The time it takes to exploit security flaws after they’re discovered is getting shorter at breakneck speed—and this trend shows no signs of reversing. Vulnerabilities are being found, recreated, and used as weapons more rapidly than ever before in the history of corporate security. Consequently, the gap between a vulnerability going public and widespread attacks being spotted online is now counted in hours, not days.
The standard response from the cybersecurity industry has largely been: apply patches more quickly.
Regulatory bodies promote it, company boards anticipate it, and senior executives insist on it. But for the majority of organizations, flipping a switch to “patch faster” simply isn’t realistic. Patching follows a careful, deliberate process governed by uptime demands, stability testing, scheduled change windows, business sign-offs, compliance requirements, and the practical fact that production systems can’t be sacrificed in the name of speed.
While patching remains a critical practice—and patching more quickly is still valuable—it no longer fully addresses the current flood of disclosed vulnerabilities that organizations face. Anthropic’s Project Glasswing release from May 2026 starkly illustrated this widening gap. The firm reported that, alongside roughly 50 partner organizations, it leveraged Claude Mythos Preview to uncover over 10,000 high- or critical-severity vulnerabilities in critical software systems within just one month—and many other groups are seeing comparable results with their own AI-powered initiatives.
AI is revolutionizing vulnerability research at an industrial scale—but the benefits aren’t going solely to the good guys. Adversaries are leveraging the same tools and the same speed advantage to discover and replicate vulnerabilities, then turning them against the very organizations they target.
So how does this reshape the landscape of exploitation timelines—and what should defenders do about it?
The Bottleneck Has Shifted
It’s widely recognized that exploitation windows have been narrowing for years, and lately it has become routine for real-world attacks to follow vulnerability disclosures within single-digit hours. With AI entering the equation, the window that large enterprises have—from learning about a vulnerability to seeing attackers attempt to exploit it—will only keep shrinking.
Remediation and patching, however, have not kept up. The Verizon 2026 DBIR makes this painfully clear: the median time organizations take to patch a critical vulnerability actually got *worse* year over year, jumping from 32 days to 43 days.
The truth is stark: while attackers work on timescales of hours, defenders operate on timescales of weeks. That disconnect is exactly where successful exploitation occurs.
Yes, there are more vulnerabilities being found. Yes, attackers are accelerating. But the hardest reality for defenders is that remediation isn’t speeding up—and perhaps fundamentally can’t. Telling organizations to “just patch faster” is like telling someone to “just grow taller.” It sounds reasonable and well-meaning, but it isn’t something most security teams can simply decide to do.
And then there’s mounting regulatory pressure. India’s CERT-IN recently released guidance hinting at same-day—or even sub-day—patching expectations for certain critical flaws. The goal is understandable, but the guidance overlooks the operational realities many security teams face.
The practical reality is that some vulnerabilities will be exploited before full remediation is possible. Security teams must plan for this scenario without introducing new risks to operations. That means answering several critical questions swiftly:
- Do we actually use this technology?
- Is the vulnerability only theoretical?
- Can this vulnerability be exploited in our specific environment?
- What would a real-world attack look like?
- What interim controls can lower risk while the standard patching process plays out?
The operating model must evolve toward preempting, validating, and mitigating threats. Here’s how to put that into practice.
Step 1: Preempt the Vulnerabilities Attackers Will Likely Target
Not every disclosed vulnerability demands the same level of urgency. Some flaws will never see real-world exploitation. Others possess the characteristics attackers actively seek: widespread deployment, exposure to the internet, easily repeatable exploitation, and a clear path to gaining meaningful access within a target environment.
In a future that’s rapidly approaching—one where hundreds, possibly thousands of vulnerabilities are disclosed daily—preemption means pinpointing which flaws are most likely to face real-world attacks, enabling effective filtering so teams don’t waste precious time investigating everything. Severity ratings still matter, but they’ve never told the full story.
In an AI-accelerated landscape, that filtering must happen within the hours following disclosure, *before* teams can possibly review every item on the list. Narrowing the scope early is what allows organizations to stay ahead of attackers rather than scrambling to respond after breaches have already begun.
Step 2: React Quickly and Confirm Your Actual Exposure
Once it’s determined that real-world exploitation of an emerging threat is possible—or confirmed—defenders need the capability to move fast and confirm whether their organization is genuinely at risk, all before adversaries make their move.
This means converting a new vulnerability disclosure or active attack campaign into an environment-specific answer: Are we exposed? Where specifically do we have exposure? Which teams or individuals own the affected systems? Has exploitability been proven? An effective rapid-response process should identify internet-facing systems across all business units, departments, and subsidiaries, while enriching the vulnerability context with relevant threat intelligence.
Validation then confirms whether the flawed component can actually be reached and exploited by an attacker. A potential vulnerability triggers an investigation. But a confirmed, exploitable vulnerability—given how quickly real-world attacks unfold—now demands swift, autonomous action.
The faster teams can make that distinction, the faster they can determine what to mitigate immediately, what to monitor closely, and what can safely follow the standard remediation path.
Speed without accuracy just creates chaos, and accuracy without speed is meaningless. Both elements must be combined when responding to an emerging threat—before exploitation begins.
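The filtering in Step 1 and the routing in Step 2, worked through as an added example (not watchTowr's code): it answers "do we use this technology, where are we exposed, who owns it, has exploitability been proven" for one advisory against an inventory. The record fields, the sample advisory and hosts, and the decision rule are assumptions made here, not taken from the article.

```python
from dataclasses import dataclass

@dataclass
class Advisory:                  # constructed record, not a real CVE
    vuln_id: str
    product: str
    fixed_in: str                # first patched version
    widely_deployed: bool
    internet_exposed: bool
    repeatable_exploit: bool

@dataclass
class Asset:                     # one row of a hypothetical inventory
    host: str
    owner: str
    product: str
    version: str
    internet_facing: bool
    validated_exploitable: bool  # outcome of a validation check, assumed given

def ver(v):
    # Compare versions numerically: as strings, "9.10.0" sorts before "9.2.10".
    return tuple(int(p) for p in v.split("."))

def likely_targeted(adv):
    # Step 1 filter (assumed rule): every attacker-attractive trait is present.
    return adv.widely_deployed and adv.internet_exposed and adv.repeatable_exploit

def triage(adv, inventory):
    """Map each affected host to (action, owner); unaffected hosts are omitted."""
    decisions = {}
    for a in inventory:
        if a.product != adv.product or ver(a.version) >= ver(adv.fixed_in):
            continue             # technology not in use here, or already fixed
        if not likely_targeted(adv) or not a.internet_facing:
            action = "standard_remediation"
        elif a.validated_exploitable:
            action = "mitigate_now"
        else:
            action = "monitor_and_validate"
        decisions[a.host] = (action, a.owner)
    return decisions

ADV = Advisory("EXAMPLE-0001", "examplevpn", "9.2.10", True, True, True)
INVENTORY = [                    # constructed sample data
    Asset("vpn-eu-1", "netops-eu", "examplevpn", "9.2.3", True, True),
    Asset("vpn-apac-1", "subsidiary-it", "examplevpn", "9.2.9", True, False),
    Asset("vpn-lab", "it-lab", "examplevpn", "9.2.9", False, False),
    Asset("vpn-us-1", "netops-us", "examplevpn", "9.10.0", True, False),
    Asset("web-1", "web-team", "examplecms", "4.1.0", True, False),
]
```

Calling triage(ADV, INVENTORY) returns only the three affected hosts, each with its action and owner; vpn-us-1 drops out because 9.10.0 is newer than the fixed version once versions are compared numerically.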
Step 3: Mitigate to Create Breathing Room for Proper Remediation
Once exposure has been confirmed, traditional remediation may still require testing, change control processes, and carefully coordinated deployment.
Mitigation reduces exploitability during that interim period. For internet-facing systems, this could mean implementing access restrictions, disabling vulnerable features, deploying WAF or API rules, updating IDS or IPS signatures, applying isolation or configuration adjustments, adding monitoring, or putting in place temporary controls that block known attack patterns.
Effective mitigation should also be guided by a thorough understanding of how exploitation works. A generic security rule based on a high-level CVE summary is less effective than a control designed around the actual exploit mechanism, payload structure, required preconditions, and known malicious behavior.
These controls don’t need to be permanent. They simply need to make exploitation slower, less reliable, and harder to carry out at scale while the organization completes its patching process safely.
Autonomous mitigation closes the speed gap between attackers and the patching process. It’s the only defensive measure that operates on the same timeline as exploitation itself.
This Is What watchTowr Is Built For
By harnessing AI to unify Proactive Threat Intelligence, External Attack Surface Management, and Autonomous Mitigation, the watchTowr Platform delivers clarity: it shows security teams exactly what attackers can see, what they can exploit, and what steps can be taken to mitigate risk before a compromise occurs.
Patching remains absolutely necessary and essential. But in an AI-driven exploitation landscape, patching alone simply can’t happen fast enough while still maintaining system availability and preventing operational disruption. The watchTowr Platform—an AI-Powered Preemptive Exposure Management solution—helps organizations stay ahead of attackers, validate their exposure to emerging threats in real time, and autonomously apply mitigations to secure the one advantage attackers can’t outpace: enough time to respond effectively.
To schedule a demo and learn more about Preemptive Exposure Management, visit watchtowr.com.




