Here’s a number worth sitting with: negative seven days.

That’s the average Time-to-Exploit for critical vulnerabilities right now. Negative seven means attackers are weaponizing critical flaws an average of one week before a patch exists. Before there’s anything to deploy. Before most organizations even know there’s a problem.

A Qualys analysis of over a billion CISA KEV remediation records from 10,000 organizations calls it “broken physics.” That’s not hyperbole. You can’t race someone who starts a week before the race begins.

The data doesn’t lie at this scale. 88% of 52 tracked weaponized CVEs were patched slower than they were exploited. Organizations ran 400 million more vulnerability tickets per year than baseline. The percentage of critical vulns still open at Day 7? It went from 56% to 63%. More effort, worse outcome. That’s the human ceiling.

Meanwhile, AI-assisted vulnerability discovery has overwhelmed bug bounty triage capacity. Curl stopped accepting AI-generated reports. Google paused its OSS program for them. The result is counterintuitive: more discoveries, but real critical bugs get buried faster in the noise.

Of the 48,172 CVEs disclosed in 2025, only 357 were remotely exploitable and actively weaponized. If you’re running full remediation programs against all of them, you’re burning cycles on theoretical risk while potentially missing the 357 that actually matter.
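What "negative Time-to-Exploit" and "the 357 that actually matter" look like in code, as an added example that is not part of the original post and not Qualys's methodology: it computes Time-to-Exploit per finding (first observed exploitation minus patch availability, so a negative value means the exploit came first) and then narrows a constructed inventory to findings that are both on a KEV-style feed and remotely exploitable (CVSS v3.1 attack vector `AV:N`). The feed shape assumes CISA's `known_exploited_vulnerabilities.json` layout (a `vulnerabilities` list whose entries carry a `cveID`); the CVE identifiers, dates and vectors are constructed placeholders, not real records.

```python
"""Exploit-aware triage over a constructed vulnerability inventory.

Added example, not code from the original post. Assumptions:
  * a KEV-style feed shaped like CISA's known_exploited_vulnerabilities.json
    (a "vulnerabilities" list whose entries carry a "cveID"), constructed inline;
  * CVSS v3.1 vector strings per finding, where AV:N marks network-reachable issues.
All CVE IDs, dates and vectors below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed KEV-style feed; only cveID is consulted here.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "dateAdded": "2025-03-03"},
        {"cveID": "CVE-0000-1003", "dateAdded": "2025-04-10"},
    ]
}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_vector: str            # e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    patch_available: date | None
    first_exploited: date | None


# Constructed inventory of open findings.
INVENTORY = [
    Finding("CVE-0000-1001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            date(2025, 3, 10), date(2025, 3, 3)),   # exploited a week before the patch
    Finding("CVE-0000-1002", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            date(2025, 3, 1), None),                # critical on paper, no known exploitation
    Finding("CVE-0000-1003", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            date(2025, 4, 1), date(2025, 4, 10)),   # exploited, but requires local access
    Finding("CVE-0000-1004", "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
            None, None),                            # low impact, physical access only
]


def parse_cvss_vector(vector: str) -> dict[str, str]:
    """Split a CVSS v3.x vector string into a metric -> value map."""
    parts = vector.split("/")
    if not parts or not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    return dict(p.split(":", 1) for p in parts[1:])


def is_remotely_exploitable(vector: str) -> bool:
    """AV:N (network) is the only attack vector reachable without local/adjacent access."""
    return parse_cvss_vector(vector).get("AV") == "N"


def kev_ids(feed: dict) -> set[str]:
    """Collect the CVE IDs present on a KEV-style feed."""
    return {entry["cveID"] for entry in feed["vulnerabilities"]}


def time_to_exploit_days(f: Finding) -> int | None:
    """Days from patch availability to first observed exploitation.

    Negative means exploitation preceded the patch; None when either date is unknown.
    """
    if f.patch_available is None or f.first_exploited is None:
        return None
    return (f.first_exploited - f.patch_available).days


def prioritize(inventory: list[Finding], feed: dict) -> list[str]:
    """CVE IDs that are both known-exploited and remotely exploitable,
    ordered by Time-to-Exploit (most negative first), then by CVE ID."""
    known = kev_ids(feed)
    hits = [f for f in inventory
            if f.cve in known and is_remotely_exploitable(f.cvss_vector)]

    def sort_key(f: Finding):
        tte = time_to_exploit_days(f)
        return (tte if tte is not None else 10**6, f.cve)

    return [f.cve for f in sorted(hits, key=sort_key)]


if __name__ == "__main__":
    for f in INVENTORY:
        print(f.cve, "TTE days:", time_to_exploit_days(f))
    print("Work first:", prioritize(INVENTORY, KEV_FEED))
```

Of the four constructed findings, only one survives the filter: the KEV entry that is network-reachable and was exploited seven days before its patch shipped. The other KEV entry needs local access and drops out, and the high-scoring but unexploited finding never enters the queue at all, which is the distinction between CVSS-driven and exploitation-driven remediation that the post is drawing.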

Why the remediation model is broken and what a different approach actually looks like