
AI is Breaking Traditional Vulnerability Management. Here is What Leaders Should Do Now.

Admin
June 10, 2026

For nearly two decades, vulnerability management has followed a familiar pattern: identify vulnerabilities, assign severity scores, prioritize remediation, and patch within established service-level agreements.

That model was built for a world where attackers operated at human speed. Today, that assumption is becoming increasingly dangerous.

Recent advances in AI-powered vulnerability research suggest that organizations may be entering a period where software flaws can be discovered, analyzed, chained together, and weaponized far faster than traditional security programs were designed to handle. While the number of vulnerabilities continues to grow, the more significant change is the shrinking amount of time defenders have to respond.

As AI accelerates vulnerability discovery and exploit development, security leaders must focus on rapidly identifying exploitable exposures and reducing the time between discovery and mitigation.

What Changed?

Several developments over the past year have fundamentally altered the vulnerability landscape.

  1. AI is finding vulnerabilities that humans missed for decades

    Anthropic's Project Glasswing and Claude Mythos Preview demonstrated the ability to identify vulnerabilities that had survived years, and in some cases decades, of human code review and automated testing. Anthropic reported that some vulnerabilities identified by Mythos had remained undiscovered despite millions of prior security tests.[1]
  2. AI-assisted exploit development is now occurring

    In May 2026, Google's Threat Intelligence Group reported what it believes was the first observed AI-generated zero-day exploit. The exploit was designed to bypass multi-factor authentication and was intended for large-scale deployment before being disrupted.[2]

    This is a significant milestone because it demonstrates that AI is moving beyond vulnerability discovery and into exploit development.
  3. The discovery-to-exploitation window is shrinking

    Recent industry research indicates that the time between vulnerability disclosure and exploitation continues to shrink, while the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) report that a growing percentage of the most frequently exploited vulnerabilities are being leveraged as zero-days. Together, these trends underscore the importance of reducing exposure windows and prioritizing vulnerabilities based on real-world exploitability.

Most vulnerability programs were designed around three assumptions:

Assumption 1: Severity equals risk

Many organizations still prioritize vulnerabilities primarily using Common Vulnerability Scoring System (CVSS) scores.

The problem is that CVSS was never designed to measure actual business risk.

The Exploit Prediction Scoring System (EPSS), developed by FIRST, was created specifically because severity scores alone are poor predictors of real-world exploitation. EPSS estimates the likelihood that a vulnerability will be exploited within the next 30 days.[3]

CISA similarly directs organizations to incorporate its Known Exploited Vulnerabilities (KEV) Catalog into prioritization decisions because KEV tracks vulnerabilities that are actively exploited in the wild.[4]

Assumption 2: Vulnerabilities are evaluated individually

Attackers rarely think this way. A medium-severity vulnerability that appears insignificant on its own may become highly dangerous when combined with:

  • Misconfigurations
  • Excessive privileges
  • Weak segmentation
  • Exposed services
  • Identity weaknesses

AI systems are increasingly capable of discovering these attack chains faster than human analysts.[5]

Assumption 3: Monthly scans and 30-day SLAs provide sufficient protection

Monthly scanning schedules and 30-day patch SLAs emerged during an era when discovery, exploit development, and attacker operations all required substantial human effort.

Today's threat landscape increasingly includes automation on the attacker side.

When AI can identify vulnerabilities continuously and assist in exploit development, quarterly assessments, monthly scans, and static patch cycles create growing exposure windows.[6]

What Leaders Should Measure Instead

The most important shift is moving from measuring vulnerability counts to measuring exposure.

  1. Exposure Window

    Instead of asking, "How many critical vulnerabilities do we have?" ask, "How long does an exploitable vulnerability remain reachable in our environment?" The exposure window begins when a vulnerability becomes exploitable and ends when compensating controls, segmentation, isolation, mitigation, or patching eliminate that risk.
  2. Exploitability

    Security leaders should move from severity-based prioritization to exploitability-based prioritization by combining vulnerability severity (CVSS), likelihood of exploitation (EPSS), evidence of active exploitation (CISA KEV), and organization-specific context such as asset criticality, internet exposure, and attack-path reachability. This approach aligns with guidance from NIST, FIRST, and CISA that severity alone is insufficient for determining risk.

    A CVSS 6.5 vulnerability actively exploited in the wild often deserves more attention than a CVSS 9.8 vulnerability that cannot realistically be reached by an attacker.
  3. Speed

    Organizations should begin measuring how quickly they can identify, validate, contain, and remediate exploitable exposures. As AI accelerates vulnerability discovery and exploit development, the effectiveness of a vulnerability management program is increasingly determined by the speed at which exposure windows can be reduced rather than by the number of vulnerabilities patched. Recent federal discussions about shortening remediation timelines and CISA's emphasis on prioritizing actively exploited vulnerabilities reinforce the importance of response speed as a security outcome.

    To do this, security leaders should track:

    - Mean time to detect exposure
    - Mean time to validate exposure
    - Mean time to mitigate exposure
    - Mean time to remediate

    These metrics more accurately reflect operational resilience than raw patch counts.
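As an added example (not code from the original post), the following Python script turns the exploitability-based prioritization described above, using the same KEV, EPSS, asset-criticality and reachability inputs listed later under "What Leaders Should Do Now", into a ranking and also computes each finding's exposure window. The weighting factors, the `Finding` fields, and the `VULN-*` sample inventory are all illustrative assumptions, not values from the page or from any real scoring standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    vuln_id: str               # constructed labels, not real CVE identifiers
    cvss: float                # severity: CVSS base score, 0 to 10
    epss: float                # EPSS: probability of exploitation within 30 days
    in_kev: bool               # listed in CISA KEV (exploitation observed in the wild)
    internet_exposed: bool     # service reachable from the internet
    reachable: bool            # attack-path analysis finds a route to the asset
    asset_criticality: int     # organisation-defined, 1 (low) to 3 (crown jewel)
    exploitable_since: date    # start of the exposure window
    mitigated_on: Optional[date] = None  # patched, isolated or otherwise mitigated

def exploitability_score(f: Finding) -> float:
    """Likelihood and reachability first, severity second; weights are illustrative.
    KEV overrides EPSS (observed exploitation is a fact); unreachable keeps 10% weight."""
    likelihood = 1.0 if f.in_kev else f.epss
    exposure = 1.0 if f.internet_exposed else 0.5
    reach = 1.0 if f.reachable else 0.1
    return likelihood * exposure * reach * f.asset_criticality * f.cvss / 10

def prioritize(findings: list[Finding]) -> list[str]:
    """Vulnerability ids ordered by descending exploitability score."""
    return [f.vuln_id for f in sorted(findings, key=exploitability_score, reverse=True)]

def exposure_window_days(f: Finding, as_of: date) -> int:
    """Days the finding has been exploitable; an open window runs up to as_of."""
    end = f.mitigated_on or as_of
    return (end - f.exploitable_since).days

# Constructed sample inventory. VULN-A is the CVSS 9.8 flaw on an isolated host with
# no attack path; VULN-B is the CVSS 6.5 flaw in KEV on an internet-facing asset.
AS_OF = date(2026, 6, 10)
SAMPLE = [
    Finding("VULN-A", 9.8, 0.05, False, False, False, 3, date(2026, 5, 1)),
    Finding("VULN-B", 6.5, 0.60, True, True, True, 2, date(2026, 5, 20)),
    Finding("VULN-C", 7.5, 0.02, False, True, True, 1, date(2026, 5, 25), date(2026, 6, 1)),
    Finding("VULN-D", 8.1, 0.30, False, False, True, 3, date(2026, 5, 10)),
]

if __name__ == "__main__":
    print("CVSS order:          ", [f.vuln_id for f in sorted(SAMPLE, key=lambda f: -f.cvss)])
    print("Exploitability order:", prioritize(SAMPLE))
    for f in SAMPLE:
        print(f.vuln_id, "exposure window (days):", exposure_window_days(f, AS_OF))
```

Run as-is, the CVSS ordering puts VULN-A first and VULN-B last, while the exploitability ordering inverts them, which is the CVSS 6.5 versus 9.8 point made above.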

What Leaders Should Do Now

Organizations do not need to wait for a complete transformation to improve resilience. Several practical actions can be implemented immediately.

  1. Include KEV and EPSS for prioritization

    Rather than relying exclusively on CVSS, also incorporate these:

    - CISA KEV
    - EPSS
    - Asset criticality
    - Business impact
  2. Reduce attack paths through segmentation

    Many successful attacks depend on lateral movement. Improving network segmentation, identity segmentation, and privileged access management can dramatically reduce blast radius even before vulnerabilities are patched.
  3. Move toward continuous visibility

    Rather than relying solely on periodic scans, organizations should continuously evaluate internet-facing assets, cloud exposures, misconfigurations, and identity risks. Every environment change can alter exploitability.
  4. Automate validation

    Many enterprises already use vulnerability management platforms. The next step is to confirm that remediation efforts truly eliminate exposure, not just close tickets. Integrating and automating workflows between vulnerability management and remediation systems can speed validation and help ensure mitigations are in place.
  5. Align security and engineering around one metric

    Instead of measuring number of patches deployed and number of tickets closed, measure reduction in exposure window. This creates a shared outcome that both security and engineering teams can influence.

What Large Organizations Are Already Doing

  • Cloudflare publicly stated it is testing frontier AI security models to identify vulnerabilities within its own systems and better understand how attackers may use similar capabilities.[7]
  • Mozilla reported using Claude Mythos Preview to identify hundreds of security flaws within Firefox releases, significantly increasing vulnerability discovery compared with traditional methods.[8]
  • U.S. federal agencies: CISA's KEV program requires federal agencies to prioritize vulnerabilities known to be actively exploited rather than relying solely on severity ratings. This represents one of the clearest examples of moving toward exploitability-based prioritization.[9]

Executive Takeaway

Vulnerability management is undergoing a fundamental shift. For years, organizations focused on how many vulnerabilities they had and how quickly they could deploy patches.

In an era where AI can discover vulnerabilities that survived decades of review and assist in exploit development at unprecedented speed, the organizations best positioned to succeed will be those that understand their true exposure, prioritize risk in context, and rapidly reduce opportunities for attackers. In this new environment, resilience is increasingly defined by how quickly an organization can identify, validate, and mitigate exploitable risk.

[1] Project Glasswing: Securing critical software for the AI era, Anthropic
[2] https://www.securityweek.com/google-detects-first-ai-generated-zero-day-exploit/
[3] https://www.first.org/epss/model
[4] Known Exploited Vulnerabilities Catalog, CISA
[5] https://red.anthropic.com/2026/mythos-preview/
[6] AI shrinks zero-day exploit time from a year to a single day, heading toward one minute — Zero-Day Clock warns security window has collapsed, Tom's Hardware
[7] https://blog.cloudflare.com/cyber-frontier-models/
[8] https://blog.mozilla.org/security/
[9] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
