Prioritization to Prediction, Vol. 6
Partner: Kenna Security
Cybersecurity is a continuous game of cat-and-mouse, but who actually owns the momentum? This sixth volume investigates the entire vulnerability lifecycle—from reservation and publication to exploitation and remediation—to identify the forces that widen or shrink the attacker-defender divide. We track 18,000 CVEs to see how quickly exploitation spreads across the internet relative to the speed of defensive patching.
The findings offer a rare breath of fresh air: defenders control the momentum most of the time. After a patch is released, defenders take about one month to remediate 50% of vulnerable assets, while attackers take about 2.5 months to reach 50% of their maximum exploitation prevalence. Defenders hold the advantage in 9 of the 15 months studied, but that window depends almost entirely on coordinated disclosure: it exists when the patch is available before public exploit code is.
The research also deconstructs the impact of "zero-day" and pre-patch exploit drops. When exploit code is released before a patch is available, exploitation in the wild shifts 47 days earlier and attackers hold the momentum for 12 of the 15 months. This reinforces the necessity of risk-based prioritization and strong visibility into exploit activity as a foundation of modern defense.
Key Findings
- Limited Widespread Exploitation: Only 6% of exploited vulnerabilities published in 2019 reached widespread prevalence (affecting more than 1 in 100 organizations).
- Early Weaponization: For more than half of the vulnerabilities that are eventually exploited in the wild, exploit code is already available on the day the CVE is published.
- The 45% Exploitation Window: Nearly half (45%) of exploited vulnerabilities see their first detected attack in the wild within 30 days of a patch becoming available.
- Defender Velocity Advantage: Defenders reach 50% remediation of vulnerable assets about one month after patch release, while attackers take about 2.5 months to reach 50% of their maximum prevalence across target firms.
- Pre-Patch Exploit Penalty: Releasing exploit code before a patch is available shifts exploitation 47 days earlier and hands attackers the momentum for 12 of the 15 months studied.
- High Scanner Visibility: Over 80% of vulnerabilities are detected by scanners within 30 days of a patch being released, providing defenders with a high-fidelity find-fix opportunity.
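
The race described above (time to 50% remediation versus time to 50% of maximum exploitation prevalence, and which side is ahead month by month, with and without a 47-day pre-patch shift) can be computed from per-asset and per-organization event dates. The following is an added example, not code or data from the report or from Kenna Security. It assumes a "month" is a 30-day window after patch release, uses a constructed sample of 20 assets and 11 organizations for a single CVE, and, because the page does not define the report's momentum metric, uses an assumed proxy: whichever side's curve is higher at month end holds the advantage.

```python
"""Toy reproduction of the defender-vs-attacker race described on the page.

Constructed sample data, not figures from the report. Days are offsets from
patch release; negative means before the patch; None means never observed.
"""
from collections import Counter
from fractions import Fraction
from typing import Optional, Sequence

MONTH_DAYS = 30        # assumption: a "month" is a 30-day window after patch release
HORIZON_MONTHS = 15    # the 15-month window the page reports on


def cumulative_curve(day_offsets: Sequence[Optional[int]],
                     horizon: int = HORIZON_MONTHS) -> list[Fraction]:
    """Fraction of the population with an event on or before the end of each month.

    For defenders the events are per-asset remediation dates; for attackers they
    are per-organization first-seen exploitation dates. Exact fractions avoid
    floating-point ties when the two curves are compared.
    """
    population = len(day_offsets)
    curve = []
    for month in range(1, horizon + 1):
        cutoff = month * MONTH_DAYS
        hits = sum(1 for d in day_offsets if d is not None and d <= cutoff)
        curve.append(Fraction(hits, population))
    return curve


def normalize_to_max(curve: Sequence[Fraction]) -> list[Fraction]:
    """Rescale so the curve's peak is 1: the page measures attackers against
    their own maximum prevalence, not against every organization."""
    peak = max(curve, default=Fraction(0))
    if peak == 0:
        return [Fraction(0) for _ in curve]
    return [v / peak for v in curve]


def months_to_half(curve: Sequence[Fraction]) -> Optional[int]:
    """First month (1-based) at which the curve reaches 50%, or None if never."""
    for month, value in enumerate(curve, start=1):
        if value >= Fraction(1, 2):
            return month
    return None


def advantage_by_month(defender_curve, attacker_curve) -> list[str]:
    """Assumed proxy for the page's "momentum": which side is ahead at month end,
    comparing the remediated-asset fraction with normalized exploitation
    prevalence. The report's exact metric is not given on the page."""
    return [
        "defender" if d > a else ("attacker" if a > d else "tie")
        for d, a in zip(defender_curve, attacker_curve)
    ]


def shift_exploitation(day_offsets, days_earlier: int = 47):
    """Model a pre-patch exploit drop: the page says exploitation moves 47 days earlier."""
    return [None if d is None else d - days_earlier for d in day_offsets]


def summarize(remediation_days, first_seen_days) -> dict:
    defenders = cumulative_curve(remediation_days)
    attackers = normalize_to_max(cumulative_curve(first_seen_days))
    tally = Counter(advantage_by_month(defenders, attackers))
    return {
        "defender_half_month": months_to_half(defenders),
        "attacker_half_month": months_to_half(attackers),
        "defender_months": tally["defender"],
        "attacker_months": tally["attacker"],
    }


# Constructed sample for one CVE: 20 vulnerable assets (4 never remediated in the
# window) and 11 organizations in which exploitation was eventually observed.
ASSET_REMEDIATION_DAYS = [2, 4, 7, 10, 14, 18, 21, 24, 27, 29, 30,
                          45, 60, 90, 120, 180, None, None, None, None]
ORG_FIRST_SEEN_DAYS = [-10, 5, 20, 40, 55, 70, 80, 100, 130, 200, 260]

if __name__ == "__main__":
    print("coordinated disclosure:", summarize(ASSET_REMEDIATION_DAYS, ORG_FIRST_SEEN_DAYS))
    print("exploit before patch:  ", summarize(ASSET_REMEDIATION_DAYS,
                                               shift_exploitation(ORG_FIRST_SEEN_DAYS)))
```

With this sample, defenders hit 50% remediation in month 1 and attackers reach half their peak prevalence in month 3; shifting the same exploitation events 47 days earlier pulls the attacker half-point into month 1 and leaves defenders ahead in only one of the 15 months. The absolute numbers are artefacts of the constructed data; the point is that the pre-patch shift changes who leads without any change in defender behaviour, which is the effect the page attributes to uncoordinated exploit releases.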

Collaborative analysis of 18,000 CVEs drawing on six independent exploitation data sources, including Fortinet and open-source threat intelligence feeds.