Enterprise cybersecurity has hit a turning point. The assumption that patching can keep pace with attackers no longer holds; keeping up has become a mathematical impossibility.
According to the Qualys Threat Research Unit (TRU) report “The Broken Physics of Remediation,” the current average Time to Exploit (TTE) for vulnerabilities is negative one day: vulnerabilities are being weaponized before a patch exists to fix them. Organizations still running on a human-speed response cycle have already lost this race.
The report derives the negative-one-day TTE from more than 1 billion remediation records submitted by more than 10,000 organizations between 2022 and 2025. It also reveals a growing gap between the rising number of critical vulnerabilities and the share that remain unpatched a week after disclosure: critical vulnerabilities have increased 6.5 times over the past four years, while the percentage still unpatched after seven days has risen from 56% to 63%.
In short, even though organizations have spent more money, purchased more tools, and hired more staff, they are continuing to lose ground against cybercriminals. The report calls this the ‘Human Ceiling’, the stage at which adding people or processes will not significantly reduce risk.
When Attacks Move Faster Than Disclosure
Attackers no longer wait to launch attacks. The MOVEit Transfer vulnerability showed how quickly attackers can commoditize a flaw and hit thousands of organizations at once, and such attacks remain active and within reach. Log4Shell is another example: its long tail continues to threaten enterprises years later, showing that slow remediation can have long-lasting consequences.
As Qualys' research shows, nearly 50% of all vulnerabilities are exploited before they are made public, marking the shift from manual, one-off exploitation to automated exploitation at scale. Attackers identify a class of vulnerability and quickly template their exploitation across a large ecosystem.
Automation-enhanced and AI-enabled reconnaissance have driven this evolution, shrinking the execution time of attacks from hours to minutes, far faster than an organization can manually triage and patch systems.
In support of this paradigm shift, available industry-wide data illustrates the ongoing disparity between how quickly attackers gain initial access to targets and an organization’s response.
According to Mandiant, attackers achieve initial access to targets within hours or days, versus the average of 200 days that IBM Security estimates enterprise organizations need to discover, contain, and respond to a breach. Each of these discrepancies widens the gap between the speed at which attackers launch attacks and the time enterprises take to respond.
From Patch Speed to Exposure Economics
Traditional measures such as Mean Time To Remediate (MTTR) no longer adequately represent actual cyber risk, because they do not take into account how long a system is at risk.
Instead of looking at how quickly a patch is applied, we need to measure how long a system is exposed to the risk of that vulnerability not being patched.
The two additional metrics provided in this report that can help us measure this exposure are as follows:
- Average Window of Exposure (AWE): The overall time that all of the vulnerabilities within an asset have an opportunity of being exploited.
- Risk mass: The total amount of cumulative exposure due to a vulnerability over time.
These new metrics shift us away from measuring the operational efficiency of incident response and toward measuring the impact that exposure has on the business.
A clear example of this can be demonstrated from the widely exploited “Follina” vulnerability, which resulted in 33,000 exposure-days across only 400 assets due to delays in remediating the vulnerability. This is not an issue with how quickly a patch was applied; this represents an accumulation of unmanaged business risks.
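To make the contrast between MTTR and the exposure metrics concrete, the following Python script computes exposure-days, Average Window of Exposure and risk mass over a small set of constructed findings. It is an added example and not code from the Qualys report; the exact way AWE and risk mass are calculated is an assumption based on the definitions above (AWE as the sum of exposure-days per asset, averaged across assets; risk mass as the sum of exposure-days per vulnerability across all assets), and the CVE identifiers, asset names and dates are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Reporting date used to measure still-open findings (constructed value).
AS_OF = date(2025, 6, 30)


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    first_seen: date
    remediated: Optional[date]  # None means the finding is still open


def exposure_days(f: Finding, as_of: date = AS_OF) -> int:
    """Days the finding has been exploitable: first seen until fixed, or until as_of if open."""
    end = f.remediated if f.remediated is not None else as_of
    return max(0, (end - f.first_seen).days)


def mean_time_to_remediate(findings, as_of: date = AS_OF) -> float:
    """Classic MTTR: only closed findings count, so open exposure is invisible."""
    closed = [exposure_days(f, as_of) for f in findings if f.remediated is not None]
    return sum(closed) / len(closed) if closed else 0.0


def average_window_of_exposure(findings, as_of: date = AS_OF) -> float:
    """AWE (assumed form): total exposure-days per asset, averaged over assets."""
    per_asset = defaultdict(int)
    for f in findings:
        per_asset[f.asset] += exposure_days(f, as_of)
    return sum(per_asset.values()) / len(per_asset) if per_asset else 0.0


def risk_mass(findings, as_of: date = AS_OF) -> dict:
    """Risk mass (assumed form): cumulative exposure-days per vulnerability across all assets."""
    mass = defaultdict(int)
    for f in findings:
        mass[f.cve] += exposure_days(f, as_of)
    return dict(mass)


def rank_by_risk_mass(findings, as_of: date = AS_OF) -> list:
    """Vulnerabilities ordered by accumulated exposure, highest first."""
    return sorted(risk_mass(findings, as_of).items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("web-01", "CVE-0000-1001", date(2025, 6, 1), date(2025, 6, 4)),
    Finding("web-01", "CVE-0000-1002", date(2025, 6, 10), None),
    Finding("db-01", "CVE-0000-1001", date(2025, 6, 1), date(2025, 6, 11)),
    Finding("db-01", "CVE-0000-1003", date(2025, 6, 20), date(2025, 6, 22)),
    Finding("app-02", "CVE-0000-1001", date(2025, 5, 1), None),
]

if __name__ == "__main__":
    print(f"MTTR (closed findings only): {mean_time_to_remediate(SAMPLE):.1f} days")
    print(f"Average Window of Exposure:  {average_window_of_exposure(SAMPLE):.1f} exposure-days per asset")
    for cve, mass in rank_by_risk_mass(SAMPLE):
        print(f"  {cve}: {mass} exposure-days of risk mass")
```

On this sample MTTR reports a comfortable 5 days, because it averages only the three closed findings, while AWE is about 31.7 exposure-days per asset and the first CVE carries 73 exposure-days of risk mass, most of it from a single asset that has been open for two months. That is the accumulation the Follina figure above describes.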
For senior boards and executives, this re-framing provides them with a way to measure their exposure as a cumulative value in terms of time and to directly relate this to their company’s resilience as an enterprise.
Why This Matters More in India’s Digital Economy
These challenges matter a lot for India. India’s digital infrastructure now covers real-time payments, e-governance, and fast-growing cloud use. This has made the country more vulnerable to cyber attacks than ever before. The Indian Computer Emergency Response Team and other agencies have often warned about the increasing number and complexity of threats facing Indian businesses.
In sectors such as BFSI, telecom, and digital commerce, even short exposure windows can translate into systemic risk. As digital services scale, the tolerance for delayed remediation continues to shrink.
In this environment, cybersecurity is no longer just an IT function; it is a core pillar of digital trust.
The Shift to Autonomous Risk Operations
To correct the discrepancies outlined above, the report suggests introducing a paradigm shift away from reactive patching and towards proactively managing cyber risk through autonomous risk management.
At the heart of this new way of working is the idea of having one Risk Operations Centre (ROC), where detecting, validating, and remediating vulnerabilities will all take place within a constant, machine-learned feedback loop that operates at machine speed.
Unlike traditional reactive or proactive assumptions about what should occur, this operational model requires using real-time machine-consumable intelligence (data) to answer an important operational question: Is this vulnerability exploitable in this environment right now?
By incorporating configuration-related variables, compensating controls (where applicable) and dynamic threat and contextual information (where available) into their analysis, organisations can prioritise reported vulnerabilities based on actual exposure rather than theoretical risk alone, reducing "noise" (false positives), cutting response times from days, weeks or months to hours, minutes or seconds, and improving the accuracy of automated response actions.
The new model aims to move from "risk whack-a-mole" toward an operationally usable, intelligence-driven remediation methodology.
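The following Python example, added here and not taken from the report or any Qualys product, shows one way to answer "is this vulnerability exploitable in this environment right now?" in code: each finding is scored against its context (configuration state, reachability, threat intelligence and compensating controls) and the result is compared with a CVSS-only ordering. The weights, the context fields and the sample findings are constructed assumptions chosen to illustrate the idea, not a published scoring scheme.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    cve: str        # placeholder identifier, constructed for the example
    cvss: float     # base severity score from the advisory


@dataclass(frozen=True)
class Context:
    component_enabled: bool              # configuration: is the vulnerable feature even on?
    internet_facing: bool                # asset inventory: reachable from outside?
    exploited_in_wild: bool              # threat intelligence feed
    public_exploit: bool                 # threat intelligence feed
    compensating_control: Optional[str]  # e.g. a WAF rule or network ACL, None if absent


def exposure_score(v: Vulnerability, ctx: Context) -> Tuple[float, List[str]]:
    """Return an exposure-based priority (0-10) and the reasons behind it.

    The adjustments are illustrative weights, not a standard; the point is that the
    score reflects the environment, not only the advisory.
    """
    if not ctx.component_enabled:
        return 0.0, ["vulnerable component is disabled in configuration; not exploitable here"]
    score = v.cvss
    reasons = []
    if ctx.exploited_in_wild:
        score += 3.0
        reasons.append("exploitation observed in the wild")
    elif not ctx.public_exploit:
        score -= 2.0
        reasons.append("no public exploit known")
    if not ctx.internet_facing:
        score -= 2.0
        reasons.append("asset not reachable from the internet")
    if ctx.compensating_control:
        score -= 3.0
        reasons.append(f"mitigated by compensating control: {ctx.compensating_control}")
    return max(0.0, min(10.0, score)), reasons


def prioritize(findings: List[Tuple[Vulnerability, Context]]) -> List[Tuple[str, float, List[str]]]:
    """Order findings by exposure score, highest first, keeping the explanation for each."""
    scored = [(v.cve, *exposure_score(v, ctx)) for v, ctx in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def cvss_order(findings: List[Tuple[Vulnerability, Context]]) -> List[str]:
    """The ordering a severity-only process would produce, for comparison."""
    return [v.cve for v, _ in sorted(findings, key=lambda fc: fc[0].cvss, reverse=True)]


# Constructed findings: CVE ids and contexts are placeholders for the example.
FINDINGS = [
    (Vulnerability("CVE-0000-2001", 9.8), Context(False, True, False, True, None)),
    (Vulnerability("CVE-0000-2002", 9.1), Context(True, False, False, False, "WAF rule")),
    (Vulnerability("CVE-0000-2003", 7.5), Context(True, True, True, True, None)),
    (Vulnerability("CVE-0000-2004", 9.8), Context(True, True, False, True, None)),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(FINDINGS))
    for cve, score, reasons in prioritize(FINDINGS):
        print(f"{cve}: {score:4.1f}  {'; '.join(reasons) or 'no adjustments'}")
```

A severity-only queue would work the two 9.8 findings first and the 7.5 last; the context-aware ordering suppresses the finding whose component is switched off, demotes the one behind a WAF on an internal host, and puts the actively exploited, internet-facing 7.5 at the top. Carrying the reasons alongside the score is what lets an automated response be audited afterwards.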
A Governance Challenge, Not Just a Security Problem
For CIOs and CISOs, prolonged exposure to a vulnerability has gone from being a technical issue to one of governance. There is a direct link between the length of time systems are exposed to a vulnerability and the potential financial and operational risk in terms of regulatory compliance, cyber insurance rates, and business continuity. In many instances, prolonged exposure has also become an issue of accountability at the board level. The data demonstrate that manual remediation cannot meet the demands of machine speed. As the report's conclusion puts it, “You cannot solve a one-minute problem using a one-month process.”
The real challenge for enterprises is no longer whether to automate their processes but how quickly they can automate their processes, especially if the curve of time for exposure is creating a gap greater than their ability to respond.
In the age of machines running at machine speed, resilience will not be achieved by adding more personnel, but by deploying systems that can observe, evaluate, and react at a speed that continues to outpace that of the code used by the attacker.
Winners vs Losers in the Machine-Speed Era
As this change continues to speed up, a significant divide is developing:
- Successful organisations: those making advances in self-correcting solutions, continuous validation of exposed assets, and fully integrated security technology architectures.
- Unsuccessful businesses: those that continue to rely on patch maintenance, manual processes, and disparate security technologies and solutions.
The future will not be determined by budget but rather the design of the organisation.