The exploit doesn’t exist. You can still prove it works against you

For thirty years, vulnerability management relied on a comfortable buffer — months between when a flaw was found and when someone could weaponize it. That buffer is gone.

AI has stripped out the manual drag that kept weaponization slow. Reading advisories, finding exploit paths, shaping attack chains — none of it moves at human speed anymore. The Zero Day Clock, which tracks disclosure-to-exploit timeframes in real time, currently averages around 8 hours for 2026. Two years ago it was 53 days.

Patching faster is not the answer. Verizon's 2026 Data Breach Investigations Report found that the median fix time for known-exploited vulnerabilities is now 43 days, up from 32 last year. The share of organizations fully patching them dropped from 38% to 26%. Even the best performers close only 30 to 40% in the first week.

With 48,185 CVEs in 2025 and fewer than 0.6% ever patched, "patch your way out" is not workable math. And Anthropic's Mythos-class model found a flaw that had been hiding in OpenBSD — one of the most secure operating systems on the planet — for 27 years.

Automated pentesting helps but does not solve the problem. Live exploitation only works where firing an exploit is safe and where one actually exists. That leaves most enterprise exposure unreachable: no public exploit, business-critical systems you cannot risk, and day-one CVEs that have not been weaponized yet. In a typical enterprise, only 10 to 15% of exposure can be safely tested with live exploits.

Picus Security's approach is TTP-chain validation — decomposing a CVE into the chain of techniques its exploitation requires, then testing each link against your actual deployed controls. If any required link breaks, the exploit cannot succeed in your environment. It works where live exploitation would be unsafe, and it produces evidence that holds up to scrutiny.
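The "any broken link breaks the chain" logic above is easy to state but worth seeing as a concrete evaluation, including the case the sentence glosses over: a link that several techniques could satisfy is only broken when every alternative is prevented. The following is an added illustration written for this article, not Picus Security's product code; the data model, the technique IDs (`TX-00n`) and the control results are all constructed placeholders, and it generalizes the single-chain case to links with alternative techniques.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical data model for TTP-chain validation (constructed for this example;
# not a vendor API). A chain is an ordered sequence of links; each link lists the
# techniques that could satisfy it, together with how the deployed control fared.


@dataclass(frozen=True)
class TechniqueResult:
    """Outcome of safely exercising one technique against a deployed control."""
    technique_id: str   # placeholder IDs, not real ATT&CK references
    name: str
    prevented: bool     # the control blocked the simulated action
    detected: bool      # the control raised an alert (still useful if not prevented)


@dataclass(frozen=True)
class ChainStep:
    """One required link of the exploitation chain."""
    purpose: str
    alternatives: tuple[TechniqueResult, ...]


def validate_chain(chain: tuple[ChainStep, ...]) -> tuple[bool, list[str], list[str]]:
    """Evaluate every link of the chain against the recorded control results.

    Returns (exploitable, broken_links, detected_links):
      - a link is broken only when *every* alternative technique was prevented;
      - the chain is exploitable only when no link is broken;
      - a link counts as detected when some un-prevented alternative still alerts,
        which is the residual visibility a defender keeps on an open link.
    """
    broken: list[str] = []
    detected: list[str] = []
    for step in chain:
        if all(t.prevented for t in step.alternatives):
            broken.append(step.purpose)
        elif any(t.detected for t in step.alternatives if not t.prevented):
            detected.append(step.purpose)
    return (len(broken) == 0, broken, detected)


def _r(tid: str, name: str, prevented: bool, detected: bool) -> TechniqueResult:
    return TechniqueResult(tid, name, prevented, detected)


# Constructed scenario 1: a four-link chain whose "execution" link has two
# alternatives, both prevented. One broken link is enough to break the chain.
CHAIN_BROKEN = (
    ChainStep("initial access", (
        _r("TX-001", "malicious attachment delivery", prevented=False, detected=True),)),
    ChainStep("execution", (
        _r("TX-002", "script interpreter launch", prevented=True, detected=True),
        _r("TX-003", "signed-binary proxy execution", prevented=True, detected=False),)),
    ChainStep("privilege escalation", (
        _r("TX-004", "token manipulation", prevented=False, detected=False),)),
    ChainStep("exfiltration", (
        _r("TX-005", "outbound transfer over web protocol", prevented=False, detected=True),)),
)

# Constructed scenario 2: identical, except the second execution alternative is
# neither prevented nor detected. Every link now has an open path, so the chain
# is exploitable even though one execution technique is blocked.
CHAIN_OPEN = (
    CHAIN_BROKEN[0],
    ChainStep("execution", (
        _r("TX-002", "script interpreter launch", prevented=True, detected=True),
        _r("TX-003", "signed-binary proxy execution", prevented=False, detected=False),)),
    CHAIN_BROKEN[2],
    CHAIN_BROKEN[3],
)


def summarize(label: str, chain: tuple[ChainStep, ...]) -> str:
    exploitable, broken, detected = validate_chain(chain)
    verdict = "EXPLOITABLE" if exploitable else "NOT exploitable"
    return (f"{label}: {verdict}; broken links={broken or 'none'}; "
            f"open links with detection={detected or 'none'}")


if __name__ == "__main__":
    print(summarize("scenario 1", CHAIN_BROKEN))
    print(summarize("scenario 2", CHAIN_OPEN))
```

Note the design choice in the second scenario: blocking one technique at a link does nothing for the chain verdict while another alternative remains open, which is why a validation result has to be reported per link with its surviving alternatives, not as a single pass/fail on the CVE.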
