October 30, 2025

Understanding the new negative time-to-exploit

Melvin Lammerts, Hacking Manager

For decades, cybersecurity operated on a simple premise: when a vulnerability is disclosed, defenders race to patch systems before attackers develop exploits. The faster defenders patch, the better protected they are.

That race is over. And the defenders lost.

Mandiant's latest analysis of 112 vulnerabilities disclosed in 2024 reveals something unprecedented: an average time-to-exploit of negative one day (TTE: -1). Attackers are now exploiting vulnerabilities before patches are even publicly available.

As Head of Hacking and Solutions at Hadrian, I see organizations struggling daily with this new reality. The question is no longer "how fast can we patch?" but "how do we defend against threats we can't see coming?"

What negative time-to-exploit actually means

A negative TTE is the ultimate gut punch. It means cybercriminals are not just keeping pace with defenders. They're lapping us. They have the information before the vendor releases the fix, and they are using that head start to compromise systems while most security teams are still completely unaware.

Sophisticated threat actors are infiltrating the disclosure pipeline itself, gaining early access through insider leaks, compromised researcher systems, and monitoring of code repositories before official announcements. Many vulnerabilities are known to vendors weeks before public disclosure. Attackers who discover these same flaws independently exploit systems while defenders remain unaware. When vendors publish security updates, attackers reverse engineer them to craft exploits faster than organizations can deploy patches.

Zero-day exploitation now outpaces n-day exploitation more heavily than ever before. When attackers have information before defenders, the entire vulnerability management framework collapses.

A landscape transformed

The numbers tell a dramatic story. An increasing proportion of exploited vulnerabilities are now zero-days, where attackers strike before patches exist. Even more concerning, 44% of zero-days in 2024 targeted enterprise infrastructure like security appliances, VPNs, and firewalls, the very systems designed to protect organizations.

For four consecutive years, vulnerability exploitation has been the primary breach method, surpassing phishing. Even for vulnerabilities disclosed before exploitation, 56% are weaponized within the first month. The math is brutal: defenders need 55 days on average to patch 50% of critical vulnerabilities, whereas attackers need fewer than zero.

And then there's AI. AI has taken this impossible reality and turbocharged it. Recent research demonstrated that GPT-4 could exploit vulnerabilities with an 87% success rate just by reading CVE descriptions. What previously demanded deep expertise and weeks of focused work now happens automatically in minutes, costing pennies per exploit.

The traditional playbook is obsolete

Most organizations rely on security approaches designed for an era where hackers performed their work manually. Annual or quarterly penetration tests provide snapshots of security posture that may have worked when TTE was longer. But in a negative TTE environment, yesterday's security posture is irrelevant. Vulnerability scanners are generating overwhelming noise from the 41,000 new CVEs published in 2024, yet they struggle to distinguish theoretical flaws from actively exploitable risks.

Reactive patching programs assume there is time to test, schedule, and deploy updates. By the time change management completes, a breach could already have happened. Manual asset discovery can't keep pace with how fast cloud infrastructure changes and shadow IT appears. Attackers will use tools to find any of your unknown assets first.

Matching attacker speed and methods

At Hadrian, we built our platform around the idea of deploying continuous automated red teaming powered by autonomous AI agents. These agents think exactly like attackers, making real-time decisions about how to probe, exploit, and chain vulnerabilities. Our product is built to solve for a negative TTE environment.

We operate 24/7/365, discovering assets and testing vulnerabilities the moment they appear. We don't just identify potential vulnerabilities. Our AI agents actively attempt exploitation in safe, non-invasive ways to eliminate false positives. Our discovery automatically finds assets security teams don't know exist. When new exploits emerge, our in-house ethical hackers update the platform within 24 hours.

The results are real: London Business School provided 20 root domains, but we discovered thousands of additional assets and identified a critical flaw in their scheduling system. For ICT Group, with 1,500+ engineers constantly making changes, our event-driven architecture instantly detects changes and validates security posture continuously. This capability delivers an 80% reduction in mean time to remediate and 10x greater visibility into critical vulnerabilities.

The path forward

CISOs face real pressure: personal liability with two-thirds of Global 100 companies extending D&O insurance coverage, SEC disclosure requirements, cyber insurance mandates, and boards demanding quantifiable risk reduction. With nearly 4 million unfilled cybersecurity positions globally, automation isn't optional.

Organizations need continuous offensive security validation that works at machine speed. You must see your security posture through the attacker's eyes, continuously and automatically. You must validate defenses with the same methods attackers use to breach them. Giving defenders the oversight an attacker has is what it’s all about for the team at Hadrian.

Interested in learning how continuous automated red teaming can help your organization stay ahead of the exploitation curve? Visit hadrian.io to learn more.
