The Exploit Doesn't Exist. You Can Still Prove It Works Against You
Sponsored by Picus Security
June 23, 2026
10:01 AM
For thirty years, vulnerability management has run on what now looks like an impossible luxury: a buffer of months between when a vulnerability was found and when someone could figure out how to weaponize it. Triage by severity, schedule the fix, validate, move on.
That generous buffer is what made the entire system work.
AI has stripped out the manual drag that kept weaponization slow. Reading the advisory, finding the path, shaping the chain, testing what works: none of it has to happen at human speed anymore. Today, disclosure-to-exploit timeframes run in hours, not months.
The Zero Day Clock, which tracks this in real time, currently averages around 8 hours for 2026, down from roughly 53 days just two years ago. The figure shifts as fresh data lands, but at this point it's sitting firmly below 24 hours.
You Can't Patch Your Way Out of This
The reflex is usually to just patch faster. But remediation isn't simply a switch you flip. Patches wait on a number of contingencies: regression testing, change windows, and uptime commitments. And today, every number that matters is unfortunately moving in the wrong direction.
Verizon's 2026 Data Breach Investigations Report, drawn from more than 13,000 organizations, found that:
The median fix time for known-exploited vulnerabilities is now 43 days, up from 32 last year.
The share of organizations fully patching them is down from 38% to 26%.
Even the best performers close only 30 to 40% of these vulnerabilities in the first week, a rate that's barely budged in years.
When offense runs in hours and remediation runs in weeks, the breach lands in between. And the runway is only getting longer.
The volume guarantees it: 48,185 CVEs in 2025, fewer than 0.6% ever patched. "Patch your way out" has stopped being workable math.
Even worse, these are pre-Mythos numbers.
Mythos is the threshold at which AI models became able to find and weaponize vulnerabilities on their own, and it isn't theoretical: Anthropic's Mythos-class model found a flaw that had been hiding in OpenBSD, widely regarded as one of the world's most secure operating systems, for 27 years.
The 2025 baseline has become the floor, not the ceiling.
The question is no longer "what's vulnerable?", because in a list where everything scores a 9 or a 10, severity effectively prioritizes nothing. The real question has become, "What's actually exploitable against us, right now, with the controls we're already running?" Finding the exposure was never the hard part. Proving which call is right (patch, mitigate, monitor, or accept) is the critical gap.
From CVE to a Defensible Decision in Hours, No Exploit Required
The two-pager walks the full TTP-chaining pipeline end to end.
See how Picus decomposes any CVE into its technique chain, tests each step against your real controls, and returns a defensible verdict on the assets a live exploit can never reach.
Your Pentest Got Faster. It Still Can't Reach What Matters.
The popular response has been to automate the pentest.
Automated pentesting tools take the manual penetration test that used to happen once a quarter and run it continuously, at scale, firing real exploit chains against real assets. Where that can run, it's the strongest proof there is: you watch the exploit succeed. Picus does it too, with Autonomous Penetration Testing. No argument there.
But while automating the launch makes you faster, it doesn't change what the launch can reach.
Live exploitation only works where firing an exploit is safe and where a working exploit exists. That leaves three gaps no pentest tool can close, and stacking tools on top of one another doesn't close them either:
No exploit, nothing to fire. A large share of disclosed CVEs never get a public or safe exploit. With nothing to launch, execution can't tell you whether they're exploitable in your environment.
Assets you can't risk. Business-critical, regulated, and air-gapped systems are exactly the ones you can't safely detonate an exploit against, and they're usually the ones that matter most.
The day-one window. Weaponizing a fresh exploit and wiring it into your tooling takes time. Attackers are already moving while your launch is still on the bench.
In a typical enterprise, the slice you can safely exploit live is usually only 10 to 15% of your total exposure picture. For the other 85 to 90%, execution has no answer to give.
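As an added illustration of the chain-based verdict this page argues for (decompose a CVE into its technique steps, check each step against the controls already running, and return a patch/mitigate/monitor/accept call without firing an exploit), here is a toy decision model in Python. It is not Picus code and says nothing about how Picus actually decomposes CVEs; the ATT&CK-style technique ids, the sample chain, the CVE placeholder name and the verdict policy are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Step:
    """One technique in a CVE's exploitation chain (ATT&CK-style id)."""
    technique: str
    description: str


@dataclass(frozen=True)
class Coverage:
    """What the controls already running do about one technique."""
    prevents: bool = False   # a control blocks the step outright
    detects: bool = False    # the step runs, but an alert fires


@dataclass
class Verdict:
    cve: str
    reaches_objective: bool
    blocked_at: Optional[str]
    detected: List[str]
    call: str     # one of: patch, monitor, mitigate, accept
    reason: str


# Constructed sample chain for a hypothetical RCE bug. Real chains would come
# from the advisory and a decomposition step, not from this example.
SAMPLE_CHAIN: Sequence[Step] = (
    Step("T1190", "exploit public-facing application"),
    Step("T1059", "command and scripting interpreter"),
    Step("T1071", "application layer protocol used for C2"),
)

# Constructed ranking: most urgent call first.
URGENCY = {"patch": 0, "monitor": 1, "mitigate": 2, "accept": 3}


def assess(cve: str, chain: Sequence[Step], coverage: Dict[str, Coverage]) -> Verdict:
    """Walk the chain against the control map; nothing is executed.

    The chain only reaches its objective if every step runs unblocked, so the
    first prevented step ends the walk. Detection never stops the chain, but
    it changes the call because someone would see the attempt.
    """
    detected: List[str] = []
    for index, step in enumerate(chain):
        cov = coverage.get(step.technique, Coverage())
        if cov.detects:
            detected.append(step.technique)
        if cov.prevents:
            if index == 0:
                # Blocked before any foothold: not exploitable here as things stand.
                call, reason = "accept", f"{step.technique} is blocked at initial access"
            else:
                # The attacker gets in and is then stopped: partial compromise is possible.
                call, reason = "mitigate", f"foothold possible; chain blocked at {step.technique}"
            return Verdict(cve, False, step.technique, detected, call, reason)
    if detected:
        return Verdict(cve, True, None, detected, "monitor",
                       "chain completes but is detected at " + ", ".join(detected))
    return Verdict(cve, True, None, detected, "patch",
                   "chain completes with no prevention and no detection")


def prioritize(verdicts: Sequence[Verdict]) -> List[str]:
    """Order CVEs by what the chain walk proved, not by their CVSS score."""
    return [v.cve for v in sorted(verdicts, key=lambda v: URGENCY[v.call])]


if __name__ == "__main__":
    # Placeholder CVE id and a control set where only the scripting step is covered.
    controls = {"T1059": Coverage(prevents=True, detects=True)}
    v = assess("CVE-XXXX-EXAMPLE", SAMPLE_CHAIN, controls)
    print(v.call, v.blocked_at, v.reason)
```

The point of the walk is that two CVEs with identical CVSS scores can land in different buckets: one whose first step is already prevented drops to the bottom of the queue, while one whose chain completes unseen goes straight to the patch list, which is the kind of ordering a severity-only list cannot produce.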
Ground-Test the Rocket You Can't Launch
The surest way to prove a rocket will fly is to launch it. But no space program proves its fleet that way.
Some exist only as a design on paper, some are crewed and too valuable to risk, and some are still on the assembly line. So...