Zero Day Clock

The Signatories

The industry voices behind the warning and call to action.

“AI capability scales with the cheapness of verification. Offense has the cheapest verifier.”

Sergej Epp (Sysdig)

“The entire defense model is built on imposing cost on attackers. AI is about to make that cost zero.”

Vijay Bolina (CISO @ Stealth Frontier AI Company)

“The attackers’ AI singularity has arrived. Ours has not yet begun.”

Gadi Evron (Knostic)

“Google taught me that any machine should be rebuildable in hours. The Clock measures whether you still have hours left.”

Heather Adkins (Google)

“Attacks always get better. They never get worse. But for the first time, the same is true for defense. The race just got faster on both sides — and the side that sees the data first wins.”

Bruce Schneier (Security Technologist)

“We continue to see threat activity accelerate and the time to exploit availability and exploitation accelerate.”

Patrick Garrity (VulnCheck)

“Distributed. Immutable. Ephemeral. When exploits arrive in hours, the only system that survives is one built to be replaced.”

Sounil Yu (Knostic)

“I built DEF CON so researchers could show what they found. For thirty years, I watched the time between finding a vulnerability and exploiting it get shorter. We’re running out of timeline to show.”

Jeff Moss (Black Hat & DEF CON)

“Everything we’re doing in internet security is too little, too late. I’ve known that for decades. What I didn’t know was how fast ‘too late’ would arrive. Now there’s a Clock that measures it.”

Paul Vixie (AWS & Internet Pioneer)

“500,000 SANS-trained defenders. The Clock shows the new speed. Now we make every tool they use AI-ready.”

Rob Lee (SANS)

“Less than 5% of vulnerabilities are weaponized and time-to-exploit is already in hours. When AI scales that to 60%, no patch cycle, no SOC, and no budget survives the math.”

Caleb Sima (WhiteRabbit)

“Every patch is an exploit blueprint. AI will dramatically compress the time it takes to turn the blueprint into a working exploit.”

Thomas Dullien (Halvar Flake)

“AI agents are the new attack surface and the new defenders. We must secure both sides.”

Chris Hughes (Resilience Cyber & Zenity)

“Speed is our best defense. When exploits arrive in hours, the only viable defense is the one that’s already on by default: broad classes of architectural mitigations.”

Phil Venables (Ballistic, 4x CISO)

“When AI collapses the exploit timeline to hours, implicit trust becomes existential risk.”

John Kindervag (Creator of Zero Trust)

“MOAK proves what everyone feared. Any threat actor can now use publicly available AI models to weaponize vulnerabilities in minutes.”

Niv Hoffman (Creator of MOAK.AI, CTO @ Buzz)

“AI finds and exploits vulnerabilities faster than we patch them. We need to focus on eliminating entire bug classes.”

Clint Gibler (tl;dr sec & Semgrep)

“Every vulnerability scoring framework assumes defenders have time to prioritize. When exploitation is instant, scoring becomes a post-mortem exercise.”

Manish Bhatt (Amazon Leo & Zero Day Connoisseur)

“Security leadership spent decades optimizing calendars. Now, AI hands attackers a stopwatch. Bringing a calendar to a clock fight won’t end with lessons learnt but with a post mortem.”

Philipp Suedmeyer (CISO, Munich RE)

“Agentic AI is driving toward one-click CVE exploitation. Defenders must accelerate detection and remediation. That’s what this clock represents.”

Ashish Rajan (CISO & Cloud Security Podcast)

“We are fighting a war with the bad guys. We can only hope to win this war if we fight it together. Open source is the only approach with the agility and broad reach to meet modern security concerns.”

Loris Degioanni (Wireshark, Falco & Sysdig)

“There’s no doubt that AI is making attackers’ lives easier, continually lowering the bar to exploit software. That’s exactly why we need to double down on secure-by-design development, particularly in the age of AI coding.”

Jack Cable (Corridor)

“The future of security is the dueling banjos of the defender’s AI stack vs. the attacker’s AI stack. And the worse that imbalance is the worse this clock gets.”

Daniel Miessler (Unsupervised Learning)

“Mythos is cybersecurity's Y2K, except the deadline already passed. When AI finds thousands of zero-days that survived decades of human review, the vulnerability window doesn't shrink. It vanishes.”

George Kurtz (CEO/Founder CrowdStrike)

“Vendors outsource their quality problems to customers, who build whole organizations just to manage the treadmill. Attackers couldn’t have designed it better.”

Linus Neumann (Chaos Computer Club)

“The tipping point always comes faster than you think. I’ve seen it with cloud, AI, and digital assets.”

Sandip Wadje (BNP Paribas)

“When underwriting cyberinsurance and dealing with claims we’re seeing attackers getting faster.”

Tiago Henriques (Coalition)

“Exploits used to be crafted. Now they're manufactured. The barrier to entry isn't skill anymore, it's compute budget and patience. The clock isn't measuring human speed anymore.”

Jonathan Zanger (CTO, Check Point)

“A strong wake-up call. When weaponization timelines shrink to zero, the traditional "patching grace period" model becomes obsolete. The real answer is better software quality and architectures that reduce exploitable exposure in the first place.”

Stefan Braun (Henkel)

“Traditional patching is a losing race against the clock. The future of defensive security belongs to autonomous systems.”

Marco Balduzzi (Trend Micro)

“Artificial Intelligence is moving faster than any technology before it. Those who fail to prepare won’t fall behind — they will be left irrelevant.”

Hermann Huber (Cyberlagebild)

“I’ve funded cybersecurity startups for a decade. The companies that win compress the time between vulnerability and fix. The Zero Day Clock measures that compression for the entire ecosystem.”

Chenxi Wang (Rain Capital)

“I built security teams at Facebook, Uber, and Cloudflare. At every one, the hardest part was the same: creating urgency before the breach, not after.”

Joe Sullivan (CEO of JS Security LLC & 3x CISO)

“I co-wrote the first web application security testing standard in 2003. Twenty-two years later, cross-site scripting is still the number one vulnerability class. We are not learning. We are accumulating.”

Daniel Cuthbert (Santander)

“AI is bringing real speed and scale to defense. Attackers have it too, but if we move fast, defenders can finally gain an edge. We should all worry about a "vuln-pocalypse," yet act with speed and urgency to secure the world's code. Exciting times!”

Ondrej Vlcek (AISLE)

“Cybersecurity in the age of AI is a marathon that we need to sprint. The urgency is real.”

David Haber (CEO and Founder of Lakera)

“Cybersecurity has always been a matter of time and resources. With AI, both have disappeared.”

David BALME (Comprendre.ai)

“Secure by Design is the only way forward. Hack yourself with the best security bug finders before release.”

Chris Wysopal (Co-founder Veracode)

“The bar to exploit vulnerabilities is now so low that “break then patch” is not a viable approach anymore.”

Stefano Zanero (Professor, Politecnico di Milano)

“Defenders still live in a pre-AI world. We can now patch at scale with the click of a button, and we need to.”

Francesco Piccoli (CEO @ Almanax)

“Vulnerability exploitation signals have become disrupted and noisy; in an AI era we need automated response.”

Francesco Cipollone (Phoenix Security)

“AI will compress SLAs to zero. Quality and defense must become continuous and automatic.”

Brett Cumming (F500 CISO)

“RunSybil exists because we saw this convergence coming. Now there's data the whole world can see.”

Ari Herbert-Voss (RunSybil)

“I reminded a few people about this back in 2018: AI is going to ruin everyone’s party. That time is now.”

Ron F. Del Rosario (SAP Supply Chain Management)

“We reported 15 critical kernel bugs to 8 vendors. One got patched. PSIRTs aren’t built for AI-scale volume.”

Yaron Dinkin & Eyal Kraft (Hexaplex)

“We are no longer playing cat and mouse. It's just cat now while we are caught with our tails tied.”

Vidya Bodepudi (Fuze Health)

“Let’s accept that the exploit window is gone and it isn’t coming back. Then let’s build systems that assume compromise and are designed to keep running through it.”

Neal Swaelens (CEO, Manifold Security)

“In the age of AI, human eyes will no longer spot the bugs that matter.”

Floren Molina (CTO @ Santander Services Solutions)

“Time has never really been on our side, but we have acted as if it was. We no longer can avoid reality.”

Tom Byrnes (CEO / ThreatSTOP)

“"We must all hang together, or most assuredly we shall all hang separately".”

Joe Evangelisto (CISO / NetSPI)

“We've got to build systems as if there is always a zero day and the patch is never coming.”

Adrian Sanabria (Founder, The Defenders Initiative)

“Process bound defense meets ambition fueled offense. AI adoption demands immediate reconciliation.”

Nicholas Albright (Security Researcher, DISOG)

“The Clock has run out. We must equip defenders with the correct tools and incentives, or we will all suffer.”

Ryan Chow (CEO @ Metalware)

“The codebase is growing exponentially. We must radically shift to secure languages & practices. In every LoC.”

Dror-John Röcher (Founder / intcube)

“Customers don't trust marketing. Smart ones trust auditors. Zero-days won't wait for you to get certified.”

Joey Stanford (CISO, Pantheon.io)

“The agency to act swiftly determines who will be outplayed in the game of AI-led exploit/defense.”

Annie Thomas (Security Architect, TCS)

“AI has shrunk the vuln-to-exploit window. Defenders don't have the luxury of time; patching has to be at machine speed.”

Satish Narayanan (Co-Founder, SQ1 Security)

“Traditional VM was built around the assumption that you have time to prioritize. You don't anymore.”

Lucas Masson (CEO @ Konvu)

“The clock ticks away, Old souls fade as threats evolve, AI: our last hope.”

Pieter Danhieux (CoFounder/CEO, Secure Code Warrior)

“The exploit window is collapsing. Security must move upstream into the software lifecycle.”

Nir Valtman (Co-Founder & CEO / Arnica)

“AI makes hackers faster than ever. Security teams must shift from calendar time to compute time.”

Darin Hurd (CISO @ Rate)

“Zero Trust principles must be applied far beyond 'networking' - to all layers of the stack down to hardware.”

Geoff Halstead (Faction Networks)

“In a less catastrophic sense, it reminds me of Don't Look Up.”

Danijel Grah (Offensive Security Tech Lead, NIL ltd.)

“The diff tells the truth. They read your merge before you. Write less - mean it all.”

Alexis Drai (Software developer | Open Source maintainer | Automating security & quality workflows)

“The window from disclosure to exploitation has collapsed. In the AI era, protection must happen at runtime.”

Nadav Czerninski (Co-Founder & CEO @ Oligo Security)

“The exploit window is gone. Incentivize zero-fail engineering and structurally defend at machine speed.”

Arshaad Yar (CIO / The Invus Group)

“Prevention is better than cure. AI run security test pass before every code/patch release must become normal.”

Steve Jump (CISO/Risk Analyst, Custodiet Advisory Services)

“I've long said the one with the better, faster algorithms wins. We built Wirespeed because we saw this coming.”

Tim MalcomVetter (Co-Founder of Wirespeed by Coalition)

“We build fuzzers and find bugs. The gap between disclosure and weaponization was our window. Now it's gone.”

Patrick Ventuzelo (Founder & CEO / Fuzzinglabs)

“The world runs on software. It's the backbone of communication, finance, and healthcare. Security matters!”

Jorge Pinto (Information Security Specialist)

“The luxury of analysis and prioritization is quickly moving behind us. The exciting era of agentic VM is here.”

Evan London (F200 Threat and Vulnerability Management)

“Securing tomorrow requires action today.”

Joel Miller (Independent Researcher)

“Every second of delay only benefits the threat actor. Is your IR machine-speed ready?”

Matt Stamper (CEO | CISO Advisor)

“As patch windows collapse, we need resilience beyond prevention — to anticipate, withstand, recover and adapt.”

Erlend Andreas Gjære (Secure Practice)

“AI eliminates something defenders have always relied on: time. Cyber risk is now a velocity problem.”

Kara Sprague (CEO, HackerOne)

“AI is going nuts...”

Jens Schmidt (CTO / Exodos Labs, Inc.)

“The attacker's advantage grows daily. The only counter: prevention tools that work where critical code lives.”

Ramtine TOFIGHI SHIRAZI (Cofounder & CEO at SecMate)

“Reactive security is obsolete. In an AI-driven threat landscape, only secure-by-design can keep pace.”

Riccardo Sirigu (Offensive Security Director / Abissi)

“Security has historically relied on the idea that there will be time to react which is no longer a privilege.”

Qasim Mithani (CEO / depthfirst)

“TTE will only drop with AI and response SLAs are already getting overwhelmed.”

Amey Kantak (DPO)

“7 months ago, we proved CVE exploitation with AI is near-instant. TTE has been in a nosedive ever since.”

Efi Weiss (Independent Researcher)

“This isn’t a race against threat attackers. It’s a debt crisis and the interest just went compound with genAI.”

Riaz Lakhani (CISO @ Redis)

“These trend lines make one thing clear, traditional defenses are insufficient. We eliminate classes of vulns.”

Joseph Saubders (CEO, RunSafe Security)

“Boards must shift from ‘Are we compliant?’ to ‘Are we fast enough?’ Patch speed is the key to resilience.”

Michala Liavaag (Cybility Consulting Ltd)

“Exploitation is entry, not outcome. Defenders own the graph: aim untiring compute at every attack path after.”

Oleg Kolesnikov (CTO CISO Office @ Microsoft)

“Most organizations underestimate the democratization of vulnerability discovery & exploitation. That complacency is more dangerous than ever.”

Mike Lockhart (CISO @ Eagleview)

“Social engineering used to require skill. Now it requires a prompt.”

Julius Muth (revel8)

“Speed is the new paradigm. Focus was the old mantra. Now we need both.”

Eoin Keary (Edgescan)

“The Zero Day Clock makes one thing clear: security now demands anti-fragility, not just resilience.”

Nils Hass (CISO @ Axel Springer SE)

“The world is changing fast and we have to adapt accordingly.”

Anders Vineberg (CISO)

“Technologies show options but it's action that makes us better. (The quote can be used by both the good and the bad.)”

Jimmy Heschl (CISO, Red Bull)

“As the paradigm shifts to AI-speed attacks, our defensive capabilities must overcome human latency and make the exact same leap.”

Ahmad Nassri (CTO, Socket)

“The world has historically benefited from the fact that vulnerability searching is a semi-rare skill and there's not huge demand for it. The models significantly alter the scarcity of that skillset in a way that favors offense and requires new tools.”

Isaac Evans (CEO, Semgrep)

“Cybersecurity is still treated as a task for a small group of specialists. If we want to live safely, everyone must contribute and help close the alarming skills gap.”

Thomas Steinbrenner (Cyberdefender)

“Threat actors used to have two limitations: skill and being human. Both of these collapsed overnight. Every previous technology shift that disrupted the world gave us TIME to adapt. We don't have this luxury now.”

Eva Benn (Cybersecurity Educator)

“The Observe, Orient, Decide, Act (OODA) Loop just got more challenging. This is an arms race. It's not just about speed; it's about creating or preventing disruption.”

David Fox (Neo4j)


Thesis

The gap between vulnerability disclosure and first working exploit is collapsing exponentially. Zero Day Clock tracks this collapse using ten independent data sources, computing Time-to-Exploit (TTE) for every CVE with a known exploit. The data shows defenders' response window is approaching zero.

TTE Methodology

How the Zero Day Clock computes Time-to-Exploit

What is TTE?

Time-to-Exploit (TTE) measures the elapsed time between the public disclosure of a vulnerability and the first confirmed availability of an exploit for it. A TTE of zero or less means exploitation was observed no later than public disclosure, i.e. a true zero-day.

TTE = (t_exploit − t_disclosure) / 3600    (timestamps in seconds; TTE measured in hours)

Trusted Sources Only

We ingest exploit intelligence from 10 independent sources (see table below), but the dashboard TTE is computed from only three trusted sources:

CISA KEV

U.S. government catalog of known exploited vulnerabilities

VulnCheck KEV

Commercial threat intelligence with confirmed exploitation dates

VulnCheck XDB

Curated exploit code repository with verified timestamps

Why not all 10 sources? Lower-confidence sources like GitHub PoC repositories, CIRCL sightings, or NVD reference URLs introduce noise. GitHub PoCs may be test code, homework, or honeypots. NVD exploit references carry no independent timestamp (they're backfilled with the CVE publication date, making TTE artificially zero). By restricting to sources with editorial review or confirmed in-the-wild exploitation, we produce a dataset that is defensible under external audit. The current dataset contains 3,513 CVE-exploit pairs from these three sources.

Corruption Filtering

Even trusted sources contain data artifacts. Before computing TTE, we apply two filters:

  • Pre-2010 timestamps dropped. Exploit dates before 2010-01-01 are database defaults (epoch, year 0001) rather than real observations.
  • TTE < −180 days dropped. When a CVE is assigned retroactively to a vulnerability that was exploited years earlier, the pair gets an artificially extreme negative TTE. A cutoff at −180 days removes these while preserving real zero-day campaigns, which typically fall between −30 and −90 days.

This filtering excludes 66 CVEs where every exploit record was corrupt, and flags 951 individual exploit records as artifacts.

Statistical Approach

After filtering, TTE values are grouped by year and two central tendency measures are computed:

  • Median TTE: The middle value when all TTE values for a year are sorted. Robust against outliers but can be insensitive to real shifts in the tails of the distribution.
  • 10% Trimmed Mean: Sort all TTE values, discard the bottom 5% and the top 5%, then average the remaining 90%. This limits the influence of extreme outliers (e.g. a CVE exploited 7 years after disclosure) while remaining more sensitive to real trends than the median. Across the full dataset the trimmed mean runs approximately 22% below the simple arithmetic mean, as expected for a right-skewed distribution in which a small number of very late exploits pull the plain mean upward.

Both the manual trimmed mean implementation and scipy.stats.trim_mean produce identical results to six decimal places, as verified by independent audit.

Zero-Day Classification & Prediction Model

  • Zero-day: When TTE ≤ 0 (exploit predates or matches disclosure), the CVE is classified as a zero-day. The overall zero-day rate across all years is 37%.
  • Prediction model: An exponential decay function TTE(year) = a · e^(−b·(year − 2018)) is fit to the yearly median TTEs (2018–2025) by least-squares regression, achieving R² = 0.97. The fitted curve is extrapolated to project when TTE will cross the one-week, one-day, one-hour and one-minute thresholds.
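As an added worked example (not the Zero Day Clock's own code), the pipeline described under Corruption Filtering, Statistical Approach and the classification and prediction model above, in standard-library Python: the TTE formula, both artifact filters, per-year median and trimmed mean (cutting 5% from each tail, the way scipy.stats.trim_mean(x, 0.05) does), TTE ≤ 0 zero-day classification, and the exponential fit with its threshold crossings. The records and yearly medians it runs on are constructed sample data, not real CVEs; binning a CVE under its disclosure year and fitting the exponential on ln(TTE) are assumptions the page does not spell out.

```python
"""Added worked example, not the Zero Day Clock's own code: the TTE pipeline this
page describes (formula, corruption filters, per-year median and 10% trimmed mean,
zero-day classification, exponential fit) in pure standard-library Python.
Every record below is constructed sample data; the labels are not real CVEs."""
from datetime import datetime, timezone
from math import exp, log
from statistics import median

HOUR = 3600.0
PRE_2010 = datetime(2010, 1, 1, tzinfo=timezone.utc).timestamp()
RETRO_CUTOFF_HOURS = -180 * 24   # below this: CVE assigned retroactively, not a zero-day campaign


def ts(iso):
    """UTC ISO-8601 string -> POSIX seconds."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


def tte_hours(t_disclosure, t_exploit):
    """TTE = (t_exploit - t_disclosure) / 3600, as defined on this page."""
    return (t_exploit - t_disclosure) / HOUR


def is_artifact(t_exploit, tte):
    """Corruption filter: database-default exploit dates (pre-2010) and TTE < -180 days."""
    return t_exploit < PRE_2010 or tte < RETRO_CUTOFF_HOURS


def trimmed_mean(values, proportion=0.05):
    """Cut `proportion` from each tail (5% + 5% = the page's '10% trimmed mean') and
    average the rest. The cut count is floored, like scipy.stats.trim_mean(values, 0.05)."""
    xs = sorted(values)
    k = int(len(xs) * proportion)
    kept = xs[k:len(xs) - k]
    return sum(kept) / len(kept)


def yearly_stats(records):
    """records: (label, disclosure_iso, exploit_iso). Groups surviving TTEs by disclosure
    year (an assumption; the page does not say which year a CVE is binned under) and
    returns ({year: {"n", "median", "trimmed_mean", "zero_day_rate"}}, dropped_count)."""
    by_year, dropped = {}, 0
    for _label, d_iso, e_iso in records:
        t_d, t_e = ts(d_iso), ts(e_iso)
        tte = tte_hours(t_d, t_e)
        if is_artifact(t_e, tte):
            dropped += 1
            continue
        by_year.setdefault(datetime.fromisoformat(d_iso).year, []).append(tte)
    stats = {}
    for year, ttes in by_year.items():
        stats[year] = {
            "n": len(ttes),
            "median": median(ttes),
            "trimmed_mean": trimmed_mean(ttes),
            "zero_day_rate": sum(t <= 0 for t in ttes) / len(ttes),  # TTE <= 0 is a zero-day
        }
    return stats, dropped


def fit_exponential(yearly_median, base_year=2018):
    """Least-squares fit of TTE(year) = a * exp(-b * (year - base_year)).
    Fitted on ln(TTE), the standard linearisation (an assumption: the page does not say
    how its regression is set up), so every median must be positive.
    Returns (a, b, R^2), with R^2 measured on the hour scale against the medians."""
    years = sorted(yearly_median)
    xs = [y - base_year for y in years]
    ys = [log(yearly_median[y]) for y in years]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    a, b = exp(my - slope * mx), -slope
    obs = [yearly_median[y] for y in years]
    fitted = [a * exp(-b * x) for x in xs]
    ss_res = sum((o - f) ** 2 for o, f in zip(obs, fitted))
    ss_tot = sum((o - sum(obs) / n) ** 2 for o in obs)
    return a, b, 1 - ss_res / ss_tot


def crossing_year(a, b, threshold_hours, base_year=2018):
    """Fractional year in which the fitted curve falls to `threshold_hours`."""
    return base_year + log(a / threshold_hours) / b


# Constructed sample input (not real CVEs): label, disclosure, first exploit observation.
SAMPLE_RECORDS = [
    ("EX-2019-01", "2019-03-04T00:00:00", "2019-03-11T00:00:00"),  # +168 h
    ("EX-2019-02", "2019-05-01T00:00:00", "2019-05-03T00:00:00"),  # +48 h
    ("EX-2019-03", "2019-06-10T00:00:00", "2019-06-05T00:00:00"),  # -120 h: zero-day
    ("EX-2019-04", "2019-08-01T00:00:00", "2020-08-01T00:00:00"),  # +8784 h: late outlier
    ("EX-2019-05", "2019-09-01T00:00:00", "1970-01-01T00:00:00"),  # epoch default: dropped
    ("EX-2019-06", "2019-10-01T00:00:00", "2017-01-01T00:00:00"),  # < -180 d: dropped
    ("EX-2020-01", "2020-02-01T00:00:00", "2020-02-01T12:00:00"),  # +12 h
    ("EX-2020-02", "2020-03-01T00:00:00", "2020-03-01T00:00:00"),  # 0 h: zero-day
    ("EX-2020-03", "2020-04-01T00:00:00", "2020-04-02T00:00:00"),  # +24 h
]

# Constructed yearly medians that follow a = 2000 h, b = 0.5 exactly, so the fit is checkable.
SAMPLE_MEDIANS = {2018 + k: 2000 * exp(-0.5 * k) for k in range(8)}

if __name__ == "__main__":
    stats, dropped = yearly_stats(SAMPLE_RECORDS)
    print(f"dropped {dropped} artifact records; per-year stats: {stats}")
    a, b, r2 = fit_exponential(SAMPLE_MEDIANS)
    for name, h in (("one week", 168), ("one day", 24), ("one hour", 1), ("one minute", 1 / 60)):
        print(f"fitted curve crosses {name}: {crossing_year(a, b, h):.1f} (R^2={r2:.3f})")
```

Two things worth noticing when running this against real data: with fewer than 20 values in a year the 5% cut floors to zero and the "trimmed" mean is just the mean, and a log-linear fit cannot accept a yearly median of zero or below, which is exactly what a year whose zero-day rate passes 50% produces. Either condition has to be handled explicitly before the fit is trusted.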

Data Sources

We track 10 exploit intelligence sources. Sources marked trusted are used for TTE computation; the others feed the Explorer for enrichment only.

Source                 | Role                                                            | Records      | Used for TTE
NVD (NIST)             | CVE publication timestamps (t_disclosure)                       | 235,851 CVEs | Explorer only
CISA KEV               | Known exploited vulnerability dates                             | 1,529        | Trusted
VulnCheck KEV          | Confirmed exploitation dates                                    | 326,079      | Trusted
VulnCheck XDB          | Curated exploit code repository                                 | 6,695        | Trusted
ExploitDB              | Public exploit archive                                          | 45,000+      | Explorer only
Metasploit             | Exploit framework modules                                       | 2,300+       | Explorer only
nomi-sec/PoC-in-GitHub | GitHub PoC repositories                                         | 30,000+      | Explorer only
CIRCL                  | Exploit sighting timestamps                                     | 5,000+       | Explorer only
NVD References         | Exploit-tagged reference URLs (no independent timestamp)        | 547,113      | Explorer only
FIRST EPSS             | Exploitation probability scores (predictive, not used for TTE)  | Daily        | Explorer only

Limitations

  • Observation bias: We only track publicly visible exploits. Private or nation-state exploits may exist earlier.
  • CISA KEV date precision: CISA provides date-only granularity, which can produce artificial negative TTE for same-day additions.
  • PoC vs weaponized: A GitHub proof-of-concept is not the same as a weaponized exploit. PoCs are tracked in the Explorer but excluded from the TTE computation.
  • NVD publication lag: A CVE ID may be reserved months before the record is published, so an exploit that predates NVD publication can show a negative TTE that reflects the lag rather than genuine zero-day use.
  • Right-censoring: Recent years (2025–2026) have incomplete observation windows. CVEs published recently may have exploits that haven't been detected yet, biasing recent TTE values downward.

Feedback & questions to sergej.epp@zerodayclock.com