CISA KEV Analysis: 1 Billion Records Reveal the Breaking Point of Human-Scale Security

The race between cybersecurity defenders and threat actors has reached a critical tipping point, where the speed of exploitation is now outstripping the human capacity to respond. Fresh analysis of one billion CISA KEV remediation records reveals a systemic failure in traditional vulnerability management, suggesting that the current “human-scale” approach to security is no longer sufficient to protect global networks.

For years, the industry standard for security has relied on a cycle of discovery, patching, and verification. However, data spanning four years and 10,000 organizations indicates that this operational model is breaking. The gap between the moment a vulnerability is weaponized and the moment a patch is applied has collapsed, leaving organizations exposed even when they increase their remediation efforts.

This shift is driven by a combination of skyrocketing vulnerability volumes and the emergence of autonomous AI agents that can identify and exploit flaws with unprecedented speed. As the time-to-exploit shrinks into negative territory, the industry is facing a reality where critical flaws are often exploited before a vendor can even release a fix.

The Collapse of the Remediation Window

The scale of the current crisis is quantified by a massive study of over one billion remediation records. The findings suggest that while security teams are working harder—closing 6.5 times more tickets than they did in 2022—they are effectively running in place. Despite this increase in activity, the percentage of critical vulnerabilities that remain open after seven days has actually worsened, climbing from 56 percent to 63 percent according to research analyzed by Qualys.

Perhaps the most alarming metric is the “Time-to-Exploit.” According to Google M-Trends 2026, the average time-to-exploit has collapsed to negative seven days. In other words, adversaries are weaponizing the most serious vulnerabilities before a patch even exists, as noted in the Qualys Threat Research Unit analysis. This creates a “zero-day” environment by default for the most critical flaws.

The research focused on 52 tracked weaponized vulnerabilities and found a stark disparity in timing: 88 percent of these flaws were patched more slowly than they were exploited. Half of these vulnerabilities were weaponized before any official patch was available to the public. This suggests that the problem is not a lack of effort or staffing, but a fundamental flaw in the operational model of enterprise security.

Understanding the CISA KEV Catalog

To combat this volatility, the Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog. Unlike traditional vulnerability lists that rank risks based on theoretical severity, the KEV catalog is an authoritative source of vulnerabilities that have been confirmed as actively exploited in the wild.

The KEV catalog serves as a critical input for vulnerability management prioritization frameworks. It allows organizations to move away from chasing every “High” or “Critical” CVE (Common Vulnerabilities and Exposures) and instead focus on the flaws that attackers are actually using. For U.S. Federal Civilian Executive Branch (FCEB) agencies, the KEV catalog is not just a recommendation; it is tied to specific mandates under BOD 22-01, which sets strict deadlines for remediation, as detailed in Qualys documentation.

Each entry in the KEV catalog includes a designated “Due Date.” This is the deadline by which an organization must apply mitigations or discontinue use of the affected product. While these deadlines are mandatory for federal agencies, CISA strongly encourages private sector organizations to adopt similar timelines to improve their overall security posture.
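This added example (not code from the article, CISA or Qualys) shows KEV-first prioritization: open scanner findings are joined against entries shaped like CISA's KEV JSON feed and ordered by due date rather than by score. Apart from CVE-2026-1340 and its two dates, which the article cites, every ID, asset name and score is constructed.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. Only CVE-2026-1340 and
# its two dates come from the article; CVE-0000-* IDs are placeholders.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2026-1340", "vendorProject": "Ivanti",
   "dateAdded": "2026-04-08", "dueDate": "2026-04-11"},
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
   "dateAdded": "2026-03-20", "dueDate": "2026-04-10"}]}"""

# Constructed open findings: (asset, CVE, score). Scores are made up for the
# example and are not real CVSS values for any CVE.
FINDINGS = [
    ("mdm-01", "CVE-2026-1340", 9.0),
    ("web-07", "CVE-0000-0002", 9.9),  # highest score, but not in KEV
    ("db-03", "CVE-0000-0001", 7.5),   # lower score, KEV due date has passed
    ("web-07", "CVE-0000-0003", 5.3),
]


def load_kev(raw):
    """Index KEV entries by CVE ID, parsing the ISO due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(raw)["vulnerabilities"]}


def prioritize(findings, kev_due, today):
    """KEV findings first (most overdue first), then the rest by score."""
    rows = []
    for asset, cve, score in findings:
        due = kev_due.get(cve)
        days_left = (due - today).days if due else None
        rows.append({"asset": asset, "cve": cve, "score": score,
                     "in_kev": due is not None, "days_left": days_left,
                     "overdue": due is not None and days_left < 0})
    # KEV before non-KEV, then fewest days left, then highest score.
    rows.sort(key=lambda r: (not r["in_kev"], r["days_left"] or 0, -r["score"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_JSON), date(2026, 4, 11)):
        print(row)
```

Run as of April 11, 2026, the overdue KEV finding and the Ivanti entry both rank ahead of the higher-scored finding that is not in the catalog.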

Case Study: The Ivanti EPMM Vulnerability

The urgency of the KEV timeline is illustrated by recent activity involving Ivanti products. On April 8, 2026, CISA added CVE-2026-1340 to the KEV catalog. This vulnerability is a code injection flaw in Ivanti Endpoint Manager Mobile (EPMM) that could allow unauthenticated remote code execution, per the CISA KEV catalog.

The window for action was incredibly tight: the vulnerability was added on April 8, and the remediation due date was set for April 11, 2026. This three-day window highlights the “broken physics” of modern security; defenders are expected to identify, test, and deploy fixes in a matter of hours to maintain pace with active threats.

The AI Threat and the Need for Autonomous Defense

The acceleration of threats is no longer just a matter of better scripting; it is the result of a paradigm shift toward AI-powered attacks. The transition period where AI-powered attackers face human defenders is now considered the industry’s most dangerous window. AI agents can scan for vulnerabilities and deploy exploits at a speed and scale that no human team, regardless of size, can match.

Because of this, the research suggests that the traditional metric of “CVE counts”—how many patches were applied—is an obsolete measure of risk. Instead, security leaders must pivot toward measuring “cumulative exposure.” This metric accounts for the total time a system remains vulnerable, providing a more accurate picture of the actual risk surface.
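This added example (not from the article or the Qualys research) compares a closed-ticket count with cumulative exposure for two reporting periods. It assumes one possible definition of exposure, the days from weaponization to remediation (or to the report date if the finding is still open); all records are constructed.

```python
from datetime import date as D

# Constructed records: (asset, cve, weaponized, remediated or None if open).
PERIOD_A = [
    ("app-1", "CVE-0000-0101", D(2026, 1, 5), D(2026, 1, 9)),
    ("app-2", "CVE-0000-0101", D(2026, 1, 5), D(2026, 1, 20)),
    ("vpn-1", "CVE-0000-0102", D(2026, 1, 12), D(2026, 1, 15)),
]
PERIOD_B = [
    ("app-1", "CVE-0000-0201", D(2026, 4, 1), D(2026, 4, 12)),
    ("app-2", "CVE-0000-0201", D(2026, 4, 1), D(2026, 4, 14)),
    ("vpn-1", "CVE-0000-0202", D(2026, 4, 3), D(2026, 4, 6)),
    ("mdm-1", "CVE-0000-0203", D(2026, 4, 8), D(2026, 4, 20)),
    ("mdm-2", "CVE-0000-0203", D(2026, 4, 8), D(2026, 4, 10)),
    ("db-1", "CVE-0000-0204", D(2026, 4, 15), None),  # still open
]


def exposure_days(record, as_of):
    """Days the asset stayed exploitable, capped at the report date."""
    _, _, weaponized, remediated = record
    end = min(remediated or as_of, as_of)
    return max((end - weaponized).days, 0)  # patched before weaponization -> 0


def summarize(records, as_of, window_days=7):
    """Return the ticket count next to the exposure-based view of the period."""
    if not records:
        return {"closed": 0, "exposure_days": 0, "pct_past_window": 0}
    days = [exposure_days(r, as_of) for r in records]
    closed = sum(1 for r in records if r[3] is not None and r[3] <= as_of)
    late = sum(1 for d in days if d > window_days)
    return {"closed": closed,
            "exposure_days": sum(days),
            "pct_past_window": round(100 * late / len(days))}


if __name__ == "__main__":
    print("A:", summarize(PERIOD_A, D(2026, 1, 31)))
    print("B:", summarize(PERIOD_B, D(2026, 4, 30)))
```

In this constructed data, period B closes more tickets than period A yet accumulates more than twice the exposure days, which is the divergence a raw patch count hides.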

To survive this environment, the industry must move toward “closed-loop risk operations.” This involves implementing autonomous defense systems that can identify, prioritize, and mitigate risks without requiring manual intervention for every ticket. When the time-to-exploit is negative, the only viable defense is one that operates at the same speed as the attack.

Key Takeaways for Security Leaders

  • Prioritize Active Exploitation: Use the CISA KEV catalog as the primary driver for patching priority, rather than relying solely on CVSS scores.
  • Shift Metrics: Move from counting patched CVEs to measuring cumulative exposure and the time between weaponization and remediation.
  • Adopt Automation: Invest in autonomous risk operations to reduce the reliance on human-scale security for critical, fast-moving threats.
  • Monitor the Window: Recognize that the average time-to-exploit has dropped to negative seven days, meaning patches may arrive after the first wave of attacks.

What Happens Next

As AI continues to accelerate the weaponization of software flaws, the pressure on the CISA KEV framework and corporate vulnerability management plans will only increase. The focus is now shifting toward how organizations can implement “autonomous” remediation to close the gap that human teams can no longer bridge.

Organizations are encouraged to regularly monitor the CISA Known Exploited Vulnerabilities Catalog for new additions and adhere to vendor-specific guidelines for immediate mitigation.
