
The race for every new CVE
Based on multiple industry reports in 2025, approximately 50 to 61 percent of newly disclosed vulnerabilities had exploit code weaponized within 48 hours. Using CISA’s Known Exploited Vulnerabilities Catalog as a reference, we have seen hundreds of software flaws being actively targeted within days of publication. Every new announcement sparks a global competition between attackers and defenders. Both sides monitor the same feed, but one operates at machine speed and the other at human speed.
Major threat actors have fully industrialized their responses. As soon as a new vulnerability appears in a public database, automated scripts scrape it, parse it, and assess its potential for exploitation. And now, these efforts are being further streamlined through the use of AI. Meanwhile, IT and security teams often go into triage mode, reading advisories, categorizing severity, and queuing updates for the next patch cycle. This delay is exactly the gap that attackers exploit.
The traditional cadence of quarterly or even monthly patching is no longer sustainable. Attackers now weaponize critical vulnerabilities within hours of their disclosure, long before organizations can analyze or verify the vulnerabilities, and typically well before they deploy patches.
The exploit economy of speed
Today’s threat ecosystem is built on automation and volume. Exploit brokers and related groups operate as a supply chain, each specializing in one part of the attack process. They use vulnerability feeds, open source scanners, and fingerprinting tools to match new CVEs to publicly available software targets. Many of these targets have already been identified, and these systems know in advance which targets are most likely to be affected by an impending attack. This is a quick-draw game, and the fastest gun wins.
Mandiant research shows that exploitation often begins within 48 hours of a vulnerability becoming public, and that in many organizations IT operates eight hours a day, giving attackers the remaining 32 hours. This operational efficiency indicates that attackers have removed nearly all manual steps from their workflow. Once an exploit is validated, it is packaged and shared across dark web forums, internal channels, and malware kits within hours.
Massive failures are acceptable
The attacker also enjoys a luxury that the defender does not have: failure. Even if 1000 systems crash on the way to compromising 100, the effort was a success. Their metrics are based on yield, not uptime. Defenders, on the other hand, need to achieve near-perfect stability. A single failed update or service interruption can have far-reaching effects and lead to a loss of customer trust. This imbalance allows the adversary to take reckless risks while the defender remains constrained, which also helps maintain operational gaps sufficient for consistent exploitation.
From human-speed defense to machine-speed resilience
Awareness is not the problem. The challenge is execution speed. Security teams know when vulnerabilities are disclosed, but without automation they can’t react quickly enough. If you want to stay competitive in this battle, moving from ticket-based or manual patching to orchestrated, policy-driven remediation is no longer optional.
Automated hardening and response systems can significantly shorten the exposure window. By continuously applying critical patches, enforcing configuration baselines, and using conditional rollbacks when necessary, organizations can eliminate delays while maintaining operational security. The hard lesson here, and one many people have to get past, is that the damage you can cause yourself will almost certainly be less than that of an attack, and easier to recover from. It’s a calculated risk and one that can be managed. The lesson is simple. Would you rather roll back a browser update on 1000 systems, or completely restore from a backup? I’m not suggesting you be cavalier about this, but weigh the value of hesitation against the value of action, and if action wins, listen to your intuition. IT leaders need to start understanding this, and business leaders need to realize that this is the best strategy for IT. Be sure to test, and consider business criticality when choosing how fast to process critical systems, but prioritize quick action towards streamlined automation of the entire process.
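The policy-driven rollout with conditional rollback described above, as an added example that is not from the article or from Action1. The ring names, the 5 percent failure threshold and the apply_patch, health_ok and rollback callbacks are hypothetical stand-ins for whatever your patch tooling provides, and the fleet in demo() is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Hypothetical pre-agreed policy: rings ordered least to most critical, and
    # the failed-health-check share that triggers a ring-wide rollback.
    rings: tuple = ("canary", "standard", "critical")
    max_failure_rate: float = 0.05

@dataclass
class Outcome:
    patched: list = field(default_factory=list)
    rolled_back: list = field(default_factory=list)
    pending: list = field(default_factory=list)
    halted_at: str = ""  # ring where the rollout stopped, if any

def rollout(hosts, policy, apply_patch, health_ok, rollback):
    """hosts is a list of (name, ring); patch one ring at a time."""
    out = Outcome()
    for i, ring in enumerate(policy.rings):
        members = [name for name, r in hosts if r == ring]
        if not members:
            continue
        for name in members:
            apply_patch(name)
        failed = [name for name in members if not health_ok(name)]
        ring_bad = len(failed) / len(members) > policy.max_failure_rate
        # Over the threshold: undo the whole ring and stop before riskier rings.
        # Under it: undo only the unhealthy hosts and keep going.
        undo = members if ring_bad else failed
        for name in undo:
            rollback(name)
        out.rolled_back += undo
        out.patched += [n for n in members if n not in undo]
        if ring_bad:
            out.halted_at = ring
            out.pending = [n for n, r in hosts if r in policy.rings[i + 1:]]
            break
    return out

def demo(broken):
    """Constructed fleet; `broken` = hosts whose health check fails after patching."""
    hosts = ([(f"c{i}", "canary") for i in range(20)]
             + [(f"s{i}", "standard") for i in range(40)]
             + [(f"k{i}", "critical") for i in range(5)])
    state = {}  # simulated per-host patch state
    return rollout(hosts, Policy(),
                   apply_patch=lambda h: state.__setitem__(h, "patched"),
                   health_ok=lambda h: h not in broken,
                   rollback=lambda h: state.__setitem__(h, "rolled_back"))
```

A bad patch that breaks three standard-ring hosts costs a rollback of that ring and leaves the critical ring untouched, while a single canary failure is undone on its own and the rollout continues.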

Flatten the burnout curve
Automation also reduces fatigue and errors. Rather than chasing alerts, security teams can define rules once and have the system continuously enforce them. This shift transforms cybersecurity into an adaptive, self-sustaining process rather than a manual cycle of triage and patching. In almost all cases, auditing and reviewing processes will take less time than enacting them.
These new automated attack systems never sleep, never tire, and don’t care about the consequences of their actions. They focus only on their goals and on gaining access to as many systems as possible. No matter how many people you throw at this problem, it festers between departments, policies, individuals, and egos. If you aim to fight a tireless machine, you need a tireless machine in your corner of the ring.
Change what can’t be automated
Even the most advanced tools can’t automate everything. Some workloads are too sensitive or are bound by strict compliance frameworks. However, these exceptions should be viewed through a single lens. If you can’t automate it, how can you at least make it more efficient?
That might mean standardizing configurations, segmenting legacy systems, or streamlining dependencies that slow patch workflows. Every manual step that remains costs time, and time is one of the most effective resources attackers have.
Determining which decisions, policies, and approval processes are holding you back requires a deep look into your defense strategy. If your chain of command or change management is slowing down remediation, it may be time to make a complete policy change to eliminate those bottlenecks. Defense automation must operate at a pace commensurate with attacker behavior, not one set by administrative convenience.
Accelerated defense in practice
Many forward-thinking companies have already adopted the principles of accelerated defense, which combines automation, orchestration, and controlled rollbacks to stay agile without causing disruption.
Platforms like Action1 facilitate this approach by enabling security teams to automatically identify, deploy, and validate patches across enterprise environments. This eliminates the manual steps that delay patch deployment, closing the gap between awareness and action. When the policies are sound and the automation is sound, the decisions are sound in practice, because they were all agreed upon in advance.
By automating remediation and validation, Action1 and similar solutions exemplify what security at machine speed looks like: fast, managed, and resilient. The goal is not just automation, but policy-driven automation, where human judgment defines the boundaries and technology executes instantly.
The future is automated defense
Attackers and defenders utilize the same public data, but it is the automation built on top of that data that determines the winner of the race. Every hour between disclosure and remediation creates a potential breach. Defenders cannot slow the pace of discovery, but they can close the gaps through hardening, orchestration, and system automation. The future of cybersecurity belongs to those who make immediate, informed action their standard mode of operation. Because in this competition, the slowest responders are already at risk.
Important points:
Human teams cannot outperform the overwhelming speed and efficiency of the automated attack systems being built. More people means more decisions, delays, confusion, and more potential for error. This is a gunfight. The key is to bring equal force: automate or lose.
Threat actors are building fully automated attack pipelines, using AI, into which new exploit code is simply fed or by which it is developed. They work 24/7, never tire, and never take a break, searching and destroying as their reason for existence until they are turned off or told otherwise.
Most large-scale threat actors operate on numbers rather than precise targeting. They’re not looking for “you”, they’re looking for “anyone”. Size and value mean nothing at the initial compromise stage; they are evaluated after access is gained.
Threat actors have no qualms about using large amounts of their ill-gotten gains on new technologies to increase their attack capabilities. For them, it’s an investment. At the same time, the industry sees it as a waste of profits.
The system that attacks you has involved many talented developers in its construction and maintenance, and has cost defenders unimaginable amounts of money. These are not hobbyist scammers, but highly organized companies, just as competent as the business sector, and more willing to invest their resources than the business sector.
2026 is coming. Is your network ready for it?
Note: This article was written and contributed by Gene Moody, Field CTO at Action1.
