AI-driven exploitation timelines are rapidly shrinking, and they are not going to stop shrinking. Vulnerabilities are being discovered, reproduced, and weaponized faster than ever in the history of enterprise security. As a result, the window between a vulnerability being disclosed and indiscriminate exploitation observed across the internet is now measured in hours, not days.
The industry’s main answer has largely been: patch faster.
Regulators say it, boards expect it, and executives demand it. But for most enterprises, it is not a button defenders can press. Patching is a controlled process shaped by uptime requirements, stability testing, change windows, business approvals, compliance obligations, and the reality that production systems cannot be broken in the name of urgency.
While patching is still essential, patching alone or even faster patching is no longer a complete answer to this “new normal” and influx of disclosed vulnerabilities. Anthropic’s Project Glasswing update in May 2026 made the imbalance hard to ignore. The company said it, along with approximately 50 partners, used Claude Mythos Preview to identify more than 10,000 high- or critical-severity vulnerabilities across systemically important software in a single month, while many other organizations are reporting similar results with internal efforts, driven by AI.
AI is industrializing vulnerability research, but not just for defenders or software vendors. Attackers are using the same tools, with the same speed advantage, to identify and reproduce vulnerabilities that are then used against the organizations they target.
So, what does this mean for exploitation timelines and defense?
The Bottleneck Has Moved
It’s no secret that exploitation timelines have been shrinking for years, and in recent years, it has not been uncommon for vulnerability disclosures to be followed by in-the-wild exploitation in single-digit hours. With AI, the window a large organization may have from being told there is a problem to seeing someone try to use it against them will only continue to compress.
Remediation and patching, on the other hand, have not kept pace. The Verizon 2026 DBIR is clear on this point: the median time for an organization to patch a critical vulnerability increased year over year, from 32 days to 43 days.
The reality is brutal: while attackers operate on timelines measured in hours, defenders operate on timelines measured in weeks. That gap is where exploitation actually happens.
Yes, there are more vulnerabilities. Yes, attackers are moving faster. But the hardest part for defenders is that remediation isn’t getting, and maybe can’t get, faster. Telling organizations to “just patch faster” is like telling someone to “be taller.” It sounds useful and well-intentioned, but it is not something most teams can simply decide to do.
Then there is pressure coming from regulators. India’s CERT-IN recently issued guidance pointing toward sub-day patching expectations for certain critical vulnerabilities. The intent is clear, but this ignores operational reality.
The realistic view is that some vulnerabilities will be targeted before they can be fully remediated. Security teams need to plan around that reality without creating new operational risk. That means answering a few questions quickly:
- Do we use this technology?
- Is the vulnerability theoretical?
- Is the vulnerability exploitable within our environment?
- What would exploitation look like?
- What temporary controls can reduce risk while the normal patching cycle runs?
The operating model needs to shift to preempt, validate and mitigate. And here’s how to do it.
Step 1: Preempt What Attackers Are Likely to Exploit
Every disclosed vulnerability does not carry the same urgency. Some vulnerabilities will never become exploited in the real world. Others have the traits attackers look for: broad deployment, internet reachability, repeatable exploitation, and a clear path to meaningful access to a target environment.
In a scarily near future where we see hundreds, if not thousands of vulnerabilities disclosed daily, preemption means identifying which vulnerabilities are most likely to see in-the-wild exploitation so that a level of filtering can be done, and teams don’t spend critical time investigating everything. Severity still matters, but it has never been the whole picture.
In an AI-driven cycle, that filtering has to happen in the first hours after disclosure, before teams have worked through the full list. Narrowing the field early is what keeps organizations ahead of the exploitation window rather than reacting to it after the fact.
Step 2: Rapidly React to Emerging Threats and Validate Exposure
Once in-the-wild exploitation of an emerging threat is determined to be likely or confirmed, defenders need the ability to rapidly react and validate their organization’s specific exposure before attackers move.
That means turning a new vulnerability disclosure or exploitation campaign into an environment-specific answer: are we exposed? Where are we exposed? Who owns the affected systems? Is exploitability proven? Real-world rapid reaction to emerging threats should identify internet-facing systems across business units, departments, and subsidiaries, and contextualize the vulnerability with relevant threat intelligence.
Validation then confirms whether the vulnerable component is reachable by an attacker and exploitable in the real world. A possible vulnerability creates an investigation. But a validated, exploitable vulnerability, given the speed of in-the-wild exploitation, now necessitates rapid, autonomous action.
The faster teams make that distinction, the faster they can decide what to mitigate, what to monitor, and what can move through normal remediation.
Speed without accuracy is panic, and accuracy without speed is irrelevant. Both must be combined when responding to an emerging threat, before exploitation begins.
Step 3: Mitigate To Buy Time For Effective Remediation
Once exposure is validated, remediation may still require testing, change control, and coordinated rollout.
Mitigation reduces exploitability during that window. For internet-facing systems, this might include access restrictions, disabling vulnerable functionality, WAF or API rules, IDS or IPS updates, isolation, configuration changes, monitoring, or temporary controls that block exploit patterns. Effective mitigation should also be informed by how exploitation works. A generic rule based on a CVE summary is weaker than a control built from the exploit path, payload, required conditions, and known-bad behavior. These controls do not need to be permanent. They need to make exploitation slower, less reliable, and harder to scale while the organization patches safely.
Autonomous mitigation closes the gap between the attacker’s speed and patching speed. It is the only control that operates in the same timeframe as exploitation.
This Is What watchTowr is Built For
By leveraging AI to bring together Proactive Threat Intelligence, External Attack Surface Management, and Autonomous Mitigation, the watchTowr Platform provides clarity: showing teams what attackers can see, what they can exploit, and what can be done to mitigate before compromise.
Patching is still necessary, and absolutely essential. But in a world of exploitation driven by AI, patching alone cannot be done at the required speed while ensuring availability and preventing disruption. The watchTowr Platform, an AI-Powered Preemptive Exposure Management solution, helps organizations preempt attackers, validate emerging threat exposure, and autonomously mitigate to gain the one thing attackers can’t outrun: time to respond.
To schedule a demo and to learn more about Preemptive Exposure Management, visit watchtowr.com.
