceleration from the defender's side. The median time from CVE disclosure to a vulnerability being added to CISA's KEV catalog dropped from 8.5 days to 5 days. The mean dropped from 61 days to 28.5 days [3]. Confirmed exploitation of high-severity vulnerabilities (CVSS 7-10) jumped 105% year-over-year, from 71 in 2024 to 146 in 2025 [3].
The speed distribution matters more than the median. 28.3% of exploited vulnerabilities were weaponized within 24 hours of disclosure [11]. Not days. Hours. For nearly a third of exploited CVEs, the traditional triage process hasn't even started before the exploit is live.
Google's Threat Intelligence Group (GTIG) reported 90 zero-day vulnerabilities exploited in the wild in 2025, with enterprise-targeted zero-days reaching an all-time high of 48% [4]. VulnCheck found that 56.4% of ransomware-related CVEs in 2025 were first exploited as zero-days, up from 33% in 2024 [2]. Ransomware operators aren't waiting for exploits to appear. They're funding the development.
Meanwhile, CrowdStrike's 2026 Global Threat Report measured the attacker's side: average eCrime breakout time, the time from initial access to lateral movement, fell to 29 minutes. The fastest observed breakout: 27 seconds [5].
Infosecurity Magazine summarized it: "What once unfolded over weeks now materializes in days, and in some cases, minutes" [6].
The defender's math doesn't work
Set the attacker's timeline against the defender's:
- Exploitation lands: 0-5 days after disclosure (often before)
- Scanner detects: 1-7 days after CVE is assigned (which may be after exploitation)
- Triage and prioritization: 1-5 days after scanner detection
- Change request and approval: 3-14 days, depending on organization
- Patch deployment: next maintenance window (weekly, monthly, or quarterly)
- Half of vulnerabilities closed: 9-19 months [7]
The attacker's timeline is measured in days and minutes. The defender's timeline is measured in weeks and months. And the gap is widening: attackers keep getting faster while organizational remediation processes remain largely unchanged.
If your vulnerability management program assumes you have two weeks between disclosure and exploitation, that assumption is wrong for a third of exploited vulnerabilities and inaccurate for most of the rest.
Why the window collapsed
Three forces converged:
Exploit development accelerated. The CVE-GENIE framework reproduced working exploits for 51% of real-world CVEs at $2.77 average cost per vulnerability [13]. Other researchers demonstrated similar results in 10-15 minutes at roughly $1 per exploit [12]. The pipeline is fully automated: ingest the advisory, analyze the vulnerability, generate exploit code, validate against both patched and unpatched versions to eliminate false positives. Praetorian's CVE Researcher, now built on Google's Agent Development Kit, auto-triggers on any CVSS 9+ network-vector CVE and runs a four-phase pipeline from research to exploitation analysis [8]. Researchers at UC Santa Barbara demonstrated a multi-agent LLM framework that automatically converts CVE entries into working exploits, going from advisory text to proof-of-concept with no human in the loop [9]. Anthropic's own research showed Claude Sonnet 4.5 replicating the Equifax breach using standard tools; the model instantly recognized a publicized CVE and wrote exploit code without needing to look it up. A year earlier, Sonnet 3.5 failed every trial. The capability curve is that steep [10].
Disclosure and exploitation overlap. The traditional model assumed a sequence: disclosure, then analysis, then exploit development, then exploitation. Increasingly, exploitation begins during or before disclosure. Threat actors monitor the same sources (commit diffs, security mailing lists, pre-publication advisories) and move immediately.
Weaponization is commoditized. Exploit frameworks, proof-of-concept repositories, and AI-assisted exploit generation lower the bar for turning a vulnerability into a working attack. The gap between "vulnerability researcher who can find a bug" and "attacker who can exploit it" has narrowed.
What this means for your program
A 5-day exploitation window, or a zero-day one, doesn't mean "patch faster." No organizational process moves that fast. It means the answer needs to be pre-staged.
When the advisory lands, you need to already know:
- What components in your environment are affected
- Which instances of those components are actually exploitable (not just present)
- Which are reachable from the internet
- What's in the blast radius if they're compromised
- What remediation options exist: patching, mitigation, compensating controls
If you're starting that investigation from scratch when the CVE drops, the exploit is already circulating before you finish triaging. The programs that survive the collapsed window are the ones where the exposure picture and remediation options are pre-computed, updated continuously, and ready to act on the moment a new vulnerability lands.
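To make "pre-staged" concrete, here is an added example (not code from the original article): a small Python triage routine that answers the five questions above against a continuously maintained inventory the moment an advisory lands. It matches on component name and version range rather than on a CVE identifier, so it also works for an advisory that arrives before a CVE is assigned. The inventory rows, the configuration flags, the hypothetical component `example-lib` and the advisory itself are all constructed for this example and describe no real vulnerability.

```python
"""
Pre-staged exposure triage (added example, not from the original article).

Given an inventory that is regenerated continuously from SBOMs, config
management and the network model, and an advisory that has just landed,
answer immediately: what is affected, what is actually exploitable, what is
internet-reachable, what the blast radius is, and what the options are.
Everything below (hosts, versions, flags, 'example-lib') is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10.3' -> (2, 10, 3); pads so '2.10' compares equal to '2.10.0'."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """Ranges are (introduced, fixed) pairs, half-open: introduced <= v < fixed."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


@dataclass
class Asset:
    host: str
    component: str
    version: str
    internet_exposed: bool
    config: Dict[str, bool]   # runtime flags an advisory may condition on
    reaches: List[str]        # what this host can talk to (blast radius)


@dataclass
class Advisory:
    component: str
    affected: List[Tuple[str, str]]   # (introduced, fixed) version ranges
    requires_config: Dict[str, bool]  # exploitable only when these flags match
    fixed_in: str
    mitigation: str                   # compensating control if patching must wait


# Constructed inventory (hypothetical hosts and component).
INVENTORY = [
    Asset("edge-web-1", "example-lib", "2.3.1", True,  {"legacy_parser": True},  ["customer-db", "vault"]),
    Asset("edge-web-2", "example-lib", "2.3.1", True,  {"legacy_parser": False}, ["customer-db"]),
    Asset("batch-7",    "example-lib", "2.1.0", False, {"legacy_parser": True},  ["reporting-db"]),
    Asset("build-3",    "example-lib", "2.4.0", False, {"legacy_parser": True},  ["artifact-store"]),
    Asset("edge-web-3", "other-lib",   "1.0.0", True,  {},                       ["customer-db"]),
]

# Constructed advisory for the hypothetical 'example-lib'; no CVE id needed.
ADVISORY = Advisory(
    component="example-lib",
    affected=[("2.0.0", "2.4.0")],
    requires_config={"legacy_parser": True},
    fixed_in="2.4.0",
    mitigation="set legacy_parser=false",
)


def triage(inventory: List[Asset], adv: Advisory) -> List[dict]:
    """Return affected assets, highest priority first, with a concrete action."""
    findings = []
    for a in inventory:
        if a.component != adv.component or not is_affected(a.version, adv.affected):
            continue  # not present, or present but outside the affected range
        exploitable = all(a.config.get(k) == v for k, v in adv.requires_config.items())
        if exploitable and a.internet_exposed:
            priority = 1  # reachable and exploitable: act now
        elif exploitable:
            priority = 2  # exploitable but needs a foothold first
        else:
            priority = 3  # vulnerable code present, not in an exploitable configuration
        if priority == 3:
            action = f"upgrade to {adv.fixed_in} in the normal window"
        else:
            action = f"{adv.mitigation} now; upgrade to {adv.fixed_in}"
        findings.append({
            "host": a.host, "version": a.version, "priority": priority,
            "exploitable": exploitable, "internet_exposed": a.internet_exposed,
            "blast_radius": list(a.reaches), "action": action,
        })
    # Within a priority tier, the widest blast radius goes first.
    return sorted(findings, key=lambda f: (f["priority"], -len(f["blast_radius"])))


if __name__ == "__main__":
    for finding in triage(INVENTORY, ADVISORY):
        print(finding)
```

The point of the routine is not the scoring rules, which any program will tune, but that every input it needs already exists before the advisory does: the answer is a lookup, not an investigation. `build-3` drops out because its version is already the fixed one, and `edge-web-2` is present but lands in the lowest tier because the exploitable configuration is off, which is exactly the "present versus exploitable" distinction in the list above.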
The exploitation window didn't shrink. It closed. The question is whether your program is designed to have the answer ready before the question is asked.
Pre-staging starts with knowing which findings are actually exploitable; a triage framework for answering that question is the subject of a separate piece.
References
[1] CyberMindr. (2025). "Average Time-to-Exploit in 2025."
[2] VulnCheck. (2026). "State of Exploitation 2026."
[3] Infosecurity Magazine. (2025). "AI-Enabled Adversaries Compress Time-to-Exploit."
[4] Google Threat Intelligence Group. (2026, March). "2025 Zero-Days in Review."
[5] CrowdStrike. (2026, February). "2026 Global Threat Report."
[6] Infosecurity Magazine. (2025). "AI-Enabled Adversaries Compress Time-to-Exploit." (Same article as [3].)
[7] DeepStrike. (2025). "Vulnerability Statistics 2025."
[8] Praetorian. "AI-Powered CVE Research: Winning the Race Against Emerging Vulnerabilities."
[9] Ullah, S. et al. (2025). "From CVE Entries to Verifiable Exploits: An Automated Multi-Agent Framework for Reproducing CVEs."
[10] Anthropic. (2026, January). "AI Models' Expanding Cyber Capabilities."
[11] Security Boulevard. (2026, March). "46 Vulnerability Statistics 2026: Key Trends in Discovery, Exploitation, and Risk."
[12] GBHackers. (2026). "AI Systems Capable of Generating Working Exploits for CVEs in Just 10-15 Minutes."
[13] Ullah, S. et al. "CVE-GENIE: An LLM-based Multi-Agent Framework for Automated CVE Exploitation."