AI exploitation schedules are rapidly shrinking and will continue to shrink. Vulnerabilities are being discovered, reproduced, and weaponized faster than ever before in the history of enterprise security. As a result, the time between a vulnerability being disclosed and indiscriminate exploitation observed on the Internet is now hours instead of days.
The industry’s main answer has been primarily, “Patch faster.”
Regulators say it, boards expect it, management demands it. But for most companies, this is not a button defenders can push. Patching is a controlled process shaped by uptime requirements, stability testing, change windows, business approvals, compliance obligations, and the reality that production systems cannot be broken in the name of urgency.
While patching remains essential, patching alone, or even faster patching, is no longer the complete answer to this “new normal” and the influx of disclosed vulnerabilities. With Anthropic’s Project Glasswing update in May 2026, the imbalance can no longer be ignored. The company, along with approximately 50 partners, announced that they used Claude Mythos Preview to identify more than 10,000 high-severity or high-severity vulnerabilities across system-critical software in one month. Meanwhile, many other organizations are reporting similar results with their internal AI initiatives.
AI is industrializing vulnerability research, but not just for defenders and software vendors. Attackers use the same tools with the same speed advantage to identify and reproduce vulnerabilities and then use them against targeted organizations.
So what does this mean for exploit timelines and defenses?
the bottleneck has moved
It’s no secret that exploitation timelines have been compressed by years, and in recent years it’s not uncommon for vulnerabilities to be exploited in the single digits of time following disclosure. In the case of AI, the time between when large organizations are told there is a problem and when they see someone trying to use AI against them will continue to shrink.
Meanwhile, remediation and patching have not kept up. The Verizon 2026 DBIR makes this point clear. The median time it takes for organizations to patch critical vulnerabilities has increased over the years, from 32 days to 43 days.
Reality is cruel. Attackers operate on timelines measured in hours, while defenders operate on timelines measured in weeks. This gap is where exploitation really takes place.
Yes, there are more vulnerabilities. Yes, attackers are moving faster. But the most difficult thing for defenders is that repairs don’t happen quickly, or perhaps they can’t. Telling an organization to patch things up faster is like telling someone to grow taller. While it seems convenient and well-intentioned, it’s not an easy decision for most teams.
There is also pressure from regulators. India’s CERT-IN recently issued guidance pointing out that certain critical vulnerabilities should be patched within one day. While the intent is clear, this ignores operational reality.
The reality is that some vulnerabilities will be targeted before they can be fully remediated. Security teams must plan for this reality without creating new operational risks. That means you can answer some questions right away.
Are you using this technology? Is this vulnerability theoretical? Is this vulnerability exploitable in your environment? What would exploitation look like? What are the temporary controls that can reduce the risk during normal patching cycles?
The operating model must shift to preemptive attack, verification, and mitigation. And here’s how:
Step 1: Pre-empt what attackers can exploit
Not all disclosed vulnerabilities have the same urgency. Some vulnerabilities cannot be exploited in the real world. Others have characteristics desired by attackers, such as widespread deployment, internet reachability, repeatable exploitation, and a clear path to meaningful access to the target environment.
In the frightening near future, where hundreds, if not thousands, of vulnerabilities are published every day, preemption means identifying which vulnerabilities are most likely to be exploited in the wild, allowing a level of filtering to be performed, and teams not spending critical time investigating everything. Seriousness still matters, but it has never been the whole picture.
In an AI-driven cycle, that filtering should happen within the first few hours of disclosure, before the team works on the full list. By narrowing down the field early, organizations can stay ahead of potential exploits rather than reacting after the fact.
Step 2: Respond quickly to new threats and validate risks
When a new threat is likely to be exploited in the wild or is confirmed, defenders need the ability to react quickly and verify the organization’s specific risk before attackers move on.
This means turning new vulnerability disclosures and exploitation campaigns into environment-specific answers: Are we at risk? Where are we being exposed? Who owns the affected systems? Has exploitability been proven? Responding quickly to emerging threats in the real world requires identifying internet-facing systems across lines of business, divisions, and subsidiaries and contextualizing vulnerabilities with relevant threat intelligence.
Verification then checks whether the vulnerable component is reachable by an attacker and exploitable in the real world. A possible vulnerability will be investigated. However, verified exploitable vulnerabilities require swift and autonomous action given the speed of actual exploitation.
The sooner the team makes that distinction, the sooner they can decide what to mitigate, what to monitor, and what can be migrated through regular remediation.
Speed without accuracy is panic, and accuracy without speed is meaningless. When responding to new threats, both must come together before exploitation begins.
Step 3: Relax to buy time for effective repair
Even after an exposure is verified, remediation may require testing, change management, and coordinated deployment.
Mitigations reduce the potential for exploitation during that period. For internet-facing systems, this may include access restrictions, disabling vulnerable features, WAF or API rules, IDS or IPS updates, isolation, configuration changes, monitoring, or temporary controls to block exploit patterns. Effective mitigation must also be informed by how exploitation takes place. General rules based on CVE summaries are weaker than controls built from exploit paths, payloads, required conditions, and known bad behavior. These controls don’t have to be persistent. Organizations need to patch securely while slowing down exploits, making them less reliable, and harder to scale.
Autonomous mitigation closes the gap between the speed of attackers and the speed of patching. This is the only control that operates in the same time frame as the exploit.
This is the purpose of watchTowr
The watchTowr platform compresses defender timelines to match AI-driven attack timelines. By taking an attacker-driven approach, the platform continues to identify exploitable weaknesses and vulnerabilities, enabling organizations to respond quickly and mitigate threats in the face of a constant stream of new threats.
By leveraging AI to integrate proactive threat intelligence, external attack surface management, and autonomous mitigation, the watchTowr platform provides clarity and shows teams what attackers can see, what they can exploit, and what they can do to mitigate before a breach occurs.
Patching is still necessary and absolutely essential. But in the world of AI exploitation, patching alone is not enough to ensure availability, prevent disruption, and run at the speeds you need. The watchTowr platform, an AI-powered pre-emptive attack management solution, helps organizations stay ahead of attackers, validate exposure to emerging threats, and autonomously mitigate to gain the one thing attackers can’t beat: response time.
To schedule a demo and learn more about preemptive exposure management, visit watchtowr.com.
Source link
