When Palo Alto Networks disclosed a critical flaw in its PAN-OS firewall software in late 2024, attackers were already exploiting it. The vulnerability had been weaponized before the company could ship a fix, leaving thousands of organizations exposed with no defensive option beyond pulling devices offline or applying makeshift workarounds. It was not an isolated case. According to research published by Google’s Mandiant threat intelligence team, the average time it takes attackers to exploit a newly disclosed software flaw dropped to just five days in its analysis of vulnerabilities first exploited in 2023, and 70 percent of the exploited vulnerabilities it tracked were zero-days, meaning they were exploited before any patch existed.
That finding aligns with a pattern documented across multiple independent sources: the window between a vulnerability becoming known and attackers weaponizing it has been collapsing for years, and it has now shrunk to the point where traditional patch-and-protect strategies routinely fail.
The data behind the trend
Two additional sources help frame how widespread and persistent this problem has become. A peer-reviewed study titled “Patching zero-day vulnerabilities: an empirical analysis,” published in 2021 in the Journal of Cybersecurity, applied survival-analysis methods to measure how long zero-day vulnerabilities persist before vendors release fixes. The study found multiple cases in which threat actors had working exploits days or weeks ahead of vendor advisories. Its statistical framework treated each vulnerability as a time-to-event observation, and the results showed that pre-patch exploitation is a recurring structural pattern, not a rare outlier.
On the government side, the Cybersecurity and Infrastructure Security Agency maintains its Known Exploited Vulnerabilities (KEV) catalog, a continuously updated list of software flaws with confirmed evidence of active exploitation. As of mid-2026, the catalog contains more than 1,100 entries spanning dozens of software products used across federal agencies and private enterprises. Each entry represents a case where CISA analysts confirmed that attackers were actively abusing a specific flaw. Cross-referencing those entries against vendor patch-release dates reveals how often exploitation is already underway when a fix finally ships.
Taken together, the Mandiant data, the academic research, and the federal catalog converge on the same conclusion: attackers are routinely beating defenders to the punch, and the fraction of vulnerabilities exploited before a patch is available is substantial. Mandiant’s 70 percent figure represents the most aggressive recent estimate; other analyses using different methodologies and datasets place the share lower, but consistently above 25 percent.
Why the gap keeps shrinking
Several forces are compressing the timeline. The most significant is automation. Once a proof-of-concept exploit surfaces on a security forum or in a vendor advisory’s technical details, attackers can adapt it into scanning tools and botnets that sweep the internet for unpatched systems within hours. The marginal cost of hitting one more target drops close to zero, while defenders still face the per-system burden of testing, scheduling, and deploying each fix.
Organizational friction makes the defender’s side even slower. Change-management processes, maintenance windows, compatibility testing, and the need to avoid disrupting critical operations all add days or weeks to patch deployment. A security team may recognize a flaw’s severity immediately but still have to negotiate downtime with application owners and wait for third-party vendors to validate updates. During that delay, automated exploit infrastructure is already probing for exposed services.
The economics are lopsided by design. Writing a reliable exploit for a newly disclosed flaw is a one-time investment that can be reused across thousands of targets. Defending against it requires patching every vulnerable instance, often across mixed environments that include legacy systems resistant to updates. Even a small reduction in the time needed to weaponize a vulnerability translates into a disproportionate advantage for attackers.
Recent examples that illustrate the speed
The pattern has played out repeatedly in high-profile incidents. In early 2024, Ivanti disclosed vulnerabilities in its Connect Secure VPN appliances that were already under active exploitation by suspected state-sponsored groups. CISA issued an emergency directive requiring federal agencies to disconnect affected devices, an unusual step that reflected how little time defenders had to respond. Months earlier, the MOVEit Transfer vulnerability exploited by the Cl0p ransomware group followed a similar arc: mass exploitation began before most organizations were even aware the flaw existed, ultimately affecting hundreds of companies and millions of individuals.
These are not obscure products. They are widely deployed enterprise tools, and the speed of exploitation meant that even well-resourced security teams were caught flat-footed. The incidents underscore a point the data already makes: waiting for a patch and then scheduling a rollout is no longer a viable standalone strategy.
What organizations can do now
Patching remains essential. Timely updates are still the single most effective way to close a known vulnerability, especially once exploitation is confirmed. But the evidence from Mandiant, the Journal of Cybersecurity study, and the KEV catalog points to the same practical reality: patching must sit inside a broader strategy that assumes exploitation may begin before a fix is available.
One shift gaining traction among security teams is treating vulnerability management less like scheduled maintenance and more like incident response. When a flaw appears in the KEV catalog, some organizations now assign it an incident ticket, designate an owner, and track remediation with the same urgency they would apply to an active breach. That approach forces faster decisions, clearer communication with business stakeholders, and better documentation of residual risk when a patch cannot be applied immediately.
Compensating controls fill part of the gap during the pre-patch window. Network segmentation limits how far an attacker can move after an initial compromise. Application allowlisting and endpoint detection tools can block or flag exploit behavior even when the underlying code is still vulnerable. Web application firewalls and runtime protection add another layer at the application level. None of these replace patching, but they reduce the blast radius when a patch is not yet available or not yet deployed.
Monitoring external intelligence sources also helps. Automating alerts tied to new KEV catalog entries gives security teams hours or days of lead time compared to waiting for vendor emails or scheduled scan results. Pairing that with data from sources like Mandiant’s annual threat reports and Rapid7’s vulnerability intelligence research provides a more grounded picture of attacker behavior than marketing-driven threat briefs alone.
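The following Python script is an added example, not code from the original article or from CISA, showing what the incident-style handling of KEV entries described in the two preceding paragraphs looks like in practice: pull the catalog, diff it against the entries already processed, match new entries against an asset inventory, and open a prioritized ticket with an owner and a due date for each hit. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse, requiredAction) are those of the real KEV JSON feed; the sample feed, the CVE identifiers of the form CVE-2099-000N, the vendors, hosts and owners are constructed placeholders, and the three-day limit for P1 tickets is an assumed internal policy, not a CISA rule. A production run would fetch the feed from KEV_FEED_URL and persist the seen-ID set between runs; the sample is embedded so the script runs offline.

```python
"""KEV-driven alerting: treat each new Known Exploited Vulnerabilities entry that
matches software we run as an incident with a priority, an owner and a due date."""
import json
from datetime import date, timedelta

# Live feed location; in production replace SAMPLE_KEV_FEED with its contents.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the real KEV feed. Field names match the
# feed; the CVE IDs, vendors, products and dates are invented placeholders.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.06.15",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
         "vulnerabilityName": "ExampleVendor Edge Gateway Command Injection Vulnerability",
         "dateAdded": "2026-06-15", "shortDescription": "Constructed entry.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
         "dueDate": "2026-07-06", "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-77"]},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "Transfer Server",
         "vulnerabilityName": "ExampleVendor Transfer Server Authentication Bypass Vulnerability",
         "dateAdded": "2026-06-15", "shortDescription": "Constructed entry.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
         "dueDate": "2026-07-06", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-287"]},
        {"cveID": "CVE-2099-0003", "vendorProject": "OtherCorp", "product": "Desktop Suite",
         "vulnerabilityName": "OtherCorp Desktop Suite Use-After-Free Vulnerability",
         "dateAdded": "2026-05-01", "shortDescription": "Constructed entry.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
         "dueDate": "2026-05-22", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-416"]},
    ],
})

# Constructed asset inventory: hypothetical hosts, owners and exposure flags.
INVENTORY = [
    {"vendor": "ExampleVendor", "product": "Edge Gateway", "hostname": "vpn-edge-01", "owner": "netops", "internet_exposed": True},
    {"vendor": "ExampleVendor", "product": "Edge Gateway", "hostname": "vpn-edge-02", "owner": "netops", "internet_exposed": True},
    {"vendor": "ExampleVendor", "product": "Transfer Server", "hostname": "mft-01", "owner": "appteam", "internet_exposed": False},
    {"vendor": "OtherCorp", "product": "Desktop Suite", "hostname": "ws-fleet", "owner": "endpoint", "internet_exposed": False},
]

# Assumed internal policy (not a CISA rule): P1 tickets get at most three days,
# even when the catalog's federal remediation due date is further out.
P1_MAX_DAYS = 3
SAMPLE_TODAY = date(2026, 6, 16)  # fixed "today" so the example is reproducible


def load_feed(feed_text):
    """Parse the feed and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def new_entries(entries, seen_ids):
    """Entries not processed on an earlier run (persist seen_ids in a file or DB)."""
    return [e for e in entries if e["cveID"] not in seen_ids]


def affected_assets(entry, inventory):
    """Case-insensitive match on vendor and product. The feed does not carry
    affected version ranges, so a real inventory check must also compare versions."""
    vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
    return [a for a in inventory if a["vendor"].lower() == vendor and a["product"].lower() == product]


def open_ticket(entry, assets, today):
    """Build one incident ticket: P1 if anything affected is internet-exposed or the
    flaw is tied to ransomware campaigns, otherwise P2; due date per P1_MAX_DAYS."""
    exposed = any(a["internet_exposed"] for a in assets)
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    priority = "P1" if (exposed or ransomware) else "P2"
    cisa_due = date.fromisoformat(entry["dueDate"])
    internal_due = min(cisa_due, today + timedelta(days=P1_MAX_DAYS)) if priority == "P1" else cisa_due
    return {
        "cve": entry["cveID"],
        "title": entry["vulnerabilityName"],
        "priority": priority,
        "reasons": [r for r, hit in (("internet-exposed", exposed), ("ransomware-use", ransomware)) if hit],
        "hosts": sorted(a["hostname"] for a in assets),
        "owners": sorted({a["owner"] for a in assets}),
        "required_action": entry["requiredAction"],
        "cisa_due": cisa_due.isoformat(),
        "internal_due": internal_due.isoformat(),
        "days_left": (internal_due - today).days,
        "overdue": internal_due < today,
    }


def build_tickets(feed_text, seen_ids, inventory, today):
    """One ticket per new KEV entry that matches something we run, most urgent first."""
    tickets = []
    for entry in new_entries(load_feed(feed_text), seen_ids):
        assets = affected_assets(entry, inventory)
        if assets:
            tickets.append(open_ticket(entry, assets, today))
    tickets.sort(key=lambda t: (t["priority"], t["internal_due"]))
    return tickets


if __name__ == "__main__":
    already_processed = {"CVE-2099-0003"}  # handled on an earlier run
    for t in build_tickets(SAMPLE_KEV_FEED, already_processed, INVENTORY, SAMPLE_TODAY):
        print(f"{t['priority']} {t['cve']} due {t['internal_due']} ({t['days_left']}d left) "
              f"owners={','.join(t['owners'])} hosts={','.join(t['hosts'])} reasons={t['reasons']}")
```

The script deliberately opens one ticket per CVE rather than per host, so the owner sees the full blast radius in a single place, and it records the residual-risk inputs (exposure, ransomware use, the catalog's own due date) that a stakeholder discussion about delaying a patch will need. Run from cron or a pipeline step, the diff against the seen-ID set is what turns the catalog into a feed of incidents rather than a list to read.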
The race defenders cannot afford to lose
The shrinking window between disclosure and exploitation is not a trend that is likely to reverse. Attacker tooling is becoming more efficient, vulnerability research is more widely shared, and the sheer volume of new flaws disclosed each year continues to grow. For defenders, the math is unforgiving: every vulnerability is a race, and losing even a fraction of those races can mean a breach.
What the current evidence does make clear is that the old model of quarterly patch cycles and reactive security is structurally inadequate for the threat environment organizations face in 2026. The organizations that fare best will be those that treat every confirmed exploitation as an emergency, layer defenses so that no single control is a point of failure, and accept that the contest between attackers and defenders is now measured in hours, not weeks.
*This article was researched with the help of AI, with human editors creating the final content.