For decades, vulnerability management operated within a comfortable buffer: the months between identifying a vulnerability and its potential exploitation. This allowed security teams to assess, prioritize, and remediate issues systematically. However, the advent of artificial intelligence (AI) has drastically shortened this window, compressing the timeline from discovery to exploitation to mere hours.
AI Accelerates Vulnerability Discovery
In May 2026, Anthropic reported that, alongside approximately 50 partners, its Claude Mythos Preview AI identified over 10,000 high- or critical-severity vulnerabilities in essential software within a single month. Notably, the AI uncovered 181 working exploits in Firefox, a significant leap from the two exploits found by previous models. These findings spanned major operating systems and browsers, including a 27-year-old bug in OpenBSD. Alarmingly, over 99% of these vulnerabilities remained unpatched at the time of reporting.
Collapse of the Exploitation Window
Historically, organizations had months between a Common Vulnerabilities and Exposures (CVE) disclosure and its first known exploitation—a period known as time-to-exploit (TTE). This window has now drastically narrowed. Zero Day Clock reports that the average TTE in 2026 is approximately 24 hours, a stark reduction from around 53 days in 2024. Verizon’s 2026 Data Breach Investigations Report (DBIR) indicates that 32% of initial access techniques involve exploiting vulnerabilities, a figure expected to rise due to AI’s facilitation of exploit development and vulnerability discovery.
Challenges in Accelerating Patching
The prevailing response to this accelerated threat landscape is to expedite patching processes. Regulators and executives are advocating for same-day fixes for critical vulnerabilities. However, remediation is a complex process involving regression testing, change management, approvals, and adherence to uptime and compliance requirements. Hastily applying patches can lead to operational disruptions. Data from Verizon’s 2026 DBIR reveals that the median time to fix known-exploited vulnerabilities has increased to 43 days, up from 32 days the previous year, with the percentage of fully patched organizations declining from 38% to 26%.
In this environment, traditional vulnerability management strategies are proving inadequate. Organizations are increasingly turning to Breach and Attack Simulation (BAS) platforms to proactively identify and address vulnerabilities before they can be exploited. BAS tools simulate real-world attack scenarios, allowing security teams to assess their defenses and prioritize remediation efforts effectively.
The rapid advancements in AI have transformed the cybersecurity landscape, rendering traditional vulnerability management approaches insufficient. To stay ahead of potential threats, organizations must adopt proactive strategies like BAS to continuously test and strengthen their defenses against the ever-evolving tactics of cyber adversaries.
Source: The Hacker News
