The Scale of the Problem
A new report from the Qualys Threat Research Unit, drawing on analysis of more than one billion CISA Known Exploited Vulnerabilities (KEV) remediation records collected across 10,000 organizations over four years, has quantified something the security industry has long suspected but never proved at this scale: the operational model underpinning enterprise security is fundamentally broken.
According to the research, vulnerability volumes have grown 6.5 times since 2022. Despite that surge, organizations are working significantly harder — closing 400 million more vulnerability events annually now than at baseline. Yet the hard numbers tell a grim story: the percentage of critical vulnerabilities still open at Day 7 has worsened, climbing from 56 percent to 63 percent over the same period.
The authors describe this as the "human ceiling" — a structural limit that no amount of additional headcount or process maturity can overcome. The constraint is not effort. It is the model itself.
Time-to-Exploit Has Gone Negative
Compounding the remediation backlog is a dramatic shift in attacker timelines. According to Google M-Trends 2026, the average Time-to-Exploit has collapsed to negative seven days, meaning adversaries are weaponizing the most serious vulnerabilities before patches even exist.
Of the 52 high-profile weaponized vulnerabilities tracked with complete exploitation timelines in the study, 88 percent were remediated more slowly than they were exploited, and half were weaponized before any patch was available.
The data illustrates the disparity with stark examples:
- Spring4Shell was exploited two days before public disclosure, yet the average enterprise took 266 days to remediate it.
- The vulnerability affecting Cisco IOS XE was weaponized a full month before disclosure, with an average close time of 263 days.
- Follina was weaponized 30 days before disclosure, with an average close at Day 55 — but the Average Window of Exposure (AWE) stretched to 85 days.
In the Follina case, the pre-disclosure blind spot accounted for 36 percent of total exposure, while the long tail of patching added a further 44 percent. Together, those two phases represent 80 percent of total exposure, leaving the measurable remediation sprint accounting for less than 20 percent of the actual risk window.
The Manual Tax and the Concept of Risk Mass
The Qualys report introduces a concept called the "Manual Tax" — the multiplier effect created when long-tail assets that human processes cannot reach drag exposure from weeks into months. For Spring4Shell, the average remediation time was 5.4 times the median. The median tells a manageable story. The average reveals the operational truth.
Infrastructure systems face a particularly harsh reality. For Cisco IOS XE, even the median remediation time was 232 days, compared to endpoint medians that consistently remain under 14 days. When the best-case outcome is eight months, the Manual Tax stops being a multiplier and becomes the baseline.
To better capture cumulative exposure, the researchers propose moving beyond CVE counts toward a metric called Risk Mass — calculated as vulnerable assets multiplied by days exposed. A companion metric, the Average Window of Exposure (AWE), measures the full duration from weaponization through remediation across an environment.
These metrics address a critical blind spot in current security dashboards, which tend to reward patch velocity without accounting for the tail of long-unpatched assets where breaches actually occur.
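As an added illustration (not from the Qualys report, whose exact formulas are not given on this page), here are the Risk Mass, AWE, Manual Tax and Day-7 figures computed over a constructed set of remediation records for one weaponized-before-disclosure bug. It generalizes Risk Mass to a per-asset sum of exposed days, and the `sprint_window` SLA and the three-phase split are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Record:
    """One vulnerable asset and the date its KEV finding was remediated."""
    asset_id: str
    closed_on: date


def remediation_days(disclosed_on, records):
    """Days from public disclosure to close, per asset (what a patch-velocity dashboard shows)."""
    return [(r.closed_on - disclosed_on).days for r in records]


def exposure_days(weaponized_on, records):
    """Days from first weaponization to close, per asset (the real risk window)."""
    return [(r.closed_on - weaponized_on).days for r in records]


def risk_mass(weaponized_on, records):
    """Risk Mass: vulnerable assets x days exposed, summed over the environment (asset-days)."""
    return sum(exposure_days(weaponized_on, records))


def awe(weaponized_on, records):
    """Average Window of Exposure: mean per-asset exposure, weaponization through close."""
    return mean(exposure_days(weaponized_on, records))


def manual_tax(disclosed_on, records):
    """Mean remediation time over the median: how far the long tail drags the average."""
    days = remediation_days(disclosed_on, records)
    return mean(days) / median(days)


def pct_open_at(disclosed_on, records, day=7):
    """Percentage of assets still unremediated `day` days after disclosure."""
    cutoff = disclosed_on + timedelta(days=day)
    return 100 * sum(r.closed_on > cutoff for r in records) / len(records)


def exposure_phases(weaponized_on, disclosed_on, records, sprint_window=14):
    """Split AWE into pre-disclosure blind spot, remediation sprint and long tail.
    sprint_window is an assumed SLA (days after disclosure) bounding the sprint phase."""
    pre = (disclosed_on - weaponized_on).days
    post = remediation_days(disclosed_on, records)
    sprint = mean([min(d, sprint_window) for d in post])
    tail = mean([max(d - sprint_window, 0) for d in post])
    total = pre + sprint + tail
    return {"pre_disclosure": pre / total, "sprint": sprint / total, "long_tail": tail / total}


# Constructed sample: weaponized 30 days before disclosure, seven endpoints closed within
# two weeks, three infrastructure assets dragging on for months (the "Manual Tax").
WEAPONIZED = date(2022, 3, 1)
DISCLOSED = date(2022, 3, 31)
RECORDS = [Record(f"asset-{i}", DISCLOSED + timedelta(days=d))
           for i, d in enumerate([5, 6, 7, 8, 10, 10, 12, 120, 172, 200])]

if __name__ == "__main__":
    print(f"Risk Mass: {risk_mass(WEAPONIZED, RECORDS)} asset-days, AWE: {awe(WEAPONIZED, RECORDS)} days")
    print(f"Manual Tax: {manual_tax(DISCLOSED, RECORDS)}x, open at Day 7: {pct_open_at(DISCLOSED, RECORDS)}%")
    print(exposure_phases(WEAPONIZED, DISCLOSED, RECORDS))
```

The median remediation here is 10 days, which looks healthy; the mean is 55 and the AWE 85, which is the gap between the dashboard and the actual risk window.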
Signal vs. Noise in Vulnerability Disclosure
The report also highlights a resource allocation problem driven by raw CVE volume. Of 48,172 vulnerabilities disclosed in 2025, only 357 were both remotely exploitable and actively weaponized. Organizations are spending remediation cycles on theoretical exposure while genuinely dangerous gaps go unaddressed. Prioritization, not just speed, is the missing ingredient.
Why the Gap Will Keep Widening
Cybersecurity has historically evolved as a derivative of broader technology shifts — Windows security emerged alongside Windows, cloud security followed cloud adoption. Qualys researchers, along with leading practitioners, argue that AI breaks this pattern entirely.
Offensive AI agents can already discover vulnerabilities, weaponize them, and execute attacks faster than any human-staffed operation can respond. The remediation data demonstrates that humans cannot keep pace today. Autonomous offensive AI guarantees the gap will accelerate tomorrow.
The report characterizes the current transition period — where AI-powered attackers face human-speed defenders — as the industry's most dangerous window. This danger is compounded by several structural vulnerabilities dominating the near term:
- Attack surfaces expanding faster than teams can govern them
- Identity sprawl outpacing policy frameworks
- Remediation workflows still built on manual execution
What Replaces the Scan-and-Report Model
The traditional scan-and-report cycle — discover, score, ticket, manually route — was designed for lower CVE volumes and longer exploit timelines. Those conditions no longer exist. The Qualys research argues that what is needed instead is an end-to-end Risk Operations Center built around three pillars:
- Embedded intelligence delivered as machine-readable decision logic, not human-readable reports
- Active confirmation that validates whether a specific vulnerability is actually exploitable in a given environment
- Autonomous action capable of compressing response to the timescale that modern threats demand
The objective of this model is not to remove human judgment from the equation, but to elevate it — moving practitioners away from tactical execution and toward governing the policies that direct autonomous systems. The organizations already closing the physics gap between attacker speed and defender speed are not doing so with larger teams. They are succeeding because they have removed human latency from the critical path.
A Hard Mathematical Ceiling
Time-to-Exploit will not return to positive numbers. Vulnerability volume will not plateau. As the Qualys Threat Research Unit concludes, the reactive model has reached a hard mathematical ceiling, and the remaining question is whether security organizations will adopt architectures that match the mathematics — before the window between human-scale defense and autonomous-scale offense closes permanently.
"The attacker's advantage was measured in days. The defender's response was measured in seasons. This is not an intelligence failure. It is an operationalization failure." — Qualys Threat Research Unit
Source: BleepingComputer