Morning Overview

Google warns that exploits now routinely arrive before patches — and attackers hand off access to other groups in under 22 seconds

In early 2025, Google’s Mandiant incident-response team documented something that upends a basic assumption of cybersecurity: in a growing number of cases, attackers are building working exploits for software vulnerabilities before the vendor has even shipped a fix. And once they break in, they are not lingering. Mandiant’s threat analysts observed initial network access being handed off to a second, separate threat group in as little as 22 seconds, a transfer so fast it suggests automation or pre-negotiated deals rather than any manual marketplace transaction.

The findings, drawn from Mandiant’s annual caseload of hundreds of incident-response engagements, were highlighted in the company’s Google Threat Intelligence reporting and reinforced during briefings in late 2024 and early 2025. They describe a threat landscape where the old rhythm of “discover, patch, protect” is collapsing under the speed of adversary operations.

Exploits are outrunning patches

The pattern Mandiant describes is not theoretical. It is visible in two U.S. government databases that anyone can query. The National Vulnerability Database, maintained by the National Institute of Standards and Technology, logs every cataloged CVE with publication dates, severity scores, and links to vendor advisories. Those timestamps make it possible to reconstruct exactly how long a flaw sat exposed before a patch became available.

CISA’s Known Exploited Vulnerabilities Catalog adds the critical second layer. The KEV list includes only vulnerabilities that CISA has confirmed are being exploited in real-world attacks, not hypothetical risks. When a CVE appears in both the NVD timeline and the KEV catalog, and the exploitation date precedes the patch date, the result is a documented case of attackers winning the race.

That race has produced some stark examples. Throughout 2024, CISA added dozens of CVEs to the KEV catalog for which vendor patches were either delayed or not yet available at the time of confirmed exploitation. Edge devices, VPN appliances, and file-transfer tools were frequent targets, categories of software that sit at the perimeter of corporate networks and are often exposed directly to the internet.
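The cross-check the two preceding paragraphs describe (a CVE in both the NVD timeline and the KEV catalog, with the exploitation date ahead of the patch date) can be scripted. The following is an added example and not code from the article, Mandiant or CISA. It assumes the real shape of the KEV JSON feed (a `vulnerabilities` list with `cveID` and `dateAdded`) and of the NVD API 2.0 response (`cve.id`, `cve.published`); the CVE identifiers and dates are constructed placeholders, and the patch-availability date is supplied from a separate constructed table standing in for the vendor advisory that NVD links to, since NVD itself does not record a fix date.

```python
"""Reconstruct exploitation-versus-patch timelines from KEV- and NVD-shaped records."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample in the shape of CISA's KEV feed. CVE ids are placeholders.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "dateAdded": "2024-03-04"},
        {"cveID": "CVE-0000-1002", "dateAdded": "2024-05-20"},
        {"cveID": "CVE-0000-1003", "dateAdded": "2024-06-11"},
    ]
}

# Constructed sample in the shape of the NVD API 2.0 response (publication timestamp only).
NVD_FEED = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-1001", "published": "2024-03-01T10:00:00.000"}},
        {"cve": {"id": "CVE-0000-1002", "published": "2024-05-01T08:00:00.000"}},
        {"cve": {"id": "CVE-0000-1003", "published": "2024-06-20T12:00:00.000"}},
        {"cve": {"id": "CVE-0000-1004", "published": "2024-07-02T00:00:00.000"}},
    ]
}

# Assumption: the date a vendor fix became available, as read from the advisory
# that NVD links to. None means no fix existed when the record was taken.
VENDOR_PATCH_DATES: Dict[str, Optional[str]] = {
    "CVE-0000-1001": "2024-03-15",
    "CVE-0000-1002": "2024-05-01",
    "CVE-0000-1003": None,
    "CVE-0000-1004": "2024-07-09",
}


@dataclass
class Timeline:
    cve_id: str
    published: date
    exploited: date      # KEV dateAdded: the day CISA confirmed exploitation
    patched: Optional[date]

    @property
    def exploited_before_patch(self) -> bool:
        # An unpatched-but-exploited flaw counts as attackers winning the race.
        return self.patched is None or self.exploited < self.patched

    @property
    def exposure_days(self) -> Optional[int]:
        # Days between confirmed exploitation and a fix; None while unpatched.
        # KEV's dateAdded lags first real-world use, so this is a lower bound.
        if self.patched is None:
            return None
        return (self.patched - self.exploited).days


def build_timelines(nvd_feed: dict, kev_feed: dict,
                    patch_dates: Dict[str, Optional[str]]) -> List[Timeline]:
    """Join NVD records to KEV entries; CVEs absent from KEV are not confirmed exploited."""
    kev_added = {v["cveID"]: date.fromisoformat(v["dateAdded"])
                 for v in kev_feed["vulnerabilities"]}
    timelines = []
    for item in nvd_feed["vulnerabilities"]:
        cve_id = item["cve"]["id"]
        if cve_id not in kev_added:
            continue
        published = date.fromisoformat(item["cve"]["published"][:10])
        patched_s = patch_dates.get(cve_id)
        patched = date.fromisoformat(patched_s) if patched_s else None
        timelines.append(Timeline(cve_id, published, kev_added[cve_id], patched))
    return timelines


def attackers_won(timelines: List[Timeline]) -> List[Timeline]:
    """The documented cases where exploitation was confirmed before a fix shipped."""
    return [t for t in timelines if t.exploited_before_patch]


if __name__ == "__main__":
    for t in attackers_won(build_timelines(NVD_FEED, KEV_FEED, VENDOR_PATCH_DATES)):
        print(t.cve_id, "exposure_days:", t.exposure_days)
```

On real data, `KEV_FEED` would be the JSON downloaded from CISA's published KEV feed and `NVD_FEED` the API response for the same CVE ids; the one field that still needs a manual or advisory-driven source is the fix date, which is why the example keeps it in its own table. Note that the resulting gap is a lower bound: KEV's `dateAdded` records when CISA confirmed exploitation, not when it began.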

Twenty-two seconds and the access-broker economy

The 22-second handoff figure is the detail most likely to stop security professionals mid-sentence. To put it in perspective: most organizations measure their incident-response timelines in hours or days. Mandiant is describing a world where the attacker who breaks in and the attacker who monetizes that access are different groups, and the transfer between them can happen before a defender has even registered an alert.

The speed points to a maturing criminal supply chain. Initial access brokers, operators who specialize in breaching networks and then selling that foothold, have been a known fixture of underground forums for years. What appears to be changing is the degree of automation and pre-arrangement involved. Security researchers have observed brokers advertising access in near-real time, with buyers ready to deploy ransomware, exfiltrate data, or install persistent backdoors almost immediately after purchase.

Mandiant has not published the full methodology behind the 22-second measurement, including how many incidents were sampled or over what period. That means the figure should be treated as credible but not independently verified. No third-party dataset has corroborated the specific number. Still, the broader trend it represents, that handoff times are shrinking dramatically, is consistent with what other incident-response firms and law-enforcement agencies have reported about the professionalization of cybercrime operations.

Why traditional patch cycles are breaking down

Most enterprise patch management programs operate on cycles measured in days to weeks. Microsoft ships updates on the second Tuesday of each month. Other vendors follow their own cadences. NIST’s SP 800-53 security controls, the framework that underpins federal cybersecurity compliance, assume a sequence: identify a flaw, apply the vendor fix, verify the remediation.

When exploits circulate before patches exist, that sequence breaks at the first step. There is no vendor fix to apply. Defenders are left relying on compensating controls (network segmentation, application allowlisting, tighter access policies) to hold the line until a patch arrives. Organizations that have not already deployed those layers are exposed from the moment a vulnerability becomes public, or in some cases, before it does.

The problem is compounded for small and mid-sized businesses. Mandiant’s caseload skews toward large enterprises and government agencies, the organizations that can afford six-figure incident-response retainers. Whether the same pre-patch exploitation pattern holds for smaller targets running older software with less frequent update cycles is an open question. CISA’s KEV catalog confirms that exploitation of unpatched flaws is widespread, but it does not publish frequency data granular enough to calculate how often exploitation precedes a patch versus follows one.

What defenders should do now

For security teams reading this in mid-2026, the practical steps are concrete. First, cross-reference your software inventory against CISA’s KEV catalog on a daily basis, not weekly. Any CVE that CISA has confirmed as actively exploited should jump to the front of the patching queue regardless of its CVSS severity score. A “medium” severity bug that is being exploited in the wild is a more urgent problem than a “critical” one that is not.

Second, assume that patches will sometimes arrive late. Build compensating controls into your baseline architecture so they are already in place when a zero-day drops. Network segmentation that limits lateral movement, endpoint detection tuned to post-exploitation behavior, and strict least-privilege access policies all reduce the blast radius of an intrusion that exploits an unpatched flaw.

Third, pressure your vendors. Organizations with purchasing power should ask software suppliers direct questions: What is your average time from CVE disclosure to patch release? Do you participate in coordinated disclosure programs? Do you monitor for pre-patch exploitation of your own products? These are procurement questions now, not just security questions.

Finally, recalibrate your assumptions about attacker timelines. If access can change hands in seconds, then detection and response measured in hours is not fast enough. Automated alerting, pre-authorized response playbooks, and 24/7 monitoring coverage are no longer aspirational goals for mature security programs. They are table stakes for any organization whose data or infrastructure would attract a motivated adversary.
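The first two steps above, a daily KEV cross-reference that puts confirmed-exploited CVEs ahead of everything else regardless of CVSS score and an explicit fallback to compensating controls when no fix exists, can be expressed as a small triage routine. This is an added example written for this article, not a tool from CISA or Mandiant. It assumes the real KEV feed fields `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse`; the asset inventory, product names, CVE ids and CVSS scores are constructed, and `patch_available` is a constructed scanner field standing in for whatever your vulnerability scanner reports.

```python
"""Rank a software inventory against a KEV-shaped feed: exploited first, CVSS second."""
from datetime import date
from typing import Dict, List

# Constructed sample in the shape of CISA's KEV feed. CVE ids are placeholders.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-2001", "dateAdded": "2024-09-10",
         "dueDate": "2024-10-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-2002", "dateAdded": "2024-09-12",
         "dueDate": "2024-10-03", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory: one row per asset and reported CVE. The medium-severity
# edge and file-transfer findings are the ones KEV flags; the 9.8 is not exploited.
INVENTORY: List[Dict] = [
    {"asset": "vpn-edge-01", "product": "ExampleVPN 9.1",
     "cve": "CVE-0000-2001", "cvss": 6.5, "patch_available": True},
    {"asset": "file-xfer-02", "product": "ExampleMFT 3.0",
     "cve": "CVE-0000-2002", "cvss": 5.3, "patch_available": False},
    {"asset": "app-srv-07", "product": "ExampleApp 2.2",
     "cve": "CVE-0000-2003", "cvss": 9.8, "patch_available": True},
    {"asset": "app-srv-08", "product": "ExampleApp 2.2",
     "cve": "CVE-0000-2004", "cvss": 7.5, "patch_available": True},
]


def prioritize(inventory: List[Dict], kev_feed: dict, today: date) -> List[Dict]:
    """Return inventory rows annotated with KEV status and ordered for the patch queue."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    rows = []
    for item in inventory:
        entry = kev.get(item["cve"])
        in_kev = entry is not None
        ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
        overdue = in_kev and date.fromisoformat(entry["dueDate"]) < today
        if not item["patch_available"]:
            # Step two of the article: no vendor fix, so the compensating
            # controls already in the baseline are what holds the line.
            action = "apply compensating controls; no vendor fix"
        elif in_kev:
            action = "patch now"
        else:
            action = "patch in normal cycle"
        rows.append({**item, "in_kev": in_kev, "ransomware": ransomware,
                     "overdue": overdue, "action": action})
    # KEV membership dominates the ordering; CVSS only breaks ties within a tier.
    rows.sort(key=lambda r: (not r["in_kev"], not r["ransomware"], -r["cvss"]))
    return rows


def daily_report(inventory: List[Dict], kev_feed: dict, today: date) -> List[str]:
    """One line per finding, in queue order, for the morning review."""
    return [f'{r["asset"]} {r["cve"]} cvss={r["cvss"]} kev={r["in_kev"]} '
            f'overdue={r["overdue"]} -> {r["action"]}'
            for r in prioritize(inventory, kev_feed, today)]


if __name__ == "__main__":
    for line in daily_report(INVENTORY, KEV_FEED, date.today()):
        print(line)
```

Run daily with the current KEV JSON in place of `KEV_FEED`, the queue puts the 6.5 and 5.3 findings ahead of the 9.8, which is exactly the inversion the article argues for: confirmed exploitation, not severity, decides who goes first. The `overdue` flag uses KEV's `dueDate`, the remediation deadline CISA sets for federal agencies, which is a reasonable yardstick for anyone else.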

Where the evidence stands

The core claim that pre-patch exploitation is accelerating rests on solid ground. NVD timelines and CISA’s KEV catalog provide publicly auditable proof that attackers are weaponizing vulnerabilities before fixes ship, and the trend has intensified over the past two years. Google’s Mandiant reporting adds operational detail, including the 22-second handoff figure, that no government database captures. That detail is credible given Mandiant’s position as one of the world’s largest incident-response practices, but it remains proprietary and unverified by outside researchers.

What is still missing is a complete picture of the mechanisms driving the acceleration. Automated exploit tooling, zero-day broker networks, and pre-arranged access sales are all plausible contributors, but no public study has isolated their individual effects. The full scope of impact across sectors and organization sizes also remains unclear, since incident-response data inherently overrepresents large organizations that engage forensic teams.

None of those gaps, however, change the practical calculus. The window between vulnerability disclosure and active exploitation is shrinking toward zero in enough documented cases to treat it as a systemic condition, not an outlier. Organizations that wait for perfect data before adjusting their defenses are, by definition, already behind.


*This article was researched with the help of AI, with human editors creating the final content.