The age of self-defense: Time-to-Exploit is no longer enough

Published · 6 min read

Recent data on vulnerability remediation call for a rethink of defence strategy: speeding up processes or adding headcount is not enough. A comprehensive study by the Qualys Threat Research Unit, which analysed more than a billion remediation records from tens of thousands of organizations over four years, shows that operational reality has outrun the human ability to react in time. The defence architecture must change if we want to keep an advantage over attackers who use automation and AI-based agents.

According to this analysis, the so-called Time-to-Exploit - the interval between the publication of a vulnerability and its active exploitation - has on average collapsed to negative values, meaning that many flaws are exploited before a patch even exists. This conclusion is not isolated: industry reports such as Google M-Trends also document a shrinking of the exploitation window. When the attacker's advantage is measured in days and the organization's response in months, the traditional reactive model is obsolete.

Image generated with AI.

The Qualys study puts numbers to that impression. While the volume of vulnerabilities handled by teams has grown several times over in a few years, the percentage of critical vulnerabilities still open after seven days has increased: more effort does not translate into less risk in the long tail of exposure. The researchers speak of a "human ceiling": a structural limit that more staff or better manual processes cannot fix.

Two concepts help explain why the usual metrics mislead. The first, which the authors call the "Manual Tax", describes how less visible assets, or assets outside the reach of human workflows, drag the exposure of the whole estate out from weeks to months. The second is the proposal to shift the focus from counting CVEs to measuring accumulated exposure: the number of vulnerable assets multiplied by the days they remain exposed, which the report calls Risk Mass. Alongside this, the Average Window of Exposure (AWE) captures the full duration from initial weaponization to effective remediation in the organization.

These indicators reveal another uncomfortable truth: what shines on the dashboards - the race to apply patches quickly - usually represents less than 20% of the actual exposure window. The rest comes from the blind window before the patch is published and from the long tail of systems that never get patched quickly. Well-documented cases such as Follina and Spring4Shell illustrate the gap between the first exploitation and the average time companies take to correct the flaw. For technical reference and traceability, the public NVD entries are useful resources, for example CVE-2022-30190 (Follina) and CVE-2022-22965 (Spring4Shell).
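To make the Risk Mass and AWE metrics concrete, here is an added example (not from the article or the Qualys report) that computes them over a constructed data set of one vulnerability and four assets, and contrasts them with the usual dashboard number, the median days from patch release to patch applied. The CVE identifier, dates and asset names are constructed; the exact definitions of Risk Mass (asset-days of exposure) and AWE (mean window from weaponization to remediation, with still-open assets counted up to today) are this example's reading of the terms as the article describes them, not the report's own formulas.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Optional


@dataclass
class VulnExposure:
    cve: str
    weaponized: date                        # first exploitation in the wild; start of the window
    patch_published: date                   # vendor fix becomes available
    remediated: Dict[str, Optional[date]]   # asset -> date fixed, None = still open


def exposure_days(v: VulnExposure, today: date) -> Dict[str, int]:
    """Days each asset spent exposed: weaponization to fix, or to `today` if still open."""
    return {
        asset: max(0, ((fixed if fixed is not None else today) - v.weaponized).days)
        for asset, fixed in v.remediated.items()
    }


def risk_mass(v: VulnExposure, today: date) -> int:
    """Risk Mass: total asset-days of exposure accumulated by this vulnerability."""
    return sum(exposure_days(v, today).values())


def average_window_of_exposure(v: VulnExposure, today: date) -> float:
    """AWE: mean days from weaponization to remediation across assets."""
    days = exposure_days(v, today)
    return risk_mass(v, today) / len(days)


def blind_window_days(v: VulnExposure) -> int:
    """Days during which the flaw was exploited but no patch existed to apply."""
    return max(0, (v.patch_published - v.weaponized).days)


def median_patch_lag(v: VulnExposure) -> float:
    """The dashboard metric: median days from patch release to patch applied, fixed assets only."""
    lags = [(fixed - v.patch_published).days for fixed in v.remediated.values() if fixed is not None]
    return float(median(lags))


def dashboard_share(v: VulnExposure, today: date) -> float:
    """Fraction of the real exposure window (AWE) that the median patch lag actually reflects."""
    return median_patch_lag(v) / average_window_of_exposure(v, today)


# Constructed sample: exploited on 1 Jan, patch out on 15 Jan, assessed on 1 May.
TODAY = date(2024, 5, 1)
SAMPLE = VulnExposure(
    cve="CVE-EXAMPLE-0001",            # placeholder, not a real identifier
    weaponized=date(2024, 1, 1),
    patch_published=date(2024, 1, 15),
    remediated={
        "web-01": date(2024, 1, 18),  # patched 3 days after release
        "web-02": date(2024, 1, 20),  # patched 5 days after release
        "legacy-db": date(2024, 4, 14),  # the long tail: 90 days after release
        "ot-gateway": None,           # still open; the "Manual Tax"
    },
)

if __name__ == "__main__":
    print("risk mass (asset-days):", risk_mass(SAMPLE, TODAY))
    print("AWE (days):", average_window_of_exposure(SAMPLE, TODAY))
    print("blind window (days):", blind_window_days(SAMPLE))
    print("dashboard median patch lag (days):", median_patch_lag(SAMPLE))
    print("share of real window seen on dashboard:", round(dashboard_share(SAMPLE, TODAY), 3))
```

On this data the dashboard reports a median lag of five days, while the average window of exposure is over sixty days and the risk mass keeps growing every day the open asset stays unpatched; the two fast fixes make the median look good and hide both the blind window and the long tail.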

Another strong finding of the study is that an overwhelming proportion of genuinely weaponized vulnerabilities were patched more slowly than they were exploited; in certain groups of incidents, exploitation preceded the existence of a valid patch. This shows that the problem is not just speed: it is the entire operating model, which still depends on human sequences to discover, prioritize, open tickets and run remediations.

The advance and democratization of AI tools mark a turning point: offensive automation can already discover flaws, design exploits and execute attacks at a speed human teams cannot match. During the transition phase in which attackers operate with AI at an autonomous pace while defenders continue to operate on human timescales, a particularly dangerous window opens. This is not just a new perimeter to protect, but a transformation in the capabilities of the adversary.

In the face of this reality, the proposed change is not to remove people from the process, but to remove human latency from the critical path and elevate the human role to governing autonomous systems. The alternative to the scan, report and manual ticket model is a Risk Operations Center, where intelligence arrives as machine-readable logic, where there is active verification of whether a vulnerability is exploitable in a specific environment, and where action can be executed in a closed loop, automatically, when policy allows.

In this architecture, human intervention focuses on defining and governing the rules that prioritize real risk, validating exceptions and auditing the behaviour of automated agents. Teams thus move from repetitive operational tasks to strategic control and policy design, which scales better against the continuous growth of attack surfaces and the proliferation of cloud identities and services.
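The following added example (not code from the article, Qualys or any product) sketches the decision layer of such a Risk Operations Center: policy is data that humans author and audit, findings carry the machine-readable facts the article names (KEV listing, verified exploitability in this environment, patch availability, change window, asset criticality), and the engine either acts in a closed loop or routes the case to a human. The rule set, action names, field names and sample findings are all constructed for illustration; a real deployment would wire the actions to orchestration tooling and the audit records to a log the governance team reviews.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    asset_tier: str             # "crown_jewel" or "standard" (constructed tiers)
    in_kev: bool                # listed in CISA's Known Exploited Vulnerabilities catalogue
    exploitable_verified: bool  # actively confirmed reachable/exploitable in this environment
    patch_available: bool
    change_window_open: bool


# Policy as machine-readable data, owned by humans. Rules are evaluated in order;
# a rule matches when every field in "when" equals the finding's value.
POLICY: List[Dict[str, Any]] = [
    {"id": "R1-crown-jewel", "action": "mitigate_then_await_approval",
     "when": {"exploitable_verified": True, "asset_tier": "crown_jewel"}},
    {"id": "R2-auto-patch", "action": "auto_patch_controlled_channel",
     "when": {"exploitable_verified": True, "in_kev": True,
              "patch_available": True, "change_window_open": True}},
    {"id": "R3-no-patch", "action": "auto_mitigate",
     "when": {"exploitable_verified": True, "patch_available": False}},
    {"id": "R4-not-reachable", "action": "defer_to_scheduled_cycle",
     "when": {"exploitable_verified": False}},
]
DEFAULT_ACTION = "queue_for_human_review"   # anything the policy does not cover is an exception
HUMAN_GATED = {"mitigate_then_await_approval", DEFAULT_ACTION}


def matches(rule: Dict[str, Any], finding: Finding) -> bool:
    return all(getattr(finding, key) == value for key, value in rule["when"].items())


def decide(finding: Finding, policy: List[Dict[str, Any]] = POLICY) -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule id) so every decision is attributable."""
    for rule in policy:
        if matches(rule, finding):
            return rule["action"], rule["id"]
    return DEFAULT_ACTION, "default"


def run_roc(findings: List[Finding], policy: List[Dict[str, Any]] = POLICY) -> List[Dict[str, Any]]:
    """Evaluate all findings and produce an audit trail; automation runs only where policy allows."""
    audit = []
    for f in findings:
        action, rule_id = decide(f, policy)
        audit.append({"cve": f.cve, "asset": f.asset, "action": action,
                      "rule": rule_id, "needs_human": action in HUMAN_GATED})
    return audit


# Constructed sample findings (placeholder CVE ids, not real identifiers).
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "web-01", "standard", True, True, True, True),       # -> R2
    Finding("CVE-EXAMPLE-0001", "payments-db", "crown_jewel", True, True, True, True),  # -> R1
    Finding("CVE-EXAMPLE-0002", "api-gw", "standard", True, True, False, False),     # -> R3
    Finding("CVE-EXAMPLE-0003", "build-agent", "standard", False, False, True, True),  # -> R4
    Finding("CVE-EXAMPLE-0001", "web-02", "standard", True, True, True, False),      # -> default
]

if __name__ == "__main__":
    for record in run_roc(SAMPLE_FINDINGS):
        print(record)
```

Two design points matter here: exploitability verified in the environment, not severity alone, is the gate for any automatic action, and the only outcomes that stop for a human are the ones policy explicitly marks as exceptions, so people spend their time on the crown-jewel approval and the uncovered case rather than on the tickets the engine can close itself.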

The bad news is that the number of published vulnerabilities will keep growing and that the Time-to-Exploit will not lengthen again on its own. The good news is that principles and technologies to close the gap already exist: real-time correlation between threat intelligence and asset telemetry, environment-specific exploitability assessment, and automated remediation flows that can block or mitigate attack vectors while a definitive fix is prepared.

This approach also requires changing the metrics of success. Ceasing to celebrate only the median patching speed, and adopting metrics that reflect accumulated exposure and real risk windows, enables better decisions on where to invest in automation, segmentation and compensating controls. Measuring Risk Mass and AWE refocuses attention on what actually reduces the probability of a breach, rather than feeding work cycles that only reduce ticket counts.

This is not a trivial transformation: it involves integrating threat intelligence, security orchestration capabilities, active validation in the environment, and self-executing mechanisms with governance controls. In practice, some organizations are already experimenting with automating critical tasks - confirming exploitability, applying temporary mitigations, deploying patches through controlled channels - and reserving human intervention for higher-impact decisions. For those who want to dig into these findings and the specific recommendations, the full Qualys report sets out the methodology and data behind these conclusions: The Broken Physics of Remediation.


It is also useful to review the public sources that document actively exploited vulnerabilities and the priorities that should guide operations: CISA's Known Exploited Vulnerabilities catalogue is a practical reference for prioritizing response in critical infrastructure (CISA KEV).

In short, the lesson is clear: adding more people and stacking up processes will not stop the erosion of the advantage against automated attackers. The answer is a risk architecture that takes humans off the critical path through responsible autonomy, integrable intelligence, and metrics that show real exposure. If this transformation is not adopted at scale, the window between human defence and autonomous offence will keep closing - and it will close in favour of those already planning attacks that defenders do not expect.

For teams that want to explore practical solutions and implementation cases, there are events and resources where strategies for remediation automation and risk operations are discussed; for example, Qualys organizes conferences and publishes materials on these topics that can serve as a starting point: ROCON EMEA and Qualys's own page of guides and tools (Qualys).
