AI-Driven Exploitation Collapses Vulnerability Windows to Hours

[Figure: Patch window collapse, 2026. Attacker timeline (hours) versus defender patching timeline (43 days, median) after CVE disclosure, with marks at +6 hours, +24 hours, +7 days and +43 days; the gap between the two timelines is the exploit zone.]

  • 10,000+: Critical vulnerabilities found by AI in 30 days
  • 43 days: Median time to patch (up from 32)
  • Hours: Window before exploitation begins
  • 50+: Organizations using AI for vuln discovery

TL;DR
  • What: Anthropic's Project Glasswing (using Claude Mythos Preview) found 10,000+ critical vulnerabilities in a single month; attackers wield the same AI tooling, compressing exploitation timelines from days to hours.
  • Impact: Verizon's 2026 DBIR shows median patch time rose from 32 to 43 days while active exploitation begins within hours of disclosure — leaving a multi-week window of unmitigated exposure.
  • Fix / mitigation: Adopt a three-step model: preemptive prioritization before exploitation begins, rapid environment-specific exposure validation, and temporary controls (segmentation, access restriction) to bridge the gap while change control runs.
  • Who's at risk: Any enterprise still operating on 30+ day patching cycles, particularly those with internet-facing systems and limited context-aware prioritization.

The vulnerability management model is breaking. Anthropic's Project Glasswing, using Claude Mythos Preview, identified over 10,000 high or critical-severity vulnerabilities across systemically important software in May 2026 alone. Approximately 50 partner organizations participated in this effort, and many others report similar results from internal AI-driven research.

The problem: attackers have access to the same AI tools, with the same speed advantages. Vulnerabilities are now being discovered, reproduced, and weaponized faster than at any point in enterprise security history. The window between disclosure and indiscriminate exploitation is measured in hours, not days.

According to Verizon's 2026 Data Breach Investigations Report, the median time to patch a critical vulnerability increased from 32 days to 43 days year-over-year. Attackers operate on timelines measured in hours. Defenders operate on timelines measured in weeks. That gap is where exploitation happens.

Why 'Patch Faster' Isn't a Strategy

The industry's response has been predictable: patch faster. Regulators say it, boards expect it, executives demand it. India's CERT-IN recently issued guidance pointing toward sub-day patching expectations for certain critical vulnerabilities.

For most enterprises, this is not operationally viable. Patching is a controlled process constrained by uptime requirements, stability testing, change windows, business approvals, and compliance obligations. Production systems cannot be broken in the name of urgency. Telling security teams to patch faster is like telling someone to be taller—it sounds helpful but ignores structural reality.

The New Reality

Some vulnerabilities will be targeted before they can be fully remediated. Security teams must plan around this reality without creating new operational risk. The operating model must shift from reactive patching to preempt, validate, and mitigate.

The Bottleneck Has Moved

AI has industrialized vulnerability research on both sides. While defenders gain access to tools that identify thousands of vulnerabilities per month, attackers use the same capabilities to identify and reproduce exploitable flaws at scale. The asymmetry isn't in discovery—it's in response time.

Exploitation timelines have been shrinking for years, and recent vulnerability disclosures have been followed by in-the-wild exploitation in single-digit hours. With AI acceleration, the window between disclosure and active targeting will continue to compress.

In a near future where hundreds or thousands of vulnerabilities are disclosed daily, security teams cannot investigate everything. The challenge is no longer just finding vulnerabilities—it's filtering which ones matter before attackers move.

Step 1: Preempt What Attackers Are Likely to Exploit

Not every disclosed vulnerability carries the same urgency. Some will never be exploited in the real world. Others have traits attackers prioritize: broad deployment, internet reachability, repeatable exploitation, and clear paths to meaningful access.

Preemption means identifying which vulnerabilities are most likely to see in-the-wild exploitation within the first hours after disclosure, before teams have worked through the full list. This filtering must happen before exploitation begins, not after.

Severity matters, but it has never been the whole picture. Context—exploitability, exposure, threat actor interest—determines actual risk. Narrowing the field early keeps organizations ahead of the exploitation window rather than reacting after compromise.
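
The filtering described in this step, as an added example (not code from any vendor or project named in this article): it ranks a constructed disclosure feed by the four attacker-preferred traits listed above, with severity as a minor input. The weights, the threshold, the `Disclosure` type and the `VULN-*` identifiers are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Weights are illustrative assumptions; the four traits are the ones named above.
TRAIT_WEIGHTS = {
    "broad_deployment": 2.0,
    "internet_reachable": 3.0,
    "repeatable_exploit": 2.5,
    "meaningful_access": 2.5,
}

@dataclass(frozen=True)
class Disclosure:
    vuln_id: str        # constructed placeholder, not a real CVE id
    severity: float     # CVSS-style base score, 0.0 to 10.0
    traits: frozenset   # subset of TRAIT_WEIGHTS keys

    def __post_init__(self):
        unknown = set(self.traits) - TRAIT_WEIGHTS.keys()
        if unknown or not 0.0 <= self.severity <= 10.0:
            raise ValueError(f"bad record {self.vuln_id}: {sorted(unknown)}")

def preempt_score(d):
    """Severity adds at most 2 points; attacker-preferred traits add up to 10."""
    return round(sum(TRAIT_WEIGHTS[t] for t in d.traits) + d.severity / 5.0, 2)

def shortlist(disclosures, threshold=7.0):
    """IDs to handle before the full list is triaged, highest score first."""
    ranked = sorted(disclosures, key=preempt_score, reverse=True)
    return [d.vuln_id for d in ranked if preempt_score(d) >= threshold]

# Constructed feed for illustration.
FEED = [
    Disclosure("VULN-A", 9.8, frozenset()),
    Disclosure("VULN-B", 7.5, frozenset(TRAIT_WEIGHTS)),
    Disclosure("VULN-C", 8.1, frozenset({"internet_reachable", "repeatable_exploit"})),
    Disclosure("VULN-D", 9.1, frozenset({"broad_deployment"})),
]

print(shortlist(FEED))
```

The 9.8-severity record with none of the traits stays off the shortlist, while the 7.5-severity record with all four traits leads it.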

Step 2: Rapidly React and Validate Exposure

Once in-the-wild exploitation is likely or confirmed, defenders need environment-specific answers before attackers move: Are we exposed? Where are we exposed? Who owns the affected systems? Is exploitability proven in our environment?

Real-world rapid reaction identifies internet-facing systems across business units, departments, and subsidiaries, then contextualizes the vulnerability with relevant threat intelligence. Validation confirms whether the vulnerable component is reachable by an attacker and exploitable in practice.

Speed and Accuracy

Speed without accuracy is panic. Accuracy without speed is irrelevance. Both must be combined when responding to emerging threats before exploitation begins. A possible vulnerability creates an investigation. A validated, exploitable vulnerability necessitates rapid action.

The faster teams make this distinction, the faster they can decide what to mitigate, what to monitor, and what can move through normal remediation cycles.
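
One way to turn the four exposure questions into a per-asset decision, as an added example that is not part of the original article: it matches one advisory against a constructed asset inventory and groups affected hosts and owners by response track. The product name `examplegw`, the fixed version, every host and owner name, and the routing rules themselves are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    owner: str             # team accountable for the system
    product: str
    version: str
    internet_facing: bool
    validated: bool        # exploitability confirmed in this environment

def parse_version(text):
    """Dotted numeric version -> tuple, or None when it cannot be parsed."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def route(asset, product, fixed_in):
    """Pick a response track for one asset (routing rules are assumptions)."""
    if asset.product != product:
        return "not-affected"
    current, fixed = parse_version(asset.version), parse_version(fixed_in)
    if current is None or fixed is None:
        return "investigate"          # unknown version is not proof of safety
    if current >= fixed:
        return "not-affected"
    if not asset.internet_facing:
        return "normal-cycle"         # vulnerable but not attacker-reachable
    return "mitigate-now" if asset.validated else "investigate"

def exposure_report(inventory, product, fixed_in):
    report = defaultdict(list)        # track -> [(host, owner), ...]
    for asset in inventory:
        track = route(asset, product, fixed_in)
        if track != "not-affected":
            report[track].append((asset.host, asset.owner))
    return dict(report)

# Constructed inventory; "examplegw" and every host/owner name are made up.
INVENTORY = [
    Asset("vpn-edge-01", "network-ops", "examplegw", "4.2.1", True, True),
    Asset("vpn-edge-02", "subsidiary-it", "examplegw", "4.2.0", True, False),
    Asset("lab-gw-07", "platform-eng", "examplegw", "4.1.9", False, False),
    Asset("vpn-edge-03", "network-ops", "examplegw", "4.3.0", True, False),
    Asset("legacy-gw", "unknown", "examplegw", "4.2-custom", True, False),
]
print(exposure_report(INVENTORY, "examplegw", "4.3.0"))
```

The host with an unparsable version string lands in the investigate track rather than being silently treated as patched.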

Step 3: Mitigate to Buy Time for Effective Remediation

Once exposure is validated, remediation may still require testing, change control, and business approval. This takes time—time attackers will use. Mitigation buys that time without breaking production systems.

Temporary controls reduce risk while the normal patching cycle runs. These controls must answer specific questions:

Mitigation is not a replacement for patching—it's a bridge. The goal is to reduce the attack surface and limit potential impact while working through controlled remediation processes.

What Changes Now

AI-driven vulnerability discovery is not slowing down. The tools that identified 10,000+ critical vulnerabilities in a single month will continue to improve. Attackers will use these same capabilities to compress exploitation timelines further.

The traditional vulnerability management model—prioritize, test, patch—assumes defenders have time. That assumption is no longer valid. Organizations that continue to operate on 30+ day patching cycles while attackers operate on hour-long exploitation cycles will lose.

The new model requires three capabilities: preemptive filtering to identify likely-exploited vulnerabilities within hours of disclosure, rapid validation of environment-specific exposure before exploitation begins, and immediate mitigation to reduce risk while remediation processes run.

Patching remains essential. But patching alone, or even faster patching, is no longer a complete answer. Security teams must build operational models that assume some vulnerabilities will be targeted before they can be fully remediated—and plan accordingly.
