Slower Than the Hackers: Why “Negative Time-to-Exploit” is Killing Traditional Security
Vulnerabilities have begun to outpace defensive measures not merely by hours but by entire days, often before a formal fix is even released. According to recent empirical analyses, the average Time-to-Exploit for the most dangerous defects has fallen to a staggering negative seven days. In essence, adversaries are increasingly adept at weaponizing flaws before a vendor can distribute a patch. Consequently, the traditional defensive paradigm—identify a discrepancy, generate a ticket, and navigate a protracted manual approval chain—is not merely failing in isolation; it is collapsing entirely.
The research conducted by the Qualys Threat Research Unit, which draws upon over a billion vulnerability remediation records from the CISA KEV catalog across ten thousand organizations over four years, paints a grim portrait. Since 2022, the sheer volume of vulnerabilities has surged 6.5-fold. Paradoxically, the proportion of critical flaws remaining unaddressed by the seventh day has escalated from 56% to 63%. While security teams are processing a significantly higher volume of tickets, the status of truly catastrophic threats has not improved.
The authors emphasize that this stagnation is not due to a lack of industry diligence. Organizations are currently remediating 400 million more vulnerability events annually than at the study’s inception. Personnel are laboring more intensely, processes have proliferated, and task completion rates have climbed. Yet, in the “red zone” where risk transmutes into a breach, progress is virtually non-existent. Researchers define this impediment as the “human ceiling”—a structural limitation where neither additional recruitment nor heightened discipline can sustain a model originally architected for a far more leisurely offensive tempo.
This is most vividly illustrated by vulnerabilities with a documented exploitation chronology. In a sample of 52 high-profile bugs, 88% of organizations were slower to remediate the flaw than the adversaries were to exploit it. Remarkably, half of these vulnerabilities were subjected to active exploitation prior to the existence of a patch.
The disparities highlighted in the report are unsettling even by industry standards. Spring4Shell saw exploitation commence two days before public disclosure, while the average enterprise required 266 days to achieve remediation. A similar trajectory was observed with a Cisco IOS XE vulnerability: exploitation began a month earlier than anticipated by defenders, while the average time-to-remediate stretched to 263 days. The temporal units utilized by the opposing sides were fundamentally misaligned: adversaries measured their progress in days, while defenders operated in months and seasons.
The researchers contend that this data does not indicate deficient analytics or weak threat intelligence. The malady is deeper: organizations are proficient at identifying risks but lack the agility to translate that knowledge into decisive action within their infrastructure. The failure, therefore, is operational.
The report introduces the term “Manual Tax” to describe the penalty incurred by human-centric workflows, which particularly burdens the “long tail” of assets. While a team may swiftly address a subset of systems, the remaining unpatched assets inflate the average remediation time, extending the window of exposure from weeks to months. In the case of Spring4Shell, the mean time-to-remediate was 5.4 times higher than the median. While the median suggests a situation under control, the mean reveals the enduring risk posed by poorly managed legacy assets.
For infrastructure systems, the outlook is even more dire. While median remediation times for endpoints often remain below 14 days, the median for Cisco IOS XE reached an astonishing 232 days. When the “best typical result” for a significant portion of an environment is eight months, manual intervention ceases to be a mere inefficiency—it becomes the foundational cause of systemic risk.
Consequently, the authors propose shifting focus from the raw count of CVEs to “accumulated exposure.” They utilize the metric Risk Mass—the quantity of vulnerable assets multiplied by the duration they remained imperiled. This approach more accurately reflects genuine danger, as a simple vulnerability count fails to account for how long a flaw persisted or how many systems it jeopardized.
Alongside Risk Mass is the Average Window of Exposure, which measures the total interval from the onset of exploitation to final remediation across the entire environment. The Follina vulnerability serves as a poignant example: exploitation began 30 days prior to disclosure, and the average closure occurred on the 55th day. However, the total exposure window spanned 85 days. Of this, 36% occurred in the “blind spot” before public disclosure, and another 44% was attributed to the protracted “tail” of remediation. Collectively, the pre-disclosure phase and the delayed response accounted for 80% of the total risk window, while the segment of the process usually measured and lauded in reports constituted less than 20%.
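The three quantities discussed above (the mean-versus-median gap of the remediation tail, Risk Mass as assets multiplied by days exposed, and the window of exposure split into a pre-disclosure blind spot, a measured phase and a tail) are easy to compute from per-asset patch dates. The following is an added example, not code from the Qualys report or the article: the record layout, function names and sample numbers are assumptions for illustration, with days counted relative to public disclosure (day 0) and a negative value meaning exploitation began before disclosure.

```python
"""Risk Mass and window-of-exposure arithmetic on constructed remediation records.

Added example (not from the Qualys report or the article). The record layout,
function names and the sample numbers are assumptions for illustration.
Days are counted relative to public disclosure (day 0); negative values fall
before disclosure.
"""
from dataclasses import dataclass
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class AssetRecord:
    asset: str
    fixed_day: Optional[int]  # day the patch landed, or None if still open


# Constructed sample: one vulnerability exploited 30 days before disclosure,
# with a short "head" of fast fixes and a long tail of slow, legacy assets.
EXPLOIT_START = -30
SAMPLE = [
    AssetRecord("web-01", 3), AssetRecord("web-02", 5), AssetRecord("web-03", 7),
    AssetRecord("api-01", 9), AssetRecord("api-02", 12), AssetRecord("api-03", 14),
    AssetRecord("batch-01", 20), AssetRecord("legacy-01", 60),
    AssetRecord("legacy-02", 120), AssetRecord("appliance-01", 300),
]


def _exposure_end(rec: AssetRecord, as_of: int) -> int:
    """Day an asset stopped being exposed: its fix day, or the observation day
    if it is still open (a still-open asset keeps accumulating exposure)."""
    return rec.fixed_day if rec.fixed_day is not None else as_of


def risk_mass(records, exploit_start: int, as_of: int) -> int:
    """Asset-days of exposure: every asset counts from first exploitation
    (not from disclosure) until it was fixed or until the observation day."""
    return sum(max(0, _exposure_end(r, as_of) - exploit_start) for r in records)


def remediation_stats(records, as_of: int) -> dict:
    """Mean and median days-to-fix since disclosure, plus the mean/median
    ratio that reveals a long tail the median alone hides."""
    days = [_exposure_end(r, as_of) for r in records]
    m, md = mean(days), median(days)
    return {"mean": m, "median": md, "mean_to_median": m / md if md else float("inf")}


def exposure_window(records, exploit_start: int, as_of: int) -> dict:
    """Split the total window (first exploitation to last fix) into the
    pre-disclosure blind spot, the measured phase up to the mean fix day,
    and the remediation tail after the mean fix day. Shares sum to 1."""
    ends = [_exposure_end(r, as_of) for r in records]
    last_fix, mean_fix = max(ends), mean(ends)
    total = last_fix - exploit_start
    blind = 0 - exploit_start      # exploitation before disclosure (day 0)
    measured = mean_fix - 0        # disclosure to average closure
    tail = last_fix - mean_fix     # average closure to the last straggler
    return {
        "total_days": total,
        "blind_spot_share": blind / total,
        "measured_share": measured / total,
        "tail_share": tail / total,
    }


if __name__ == "__main__":
    AS_OF = 365  # observation day for assets that are still unpatched
    print("risk mass (asset-days):", risk_mass(SAMPLE, EXPLOIT_START, AS_OF))
    print("remediation:", remediation_stats(SAMPLE, AS_OF))
    print("window:", exposure_window(SAMPLE, EXPLOIT_START, AS_OF))
```

On the constructed sample the median time-to-fix is 13 days, which looks healthy, while the mean is 55 days and the last asset closes on day 300; the tail after the mean fix day accounts for roughly three quarters of the 330-day window, which is the "Manual Tax" the report describes. Counting an unpatched asset up to the observation day rather than dropping it is a deliberate choice: an asset with no fix date is the one still contributing risk.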
Furthermore, the study challenges the operational philosophy of many security teams. In 2025, 48,172 vulnerabilities were disclosed, yet only 357 were found to be remotely exploitable and actively utilized in the wild. This suggests that a vast portion of resources is squandered on theoretical attack surfaces, while genuinely hazardous, actively exploited flaws endure within infrastructures for far too long.
The authors predict this chasm will only widen. Cybersecurity has historically evolved as a reaction to monumental technological shifts—first adapting to the Windows era, then to the cloud. AI, however, represents a departure; it alters not only the attack surface but the very nature of the aggressor. Autonomous agents are now capable of identifying, verifying, and weaponizing exploits faster than a classical, human-tethered defense team can process their task queues.
The most perilous epoch is commencing now, as adversaries accelerate via AI while defenders remain bound by human velocity. This phase is regarded as the industry’s most critical window of risk, compounded by an expanded attack surface, a proliferation of identities and access rights, and remediation workflows that remain stubbornly manual.
In light of this, the researchers advocate for abandoning the classical “scan-and-report” model. This methodology arose in an era when CVEs were less numerous and the interval between publication and exploitation afforded a margin of safety that no longer exists. Instead, the authors promote a Risk Operations Center—a continuous loop of risk management where analytics serve as logic. In this model, the system must autonomously verify the exploitability of a flaw within its specific environment and initiate the requisite countermeasures at the tempo dictated by the threat.
This does not imply the total exclusion of human oversight. On the contrary, it proposes elevating the human role. Specialists should not be relegated to repetitive manual tasks but should instead define the systemic rules and govern the underlying logic. According to Qualys, the most successful organizations will be those that eliminate human latency from the critical path of defense.
The final conclusion of the report is unequivocal: Time-to-Exploit will never return to a positive value, the deluge of vulnerabilities will not abate, and the reactive defensive model has reached its mathematical limit. The question is no longer whether the old framework can be incrementally accelerated, but whether organizations are prepared to transition to a novel defensive architecture before the window between human defense and autonomous offense closes irrevocably.