
Author: Saeed Abbasi, Senior Manager, Threat Research Unit, Qualys
With Time-to-Exploit now at negative seven days and autonomous AI agents accelerating threats, the data no longer supports incremental improvement. The architecture of defense must change.
What Leaders Need to Know
Analysis of CISA's Known Exploited Vulnerabilities over the past four years shows that critical vulnerabilities still open at Day 7 worsened from 56% to 63%, despite teams closing 6.5x more tickets. Staffing can't solve this.
Of the 52 tracked weaponized vulnerabilities in our study, 88% were patched more slowly than they were exploited; half were weaponized before any patch existed.
The problem isn't speed. It's the operational model itself.
Cumulative exposure, not CVE counts, is the true risk metric that security teams now need to measure. While dashboards reward the sprint to get patches deployed, breaches exploit the tail. AI isn't just another attack surface; rather, the transition period in which AI-powered attackers face human defenders is the industry's most dangerous window.
In response, defenders must implement their own autonomous, closed-loop risk operations.
The Broken Physics
New research from the Qualys Threat Research Unit, analyzing billions of CISA KEV remediation records from across 10,000 organizations over four years, quantifies what the industry has long suspected but never proved at scale: the operational model underpinning enterprise security is broken.
Vulnerability volumes have grown 6.5 times since 2022. According to Google M-Trends 2026, the average Time-to-Exploit has collapsed to negative seven days; in other words, adversaries are weaponizing the most severe vulnerabilities before patches exist. The share of critical vulnerabilities still open at seven days has climbed from 56 percent to 63 percent.
Yet this isn't for lack of effort. Organizations now close 400 million more vulnerability events per year than they did at baseline. Teams work harder, but it fails to make a difference where it counts. Our researchers call this the "human ceiling": a structural limit that no amount of staffing or process maturity can overcome. The constraint isn't effort. It's the model itself.
Of the 52 high-profile weaponized vulnerabilities tracked with complete exploitation timelines, 88 percent were remediated more slowly than they were exploited. For example, Spring4Shell was exploited two days before disclosure, yet the average enterprise needed 266 days to remediate.
Similarly, the flaw in Cisco IOS XE was weaponized a month early; the average close was 263 days.
The attacker's advantage was measured in days. The defender's response was measured in seasons. This isn't an intelligence failure. It's an operationalization failure.
The Manual Tax and Risk Mass
The report identifies a "Manual Tax": the multiplier effect by which long-tail assets that human processes can't reach drag exposure from weeks into months. For Spring4Shell, average remediation was 5.4 times the median.
The median tells a manageable story. The average tells the truth. Infrastructure systems face a harsher reality: for Cisco IOS XE, even the median was 232 days, compared to endpoint medians consistently under 14. When the best-case outcome is eight months, the Manual Tax is no longer a multiplier. It's the baseline.
Looking at average figures is no longer useful for decision-making. Instead, looking at Risk Mass (vulnerable assets multiplied by days exposed) captures the cumulative exposure that CVE counts obscure. A companion metric, Average Window of Exposure (AWE), measures the total duration from weaponization to remediation across the environment.
For example, Follina was weaponized 30 days before disclosure, with a median close at Day 55.
However, the AWE stretched to 85 days. While the blind spot before disclosure accounted for 36 percent of those 85 days, the long tail of patching accounted for a further 44 percent. In total, pre-disclosure and long tail together represent 80 percent. The sprint that gets measured makes up less than 20.
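The following is an added example, not code from the report or from Qualys, that computes Risk Mass, AWE and the mean/median Manual Tax multiplier for one weaponized CVE over a constructed set of asset close dates, and splits the AWE into blind spot, sprint and long tail. The 14-day "sprint" SLA and the close dates are assumptions; the Follina figures above are not reproduced.

```python
from statistics import mean, median

# Constructed scenario: one weaponized CVE, days counted relative to public
# disclosure (Day 0). The exploit was weaponized 30 days before disclosure.
WEAPONIZED_DAY = -30
DISCLOSURE_DAY = 0
SLA_DAYS = 14  # assumed "sprint" window: remediation inside SLA counts as sprint

# Constructed close days for 10 vulnerable assets; the last two are long-tail
# assets that a manual process only reaches after months.
CLOSE_DAYS = [3, 5, 7, 10, 12, 14, 21, 30, 120, 180]


def exposure_days(close_day, weaponized_day=WEAPONIZED_DAY):
    """Days one asset was exposed: from weaponization to remediation."""
    return close_day - weaponized_day


def risk_mass(close_days):
    """Risk Mass: vulnerable assets x days exposed, summed as asset-days."""
    return sum(exposure_days(c) for c in close_days)


def awe(close_days):
    """Average Window of Exposure: mean weaponization-to-remediation time."""
    return mean(exposure_days(c) for c in close_days)


def manual_tax(close_days):
    """Mean/median close ratio: how much the long tail inflates the average."""
    return mean(close_days) / median(close_days)


def decompose(close_days, sla_days=SLA_DAYS):
    """Share of AWE spent in the pre-disclosure blind spot, the SLA sprint,
    and the long tail beyond the SLA. The three shares sum to 1."""
    blind = DISCLOSURE_DAY - WEAPONIZED_DAY
    sprint = mean(min(max(c, 0), sla_days) for c in close_days)
    tail = mean(max(c - sla_days, 0) for c in close_days)
    total = blind + sprint + tail  # equals awe(close_days)
    return {"blind_spot": blind / total,
            "sprint": sprint / total,
            "long_tail": tail / total}


if __name__ == "__main__":
    print("risk mass (asset-days):", risk_mass(CLOSE_DAYS))
    print("AWE (days):", awe(CLOSE_DAYS))
    print("manual tax (mean/median):", round(manual_tax(CLOSE_DAYS), 2))
    print({k: round(v, 2) for k, v in decompose(CLOSE_DAYS).items()})
```

Even though eight of ten assets close within a month, the two long-tail assets make the long tail the largest share of the window and push the mean close to roughly three times the median.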
At the same time, of the 48,172 vulnerabilities disclosed in 2025, only 357 were remotely exploitable and actively weaponized. Organizations are burning remediation cycles on theoretical exposure while genuinely exploitable gaps persist.
Why the Gap Will Widen
Cybersecurity has long operated as a derivative of technology shifts: Windows security followed Windows, cloud security followed cloud. Leading practitioners and investors now argue that AI breaks that pattern. It is not simply a new surface to defend; it is a fundamental transformation of the adversary itself.
Offensive agents can already discover, weaponize, and execute faster than any human-staffed operation can respond. The remediation data proves humans can't keep pace today. Autonomous AI guarantees the gap will accelerate tomorrow.
The transition period, in which AI-powered attackers face human-speed defenders, represents the industry's most dangerous window, compounded by the structural vulnerabilities that dominate the near term: attack surfaces expanded beyond what teams can govern, identity sprawl that outpaces coverage, and remediation workflows still built on manual execution.
The traditional scan-and-report model was built for lower volumes of CVEs and longer exploit timelines. What replaces it is an end-to-end Risk Operations Center: embedded intelligence arriving as machine-readable decision logic, active confirmation validating whether a vulnerability is actually exploitable in a specific environment, and autonomous action compressing response to the timescale the threat demands.
The goal isn't to eliminate human judgment but to elevate it, moving practitioners from tactical execution to governing the policies that direct their own autonomous systems.
The organizations already winning the physics gap are not winning with bigger teams. They're winning because they have removed human latency from the critical path.
How Security Teams Can Close the Risk Gap
Time-to-Exploit won't return to positive numbers. Vulnerability volume won't plateau. The reactive model has hit a hard mathematical ceiling.
The only remaining question is whether organizations will adopt the architecture that matches the math, before the window between human-scale defense and autonomous-scale offense closes for good.
Contact Qualys for insights into how companies manage remediation at scale with automation and AI, and how you can make that difference right now.
Sponsored and written by Qualys.



