
The window between a vulnerability being disclosed and an attacker exploiting it has been shrinking for years. In 2026, it has all but collapsed. Where development teams once had weeks — sometimes months — to assess, prioritise, and patch, the timeline has compressed to days, hours, and in some cases, minutes. The accelerant? Artificial intelligence.

This is not a theoretical risk. The data is unambiguous, and it demands a fundamental rethink of how your team approaches vulnerability management.

TL;DR

  • 28.3% of CVEs are now exploited within 24 hours of disclosure — AI has compressed the attacker’s workflow from months to hours
  • CVE submissions in Q1 2026 are running a third higher than Q1 2025, which itself set a record with 48,185 published vulnerabilities
  • AI-powered attack frameworks like CyberStrikeAI hit 600+ devices across 55 countries within two months of publication
  • The US government is considering cutting mandatory patch windows from two weeks to three days
  • Development teams must shift from reactive patching to proactive attack surface reduction — eliminating entire vulnerability categories rather than playing whack-a-mole

The Numbers That Should Worry You

In 2020, the average time from vulnerability disclosure to weaponised exploit was over 700 days. By 2025, that had fallen to 44 days. But the averages mask the real danger: 28.3% of CVEs are now exploited within 24 hours of disclosure, and 32.1% of newly tracked exploits appeared on or before the CVE’s public disclosure date.

Let that sink in. For roughly a third of tracked exploits, the exploit existed before the advisory did: attackers are ready before your team has even read it.

Meanwhile, the volume is exploding. A record 48,185 CVEs were published in 2025 — a 263% increase from 2020. First-quarter 2026 submissions are running approximately one-third higher than the same period last year. NIST has effectively acknowledged it cannot keep up, announcing in April 2026 that it would triage NVD enrichment by prioritising KEV catalogue entries and critical infrastructure applications. Comprehensive coverage, they admitted, is no longer sustainable.

How AI Changed the Attacker’s Playbook

The shift is not simply about faster humans. AI has fundamentally altered the economics of offensive security. Frontier large language models improved from resolving 33% of GitHub issues in August 2024 to nearly 81% by December 2025. That capability translates directly into offensive power — writing exploit code, identifying vulnerable patterns, and automating reconnaissance at scale.

The barrier to entry has dropped through the floor. In February 2025, three teenagers with no coding background used ChatGPT to build tools targeting Rakuten Mobile’s systems. By July 2025, a single actor leveraged AI coding tools for an extortion campaign affecting 17 organisations in a single month. In December 2025, one individual breached Mexican government agencies, stealing 195 million taxpayer records.

These are not nation-state operations. They are individuals — sometimes literal children — armed with commercially available AI tools and publicly disclosed vulnerabilities.

CyberStrikeAI, an AI-powered attack framework published to GitHub in November 2025, had confirmed attacks against more than 600 devices across 55 countries by January 2026. Two months. That is the new tempo.

Your Patch Cycle Was Built for a Different Era

Most organisations still operate vulnerability management programmes designed for a world where you had weeks to respond. The typical workflow — scan, triage, ticket, schedule, patch, verify — assumes a comfortable buffer between disclosure and exploitation. That buffer no longer exists.

The US government is responding accordingly. There are active discussions to cut the default KEV remediation window from two weeks to three days. If federal agencies are being told to move that fast, your commercial development team cannot afford to be slower.

But speed alone is not the answer. You cannot out-patch an AI that weaponises vulnerabilities in hours. The maths simply does not work when you are dealing with thousands of CVEs per quarter and shrinking windows for each one.

The Shift: From Reactive Patching to Attack Surface Reduction

The organisations that will weather this shift are the ones that stop playing whack-a-mole and start eliminating entire categories of vulnerability. This means:

1. Rebuild on Verified Foundations

The September 2025 Shai-Hulud attack on the npm ecosystem compromised over 500 packages, affecting 487 organisations and resulting in $8.5 million stolen from Trust Wallet alone. Rebuilding open-source libraries from verified source code has shown 99.7% effectiveness against malicious npm packages and 98% against Python packages. If your supply chain is not verified, it is a liability.
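One concrete form of "rebuild from verified source" is a promotion gate that refuses any registry artifact whose contents differ from a rebuild of the tagged source. The script below is an added example for this post, not REPTILEHAUS tooling; both file trees are constructed in memory as path-to-bytes mappings, and the package name and file contents are placeholders. In a real pipeline the rebuilt tree would come from building a verified git tag (for npm, `npm pack` on a clean checkout) and the published tree from unpacking the registry tarball.

```python
"""Check a published package against a from-source rebuild before promoting it.

Added example for this post, not REPTILEHAUS tooling. The two file trees are
constructed in memory as path -> bytes; in practice the rebuilt tree comes from
building a verified git tag and the published tree from the registry tarball.
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_trees(rebuilt: dict[str, bytes], published: dict[str, bytes]) -> dict[str, list[str]]:
    """Report files only in the published artifact, files only in the rebuild, and files
    whose bytes differ. 'extra' and 'modified' are the buckets that matter: an injected
    lifecycle script or a rewritten manifest lands there."""
    extra = sorted(set(published) - set(rebuilt))
    missing = sorted(set(rebuilt) - set(published))
    modified = sorted(
        path for path in set(rebuilt) & set(published)
        if digest(rebuilt[path]) != digest(published[path])
    )
    return {"extra": extra, "missing": missing, "modified": modified}


def is_verified(report: dict[str, list[str]]) -> bool:
    """Promotion gate: nothing may be added to or changed from the rebuild. Files missing
    from the artifact are tolerated, since tests and docs are often left out of tarballs."""
    return not report["extra"] and not report["modified"]


# Constructed sample: the rebuild from the tagged source.
REBUILT = {
    "package/package.json": b'{"name":"examplepkg","version":"1.4.0","main":"index.js"}',
    "package/index.js": b"module.exports = () => 'hello';\n",
}

# Constructed sample: what the registry served. Same version string, but the manifest
# gained a postinstall hook and a script the source tree never contained.
PUBLISHED = {
    "package/package.json": b'{"name":"examplepkg","version":"1.4.0","main":"index.js",'
                            b'"scripts":{"postinstall":"node setup.js"}}',
    "package/index.js": b"module.exports = () => 'hello';\n",
    "package/setup.js": b"/* constructed placeholder file, not real code */\n",
}

if __name__ == "__main__":
    report = compare_trees(REBUILT, PUBLISHED)
    print(report)
    print("verified:", is_verified(report))
```

Run as-is, the report lists `package/setup.js` as extra and `package/package.json` as modified, so the artifact is rejected; comparing the rebuild against itself passes. The gate is deliberately strict in one direction only: a tarball that ships less than the source tree is normal, a tarball that ships more or different bytes is not.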

2. Adopt Memory-Safe Languages Where It Matters

Entire classes of vulnerability, buffer overflows, use-after-free and out-of-bounds reads and writes among them, cannot occur in safe code in a memory-safe language; a null or dangling pointer becomes a defined failure (a panic or exception) rather than exploitable memory corruption. The shift towards Rust in critical infrastructure (the Linux kernel, Android, Windows components) is not a trend; it is a strategic response to the collapsing exploit window. Every C/C++ component in your stack is attack surface that AI can probe faster than your team can defend, so start with the components that parse untrusted input.

3. Automate Your Vulnerability Pipeline

Manual triage is dead. Your CI/CD pipeline needs automated SCA (Software Composition Analysis) that flags known-vulnerable dependencies before code reaches production. But do not stop at scanning: auto-merge non-breaking dependency updates (same major version, lockfile updated, test suite green) and automatically roll back anything that fails verification after deployment. The goal is to shrink your response time from days to minutes.

4. Diversify Your Vulnerability Intelligence

With NIST acknowledging it cannot comprehensively enrich the NVD, relying on a single source of vulnerability intelligence is a single point of failure. Layer multiple feeds — vendor advisories, GitHub Security Advisories, commercial threat intelligence, and community sources. If you wait for the NVD entry, you are already behind.
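The two points above, an automated pipeline that decides what to do with each finding and intelligence drawn from more than one feed, fit together in one small triage step. The script below is an added example for sections 3 and 4 of this post, not REPTILEHAUS tooling. Every feed record, package name and advisory ID is constructed sample data; the `CVE-0000-*` IDs are placeholders, not real CVEs. Real feeds (NVD JSON, GitHub Security Advisories, vendor advisories, the CISA KEV catalogue) would be fetched and normalised into the same record shape before this step runs.

```python
"""Correlate an SBOM with several vulnerability feeds and pick a remediation action.

Added example for this post, not REPTILEHAUS tooling. All feed records, package
names and CVE-0000-* IDs are constructed placeholders. The "nvd" feed deliberately
lacks one advisory, mirroring the enrichment gap a single-source pipeline would miss.
"""
from __future__ import annotations
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1). Pre-release/build suffixes are dropped; use `packaging`
    or `semver` for production comparisons."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


@dataclass
class Advisory:
    cve: str
    package: str
    ecosystem: str
    introduced: str            # first affected version, inclusive
    fixed: str | None          # first fixed version, exclusive; None means no fix yet
    severity: str
    sources: set[str] = field(default_factory=set)
    in_kev: bool = False


NVD = [
    {"cve": "CVE-0000-0001", "package": "exampleweb", "ecosystem": "pypi",
     "introduced": "2.0.0", "fixed": "2.3.1", "severity": "critical"},
]
GHSA = [
    {"cve": "CVE-0000-0001", "package": "exampleweb", "ecosystem": "pypi",
     "introduced": "2.0.0", "fixed": "2.3.1", "severity": "critical"},
    {"cve": "CVE-0000-0002", "package": "exampleparse", "ecosystem": "npm",
     "introduced": "0.0.0", "fixed": "5.0.0", "severity": "high"},
]
VENDOR = [
    {"cve": "CVE-0000-0003", "package": "examplelog", "ecosystem": "npm",
     "introduced": "1.0.0", "fixed": None, "severity": "high"},
]
KEV = {"CVE-0000-0001"}  # constructed stand-in for the KEV catalogue

SBOM = [  # constructed CycloneDX-style component list for one deployed service
    {"name": "exampleweb", "ecosystem": "pypi", "version": "2.2.0"},
    {"name": "exampleparse", "ecosystem": "npm", "version": "4.9.1"},
    {"name": "examplelog", "ecosystem": "npm", "version": "1.2.0"},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}


def merge_feeds(feeds: dict[str, list[dict]], kev: set[str]) -> dict[str, Advisory]:
    """Union the feeds keyed by CVE ID and record which sources carried each advisory."""
    merged: dict[str, Advisory] = {}
    for source, records in feeds.items():
        for r in records:
            adv = merged.setdefault(r["cve"], Advisory(
                r["cve"], r["package"], r["ecosystem"], r["introduced"], r["fixed"], r["severity"]))
            adv.sources.add(source)
            adv.in_kev = adv.cve in kev
    return merged


def affects(adv: Advisory, version: str) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def remediation(adv: Advisory, current: str) -> str:
    """Same-major fix: non-breaking bump, raise as an auto-merged, test-gated update.
    Major bump: needs a human. No fix yet: runtime mitigation until one ships."""
    if adv.fixed is None:
        return "mitigate-at-runtime"
    if parse_version(adv.fixed)[0] == parse_version(current)[0]:
        return "auto-update"
    return "manual-review"


def triage(sbom: list[dict], advisories: dict[str, Advisory]) -> list[dict]:
    """Match every component against every advisory; KEV entries first, then by severity."""
    findings = []
    for comp in sbom:
        for adv in advisories.values():
            if (adv.package, adv.ecosystem) == (comp["name"], comp["ecosystem"]) \
                    and affects(adv, comp["version"]):
                findings.append({
                    "cve": adv.cve, "component": f'{comp["name"]}@{comp["version"]}',
                    "kev": adv.in_kev, "severity": adv.severity,
                    "sources": sorted(adv.sources), "action": remediation(adv, comp["version"]),
                })
    findings.sort(key=lambda f: (not f["kev"], SEVERITY_RANK[f["severity"]], f["cve"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SBOM, merge_feeds({"nvd": NVD, "ghsa": GHSA, "vendor": VENDOR}, KEV)):
        print(finding)
```

With the constructed data the KEV-listed critical comes out first and is eligible for an automatic same-major update, the npm parser needs a human because its fix is a major bump, and the logging library has no fix yet and is routed to runtime mitigation. The `sources` field is the point of section 4: the second advisory reaches the pipeline only because GHSA is consulted alongside NVD.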

5. Implement Runtime Protection

Accept that some vulnerabilities will be exploited before you can patch them. Runtime application self-protection (RASP), web application firewalls with virtual patching capabilities, and network segmentation provide defence-in-depth that buys your team time when a zero-day drops.

What This Means for Your Development Team

This is not solely a security team problem. The collapsing exploit window has implications for every developer writing and shipping code:

  • Dependency choices matter more than ever. Every library you add is an attack surface. Audit before you install, pin versions, and have a plan for rapid replacement.
  • Secure defaults are non-negotiable. Every configuration that ships insecure-by-default is a vulnerability waiting for an AI to find it.
  • Your SBOM is a survival document. If you cannot enumerate every component in your production systems within minutes, you cannot respond fast enough when the next critical CVE drops.
  • Shift security left — but also shift it everywhere. Pre-commit hooks, CI pipeline scans, runtime monitoring, and post-deployment verification. Defence-in-depth is not optional when the exploit window is measured in hours.

The Bottom Line

The collapsing exploit window is not a future threat — it is the present reality. AI has permanently altered the balance between attackers and defenders, and organisations that cling to traditional patch cycles are accepting risk they may not survive.

The good news? The same AI capabilities accelerating attacks can be deployed defensively — automated vulnerability scanning, intelligent prioritisation, and rapid remediation workflows. The teams that invest in these capabilities now will be the ones still standing when the next critical CVE drops and the clock starts counting down from 24 hours.

At REPTILEHAUS, we help development teams build security into their foundations — from secure CI/CD pipelines and automated dependency management to runtime protection and incident response planning. If your vulnerability management programme was designed for a world that no longer exists, let’s talk.
