Essay · Apr 29, 2026 · 5 min

The timeline is collapsing faster than defenses can adapt

Median time-to-exploit dropped from 771 days in 2018 to under 1 day in 2026 — AI removed the compute bottleneck. Five moves defenders should make now.


Field note: AI & cyber risk — the defender playbook. Time-to-exploit collapsing from 771 days in 2018 to 6 days in 2023 to under 1 day in 2026, with two-thirds being zero-days. Five moves: adopt, harden, patch, contain, report.

Median time-to-exploit dropped from 771 days in 2018 to 6 days in 2023 to under 1 day in 2026. Two-thirds of exploited vulnerabilities are now zero-days. The bottleneck on that timeline is no longer hacker skill. It’s compute cost.

AI has removed that bottleneck through three stacked capabilities:

  • Discovery — autonomous zero-day finding at scale.
  • Exploitation — models writing working exploits from vulnerability descriptions.
  • Orchestration — agentic frameworks running full campaigns across many targets with minimal human input.

The lever between tiers is the harness, not the model. A frontier model in a chatbox is a vulnerability scanner. Wrapped in tools, memory, and a verifier, it becomes an autonomous attack platform. The harness closes the gap between finding and exploiting.

The evidence comes from multiple independent sources: Anthropic, OpenAI, Google, DARPA, UK AISI, and independent security researchers. AI agent swarms found 100+ exploitable kernel driver vulnerabilities across major chip vendors in 30 days, for around four dollars per bug. A documented orchestration-tier espionage campaign performed 80–90% of the attack work autonomously.

This is the problem defenders face. Here is what organizations should do about it.

1. Use AI agents for defensive scanning — now

Defenders have the same capability. Point LLM-driven agents at your own code, dependencies, and infrastructure. This is becoming table stakes. The asymmetry of adoption is the real risk.

2. Harden the baseline and close the gaps that should have been closed already

Egress filtering, deep network segmentation, phishing-resistant MFA for all privileged accounts, dependency lockdown, secrets rotation. These are examples of the controls that block the vast majority of AI-accelerated attacks before they escalate. Do not skip them while chasing shiny detection tools.

3. Accelerate patching through risk-based prioritization — not just speed

AI-driven discovery produces patch waves that exceed the absorption capacity of quarterly triage cycles. Build triage discipline around what actually matters: EPSS scoring, asset criticality, and exposure pathways.

Identify your key assets and their dependencies. Use that map to prioritize: which vulnerabilities on which assets actually reduce your exposure? Patch those first. Velocity matters, but directed velocity matters more. Pre-authorize remediation for critical and high-severity patches on high-value assets, and plan for sustained high-volume patching as the new normal.
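As an added worked example (not from the original essay), here is a toy prioritizer that combines the three inputs named above: EPSS, asset criticality and exposure pathways, over a dependency map of which assets an attacker can reach from which. Every asset, edge, EPSS value and vulnerability id is constructed sample data, and the 0.5 exposure weight for internal-only assets is an assumption of the example; it also shows how removing a reachability edge, as segmentation would, shrinks a finding's blast radius and lowers its score.

```python
from collections import deque

# Constructed asset inventory: criticality 1 (low) to 5 (crown jewel) and
# whether the asset sits on an internet-facing exposure pathway.
ASSETS = {
    "web-frontend": {"criticality": 2, "internet_exposed": True},
    "api-gateway": {"criticality": 3, "internet_exposed": True},
    "auth-service": {"criticality": 5, "internet_exposed": False},
    "billing-db": {"criticality": 5, "internet_exposed": False},
    "build-runner": {"criticality": 2, "internet_exposed": False},
}

# Reachability edges: compromising the key lets an attacker reach the listed
# assets. Network segmentation is modelled by removing edges from this map.
REACHES = {
    "web-frontend": ["api-gateway"],
    "api-gateway": ["auth-service", "billing-db"],
    "auth-service": ["billing-db"],
    "build-runner": ["api-gateway"],
}

# Constructed findings: (placeholder vulnerability id, affected asset, EPSS).
FINDINGS = [
    ("VULN-A", "build-runner", 0.92),
    ("VULN-B", "web-frontend", 0.40),
    ("VULN-C", "billing-db", 0.35),
    ("VULN-D", "api-gateway", 0.10),
]

def blast_radius(asset, reaches=REACHES):
    """Assets exposed if `asset` is compromised: itself plus its transitive reach."""
    seen, queue = {asset}, deque([asset])
    while queue:
        for nxt in reaches.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def risk_score(asset, epss, assets=ASSETS, reaches=REACHES):
    """EPSS x exposure pathway x worst criticality inside the blast radius.
    The 0.5 weight for internal-only assets is an assumption of this example."""
    exposure = 1.0 if assets[asset]["internet_exposed"] else 0.5
    worst = max(assets[a]["criticality"] for a in blast_radius(asset, reaches))
    return round(epss * exposure * worst, 3)

def prioritize(findings=FINDINGS, assets=ASSETS, reaches=REACHES):
    """Order findings by risk score, highest first: patch the top of this list."""
    scored = [(vid, a, risk_score(a, e, assets, reaches)) for vid, a, e in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)
```

Note that the high-EPSS finding on the low-criticality build runner ranks first only because the runner can reach the crown jewels; cut that edge and the internet-facing frontend finding takes its place.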

4. Build resilience into your architecture and incident response

Two-thirds of exploited vulnerabilities are zero-days. A prevention-only posture has structurally failed.

Segment your network so successful exploitation has limited blast radius. Tabletop multiple simultaneous high-severity incidents. Pre-authorize containment actions. Design recovery playbooks that execute at machine speed, not human speed.

5. Recalibrate risk reporting around organizational resilience and financial impact

Vulnerability counts and patch compliance percentages do not map to business risk. What matters is whether you can absorb and recover from a cyber incident without material damage to your operations.

Report on what the board actually needs to know:

  • Time to recover critical operations to normal state under sustained or concurrent incidents.
  • Blast radius — what systems and data are exposed if a crown jewel asset is compromised.
  • Cost of materialized risk quantified in terms of operational downtime, data loss, regulatory fines, and reputational damage if your key objectives are disrupted.

Compliance frameworks measure process adherence. They do not measure organizational resilience or financial exposure. Until your risk framework does, you are telling the board a story that no longer maps to actual business consequence.

Quantify it. Measure it. Report it.


Originally published on LinkedIn on April 29, 2026.