When Citrix disclosed a critical flaw in its NetScaler networking equipment in late 2023, attackers began exploiting it within hours. The same pattern played out with vulnerabilities in Ivanti VPN appliances, Barracuda email gateways, and Progress Software’s MOVEit file transfer tool. Each time, the gap between public disclosure and real-world attack shrank to almost nothing.
Now Mandiant, the Google-owned threat intelligence firm, has put a number on the trend: 28.3% of newly disclosed software vulnerabilities face active exploitation within 24 hours of becoming public. The figure, drawn from the company’s closely watched M-Trends reporting, which synthesizes data from hundreds of incident response engagements each year, confirms what many security teams have felt on the ground. The window to patch is no longer measured in weeks. For a growing share of flaws, it is measured in hours.
What the data actually shows
Mandiant’s M-Trends reports have served as an industry benchmark for more than a decade, compiling findings from the firm’s frontline investigations into breaches at government agencies, Fortune 500 companies, and critical infrastructure operators worldwide. The 28.3% figure measures the share of new vulnerabilities where Mandiant observed exploitation attempts within the first day after public disclosure.
That finding aligns with what U.S. government tracking systems have been signaling independently. CISA’s Known Exploited Vulnerabilities (KEV) catalog, an authoritative registry of flaws confirmed to be weaponized in real attacks, has grown steadily since its launch in late 2021. Each entry carries a binding remediation deadline for federal civilian agencies under Binding Operational Directive 22-01, typically 14 to 21 days depending on severity. Those tight windows exist because CISA recognizes that exploitation is happening fast enough to outrun traditional patch cycles.
The National Vulnerability Database maintained by NIST provides a second reference point. Its public portal enriches each CVE record with severity scores, affected product identifiers, and timestamps that let researchers measure how quickly vulnerability information moves through the ecosystem. Together, the KEV catalog and the NVD confirm that rapid exploitation is not a fringe concern. It is the operating reality U.S. federal cybersecurity policy is now built around.
Where the picture gets complicated
The 28.3% statistic is striking, but several factors shape how it should be interpreted.
First, “disclosure” is not a single event. A vulnerability’s life cycle includes multiple milestones: the vendor’s initial security advisory, the assignment of a CVE identifier, the NVD’s enrichment and publication of the full record, and sometimes the release of public proof-of-concept exploit code. These events can be separated by hours or even weeks. If Mandiant’s 24-hour clock starts at a different point than the alert that triggers action inside most security operations centers, the practical risk window could be wider or narrower than the headline suggests.
That timing question became more urgent after the NVD experienced a well-documented processing backlog in 2024, during which enrichment of new CVE records slowed significantly. Organizations that depend on NVD data to trigger their patching workflows may have faced even larger gaps between real-world exploitation and internal awareness than Mandiant’s number implies.
Second, the statistic reflects Mandiant’s specific vantage point. The firm’s incident response client base skews toward large enterprises, government contractors, and high-value targets, exactly the organizations most likely to attract sophisticated attackers moving quickly. The 28.3% figure may overrepresent the exploitation pace for flaws in enterprise-grade infrastructure like VPN appliances, firewalls, and remote management tools, while underrepresenting the pace for vulnerabilities in consumer software or niche applications that draw less attacker interest.
Third, there is a meaningful difference between an exploitation attempt and a successful compromise. Automated scanners sweep the internet constantly, probing for known vulnerability signatures within minutes of a disclosure. If the 28.3% figure counts any observed exploit traffic, including failed probes, it captures a different risk than if it counts only confirmed intrusions. Mandiant has not published a granular breakdown distinguishing the two in connection with this specific metric.
Why the trend matters more than the precise number
Even with those caveats, the direction is unmistakable. Data from Mandiant, CISA, and other threat intelligence providers including Rapid7 and Palo Alto Networks’ Unit 42 all point to the same conclusion: the average time between vulnerability disclosure and first exploitation has compressed dramatically over the past five years. Attackers have industrialized the process of scanning for and weaponizing new flaws, using automation and shared toolkits to move faster than most defenders can respond through manual workflows.
The consequences hit hardest at organizations still running periodic patch cycles. A vulnerability disclosed on a Monday morning could be under active exploitation before most IT teams finish triaging their Tuesday ticket queue. Monthly or quarterly patching schedules, still common in industries with heavy change-management requirements, leave systems exposed for weeks during a window that attackers are now collapsing to hours.
For federal agencies, BOD 22-01 provides a forcing function, but even its 14-day remediation deadlines may lag behind the fastest exploitation timelines Mandiant describes. Private-sector organizations face no equivalent mandate, which means their response speed depends entirely on internal governance and tooling.
What security teams should do with this information
The practical response starts with rethinking how patch prioritization works. Severity scores matter, but speed of exploitation matters just as much. A vulnerability rated “medium” on the CVSS scale that is already being scanned for by automated attack tools may warrant faster action than a “critical” flaw with no known exploit in circulation. CISA’s KEV catalog offers a ready-made filter: if a vulnerability appears there, it has been confirmed as exploited in the wild and should move to the front of the remediation queue regardless of its CVSS rating.
Beyond prioritization, organizations need to build operational capacity for rapid response. That means pre-authorized emergency patching protocols for internet-facing systems, so that fixes for actively exploited flaws do not get stuck in multi-week change approval chains. It means automated vulnerability scanning that runs continuously rather than on a weekly or monthly schedule. And it means mapping internal asset inventories against CISA’s KEV entries and NVD severity data so that when a new high-priority flaw drops, the team already knows which systems are affected.
NIST’s risk management frameworks, including the SP 800-53 control families and the Cybersecurity Framework, provide structured approaches for embedding this kind of speed-sensitive prioritization into governance processes. Organizations that have adopted these frameworks can use them to justify the budget and staffing needed to move from scheduled maintenance to continuous vulnerability response.
Tracking internal remediation speed against external benchmarks also helps. Measuring how long it takes to patch a vulnerability after it appears in the KEV catalog creates a concrete performance metric. Over time, that data reveals whether patching processes are keeping pace with the threat environment or falling behind.
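As an added illustration of the two practices above (KEV-first prioritization and measuring time-to-remediate from the KEV "date added"), the following Python script is not from the article, Mandiant, or CISA. It assumes a feed using the field names of CISA's public KEV JSON (`vulnerabilities`, `cveID`, `dateAdded`, `dueDate`); the KEV entries, CVE IDs and scanner findings are all constructed sample data.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names only; entries are made up).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-04", "dueDate": "2024-03-25"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-03-10", "dueDate": "2024-03-24"},
]})

# Constructed scanner findings: asset, CVE, CVSS base score, and patch date (None = still open).
FINDINGS = [
    {"asset": "vpn-edge-01", "cve": "CVE-0000-0001", "cvss": 5.4, "patched": "2024-03-06"},
    {"asset": "web-app-07", "cve": "CVE-0000-0003", "cvss": 9.8, "patched": None},
    {"asset": "fw-dc-02", "cve": "CVE-0000-0002", "cvss": 7.2, "patched": None},
]


def load_kev(feed_json):
    """Index KEV entries by CVE ID so inventory matching is a dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(findings, kev):
    """KEV-listed findings go first (earliest KEV due date first), regardless of CVSS;
    everything else follows, ordered by CVSS descending."""
    def sort_key(f):
        entry = kev.get(f["cve"])
        if entry:
            return (0, entry["dueDate"], -f["cvss"])
        return (1, "", -f["cvss"])
    return sorted(findings, key=sort_key)


def days_to_remediate(findings, kev, today_iso):
    """Days from the KEV dateAdded to the patch date (or to today if still unpatched).
    Only KEV-listed findings are measured, giving the metric described in the text."""
    today = date.fromisoformat(today_iso)
    result = {}
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue
        added = date.fromisoformat(entry["dateAdded"])
        end = date.fromisoformat(f["patched"]) if f["patched"] else today
        result[(f["asset"], f["cve"])] = (end - added).days
    return result
```

With the sample data, the 9.8-rated finding with no KEV entry sorts behind both KEV-listed findings, and the unpatched KEV item shows its age growing each day it stays open.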
The race defenders can’t afford to lose
Mandiant’s 28.3% figure is best understood not as a precise universal measurement but as a credible signal from one of the industry’s most experienced incident response teams, reinforced by converging government data. The exact percentage matters less than what it represents: a threat landscape where attackers routinely beat defenders to the punch on newly disclosed flaws.
For organizations still treating vulnerability management as a scheduled chore, that reality demands a shift. The most resilient teams in June 2026 are the ones treating every new disclosure as a potential emergency, using authoritative government data to guide their priorities, and building the operational muscle to patch critical systems in hours rather than weeks. The attackers have already made their timeline clear. The only question is whether defenders can match it.
*This article was researched with the help of AI, with human editors creating the final content.