The rapid pace of vulnerability discovery and exploitation has left traditional patching strategies struggling to keep up, according to recent reports.

What Happened

For thirty years, vulnerability management has relied on a buffer of months between when a vulnerability was found and when someone could figure out how to weaponize it. However, AI has disrupted this process by stripping out the manual drag that kept weaponization slow. Today, the disclosure-to-exploit timeframes run in hours, not months.

The Zero Day Clock, which tracks this in real-time, currently averages around 8 hours for 2026, down from roughly 53 days just two years ago. The figure shifts as fresh data lands, but at this point it's sitting firmly below 24 hours. This accelerated pace has left traditional patching strategies struggling to keep up.

Background and Context

The Verizon 2026 Data Breach Investigations Report found that the median fix time for known-exploited vulnerabilities is now 43 days, up from 32 last year. The share of organizations fully patching them is down from 38% to 26%. Even the best performers close only 30-40% of these vulnerabilities in the first week, a rate that's barely budged in years.

The report also notes that "patch your way out" has stopped being workable math. With 48,185 CVEs in 2025, fewer than 0.6% ever got patched. Even worse, these are pre-Mythos numbers. Mythos is the threshold at which AI models became able to find and weaponize vulnerabilities on their own, and it isn't theoretical: Anthropic's Mythos-class model found a flaw that had been hiding in OpenBSD for 27 years.

Why It Matters to the Industry

The accelerated pace of vulnerability discovery and exploitation poses significant challenges for adult-industry platforms and operators. With traditional patching strategies struggling to keep up, it's becoming increasingly difficult to ensure the security of online services. The industry relies heavily on streaming and webcam infrastructure, servers, and platforms that are vulnerable to exploits.

The rapid pace of vulnerability discovery also makes it challenging for moderation teams to keep up with the latest threats. With new vulnerabilities being discovered every hour, it's becoming increasingly difficult to identify and mitigate risks in a timely manner.

What Comes Next

One potential solution is to adopt more proactive approaches to security, such as TTP-chain validation. This involves mapping a CVE to the chain of techniques its exploitation requires, then validating each technique against existing controls. If an environment breaks any required link, the exploit can't succeed there, and you know it without having to fire a live exploit.

Another potential solution is to leverage AI-powered tools that can help identify and prioritize vulnerabilities based on their likelihood of being exploited. These tools can also provide real-time insights into the latest threats and vulnerabilities, enabling more effective mitigation strategies.

Key Facts

  • The Zero Day Clock averages around 8 hours for 2026, down from roughly 53 days just two years ago.
  • The median fix time for known-exploited vulnerabilities is now 43 days, up from 32 last year.
  • Less than 0.6% of CVEs in 2025 were ever patched.
  • Mythos is the threshold at which AI models became able to find and weaponize vulnerabilities on their own.
  • TTP-chain validation involves mapping a CVE to the chain of techniques its exploitation requires, then validating each technique against existing controls.

The accelerated pace of vulnerability discovery and exploitation poses significant challenges for adult-industry platforms and operators. As the industry continues to evolve, it's essential to adopt more proactive approaches to security that can keep up with the latest threats.