The industry may be on the cusp of a crushing wave of vulnerability reporting thanks to AI platforms such as Claude Mythos, but the truth is, the number of known exploited vulnerabilities (KEV) has already been growing for years.
According to Verizon’s 2026 Data Breach Investigations Report, which Qualys assisted with, the number of KEV instances blew out 7.7 times over the last four years.
As Qualys said, this equates not to a problem of discipline when it comes to patching, but rather a scale problem, as teams rush to keep up with the onslaught of vulnerabilities under active exploitation.
Saeed Abbasi, senior manager of the Threat Research Unit at Qualys, said that 2024 was a “high water mark” for remediation speed, with organisations working faster than they ever had before, showing improvements from 2022 to 2023 and from 2023 to 2024.
But then we come to 2025, and everything changes.
“The curve shifted back to 2023 levels, with 35 per cent still open at day 28 (up from 27 per cent in 2024), and the long tail hardened at 9 per cent,” Abbasi said in a blog post.
“That 9 per cent translates to roughly 47 million vulnerability instances with no near-term path to closure under current operating models.”
Which is not to say that teams were slacking off. In fact, the detection-to-disclosure timeline remained steady. As Abbasi asserted, “the engine did not slow. The load grew.”
“Total KEV-linked instances grew 7.7 times in four years, from 68.7 million to 527.3 million. At day 28, the absolute open backlog grew from 31 million to 184 million instances,” Abbasi said.
“Volume scaled past the capacity that years of tooling and process investment had built.”
Qualys’ work on the report revealed some further troubling truths. For instance, even 28 days after a vulnerability has been added to CISA’s KEV catalogue, more than a third of these vulnerabilities remain unpatched.
Stretch out that timeline, and the situation looks even more dire. After one year of observation, Qualys found millions of KEV instances were still unaddressed, creating what the company called “chronic, compounding risk”.
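As an added illustration, not code from the Verizon report, Qualys or this article, the following script computes the same "still open at day 28" and "still open after one year" rates over a team's own scan records. The record shape, field names and sample rows are constructed assumptions; the clock starts at the CISA KEV "date added", and instances whose window has not yet fully elapsed are excluded (right-censored) so that an unfinished window is not miscounted as a missed deadline.

```python
"""Measure KEV "still open at day N" rates for a fleet of vulnerability instances.

Added illustration, not code from Qualys, Verizon or Cyber Daily. Record shape,
field names and the sample rows are constructed; the clock starts at the date
CISA added the CVE to the KEV catalogue.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Instance:
    """One vulnerability instance: a CVE detected on one asset (constructed shape)."""
    asset: str
    cve: str
    kev_added: date             # date CISA added the CVE to the KEV catalogue
    remediated: Optional[date]  # None if the instance is still open


def open_rate_at(instances: Iterable[Instance], day: int, as_of: date) -> Optional[float]:
    """Fraction of eligible instances still open `day` days after KEV addition.

    Right-censoring: an instance whose KEV-added date is less than `day` days
    before `as_of` has not had a full window yet and is skipped; counting it
    would inflate the "open" rate merely because time has not elapsed.
    Returns None when no instance is eligible.
    """
    eligible = 0
    still_open = 0
    for inst in instances:
        cutoff = inst.kev_added + timedelta(days=day)
        if cutoff > as_of:
            continue  # window not complete yet; censored
        eligible += 1
        # Open at the cutoff if never remediated, or remediated only after it.
        if inst.remediated is None or inst.remediated > cutoff:
            still_open += 1
    return still_open / eligible if eligible else None


def open_count_at(instances: Iterable[Instance], day: int, as_of: date) -> int:
    """Absolute number of eligible instances still open at `day` (the backlog)."""
    count = 0
    for inst in instances:
        cutoff = inst.kev_added + timedelta(days=day)
        if cutoff > as_of:
            continue
        if inst.remediated is None or inst.remediated > cutoff:
            count += 1
    return count


def report(instances: Iterable[Instance], as_of: date) -> dict:
    """Day-28 and one-year survival figures in the shape the article discusses."""
    rows = list(instances)
    return {
        "day_28_open_rate": open_rate_at(rows, 28, as_of),
        "day_365_open_rate": open_rate_at(rows, 365, as_of),
        "day_365_open_count": open_count_at(rows, 365, as_of),  # the "long tail"
    }


# Constructed sample records; CVE ids and asset names are placeholders.
AS_OF = date(2026, 4, 1)
SAMPLE = [
    Instance("host-01", "CVE-YYYY-AAAA", date(2025, 1, 10), date(2025, 1, 20)),  # fixed in 10 days
    Instance("host-02", "CVE-YYYY-AAAA", date(2025, 1, 10), date(2025, 3, 1)),   # fixed after day 28
    Instance("host-03", "CVE-YYYY-BBBB", date(2025, 2, 1), None),                # never fixed: long tail
    Instance("host-04", "CVE-YYYY-BBBB", date(2025, 2, 1), date(2025, 2, 28)),   # fixed on day 27
    Instance("host-05", "CVE-YYYY-CCCC", date(2025, 6, 15), None),               # open; 1-year window not elapsed
    Instance("host-06", "CVE-YYYY-DDDD", date(2026, 3, 20), None),               # too new for any window
]

if __name__ == "__main__":
    print(report(SAMPLE, AS_OF))
```

Run as-is, the sample gives a day-28 open rate of 0.6 over five eligible instances, a one-year open rate of 0.25 over four, and a long tail of one instance; host-06 is excluded from both windows and host-05 from the one-year window, which is the censoring step that a naive "count everything not yet closed" query would get wrong.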
Changing times, changing tactics
With four years of data to analyse, Abbasi has come to a worrying conclusion.
“For more than a decade, the operating thesis of vulnerability management has been that faster manual remediation could outrun the attacker. The four-year survival analysis retires that thesis,” Abbasi said.
“The remediation engine is running at the same RPM. The load has increased nearly eightfold. No incremental investment in staffing, tooling, or process closes a structural gap of this shape.”
According to Abbasi, the best – and possibly only – solution is an architectural shift to machine-speed remediation, risk-driven operations, and aggressive gathering of threat intelligence.
“The data is the strongest case we have made to date for changing the model,” Abbasi said.
You can read the full Verizon 2026 Data Breach Investigations Report here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.