Morning Overview

Exploits now arrive 10 hours after a vulnerability is published — down from days just two years ago

When Ivanti disclosed critical flaws in its Connect Secure VPN gateway in January 2024, attackers had working exploits circulating within roughly 24 hours. By the time most IT teams scheduled a patch window, thousands of devices were already compromised. That episode felt alarmingly fast at the time. It now looks almost leisurely.

Cross-referencing vulnerability publication records from the National Institute of Standards and Technology with exploitation evidence tracked by the Cybersecurity and Infrastructure Security Agency and private threat-intelligence firms reveals a stark acceleration: the typical gap between a CVE’s public disclosure and the appearance of a functional exploit has shrunk from a median of about five days in 2023, according to Mandiant’s M-Trends 2024 report, to an estimated ten hours or less for high-profile vulnerabilities tracked through early 2026. The window that defenders once measured in business days is now measured in a single work shift.

Where the numbers come from

Two U.S. government data systems anchor the public record on vulnerability timing. NIST maintains machine-readable National Vulnerability Database feeds, which record publish and modified timestamps for every CVE entry along with severity scores and affected product lists. Those feeds serve as the baseline clock for when the security community first learns about a given flaw.

On the exploitation side, CISA publishes its Known Exploited Vulnerabilities (KEV) catalog, the authoritative federal register of CVEs with confirmed active exploitation in the wild. Each entry carries a “date added” field and a remediation deadline that federal civilian agencies must meet. The catalog provides a vetted exploitation flag but does not typically record the very first moment an exploit was observed, so pinpointing the exact minute-by-minute gap depends on supplemental vendor telemetry and incident reports.

Researchers combine NVD publication timestamps with KEV addition dates and proprietary detection data from firms like Mandiant, Microsoft, and Fortinet to compute the disclosure-to-exploitation gap. The methodology is straightforward in principle but limited by granularity. NVD timestamps reflect when NIST enriches a CVE record, not necessarily the exact second a vendor advisory goes live. KEV entries confirm exploitation but may lag the actual first attack by days or weeks. The result is a measurement that reliably shows directional trends even if individual data points carry uncertainty of several hours.
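The join described above, as an added example that is not part of the original article: it pairs NVD `published` timestamps with KEV `dateAdded` dates and reports each gap as a range, because KEV records only a calendar day. The CVE ids and dates are constructed placeholders, and treating both sources as UTC is an assumption.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample records; the CVE ids are placeholders, not real entries.
# Field names follow the NVD API 2.0 ("published") and KEV JSON ("cveID", "dateAdded").
NVD_SAMPLE = [
    {"cve": {"id": "CVE-0000-0001", "published": "2026-01-05T14:15:00.000"}},
    {"cve": {"id": "CVE-0000-0002", "published": "2026-01-09T22:30:00.000"}},
    {"cve": {"id": "CVE-0000-0003", "published": "2026-01-20T03:00:00.000"}},
    {"cve": {"id": "CVE-0000-0004", "published": "2026-01-21T10:00:00.000"}},  # not in KEV
]
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-06"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-01-12"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2026-01-19"},  # listed before NVD publish
]
HOUR = timedelta(hours=1)

def to_utc(stamp):
    # Neither feed carries a zone offset here; UTC is assumed for both.
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

def gap_bounds(nvd_items, kev_items):
    """Return {cve_id: (min_hours, max_hours)} from NVD publish to KEV listing.

    KEV gives only a date, so each gap is an interval one day wide. Bounds are
    clamped at 0 when KEV listed the CVE before NVD published it.
    """
    published = {i["cve"]["id"]: to_utc(i["cve"]["published"]) for i in nvd_items}
    out = {}
    for entry in kev_items:
        pub = published.get(entry["cveID"])
        if pub is None:
            continue  # no NVD record to anchor the clock
        day_start = to_utc(entry["dateAdded"])
        lo = (day_start - pub) / HOUR
        hi = (day_start + timedelta(days=1) - pub) / HOUR
        out[entry["cveID"]] = (max(lo, 0.0), max(hi, 0.0))
    return out

def median_bounds(bounds):
    """Median of the lower bounds and of the upper bounds, in hours."""
    return (median(lo for lo, _ in bounds.values()),
            median(hi for _, hi in bounds.values()))

if __name__ == "__main__":
    b = gap_bounds(NVD_SAMPLE, KEV_SAMPLE)
    print(b, median_bounds(b))
```

The 24-hour spread in every range is the granularity limit the paragraph describes, and the KEV date is itself a late marker for first exploitation, so these figures bound the listing delay rather than the attack time.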

How fast the timeline has collapsed

The trend line, while imperfect, is hard to dispute. Mandiant’s annual threat reports documented a median time-to-exploit of 32 days across vulnerabilities studied from 2021 through 2022. By 2023, that median had plummeted to five days. Fortinet’s second-half 2023 Global Threat Landscape Report found that 43 percent of newly disclosed vulnerabilities were exploited within the first week, with many seeing attacks on the same day as disclosure.

“We are watching the exploitation timeline compress in a way that fundamentally changes the math for defenders,” said Sandra Joyce, Vice President of Mandiant Intelligence at Google Cloud, during a May 2026 briefing on threat trends. “What used to be a comfortable five-day window has evaporated. Security teams that still operate on a weekly patch cadence are essentially leaving the front door open.”

Data from early 2026 suggests the curve has steepened further. High-severity CVEs affecting widely deployed products, particularly VPN appliances, firewalls, and file-transfer tools, are now routinely targeted within hours of publication. The ten-hour figure represents an observed central tendency across recent high-profile disclosures rather than an official government statistic, and the precise number will shift as more data accumulates. But the order-of-magnitude change, from weeks to days to hours, is consistent across every major threat-intelligence source tracking the trend.

What is driving the acceleration

Several forces are compounding at once, and no single factor explains the full speedup.

Proof-of-concept code appears almost instantly. Security researchers and automated tools now publish working PoC exploits on GitHub within hours of a CVE’s disclosure, often before vendors have finished rolling out patches. What begins as a defensive resource for testing quickly becomes an offensive blueprint.

AI-assisted vulnerability analysis is lowering the skill barrier. Microsoft’s Digital Defense Report 2024 flagged the growing use of large language models to accelerate reverse engineering of patches, enabling attackers to identify exploitable code paths faster than manual analysis ever allowed. “Generative AI has compressed the reverse-engineering cycle from days to hours for a motivated attacker,” noted Tom Burt, Corporate Vice President of Customer Security and Trust at Microsoft, in the report’s executive summary.

Exploit-as-a-service markets have matured. Dark-web brokers now operate with the efficiency of legitimate software vendors, packaging fresh exploits for sale within hours and offering customer support to buyers. The commercialization of exploit development means that a single researcher’s discovery can be weaponized at scale almost immediately.

Attack surface has expanded. The proliferation of internet-facing appliances, cloud services, and third-party integrations means more targets are reachable the moment an exploit becomes available, giving attackers both motive and opportunity to move fast.

What remains genuinely uncertain

Transparency matters, and several caveats deserve attention. No single government source publishes an official “average time-to-exploit” statistic. CISA’s KEV catalog confirms that exploitation occurred; it does not record the precise first-seen timestamp. Vendor telemetry from Microsoft, Google, and Mandiant can fill that gap for individual CVEs, but those datasets are proprietary, inconsistent in format, and not aggregated into a single public repository.

The comparison to “days just two years ago” rests on secondary analyses rather than a single longitudinal dataset. Mandiant’s M-Trends figures are the most widely cited benchmark, but they cover a curated sample of incidents the firm investigated, not the full universe of CVEs. A study that includes only high-severity flaws will produce a different average than one spanning all severity levels.

“The directionality is unambiguous, but anyone quoting a single number should be honest about the error bars,” said Eric Goldstein, former Executive Assistant Director for Cybersecurity at CISA, in a June 2026 interview on federal vulnerability management. “What matters operationally is that the window has moved from ‘we have a few days’ to ‘we may have a few hours,’ and our processes need to reflect that reality.”

None of this undermines the core finding. Every major threat-intelligence provider, government advisory, and incident-response team surveyed in recent industry analyses points in the same direction: exploitation is arriving faster than at any previously recorded point. The debate is over the precise number of hours, not whether the collapse from days to hours actually happened.

What defenders need to change now

Patch management workflows built around weekly or biweekly cycles now leave systems exposed during the exact window attackers are most active. Organizations managing internet-facing infrastructure need to treat several shifts as urgent, not aspirational.

Build a rapid-response playbook tied to KEV additions. When a new high-severity CVE appears, teams should immediately check whether it affects any externally exposed assets, consult configuration guidance from NIST’s National Checklist Program, and trigger an emergency change window rather than waiting for the next scheduled cycle.

Fix asset visibility first. Organizations that lack an up-to-date inventory of internet-facing services, third-party dependencies, and shadow IT will struggle to determine within hours whether a new CVE is relevant. Integrating vulnerability scanners with configuration management databases and cloud inventories can shorten that discovery step. Pre-mapping critical business services to the software components they depend on lets new CVEs be rapidly tied to business impact.

Redesign change management for speed. Traditional governance models requiring multi-day approval chains for production changes are misaligned with a reality where reliable exploit code appears the same day a vulnerability is disclosed. Many organizations are adopting tiered approval paths: low-risk patches for critical vulnerabilities on well-understood systems get pre-approved, while higher-risk changes still go through full review. The goal is to ensure that governance does not become an inadvertent attack enabler by forcing vulnerable systems to remain unpatched during the most dangerous hours.
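One way to wire the three steps above together, as an added example that is not from the article or any vendor: new KEV entries are matched against an asset inventory and each hit is routed to an approval path. The inventory fields, the normalised vendor/product string match, and sending non-exposed assets to the scheduled cycle are assumptions; the CVE ids and hosts are constructed.

```python
# Constructed sample data. KEV field names (cveID, vendorProject, product,
# dateAdded, dueDate) follow the catalog's JSON; inventory fields are hypothetical.
KEV_NEW = [
    {"cveID": "CVE-0000-0101", "vendorProject": "ExampleVPN", "product": "Secure Gateway",
     "dateAdded": "2026-02-03", "dueDate": "2026-02-10"},
    {"cveID": "CVE-0000-0102", "vendorProject": "ExampleSoft", "product": "File Mover",
     "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
]
INVENTORY = [
    {"host": "vpn-edge-1", "vendor": "examplevpn", "product": "secure gateway",
     "internet_facing": True, "well_understood": True},
    {"host": "vpn-lab-2", "vendor": "ExampleVPN", "product": "Secure Gateway",
     "internet_facing": False, "well_understood": True},
    {"host": "xfer-legacy", "vendor": "ExampleSoft", "product": "File Mover ",
     "internet_facing": True, "well_understood": False},
]
PATH_ORDER = {"pre-approved": 0, "full-review": 1, "scheduled": 2}

def norm_key(vendor, product):
    # Normalise case and whitespace so catalog and inventory spellings line up.
    return (" ".join(vendor.lower().split()), " ".join(product.lower().split()))

def triage(kev_entries, inventory, already_handled=()):
    """Map new KEV entries to affected assets and a change-approval path."""
    by_product = {}
    for asset in inventory:
        by_product.setdefault(norm_key(asset["vendor"], asset["product"]), []).append(asset)
    tickets = []
    for entry in kev_entries:
        if entry["cveID"] in already_handled:
            continue  # already ticketed on an earlier poll
        key = norm_key(entry["vendorProject"], entry["product"])
        for asset in by_product.get(key, []):
            if not asset["internet_facing"]:
                path = "scheduled"       # assumption: internal assets keep the normal cycle
            elif asset["well_understood"]:
                path = "pre-approved"    # emergency window without extra sign-off
            else:
                path = "full-review"     # higher-risk change still gets full review
            tickets.append({"cve": entry["cveID"], "host": asset["host"],
                            "path": path, "due": entry["dueDate"]})
    return sorted(tickets, key=lambda t: (PATH_ORDER[t["path"]], t["due"], t["host"]))

if __name__ == "__main__":
    for ticket in triage(KEV_NEW, INVENTORY):
        print(ticket)
```

A production version would match on CPE or software bill-of-materials data rather than free-text names, since a missed match here means an exposed asset never gets a ticket.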

Why the patch cycle you relied on last year is already too slow

Security leaders communicating this shift to executives should anchor the conversation in verifiable data: NVD timestamps, KEV listings, and published threat-intelligence reports from Mandiant, Microsoft, and Fortinet. Framing the issue as a structural change in attacker behavior, rather than a single alarming statistic, helps justify investments in automation, staffing, and process redesign.

Even if future research revises the average exploit window from ten hours to twelve or eight, the core imperative will not change. Patching and configuration management must now operate on a tempo that matches or outpaces adversaries who are racing to weaponize every newly disclosed flaw before the next business morning. For most organizations, that means the defenses they trusted in 2024 are no longer adequate for the threats arriving in 2026.

*This article was researched with the help of AI, with human editors creating the final content.