The Collapse
Seven chapters on the death of the vulnerability window.
63 → 5 days
The Window
Time-to-Exploit (TTE) measures the gap between when a vulnerability is publicly disclosed (CVE published) and when the first working exploit appears in the wild. In 2018, defenders had a median of 63 days. By 2023, that window had compressed to just 5 days. The collapse is not linear — it's exponential.
70%
The Acceleration
In recent years, over 70% of exploited vulnerabilities were zero-days — meaning attackers had working exploits before or on the same day the vulnerability was disclosed. The traditional model of "disclose, then patch, then attackers catch up" is obsolete. Attackers are often already there.
30 min, $6
The Industrialization
AI is industrializing exploit development. Research has demonstrated LLM-powered systems generating 40+ working exploits in 30 minutes for approximately $6 in compute costs. This isn't theoretical — it's the economics of exploitation collapsing alongside the timeline.
28.3%
The Math
Nearly one in three exploited CVEs in the last year were weaponized within 24 hours of disclosure. The exponential decay model fits the data with high confidence. The math says the median TTE crosses the 1-day threshold around 2025, the 1-hour threshold around 2027, and the 1-minute threshold around 2030.
(Figure: Median TTE)
20 days
The Patching Gap
The median time for organizations to apply patches is approximately 20 days. When exploits arrive in hours, a 20-day remediation cycle means defenders are exposed for 99% of the vulnerability lifecycle. The gap between exploitation speed and patching speed is widening, not closing.
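As an added illustration of the exponential decay model from "The Math" and the exposure arithmetic from "The Patching Gap" (this is not the article's own code or dataset), the Python below fits a decay curve to the only two medians quoted on this page (63 days in 2018, 5 days in 2023), then reports the halving time, the years in which the modelled median crosses 1 day, 1 hour and 1 minute, and the share of a 20-day patch cycle during which a working exploit already exists. Because it uses just those two points, its crossing years differ from the article's fit, which draws on more data.

```python
import math

# Constructed from the two medians quoted in the article: (year, median TTE in days).
# Only these two points appear on the page; the article's own fit uses more data.
OBSERVATIONS = [(2018, 63.0), (2023, 5.0)]


def fit_exponential(points):
    """Least-squares fit of ln(tte) = ln(tte0) - k * (year - base).
    Returns (base_year, tte0, k) with tte(year) = tte0 * exp(-k * (year - base_year));
    with exactly two points the fitted curve passes through both."""
    base = points[0][0]
    xs = [year - base for year, _ in points]
    ys = [math.log(days) for _, days in points]
    n = len(points)
    x_bar, y_bar = sum(xs) / n, sum(ys) / n
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return base, math.exp(y_bar - slope * x_bar), -slope


def median_tte(model, year):
    """Modelled median TTE in days for a (possibly fractional) year."""
    base, tte0, k = model
    return tte0 * math.exp(-k * (year - base))


def halving_time(model):
    """Years for the modelled median TTE to halve."""
    return math.log(2) / model[2]


def crossing_year(model, threshold_days):
    """Fractional year in which the modelled median TTE drops to threshold_days."""
    base, tte0, k = model
    return base + math.log(tte0 / threshold_days) / k


def exposed_fraction(model, year, patch_cycle_days=20.0):
    """Share of a fixed remediation cycle spent with a working exploit already
    available: 1 - TTE / cycle length, clamped to [0, 1]."""
    return min(1.0, max(0.0, 1.0 - median_tte(model, year) / patch_cycle_days))


if __name__ == "__main__":
    model = fit_exponential(OBSERVATIONS)
    print(f"k = {model[2]:.3f}/yr, median TTE halves every {halving_time(model):.2f} yr")
    for label, days in (("1 day", 1.0), ("1 hour", 1 / 24), ("1 minute", 1 / 1440)):
        print(f"median TTE reaches {label}: {crossing_year(model, days):.1f}")
    for year in (2018, 2023, 2026):
        print(f"{year}: exploit exists for {exposed_fraction(model, year):.0%} of a 20-day cycle")
```

Feeding the script every yearly median instead of two points turns the exact two-point curve into a genuine least-squares fit, which is how the crossing years should be estimated in practice.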
Monthly cycles
What Breaks
Monthly patch cycles — the backbone of enterprise vulnerability management — become theater when TTE approaches zero. If the median exploit arrives in hours, scheduling patches for "next Tuesday" is no longer a risk management strategy. It's a hope-based strategy.
Automate
What To Do
When human-speed patching can't keep up, the response must be automated. Runtime Application Self-Protection (RASP), virtual patching, automated WAF rules, and zero-trust architectures become necessities rather than nice-to-haves. The organizations that survive the collapse of TTE will be the ones that automated their response before the window closed completely.