Qualys Report: The 'Broken Physics' of Vulnerability Remediation and the Rise of Autonomous Risk Operations
A new report from **Qualys** reveals a concerning trend: adversaries are exploiting vulnerabilities faster than organizations can patch them. The study highlights the limitations of traditional, manual remediation processes and advocates for autonomous, closed-loop risk operations to address the growing gap between attack speed and defense capabilities.

_Author: Saeed Abbasi, Senior Manager, Threat Research Unit, Qualys_
**With Time-to-Exploit now at negative seven days and autonomous AI agents accelerating threats, the data no longer supports incremental improvement. The architecture of defense must change.**
## The Stark Reality of Vulnerability Management
Analysis of **CISA's** Known Exploited Vulnerabilities (KEV) over the past four years reveals a disturbing trend: critical vulnerabilities remaining unpatched at Day 7 have increased from 56% to 63%, despite a 6.5x increase in the number of tickets closed by security teams. This suggests that simply throwing more resources at the problem is not a viable solution.
Of the 52 weaponized vulnerabilities tracked in the **Qualys** study, a staggering 88% were patched more slowly than they were exploited. Alarmingly, half of these were weaponized before any patch even existed.
The core issue, according to the report, isn't a lack of speed or effort, but rather the operational model itself.
## Cumulative Exposure: The True Risk Metric
The report emphasizes that **CVE** counts are no longer sufficient for measuring risk. Instead, security teams must focus on cumulative exposure, which takes into account the duration a vulnerability remains unpatched.
**Qualys** introduces the concept of "Risk Mass," defined as vulnerable assets multiplied by days exposed, to capture the cumulative exposure that **CVE** counts often obscure. A companion metric, Average Window of Exposure (AWE), measures the full duration from weaponization to remediation across the environment.
## The 'Manual Tax' and Its Impact
The research identifies a "Manual Tax," a multiplier effect where long-tail assets, often missed by manual processes, significantly extend exposure times. For example, the average remediation time for **Spring4Shell** was 5.4 times the median, illustrating the impact of these hard-to-reach assets.
For infrastructure systems, the situation is even more dire. In the case of the **Cisco IOS XE** vulnerability, even the median remediation time was a staggering 232 days, highlighting the severe limitations of manual processes in addressing complex, widespread vulnerabilities.
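To make the report's metrics concrete, here is an added Python example (not code from the Qualys report) that computes Risk Mass as summed asset-days of exposure and AWE as the mean per-asset window from weaponization to remediation, and reports the mean-to-median ratio that the "Manual Tax" long tail inflates. The asset names, dates and as-of cutoff are constructed assumptions, as is the convention that an asset still unpatched is counted up to the as-of date.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

@dataclass
class AssetExposure:
    asset: str
    remediated: Optional[date]  # None means the asset is still unpatched

def exposure_days(weaponized: date, a: AssetExposure, as_of: date) -> int:
    """Days this asset was exposed, from weaponization until remediation.
    An unpatched asset accrues exposure up to as_of; an asset patched before
    weaponization contributes zero (assumed convention)."""
    end = a.remediated if a.remediated is not None else as_of
    return max(0, (end - weaponized).days)

def exposure_profile(weaponized: date, assets: list, as_of: date) -> dict:
    days = [exposure_days(weaponized, a, as_of) for a in assets]
    awe = mean(days)          # Average Window of Exposure, in days
    med = median(days)
    return {
        "risk_mass": sum(days),                 # asset-days of exposure
        "awe_days": awe,
        "median_days": med,
        "manual_tax": awe / med if med else float("inf"),  # long-tail multiplier
        "open_assets": sum(1 for a in assets if a.remediated is None),
    }

# Constructed sample: one CVE weaponized on 2024-03-01, five affected assets.
WEAPONIZED = date(2024, 3, 1)
AS_OF = date(2024, 6, 1)
SAMPLE = [
    AssetExposure("web-01", date(2024, 3, 4)),
    AssetExposure("web-02", date(2024, 3, 6)),
    AssetExposure("db-01", date(2024, 3, 8)),
    AssetExposure("legacy-01", date(2024, 5, 10)),  # hard-to-reach asset
    AssetExposure("kiosk-07", None),                # never remediated
]

if __name__ == "__main__":
    p = exposure_profile(WEAPONIZED, SAMPLE, AS_OF)
    print(f"Risk Mass: {p['risk_mass']} asset-days, AWE: {p['awe_days']:.1f} days, "
          f"median: {p['median_days']} days, Manual Tax: {p['manual_tax']:.1f}x")
```

Three of five assets close within a week, yet two long-tail assets drive AWE to roughly five times the median, which is the distortion the CVE count alone hides.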
## The Widening Gap: AI-Powered Attacks vs. Human Defenders
The report warns that the increasing sophistication of AI-powered attacks will further widen the gap between attackers and defenders. Offensive AI agents can discover, weaponize, and execute attacks far faster than human-staffed operations can respond.
The transition period, where AI-powered attackers face human-speed defenders, represents the industry's most dangerous window. This is compounded by existing structural vulnerabilities, such as expanded attack surfaces, identity sprawl, and manual remediation workflows.
## The Rise of the Risk Operations Center
To address these challenges, **Qualys** advocates for the adoption of an end-to-end Risk Operations Center. This approach leverages embedded intelligence, active vulnerability confirmation, and autonomous action to compress response times to match the speed of modern threats.
The goal is not to eliminate human judgment but to elevate it, shifting practitioners from tactical execution to governing the policies that direct autonomous systems. Organizations that are successfully closing the risk gap are doing so by removing human latency from the critical path.
## Key Components of a Risk Operations Center
* **Embedded Intelligence:** Machine-readable decision logic to prioritize and guide remediation efforts.
* **Active Confirmation:** Validating whether a vulnerability is actually exploitable in a specific environment.
* **Autonomous Action:** Automating remediation tasks to compress response times.
## Conclusion: Embrace Automation or Fall Behind
**Qualys** emphasizes that the reactive, scan-and-report model is no longer sufficient in the face of rapidly evolving threats and shrinking exploit timelines. Organizations must embrace automation and AI to build autonomous, closed-loop risk operations that can effectively defend against modern attacks.
The question is whether organizations will adapt their architecture to match the mathematics of the current threat landscape before the window between human-scale defense and autonomous-scale offense closes for good.
**[Contact Qualys](https://www.qualys.com/) for insights into how companies manage remediation at scale with automation and AI, and how you can make that difference right now.**
_Sponsored and written by [Qualys](https://www.qualys.com/)._