Silicon Valleys Journal

Why faster attack cycles require a new approach to vulnerability management

By Sylvain Cortes, VP Strategy, Hackuity

by SVJ Thought Leader
June 29, 2026

The gap between vulnerability disclosure and exploitation has collapsed.

Rapid7’s 2026 Global Threat Landscape Report shows that confirmed exploitation of newly disclosed high and critical vulnerabilities more than doubled between 2024 and 2025, rising from 71 to 146. The median time from publication to inclusion in CISA’s Known Exploited Vulnerabilities list fell from 8.5 days to 5 days.

Meanwhile, AI is industrialising vulnerability discovery itself. Anthropic’s Mythos, an AI model the company deemed too dangerous for public release, uncovered more than 2,000 previously unknown vulnerabilities across every major operating system and web browser in just seven weeks. 

But while this may be a boon for vulnerability management, other AI tools are creating their own challenges. AI-powered coding is accelerating the software development pipeline, leading to more code and a greater risk of vulnerabilities. Attackers are also using AI tools to shorten the pipeline from discovery to weaponisation. 

Most vulnerability management programs were designed for a slower threat environment. They assume teams have time to scan, triage, prioritize and schedule remediation. That assumption no longer holds. Security teams need workflows that can deliver answers in days, not weeks.

Exploitation windows have collapsed from weeks to days

Last year, attackers moved fast. Newly disclosed flaws got weaponized within days of publication, sometimes before most organizations had finished their initial triage.

The underground economy has matured. It now operates like a legitimate market, with distinct roles and specialization. 

Some actors focus on gaining initial access to networks, while others handle encryption and extortion or sell stolen credentials on subscription: Initial Access Brokers obtain network footholds, ransomware operators focus on encryption and extortion, and infostealer operators sell credential logs on subscription.

The evidence is everywhere and, for security teams, the buffer that once allowed time to triage and remediate has essentially disappeared. Some severe flaws are now exploited almost immediately after disclosure. Vulnerability management programs built on the assumption of weeks or months to respond are mismatched to the current threat environment.

Compliance-driven approaches were not built for machine-speed attacks

Compliance frameworks establish baseline security controls. But they were never designed to function as a day-to-day prioritization engine, particularly when attackers are moving this fast.

A purely compliance-driven approach treats all high-severity vulnerabilities as equally urgent, regardless of context. Resources get spent on issues unlikely to impact the business while genuinely dangerous weaknesses wait in the queue. Our research at Hackuity shows that only 36% of organizations have adopted a true risk-based model.

Nearly half (46%) of security teams told us the sheer volume of vulnerabilities is putting significant strain on their resources. When analysts are bombarded with alerts, fatigue sets in and critical issues get buried among routine ones. More than one in four organizations say this overload has directly contributed to a data breach.

Compliance frameworks measure coverage, not threat reduction. They answer whether you’ve checked the boxes, not whether you’ve addressed the vulnerabilities most likely to be exploited. When attackers are weaponizing flaws in five days, checking boxes won’t protect you.

Why risk-based prioritization depends on automation

A genuine risk-based strategy requires three layers of context, each answering a different question:

1. Which assets are affected, how critical are they, and what’s their exposure level? 

2. Is there a working exploit, does the vulnerability appear in CISA’s KEV catalog, is there evidence of active exploitation? 

3. What is the business impact if this gets exploited, for example on a payment system versus an isolated test machine?

When teams combine these factors, their remediation backlog shrinks to a fraction of its original size. They tackle vulnerabilities that pose the greatest real risk to the organization. 

But manual processes can’t deliver this level of analysis at the speed modern attacks demand.

Our research shows organizations without full automation average 4.5 weeks to remediate critical vulnerabilities. Those with full automation average 3.5 weeks – a full week faster. That difference comes from eliminating manual correlation, de-duplication, enrichment and ticket creation.

The organizations achieving faster remediation share several characteristics:

• Consolidated data platforms providing unified visibility into assets, exposures, and threat intelligence

• Automated workflows for enrichment, de-duplication and routing that eliminate manual steps

• Clear ownership models where remediation sits with teams equipped to understand risk – typically cybersecurity or SOC teams

• Defined SLAs and automated handoffs between security and operations that remove friction

Without automation, there’s no way to match the velocity of attackers using their own automation to identify, test, and exploit vulnerabilities at scale.
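The sketch below is an added illustration, not code from the article or from Hackuity. It shows the automated steps named above (de-duplication, enrichment, routing) applied with the three layers of context: asset criticality and exposure, threat evidence such as KEV listing, and business impact. The CVE ids are placeholders, the asset names, owner teams, weights and SLA tiers are assumptions, and the KEV set is a constructed stand-in for a real catalog snapshot.

```python
from dataclasses import dataclass
# Constructed sample data: placeholder CVE ids, hypothetical asset names.
KEV = {"CVE-0000-0001"}                        # stand-in for a KEV catalog snapshot
PUBLIC_EXPLOIT = {"CVE-0000-0001", "CVE-0000-0002"}
ASSETS = {  # asset -> (business criticality 1-5, internet exposed, owning team)
    "pay-gw-01": (5, True, "payments-ops"),
    "hr-app-02": (3, False, "corp-it"),
    "test-vm-09": (1, False, "dev-lab"),
}
FINDINGS = [  # (scanner, asset, cve, cvss) as two overlapping scanners report them
    ("scanner-a", "pay-gw-01", "CVE-0000-0001", 7.5),
    ("scanner-b", "pay-gw-01", "CVE-0000-0001", 7.5),   # duplicate of the line above
    ("scanner-a", "test-vm-09", "CVE-0000-0003", 9.8),
    ("scanner-a", "hr-app-02", "CVE-0000-0002", 8.1),
    ("scanner-b", "test-vm-09", "CVE-0000-0001", 7.5),
]

@dataclass
class Ticket:
    asset: str
    cve: str
    score: float
    owner: str
    sla_days: int

def deduplicate(findings):
    """Collapse reports of the same CVE on the same asset, keeping the highest CVSS."""
    best = {}
    for _scanner, asset, cve, cvss in findings:
        best[(asset, cve)] = max(cvss, best.get((asset, cve), 0.0))
    return best

def risk_score(cvss, cve, criticality, exposed):
    """Assumed weighting: threat evidence and asset context scale base severity."""
    threat = 2.0 if cve in KEV else 1.5 if cve in PUBLIC_EXPLOIT else 1.0
    exposure = 1.5 if exposed else 1.0
    return round(cvss * threat * exposure * criticality / 5, 2)

def triage(findings):
    """De-duplicate, enrich with asset and threat context, route, rank by risk."""
    tickets = []
    for (asset, cve), cvss in deduplicate(findings).items():
        crit, exposed, owner = ASSETS[asset]
        score = risk_score(cvss, cve, crit, exposed)
        sla = 2 if score >= 15 else 14 if score >= 5 else 90   # assumed SLA tiers
        tickets.append(Ticket(asset, cve, score, owner, sla))
    return sorted(tickets, key=lambda t: t.score, reverse=True)

if __name__ == "__main__":
    print(*triage(FINDINGS), sep="\n")
```

On this sample the CVSS 9.8 finding on the isolated test machine ranks last, while the CVSS 7.5 KEV-listed flaw on the exposed payment gateway ranks first with the shortest SLA.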

Vulnerability Operations Centers provide the operational structure security teams need

The Vulnerability Operations Center (VOC) consolidates what’s currently scattered across multiple systems. Vulnerability data, asset inventories, threat feeds and business context all sit in one place. Teams can see their complete exposure picture without correlating information manually.

Automated triage, enrichment and routing handle the high-volume work. Analysts work on the vulnerabilities that pose genuine risk to the organization. 

Our research shows just over half (53%) of organizations have fully implemented a VOC-based approach, with another 40% actively transitioning. Those who have adopted the model report faster prioritization, reduced noise and significantly less analyst fatigue.

A VOC doesn’t require a complete transformation overnight. The first step is centralizing vulnerability data so teams work from a single source of truth. From there, automation can be introduced gradually – starting with high-volume tasks like de-duplication and enrichment, then expanding to more sophisticated workflows.

Over time, the VOC becomes mission control for vulnerability management. Teams stop spending their time reacting to the latest CVE alert. They can plan remediation based on the real risk to the business. When attackers are exploiting vulnerabilities within days of disclosure, that planning capability becomes essential.

© 2025 Silicon Valleys Journal.
