Morning Overview

Mandiant just confirmed 28% of new vulnerabilities are now weaponized within 24 hours of disclosure — outrunning almost every patch cycle in the world

In May 2026, most enterprise IT teams still measure their patch cycles in days or weeks. Attackers, according to threat-intelligence data from Mandiant (now part of Google Cloud), are increasingly measuring theirs in hours.

The statistic making the rounds in cybersecurity circles is stark: roughly 28 percent of newly disclosed software vulnerabilities are weaponized within 24 hours of publication. That figure, attributed to Mandiant’s threat-intelligence research, has not been published in a single standalone dataset open to independent audit. But it aligns closely with a trajectory the company has documented in public reports for years, and the broader trend it describes is backed by hard government data.

The exploitation window is collapsing, and the data proves it

Mandiant’s M-Trends 2024 report, published in April 2024, found that the median time between vulnerability disclosure and first observed exploitation had dropped to just five days. That is down from 32 days the year before and 63 days in 2018. The same report noted that for the first time, zero-day exploitation (attacks that hit before a patch even exists) outpaced n-day exploitation across the incidents Mandiant investigated.

Five days is a median, meaning half of exploited vulnerabilities were weaponized even faster. A 28-percent-within-24-hours figure sits comfortably within that distribution. While the precise ratio remains an attributed industry estimate rather than a peer-reviewed measurement, the direction is not in dispute.

Government records reinforce the picture. CISA’s Known Exploited Vulnerabilities (KEV) Catalog lists flaws that federal agencies must remediate on binding deadlines because active exploitation has been confirmed. Cross-referencing KEV addition dates with National Vulnerability Database (NVD) publication dates shows that some entries land in the catalog within a single day of disclosure. The Palo Alto Networks PAN-OS command injection flaw (CVE-2024-3400), for example, was added to KEV the same day its advisory went public in April 2024, with exploitation already underway. The MOVEit Transfer vulnerability (CVE-2023-34362) followed a similar pattern in 2023, with the Cl0p ransomware group exploiting it at scale before most organizations even knew the flaw existed.

Why definitions matter

Not every “weaponized” vulnerability carries the same real-world risk, and the distinction matters when interpreting a number like 28 percent.

“Weaponized” can mean a proof-of-concept exploit posted to GitHub within hours of a CVE’s publication. It can also mean a fully operational attack chain deployed against production systems by a ransomware crew or a state-sponsored group. A proof-of-concept that surfaces quickly is a signal that attackers are paying attention, but it does not automatically translate into mass exploitation. A confirmed in-the-wild attack is a different category of threat entirely.

Mandiant has not published the methodology behind the 28-percent figure in a way that lets outside researchers determine which definition was used, what sample of CVEs was included, or over what time period the measurement was taken. That opacity is common in commercial threat intelligence: firms like Mandiant, CrowdStrike, and Recorded Future observe attacks across large client bases and can measure exploitation timelines with granularity that public databases lack, but their underlying data is proprietary.

For defenders, the practical question is less about the exact percentage and more about what it implies for process design. If even a quarter of new high-severity vulnerabilities could face exploitation attempts within a day, monthly patch cycles are structurally inadequate for the highest-risk flaws.

Where official guidance falls short

Organizations looking for rapid-response direction from federal sources will find a gap. NIST’s SP 800-53 security control catalog maps vulnerabilities to recommended safeguards, but it functions as a long-term risk-management framework, not a same-day playbook. Controls are updated on their own schedule, and they do not include CVE-specific remediation steps timed to the hours after disclosure.

The NVD itself, while authoritative for severity scores and reference links, does not track when a vulnerability was first exploited in the wild. CISA’s KEV catalog confirms that exploitation occurred but records the date an entry was added to the list, not the date the first attack was observed. That distinction introduces a lag that makes it difficult to reconstruct precise exploitation timelines from public records alone.

This is not a failure of the system so much as a reflection of what these tools were built to do. Government databases provide the foundation. Threat-intelligence firms provide the speed layer. Organizations that rely on only one without the other are flying partially blind.

What security teams should do now

The shrinking exploitation window demands changes to how organizations triage and deploy patches. Several steps can close the gap between awareness and action:

Subscribe to the CISA KEV feed and automate ingestion. KEV entries carry binding remediation deadlines for federal agencies, but any organization can use the catalog as a priority filter. Flaws that appear in KEV within days of NVD publication deserve emergency treatment, not the standard change-management queue. Tooling that continuously maps KEV updates against an organization’s asset inventory can compress response times from weeks to hours.

Layer in EPSS scores for prioritization. FIRST’s Exploit Prediction Scoring System (EPSS) estimates the probability that a vulnerability will be exploited in the wild within 30 days. Combining EPSS with CVSS severity scores and KEV status gives security teams a more nuanced triage framework than any single metric provides alone.

Create a break-glass patching path. Traditional change-control boards that convene weekly cannot keep pace with vulnerabilities already under active exploitation. Many mature security programs now maintain an exception process for emergency patches: predefined criteria (KEV listing, high CVSS, internet-facing exposure, public exploit code) that trigger accelerated deployment without waiting for the next scheduled maintenance window.

Harden before the patch arrives. Configuration controls like network segmentation, application allowlisting, and least-privilege access do not stop attackers from developing exploits, but they limit how far a compromise can spread. When a critical flaw breaks and no patch is available yet, these controls buy time. NIST’s configuration checklists and CIS Benchmarks provide actionable baselines.

Pre-build communication playbooks. When a high-impact vulnerability drops, coordination between security teams, application owners, and business leaders often becomes the slowest link. Predefined playbooks for common vulnerability classes (remote code execution on perimeter devices, authentication bypass in web applications) should specify who approves emergency downtime, how stakeholders are notified, and what temporary mitigations apply if a patch cannot be installed immediately.
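As an added example (not the article's or Mandiant's code), a small Python triage routine that joins a KEV feed excerpt and an asset inventory with CVSS/EPSS enrichment and routes each finding to the break-glass, expedited or standard patch path described in the steps above. All feed entries, inventory hosts, scores and dates are constructed sample data, and the CVSS and EPSS thresholds are assumptions to tune per organization.

```python
import json

# Constructed excerpt in the shape of CISA's KEV JSON feed; dates are placeholders.
KEV_FEED = json.loads('''{"vulnerabilities": [
  {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
   "dateAdded": "2024-04-12", "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"}]}''')

# Constructed asset inventory: which CVEs affect which hosts and whether each host is exposed.
ASSETS = [
    {"host": "fw-edge-01", "cves": ["CVE-2024-3400"], "internet_facing": True},
    {"host": "app-int-03", "cves": ["CVE-2024-3400"], "internet_facing": False},
    {"host": "build-07", "cves": ["CVE-2099-0001"], "internet_facing": False},
]
# Constructed enrichment: CVSS base score, EPSS 30-day probability, public exploit code seen.
ENRICH = {
    "CVE-2024-3400": {"cvss": 10.0, "epss": 0.96, "public_poc": True},
    "CVE-2099-0001": {"cvss": 7.5, "epss": 0.02, "public_poc": False},  # placeholder CVE id
}

def kev_index(feed):
    """Map cveID -> KEV entry so triage can check listing (and due date) in O(1)."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def triage(cve, asset, kev, enrich, epss_threshold=0.5, cvss_threshold=9.0):
    """Return (path, signals) where path is 'break-glass', 'expedite' or 'standard'.
    Signals mirror the emergency criteria: KEV, high CVSS, exposure, public exploit code, EPSS."""
    e = enrich.get(cve, {})
    signals = []
    if cve in kev:
        signals.append("KEV")
    if e.get("cvss", 0.0) >= cvss_threshold:
        signals.append("high CVSS")
    if e.get("epss", 0.0) >= epss_threshold:
        signals.append("high EPSS")
    if e.get("public_poc"):
        signals.append("public exploit code")
    if asset["internet_facing"]:
        signals.append("internet-facing")
    # Confirmed or likely exploitation on an exposed host skips the weekly change board.
    if asset["internet_facing"] and ("KEV" in signals or "high EPSS" in signals):
        return "break-glass", signals
    # Any risk signal beyond bare exposure still goes ahead of the monthly cycle.
    if [s for s in signals if s != "internet-facing"]:
        return "expedite", signals
    return "standard", signals

def triage_all(assets=ASSETS, feed=KEV_FEED, enrich=ENRICH):
    kev = kev_index(feed)  # result keyed by (host, cve) for the remediation queue
    return {(a["host"], c): triage(c, a, kev, enrich) for a in assets for c in a["cves"]}
```

In practice the KEV and EPSS inputs would be fetched on a schedule and the inventory pulled from the CMDB; the routing logic stays the same.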

Defenders cannot wait for perfect data

The unresolved sourcing around the 28-percent figure reflects a broader reality in cybersecurity: defenders rarely operate with fully transparent, independently verifiable data about attacker behavior. They work with partial government records, proprietary threat-intelligence snapshots, and frameworks designed for long-term governance rather than real-time response.

Waiting for a peer-reviewed, fully auditable exploitation-speed metric before updating patching practices would be a costly mistake. The convergence of Mandiant’s M-Trends data, CISA’s KEV catalog patterns, and the observable behavior of threat actors in recent years all point in the same direction. The window between disclosure and exploitation is collapsing, and for a meaningful share of new vulnerabilities, it has already closed to less than a day.

Security teams that assume any high-severity flaw could be exploited within hours of disclosure will design faster processes, invest in better tooling, and build the communication channels needed to act before damage spreads. In a landscape where attackers routinely move faster than patch cycles, that assumption is not paranoia. It is operational realism.

*This article was researched with the help of AI, with human editors creating the final content.
