Qualys has outlined what it calls a structural failure in modern vulnerability management, with new research showing that attacker exploitation timelines are now outpacing human-led remediation.
The report, “The Broken Physics of Remediation”, draws on more than one billion remediation records from over 10,000 organisations between 2022 and 2025.
Its findings point to a widening gap between how quickly attackers can exploit vulnerabilities and how fast defenders can respond, driven by the increasing automation of offensive cyber capabilities.
According to the data, the volume of closed vulnerability events surged by 6.5 times over four years, rising from 73 million in 2022 to 473 million in 2025. Qualys says this reflects a fundamental scaling problem, where demand for remediation is growing beyond what human-driven processes can realistically handle.
“In an era where adversaries increasingly operate at machine speed, any architecture that depends on human-speed response carries structural risk,” Sumedh Thakar, president and CEO of Qualys, said in a statement.
“The average Time-to-Exploit has collapsed to negative one day, with adversaries weaponising vulnerabilities before patches even exist.”
The report highlights a series of compounding challenges for security teams. Exploitation is now frequently occurring before public disclosure, while traditional metrics such as mean time to remediate (MTTR) are failing to capture actual exposure accurately. Qualys instead proposes a new metric, Average Window of Exposure (AWE), which measures the time between exploitation and remediation.
Even as teams process increasing volumes of remediation work, outcomes are deteriorating. In 2025, 63 per cent of critical vulnerabilities remained unpatched seven days after identification, up from 56 per cent in 2022. Meanwhile, 85 per cent of vulnerable assets were still exposed at the point of public disclosure, with a third remaining open after three weeks.
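To make the difference between mean time to remediate and the report's Average Window of Exposure concrete, here is an added worked example in Python; it is not code from the report or from Qualys, and the three remediation records, the `VULN-A`/`VULN-B`/`VULN-C` identifiers, the dates and the reporting date are all constructed for illustration. MTTR is computed the conventional way, from detection to remediation over closed findings only, while AWE is measured from first exploitation to remediation (or to the reporting date for findings still open), so a negative Time-to-Exploit and an unpatched finding both lengthen AWE without touching MTTR. The same records are used to compute the share of findings still open seven days after identification, the figure quoted above.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class RemediationRecord:
    """One vulnerability on one asset. Dates are: first in-the-wild
    exploitation, public disclosure, detection by the organisation and
    remediation (None while the finding is still open)."""
    vuln_id: str
    exploited: date
    disclosed: date
    detected: date
    remediated: Optional[date]


# Constructed sample data (hypothetical identifiers and dates, not report data).
AS_OF = date(2025, 4, 22)  # reporting date used for still-open findings
SAMPLE_RECORDS = [
    # Exploited one day before disclosure (Time-to-Exploit = -1), closed in 3 days.
    RemediationRecord("VULN-A", date(2025, 3, 9), date(2025, 3, 10),
                      date(2025, 3, 12), date(2025, 3, 15)),
    # Exploited four days after disclosure, closed 20 days after detection.
    RemediationRecord("VULN-B", date(2025, 3, 5), date(2025, 3, 1),
                      date(2025, 3, 1), date(2025, 3, 21)),
    # Exploited a week before disclosure and still open at the reporting date.
    RemediationRecord("VULN-C", date(2025, 3, 25), date(2025, 4, 1),
                      date(2025, 4, 2), None),
]


def time_to_exploit_days(r: RemediationRecord) -> int:
    """Days from public disclosure to first exploitation; negative means the
    vulnerability was exploited before it was disclosed (no patch existed)."""
    return (r.exploited - r.disclosed).days


def mean_time_to_exploit(records: List[RemediationRecord]) -> float:
    """Average Time-to-Exploit across all records."""
    return mean(time_to_exploit_days(r) for r in records)


def mttr_days(records: List[RemediationRecord]) -> float:
    """Classic MTTR: detection-to-remediation averaged over closed records
    only. Pre-disclosure exploitation and still-open findings do not count."""
    closed = [(r.remediated - r.detected).days for r in records if r.remediated]
    return mean(closed) if closed else 0.0


def awe_days(records: List[RemediationRecord], as_of: date) -> float:
    """Average Window of Exposure: first exploitation to remediation, with
    still-open findings counted up to the reporting date `as_of`."""
    return mean(((r.remediated or as_of) - r.exploited).days for r in records)


def share_open_after(records: List[RemediationRecord], days: int, as_of: date) -> float:
    """Fraction of findings still unremediated `days` after detection, among
    findings that have been observed for at least that long."""
    eligible = [r for r in records if (as_of - r.detected).days >= days]
    still_open = [r for r in eligible
                  if r.remediated is None or (r.remediated - r.detected).days > days]
    return len(still_open) / len(eligible) if eligible else 0.0


if __name__ == "__main__":
    print(f"mean Time-to-Exploit: {mean_time_to_exploit(SAMPLE_RECORDS):.2f} days")
    print(f"MTTR (closed only):   {mttr_days(SAMPLE_RECORDS):.2f} days")
    print(f"AWE (all findings):   {awe_days(SAMPLE_RECORDS, AS_OF):.2f} days")
    print(f"open after 7 days:    {share_open_after(SAMPLE_RECORDS, 7, AS_OF):.0%}")
```

On these constructed records MTTR reports 11.5 days while AWE is about 16.7 days, because MTTR never sees the six pre-disclosure exploitation days or the finding that is still open; that gap is the exposure the report argues MTTR fails to capture.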
The research also found that while tens of thousands of vulnerabilities are disclosed each year, less than one per cent are actively weaponised and remotely exploitable, underscoring the need for more precise, risk-based prioritisation.
Saeed Abbasi, head of the Qualys Threat Research Unit, said the industry is facing a fundamental shift.
“What is emerging now is not another platform shift. It is the first time the adversary itself is becoming autonomous,” Abbasi said.
“The defensive side must make the same transition – and this report measures the cost of every day the transition is delayed.”
You can read the full report here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.