
Why 2026 Will be the Year of Machine-Speed Security

By Team-CWD, November 23, 2025


The Race for Every New CVE

According to multiple 2025 industry reports, roughly 50 to 61 percent of newly disclosed vulnerabilities saw exploit code weaponized within 48 hours. Using the CISA Known Exploited Vulnerabilities Catalog as a reference, hundreds of software flaws are now confirmed as actively targeted within days of public disclosure. Each new announcement triggers a global race between attackers and defenders. Both sides monitor the same feeds, but one moves at machine speed while the other moves at human speed.

Major threat actors have fully industrialized their response. The moment a new vulnerability appears in public databases, automated scripts scrape, parse, and assess it for exploitation potential, and now these efforts are getting ever more streamlined through the use of AI. Meanwhile, IT and security teams often enter triage mode, reading advisories, classifying severity, and queuing updates for the next patch cycle. That delay is precisely the gap the adversaries exploit.

The traditional cadence of quarterly or even monthly patching is no longer sustainable. Attackers now weaponize critical vulnerabilities within hours of disclosure, long before organizations have even analyzed or validated them, and usually well before they have rolled out the fix.

The Exploitation Economy of Speed

Today’s threat ecosystem is built on automation and volume. Exploit brokers and affiliate groups operate as supply chains, each specializing in one part of the attack process. They use vulnerability feeds, open-source scanners, and fingerprinting tools to match new CVEs against exposed software targets. Many of these targets have already been identified, and these systems know in advance which targets are most likely to be susceptible to the impending attack. This is a game of quick draw: the fastest gun wins.

Research from Mandiant shows that exploitation often begins within 48 hours of public disclosure. In many organizations, IT operates 8 hours a day, leaving the other 32 hours in the attackers’ favor. This operational efficiency illustrates how attackers have stripped almost every manual step from their workflow. Once a working exploit is confirmed, it’s packaged and shared within hours across dark web forums, internal channels, and malware kits.

Failure at Scale is Acceptable

Attackers also enjoy a luxury defenders can’t afford: failure. If they crash a thousand systems on the path to compromising a hundred, the effort is still a success. Their metrics are based on yield, not uptime. Defenders, on the other hand, must achieve near-perfect stability. A single failed update or service interruption can have a widespread impact and cause loss of customer trust. This imbalance allows adversaries to take reckless risks while defenders remain constrained, and that also helps keep the operational gap wide enough for consistent exploitation.

From Human-Speed Defense to Machine-Speed Resilience

Awareness is not the issue. The challenge is execution speed. Security teams know when vulnerabilities are published but cannot move fast enough without automation. Transitioning from ticket-based and/or manual patching to orchestrated, policy-driven remediation is no longer optional if you want to remain competitive in this fight.

Automated hardening and response systems can drastically shorten exposure windows. By continuously applying critical patches, enforcing configuration baselines, and using conditional rollback when needed, organizations can maintain operational safety while removing delay. A hard lesson here, one that many will simply have to get over, is that the damage you may cause will almost certainly be less than the damage from an attack, and easier to recover from. It is a calculated risk, and one that can be managed. The lesson is simple: would you rather have to roll back a browser update for 1000 systems, or recover them entirely from backup? I am not suggesting you be cavalier about this, but weigh the value of your hesitance against the value of your action, and when action wins, listen to your gut. IT leaders need to begin to understand this, and business leaders need to realize that this is IT’s best strategy. Absolutely test, and factor in business criticality when choosing the speed at which to proceed on critical systems, but tilt the whole process towards streamlined automation and in favor of rapid action.
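To make "policy-driven remediation with conditional rollback" concrete, here is an added sketch (not from the author or from Action1) of a ring-based rollout that halts and reverts when a ring exceeds a pre-agreed failure budget. The ring names, thresholds, deadline values and function names are all hypothetical assumptions, and the health probe is a constructed stand-in.

```python
from dataclasses import dataclass

# Hypothetical policy, agreed in advance: rings ordered from least to most
# business-critical, each with the failure ratio that triggers rollback.
RINGS = [("canary", 0.10), ("standard", 0.05), ("critical", 0.01)]

@dataclass
class Host:
    name: str
    ring: str
    healthy_after_patch: bool  # constructed stand-in for a post-patch health probe

def deadline_hours(known_exploited: bool, cvss: float) -> int:
    """Remediation window in hours; the thresholds are illustrative assumptions."""
    if known_exploited:          # e.g. the CVE is listed in the CISA KEV catalog
        return 24
    return 72 if cvss >= 9.0 else 720

def rollout(hosts, apply_patch, rollback):
    """Patch ring by ring; roll back and halt once a ring exceeds its budget."""
    log = []
    for ring, max_fail in RINGS:
        members = [h for h in hosts if h.ring == ring]
        if not members:
            continue
        for h in members:
            apply_patch(h)
        ratio = sum(not h.healthy_after_patch for h in members) / len(members)
        if ratio > max_fail:
            for h in members:
                rollback(h)
            log.append((ring, "rolled_back", round(ratio, 2)))
            return log           # more critical rings are never touched
        log.append((ring, "patched", round(ratio, 2)))
    return log

def demo():
    # Constructed fleet: 10 canary hosts (1 unhealthy), 20 standard (2 unhealthy), 5 critical.
    hosts = [Host(f"c{i}", "canary", i != 0) for i in range(10)]
    hosts += [Host(f"s{i}", "standard", i > 1) for i in range(20)]
    hosts += [Host(f"k{i}", "critical", True) for i in range(5)]
    patched, reverted = [], []
    log = rollout(hosts, lambda h: patched.append(h.name), lambda h: reverted.append(h.name))
    return log, patched, reverted

if __name__ == "__main__":
    print(demo())
```

In the constructed run the canary ring stays within its budget, the standard ring is reverted, and the critical ring is never patched, which is the trade the paragraph above describes: a bounded rollback instead of an unbounded recovery.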

Flatten the Burnout Curve

Automation also reduces fatigue and error. Instead of chasing alerts, security teams define rules once, allowing systems to enforce them continuously. This shift turns cybersecurity into an adaptive, self-sustaining process instead of a cycle of manual triage and stitches. It takes less time to audit and review processes than it does to enact them in almost all cases.

This new class of attack automation systems does not sleep, does not get tired, and does not care about any consequences of its actions. These systems are singularly focused on one goal: gain access to as many systems as they can. No matter how many people you throw at this problem, the problem festers between departments, policies, personalities, and egos. If you aim to combat a tireless machine, you need a tireless machine in your corner of the ring.

Changing What Can’t Be Automated

Even the most advanced tools cannot automate everything. Some workloads are too delicate or bound by strict compliance frameworks. But those exceptions should still be examined through a single lens: how can they be made more automatable or, if not, at least more efficient?

That may mean standardizing configurations, segmenting legacy systems, or streamlining dependencies that slow patch workflows. Every manual step left in place represents time lost, and time is the one resource attackers exploit most effectively.

We have to look at defense strategies in depth to determine which decisions, policies, or approval processes are creating drag. If the chain of command or change management is slowing remediation, it may be time for sweeping policy changes designed to eliminate those bottlenecks. Defense automation should operate at a pace commensurate with attacker behavior, not for administrative convenience.

Accelerated Defense in Practice

Many forward-thinking enterprises have already adopted the principle of accelerated defense, combining automation, orchestration, and controlled rollback to maintain agility without introducing chaos.

Platforms such as Action1 facilitate this approach by enabling security teams to identify, deploy, and verify patches automatically across entire enterprise environments. This eliminates the manual steps that slow patch deployment and closes the gap between awareness and action. If your policies are sound, your automation is sound, and your decisions are sound in practice because they are all agreed upon in advance.

By automating remediation and validation, Action1 and similar solutions exemplify what security at machine speed looks like: rapid, governed, and resilient. The objective isn’t simply automation, but policy-driven automation, where human judgment defines boundaries and technology executes instantly.

The Future Is Automated Defense

Both attackers and defenders draw from the same public data, but it is the automation built atop that data that decides who wins the race. Every hour between disclosure and remediation represents a potential compromise. Defenders cannot slow the pace of discovery, but they can close the gap through hardening, orchestration, and systemic automation. The future of cybersecurity belongs to those who make instant, informed action their standard operating mode, because in this race, the slowest responder is already compromised.

Key takeaways:

  • No team of humans will ever be able to outpace the sheer speed and efficiency of the automated attack systems being built. More people lead to more decisions, delays, confusion, and margins for error. This is a firefight: you must use equal force, automate or lose.
  • Threat actors are building fully automated attack pipelines in which new exploit code is simply fed to the system, or even developed by it, using AI. They work 24/7/365, they do not fatigue, they do not take breaks, they seek and destroy as a reason for existence until turned off or directed otherwise.
  • Most mass threat actors operate on body count, not precision shots. They are not looking “for you” as much as they are looking for “anyone”. Your scale and value mean nothing at the initial compromise phase; they are evaluated AFTER access is gained.
  • Threat actors think nothing of spending large volumes of their ill-gotten gains on new tech to further their offensive capabilities; to them, it is an investment. The industry, by contrast, sees such spending as a drain on profits. The system attacking you involved many talented devs in its construction and maintenance, and budgets beyond the wildest dreams of any defender. These are not hobby crooks; they are highly organized enterprises, just as capable as the business sector and more willing to invest in the resources.

Here comes 2026. Is your network ready for it?

Note: This article was written and contributed by Gene Moody, Field CTO at Action1.
