Zero Day Clock

The Signatories

The industry voices behind the warning and call to action.

“AI capability scales with the cheapness of verification. Offense has the cheapest verifier.”

Sergej Epp (Sysdig)

“The entire defense model is built on imposing cost on attackers. AI is about to make that cost zero.”

Vijay Bolina (CISO @ Stealth Frontier AI Company)

“The attackers’ AI singularity has arrived. Ours has not yet begun.”

Gadi Evron (Knostic)

“Google taught me that any machine should be rebuildable in hours. The Clock measures whether you still have hours left.”

Heather Adkins (Google)

“Attacks always get better. They never get worse. But for the first time, the same is true for defense. The race just got faster on both sides — and the side that sees the data first wins.”

Bruce Schneier (Security Technologist)

“We continue to see threat activity accelerate and the time to exploit availability and exploitation accelerate.”

Patrick Garrity (VulnCheck)

“Distributed. Immutable. Ephemeral. When exploits arrive in hours, the only system that survives is one built to be replaced.”

Sounil Yu (Knostic)

“I built DEF CON so researchers could show what they found. For thirty years, I watched the time between finding a vulnerability and exploiting it get shorter. We’re running out of timeline to show.”

Jeff Moss (Black Hat & DEF CON)

“Everything we’re doing in internet security is too little, too late. I’ve known that for decades. What I didn’t know was how fast ‘too late’ would arrive. Now there’s a Clock that measures it.”

Paul Vixie (AWS & Internet Pioneer)

“500,000 SANS-trained defenders. The Clock shows the new speed. Now we make every tool they use AI-ready.”

Rob Lee (SANS)

“Less than 5% of vulnerabilities are weaponized and time-to-exploit is already in hours. When AI scales that to 60%, no patch cycle, no SOC, and no budget survives the math.”

Caleb Sima (WhiteRabbit)

“Every patch is an exploit blueprint. AI will dramatically compress the time it takes to turn the blueprint into a working exploit.”

Thomas Dullien (Halvar Flake)

“AI agents are the new attack surface and the new defenders. We must secure both sides.”

Chris Hughes (Resilience Cyber & Zenity)

“Speed is our best defense. When exploits arrive in hours, the only viable defense is the one that’s already on by default - broad classes of architectural mitigations.”

Phil Venables (Ballistic, 4x CISO)

“When AI collapses the exploit timeline to hours, implicit trust becomes existential risk.”

John Kindervag (Creator of Zero Trust)

“MOAK proves what everyone feared. Any threat actor can now use publicly available AI models to weaponize vulnerabilities in minutes.”

Niv Hoffman (Creator of MOAK.AI, CTO @ Buzz)

“AI finds and exploits vulnerabilities faster than we patch them. We need to focus on eliminating entire bug classes.”

Clint Gibler (tl;dr sec & Semgrep)

“Every vulnerability scoring framework assumes defenders have time to prioritize. When exploitation is instant, scoring becomes a post-mortem exercise.”

Manish Bhatt (Amazon Leo & Zero Day Connoisseur)

“Security leadership spent decades optimizing calendars. Now, AI hands attackers a stopwatch. Bringing a calendar to a clock fight won’t end with lessons learnt but with a post mortem.”

Philipp Suedmeyer (CISO, Munich RE)

“Agentic AI is driving toward one-click CVE exploitation. Defenders must accelerate detection and remediation. That’s what this clock represents.”

Ashish Rajan (CISO & Cloud Security Podcast)

“We are fighting a war with the bad guys. We can only hope to win this war if we fight it together. Open source is the only approach with the agility and broad reach to meet modern security concerns.”

Loris Degioanni (Wireshark, Falco & Sysdig)

“There’s no doubt that AI is making attackers’ lives easier, continually lowering the bar to exploit software. That’s exactly why we need to double down on secure-by-design development, particularly in the age of AI coding.”

Jack Cable (Corridor)

“The future of security is the dueling banjos of the defender’s AI stack vs. the attacker’s AI stack. And the worse that imbalance is the worse this clock gets.”

Daniel Miessler (Unsupervised Learning)

“Mythos is cybersecurity's Y2K, except the deadline already passed. When AI finds thousands of zero-days that survived decades of human review, the vulnerability window doesn't shrink. It vanishes.”

George Kurtz (CEO/Founder CrowdStrike)

“Vendors outsource their quality problems to customers, who build whole organizations just to manage the treadmill. Attackers couldn’t have designed it better.”

Linus Neumann (Chaos Computer Club)

“The tipping point always comes faster than you think. I’ve seen it with cloud, AI, and digital assets.”

Sandip Wadje (BNP Paribas)

“When underwriting cyberinsurance and dealing with claims we’re seeing attackers getting faster.”

Tiago Henriques (Coalition)

“Exploits used to be crafted. Now they're manufactured. The barrier to entry isn't skill anymore, it's compute budget and patience. The clock isn't measuring human speed anymore.”

Jonathan Zanger (CTO, Check Point)

“A strong wake-up call. When weaponization timelines shrink to zero, the traditional "patching grace period" model becomes obsolete. The real answer is better software quality and architectures that reduce exploitable exposure in the first place.”

Stefan Braun (Henkel)

“Traditional patching is a losing race against the clock. The future of defensive security belongs to autonomous systems.”

Marco Balduzzi (Trend Micro)

“Artificial Intelligence is moving faster than any technology before it. Those who fail to prepare won’t fall behind — they will be left irrelevant.”

Hermann Huber (Cyberlagebild)

“I’ve funded cybersecurity startups for a decade. The companies that win compress the time between vulnerability and fix. The Zero Day Clock measures that compression for the entire ecosystem.”

Chenxi Wang (Rain Capital)

“I built security teams at Facebook, Uber, and Cloudflare. At every one, the hardest part was the same: creating urgency before the breach, not after.”

Joe Sullivan (CEO of JS Security LLC & 3x CISO)

“I co-wrote the first web application security testing standard in 2003. Twenty-two years later, cross-site scripting is still the number one vulnerability class. We are not learning. We are accumulating.”

Daniel Cuthbert (Santander)

“AI is bringing real speed and scale to defense. Attackers have it too -- but if we move fast, defenders can finally gain an edge. We should all worry about a "vuln-pocalypse," yet act with speed and urgency to secure the world's code. Exciting times!”

Ondrej Vlcek (AISLE)

“Cybersecurity in the age of AI is a marathon that we need to sprint. The urgency is real.”

David Haber (CEO and Founder of Lakera)

“Cybersecurity has always been a matter of time and resources. With AI, both have disappeared.”

David BALME (Comprendre.ai)

“Secure by Design is the only way forward. Hack yourself with the best security bug finders before release.”

Chris Wysopal (Co-founder Veracode)

“The bar to exploit vulnerabilities is now so low that “break then patch” is not a viable approach anymore.”

Stefano Zanero (Professor, Politecnico di Milano)

“Defenders still live in a pre-AI world. We can now patch at scale with the click of a button, and we need to.”

Francesco Piccoli (CEO @ Almanax)

“Vulnerability exploitation signals have become disrupted and noisy, in an AI era we need automated response.”

Francesco Cipollone (Phoenix Security)

“AI will compress SLAs to zero. Quality and defense must become continuous and automatic.”

Brett Cumming (F500 CISO)

“RunSybil exists because we saw this convergence coming. Now there's data the whole world can see.”

Ari Herbert-Voss (RunSybil)

“I reminded a few people about this back in 2018, AI is going to ruin everyone’s party. That time is now.”

Ron F. Del Rosario (SAP Supply Chain Management)

“We reported 15 critical kernel bugs to 8 vendors. One got patched. PSIRTs aren’t built for AI-scale volume.”

Yaron Dinkin & Eyal Kraft (Hexaplex)

“We are no longer playing cat and mouse. It's just cat now while we are caught with our tails tied.”

Vidya Bodepudi (Fuze Health)

“Let’s accept that the exploit window is gone and it isn’t coming back. Then let’s build systems that assume compromise and are designed to keep running through it.”

Neal Swaelens (CEO, Manifold Security)

“In the age of AI, human eyes will no longer spot the bugs that matter.”

Floren Molina (CTO @ Santander Services Solutions)

“Time has never really been on our side, but we have acted as if it was. We no longer can avoid reality.”

Tom Byrnes (CEO / ThreatSTOP)

“"We must all hang together, or most assuredly we shall all hang separately".”

Joe Evangelisto (CISO / NetSPI)

“We've got to build systems as if there is always a zero day and the patch is never coming.”

Adrian Sanabria (Founder, The Defenders Initiative)

“Process bound defense meets ambition fueled offense. AI adoption demands immediate reconciliation.”

Nicholas Albright (Security Researcher, DISOG)

“The Clock has run out. We must equip defenders with the correct tools and incentives, or we will all suffer.”

Ryan Chow (CEO @ Metalware)

“The codebase is growing exponentially. We must radically shift to secure languages & practices. In every LoC.”

Dror-John Röcher (Founder / intcube)

“Customers don't trust marketing. Smart ones trust auditors. Zero-days won't wait for you to get certified.”

Joey Stanford (CISO, Pantheon.io)

“The agency to act swiftly determines who will be outplayed in the game of AI-led exploit/defense.”

Annie Thomas (Security Architect, TCS)

“AI has shrunk the vuln-to-exploit window. Defenders don't have luxury of time, patching to be at machine speed”

Satish Narayanan (Co-Founder, SQ1 Security)

“Traditional VM was built around the assumption that you have time to prioritize. You don't anymore.”

Lucas Masson (CEO @ Konvu)

“The clock ticks away, Old souls fade as threats evolve, AI: our last hope.”

Pieter Danhieux (CoFounder/CEO, Secure Code Warrior)

“The exploit window is collapsing. Security must move upstream into the software lifecycle.”

Nir Valtman (Co-Founder & CEO / Arnica)

“AI makes hackers faster than ever. Security teams must shift from calendar time to compute time.”

Darin Hurd (CISO @ Rate)

“Zero Trust principles must be applied far beyond 'networking' - to all layers of the stack down to hardware.”

Geoff Halstead (Faction Networks)

“In a less catastrophic sense, it reminds me of Don't Look Up.”

Danijel Grah (Offensive Security Tech Lead, NIL ltd.)

“The diff tells the truth. They read your merge before you. Write less - mean it all.”

Alexis Drai (Software developer | Open Source maintainer | Automating security & quality workflows)

“The window from disclosure to exploitation has collapsed. In the AI era, protection must happen at runtime”

Nadav Czerninski (Co-Founder & CEO @ Oligo Security)

“The exploit window is gone. Incentivize zero-fail engineering and structurally defend at machine speed.”

Arshaad Yar (CIO / The Invus Group)

“Prevention is better than cure. AI run security test pass before every code/patch release must become normal.”

Steve Jump (CISO/Risk Analyst, Custodiet Advisory Services)

“I've long said the one with the better, faster algorithms wins. We built Wirespeed because we saw this coming.”

Tim MalcomVetter (Co-Founder of Wirespeed by Coalition)

“We build fuzzers and find bugs. The gap between disclosure and weaponization was our window. Now it's gone.”

Patrick Ventuzelo (Founder & CEO / Fuzzinglabs)

“The world runs on software, It's the backbone of communication, finance, and healthcare. Security matters!”

Jorge Pinto (Information Security Specialist)

“The luxury of analysis and prioritization is quickly moving behind us. The exciting era of agentic VM is here.”

Evan London (F200 Threat and Vulnerability Management)

“Securing tomorrow requires action today.”

Joel Miller (Independent Researcher)

“Every second of delay only benefits the threat actor. Is your IR machine-speed ready?”

Matt Stamper (CEO | CISO Advisor)

“As patch windows collapse, we need resilience beyond prevention — to anticipate, withstand, recover and adapt.”

Erlend Andreas Gjære (Secure Practice)

“AI eliminates something defenders have always relied on: time. Cyber risk is now a velocity problem.”

Kara Sprague (CEO, HackerOne)

“AI is going nuts...”

Jens Schmidt (CTO / Exodos Labs, Inc.)

“The attacker's advantage grows daily. The only counter: prevention tools that work where critical code lives.”

Ramtine TOFIGHI SHIRAZI (Cofounder & CEO at SecMate)

“Reactive security is obsolete. In an AI-driven threat landscape, only secure-by-design can keep pace”

Riccardo Sirigu (Offensive Security Director / Abissi)

“Security has historically relied on the idea that there will be time to react which is no longer a privilege.”

Qasim Mithani (CEO / depthfirst)

“TTE will only drop with AI and response SLAs are already getting overwhelmed.”

Amey Kantak (DPO)

“7 months ago, we proved CVE exploitation with AI is near-instant. TTE has been in a nosedive ever since.”

Efi Weiss (Independent Researcher)

“This isn’t a race against threat attackers. It’s a debt crisis and the interest just went compound with genAI.”

Riaz Lakhani (CISO @ Redis)

“These trend lines make one thing clear, traditional defenses are insufficient. We eliminate classes of vulns.”

Joseph Saunders (CEO, RunSafe Security)

“Boards must shift from ‘Are we compliant?’ to ‘Are we fast enough?’ Patch speed is the key to resilience.”

Michala Liavaag (Cybility Consulting Ltd)

“Exploitation is entry, not outcome. Defenders own the graph--aim untiring compute at every attack path after.”

Oleg Kolesnikov (CTO CISO Office @ Microsoft)

“Most organizations underestimate the democratization of vulnerability discovery & exploitation. That complacency is more dangerous than ever.”

Mike Lockhart (CISO @ Eagleview)

“Social engineering used to require skill. Now it requires a prompt.”

Julius Muth (revel8)

“Speed is the new paradigm. Focus was the old mantra. Now we need both.”

Eoin Keary (Edgescan)

“The Zero Day Clock makes one thing clear: security now demands anti-fragility, not just resilience.”

Nils Hass (CISO @ Axel Springer SE)

“The World is changing fast and we have to adopt accordingly.”

Anders Vineberg (CISO)

“Technologies show options but it's action that makes us better. (The quote can be used by both the good and the bad.)”

Jimmy Heschl (CISO, Red Bull)

“As the paradigm shifts to AI-speed attacks, our defensive capabilities must overcome human latency and make the exact same leap.”

Ahmad Nassri (CTO, Socket)

“The world has historically benefited from the fact that vulnerability searching is a semi-rare skill and there's not huge demand for it. The models significantly alter the scarcity of that skillset in a way that favors offense and requires new tools.”

Isaac Evans (CEO, Semgrep)

“Cybersecurity is still treated as a task for a small group of specialists. If we want to live safely, everyone must contribute and help close the alarming skills gap.”

Thomas Steinbrenner (Cyberdefender)

“Threat actors used to have two limitations: skill and being human. Both of these collapsed overnight. Every previous technology shift that disrupted the world gave us TIME to adapt. We don't have this luxury now.”

Eva Benn (Cybersecurity Educator)

“The Observe, Orient, Decide, Act (OODA) Loop just got more challenging. This is an arms race. It's not just about speed it's about creating or preventing disruption.”

David Fox (Neo4j)

“We spent decades making attacks expensive. AI just made them cheap. That is not a security problem anymore. It is an economics problem, and the math does not favour defenders.”

Jeevan Jutla (Gecko Security)

“As time‑to‑exploit approaches zero, the cost of insecurity returns to where it belongs: operations, downtime, and business survival.”

W John Finnigan (Founding Member, Office Smith LLC)

“AI is fueling the rise of IT security threats. The Zero Day Clock illustrates this clearly and helps raise awareness of the issue.”

Christopher Ruppricht (CISO, SCHUFA Holding AG)

“The age of AI superpowers shouldn’t belong only to the bad guys - let’s empower our blue teams and co‑author the post‑Mythos agenda.”

Romain Aviolat (Group CISO @ Kudelski Group)

“The Zero Day Clock proves we can no longer wait for a CVE to act. Real-time visibility into PreCVEs is essential for software supply chain security, allowing us to identify risks and harden architectures before a vulnerability is even named.”

Cassie Crossley (CEO/Co-Founder, VulNow & Author)

“AI is accelerating the discovery of vulnerabilities and reducing the time required for hacking. Only a very good structure and a well-established process can help reduce the attack surface.”

Gianclaudio Moresi (CISO)

“The zero day clock provides a compelling reason to act. Agentic based defence is the only way to detect and respond against AI cyberattacks 2026 and beyond.”

Nimitt Jhaveri (CEO BitScore Cybertech)

“We know our adversaries. Now we need to know ourselves better, and respond faster than ever before.”

Herman Young (CISO, Investec)

“At machine speed, you can’t outpace the attacker. You can only remove the attack surface and deceive what remains. You can’t attack what you can’t see.”

Tony Fergusson (CISO in Residence, Zscaler)

“The entire security model needs to evolve with the pace at which vulnerability can be exploited. We need to move from doing point-in-time security testing like pentests are done today to always-on security testing.”

Rene Brandel (CEO @ Casco)

“Let's embrace obsolescence management. Patching and reactive models are outdated. Traditional SOCs can't scale to instant exploitation. AI makes attacks cheaper and defenses more expensive. Let's be strategic, collaborative, resilient, & coordinated.”

Walter Heffel (CISO, Enersa)

“These are unprecedented times. CISOs need to rebuild the SOC from scratch before it is too late. Human analysts are too slow. A CISO supported by a staff consisting mostly of machine-speed intelligent agents is the future of security.”

Matt Mahoney (Security Researcher)

“If you maintain edge security appliances like firewalls, ZeroDayClock shows that the very devices you trust to protect your network may now be your greatest risk.”

Glen Kendell (President/CEO, Concourse Cloud)

“Human speed will no longer be sufficient, we need to adapt to machine speed NOW to restore the symmetry again between attacker and defender speed.”

Martin Schöpper (Group CISO @ ZEISS)

“In a zero-day world, detection is already late, the only winning move is to design systems that assume compromise from the start.”

Mohit Chanana (CISO, Chevron Phillips Chemicals)

“No doubt we are entering a world where AI can attack and defend — faster than any human. The question now is who powers, owns & controls it.”

ENDIKA GIL URIARTE (ALIAS ROBOTICS)

“The real clock isn't measuring time-to-exploit. It's measuring time-to-intent”

Murat Cakir (Cyber Mechanic threatroute66)

“If you have operationalized an assume-breach defense, nothing much changes. More attacks give you opportunities to get stronger, faster. Think of this like an immune system. Learn from the attacks. But, if you haven’t been assuming breach, good luck.”

Robert Ficcaglia (SunStone Secure)

“The Zero Day Clock shows that time is no longer on the defender’s side. For organisations that underpin society, like postal and logistics services, this means designing systems that can withstand compromise — not just react to it.”

Erkan Kahraman (PostNord)

“Attackers’ openness is winning over defenders siloed paradigms. The uneven battlefield proves that defenders cannot pick up the pace without a significant paradigm shift. One may argue that defenders are somewhat enriching attackers paradoxically.”

Ernest Ketcha (CEO, KHICS)

“My patch SLA says 30 days. My adversary's runtime says 30 seconds. The auditor asks which one we documented. The Zero Day Clock asks which one mattered.”

Bruce Fram (CEO @ AppSecAI)


Thesis

The gap between vulnerability disclosure and first confirmed exploitation is collapsing exponentially. Zero Day Clock tracks this collapse across 3,500+ CVEs with confirmed in-the-wild exploitation — roughly 1.5% of all CVEs published since 2018. The data shows defenders' response window is approaching zero.

Common Questions

Frequently asked questions about what ZeroDayClock measures and how.

TTE Methodology

How the Zero Day Clock computes Time-to-Exploit

Vulnerability Lifecycle

1. Vulnerability introduced: Code written with the flaw
2. Vendor / researcher discovers: Internal knowledge only
3. Vendor advisory / patch: Optional — some skip this step
4. CVE published (NVD): t_disclosure — ZeroDayClock measures from here
5. Exploit signal confirmed: KEV confirmed exploitation — ZeroDayClock measures to here
6. Patch released: Fix or workaround available
7. Patch applied by organisations: Defender's window closes

TTE
What ZeroDayClock measures: the gap between steps 4 and 5 — and only for CVEs where step 5 actually occurred. The ~98.5% of CVEs where exploitation was never confirmed are excluded from the dataset entirely. A negative TTE means step 5 occurred before step 4 (exploitation confirmed before NVD published the CVE).

What is TTE?

Time-to-Exploit (TTE) measures the elapsed time between when a vulnerability is publicly disclosed (NVD publication date) and when the first confirmed in-the-wild exploitation signal was observed.

TTE = date_exploit_signal − date_nvd_publication   (days)
Positive = after disclosure  ·  Zero = same calendar day  ·  Negative = before disclosure

Confirmed-Exploitation Dataset

The dashboard tracks only CVEs with confirmed in-the-wild exploitation. Of ~235,000 CVEs published since 2018, only 3,500+ (≈1.5%) qualify. These are identified using two primary sources and one timestamp supplement:

CISA KEV

U.S. government mandate — active exploitation confirmed by federal agencies. Launched November 2021. Drives 7% of TTE timestamps.

VulnCheck KEV

Analyst-confirmed exploitation via Shadowserver honeypots, GreyNoise telemetry, and vendor advisories. Broader and faster than CISA. Drives 74% of TTE timestamps.

VulnCheck XDB (timestamp supplement)

Verified public exploit code. Used as a timing proxy for pre-2022 CVEs where KEV timestamp coverage is thin due to CISA KEV's late launch. Drives 19% of TTE timestamps.

Inclusion requires a KEV signal. Exploit code databases alone, without a KEV confirmation, are not sufficient for inclusion. Lower-confidence sources (GitHub PoCs, CIRCL sightings, NVD reference URLs) feed the Explorer tool for enrichment only and are excluded from TTE computation.

Data Quality Filters

Five filters are applied before computing TTE:

  • Pre-2010 timestamps dropped. Exploit dates before 2010-01-01 are database defaults (epoch, year 0001) rather than real observations.
  • TTE < −180 days dropped. Retroactively assigned CVEs that produce extreme negative TTE are removed, while real zero-day campaigns (typically −30 to −90 days) are preserved.
  • CVE vintage year bucketing. CVEs are assigned to their cohort year using the CVE ID year (e.g. CVE-2022-* → 2022), not the NVD re-publication year. NVD occasionally re-indexes older vulnerabilities years after their ID was assigned.
  • Same-day precision floor. CISA KEV and VulnCheck KEV store date-only timestamps. When exploitation is confirmed on the same calendar day as CVE publication, TTE is recorded as 0 rather than a false negative fraction-of-day.
  • Graphs display 2018–present only. Pre-2018 cohort years are excluded from all charts (sparse data, no systematic KEV coverage before 2018).

Statistical Approach

TTE values are grouped by cohort year and two central-tendency measures are computed:

  • Median TTE: The middle value when all TTE values for a year are sorted. Robust against outliers but insensitive to shifts in the distribution tails.
  • 10% Trimmed Mean: Sort all TTE values, remove the bottom 5% and top 5%, average the remainder. More sensitive to real trends than the median while still limiting outlier influence. The 10% trim is applied only when the cohort exceeds 20 CVEs; smaller cohorts use the arithmetic mean.

Zero-Day Classification

Zero-day: TTE ≤ 0 — exploitation confirmed on the same calendar day as disclosure or earlier. Includes genuine pre-disclosure (TTE < 0) and same-day events (TTE = 0) where intra-day order cannot be determined at date-only timestamp precision. Overall zero-day rate: 37% all years; 68% in 2026.
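The TTE formula, the data quality filters, the per-cohort statistics and the zero-day rule described above can be carried through on a handful of records. This is an added example, not Zero Day Clock's own code: the function names and the sample records are constructed, and it assumes NVD publication carries a time of day while the exploit signal is date-only, and that the 5% cut on each side is rounded down.

```python
import re
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, median

MIN_EXPLOIT_DATE = date(2010, 1, 1)  # earlier exploit dates are database defaults
MIN_TTE_DAYS = -180                  # below this: retroactively assigned CVE
FIRST_CHART_YEAR = 2018              # graphs display 2018-present only
TRIM_ABOVE = 20                      # trim only when the cohort exceeds 20 CVEs


def cohort_year(cve_id):
    """Cohort year comes from the CVE ID, not the NVD (re-)publication year."""
    m = re.fullmatch(r"CVE-(\d{4})-\d{4,}", cve_id)
    if m is None:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1))


def tte_days(nvd_published, exploit_signal):
    """TTE in whole days, or None when a quality filter drops the record.

    Subtracting calendar dates implements the same-day precision floor:
    a date-only exploit signal on the publication day gives 0, not a
    negative fraction of a day.
    """
    if exploit_signal < MIN_EXPLOIT_DATE:
        return None
    tte = (exploit_signal - nvd_published.date()).days
    return None if tte < MIN_TTE_DAYS else tte


def trimmed_mean(values):
    """10% trimmed mean; plain arithmetic mean for cohorts of 20 or fewer."""
    vals = sorted(values)
    if len(vals) <= TRIM_ABOVE:
        return mean(vals)
    k = len(vals) * 5 // 100  # assumption: the 5% cut per side is rounded down
    return mean(vals[k:len(vals) - k])


def summarize(records):
    """Group TTE by cohort year and compute the dashboard statistics."""
    cohorts = defaultdict(list)
    for cve_id, nvd_published, exploit_signal in records:
        year = cohort_year(cve_id)
        tte = tte_days(nvd_published, exploit_signal)
        if year >= FIRST_CHART_YEAR and tte is not None:
            cohorts[year].append(tte)
    return {
        year: {
            "n": len(t),
            "median": median(t),
            "trimmed_mean": trimmed_mean(t),
            "zero_day_rate": sum(x <= 0 for x in t) / len(t),  # TTE <= 0
        }
        for year, t in sorted(cohorts.items())
    }


# Constructed records: (CVE ID, NVD publication, first exploit signal).
SAMPLE = [
    ("CVE-2024-0001", datetime(2024, 3, 5, 14, 30), date(2024, 3, 5)),  # same day: 0
    ("CVE-2024-0002", datetime(2024, 4, 1, 9, 0), date(2024, 4, 11)),   # +10
    ("CVE-2024-0003", datetime(2024, 6, 10), date(2024, 5, 11)),        # -30, kept
    ("CVE-2024-0004", datetime(2024, 2, 1), date(1, 1, 1)),             # default date
    ("CVE-2024-0005", datetime(2024, 9, 1), date(2023, 1, 1)),          # TTE < -180
    ("CVE-2022-0006", datetime(2024, 1, 15, 8, 0), date(2024, 1, 20)),  # cohort 2022
    ("CVE-2016-0007", datetime(2016, 5, 1), date(2016, 6, 1)),          # pre-2018
]

if __name__ == "__main__":
    for year, stats in summarize(SAMPLE).items():
        print(year, stats)
```
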

Independent reproducibility guide

Step-by-step instructions to reproduce every graph calculation from the source database. Validated by an independent audit agent: 9/9 checks passed, 0 discrepancies.


Data Sources

We track 10 exploit intelligence sources. Sources marked trusted are used for TTE computation; the others feed the Explorer for enrichment only.

Source | Role | Records | Used for TTE
NVD (NIST) | CVE publication timestamps (t_disclosure) | 235,851 CVEs | Explorer only
CISA KEV | Gov-confirmed active exploitation in the wild — drives 7% of TTE timestamps | 1,529 | Trusted
VulnCheck KEV | Analyst-confirmed exploitation via Shadowserver/GreyNoise/advisories — drives 74% of TTE timestamps | 326,079 | Trusted
VulnCheck XDB | Verified public exploit code — timestamp supplement for early-year CVEs where KEV coverage is thin | 6,695 | Trusted
ExploitDB | Public exploit archive | 45,000+ | Explorer only
Metasploit | Exploit framework modules | 2,300+ | Explorer only
nomi-sec/PoC-in-GitHub | GitHub PoC repositories | 30,000+ | Explorer only
CIRCL | Exploit sighting timestamps | 5,000+ | Explorer only
NVD References | Exploit-tagged reference URLs (no independent timestamp) | 547,113 | Explorer only
FIRST EPSS | Exploitation probability scores (predictive, not used for TTE) | Daily | Explorer only

Limitations

  • Observation bias: We only track publicly visible exploits. Private or nation-state exploits may exist earlier.
  • CISA KEV date precision: CISA provides date-only granularity, which can produce artificial negative TTE for same-day additions.
  • PoC vs weaponized: A GitHub proof-of-concept is not the same as a weaponized exploit. PoCs are tracked in the Explorer but excluded from the TTE computation.
  • NVD publication lag: CVEs may be reserved months before publication, creating appearance of negative TTE for pre-existing exploits.
  • Right-censoring: Recent years (2025–2026) have incomplete observation windows. CVEs published recently may have exploits that haven't been detected yet, biasing recent TTE values downward.

Feedback & questions to sergej.epp@zerodayclock.com