Artificial intelligence is no longer a theoretical concern for defenders. It is an active weapon in the hands of threat actors, and the numbers tell a story that no security team can afford to ignore. We sat down with Nahuel Benitez from the Vicarius Research Team to break down what's happening, what the data actually says, and why vulnerability prioritization and remediation have never been more critical.
Nahuel Benitez is the head of the Vicarius Research Team, where he focuses on vulnerability research, CVE remediation, and purple team operations. He holds several certifications, including CCD, eCTHP and eCPPT. His work spans security automation, exploit analysis, and building defensive tooling for the Vicarius vRx platform.
Vicarius Team: Nahuel, there's been a lot of noise around AI and cybersecurity lately. Before we get into the hype, let's start with what's actually happening on the ground. Is AI truly being used for exploitation right now?
Nahuel Benitez: Yes, it's not theoretical anymore. Just two days ago on May 11, Google's Threat Intelligence Group published a report confirming what many of us feared was coming: a criminal threat actor used an AI model to discover and weaponize a zero-day vulnerability, a previously unknown flaw. Google Threat Intelligence Group (GTIG) stated they had "high confidence" in the attribution and that the group was planning to use it in a mass exploitation event. Google discovered it before it could be deployed at scale, worked with the vendor to patch it, and disrupted the operation. They also said they've seen several other attempts to use AI for exploit development and expect there will be more.
Vicarius Team: So the barrier to entry for exploit development is falling. Can you put some numbers on how dramatically things have changed?
Nahuel Benitez: Of course. Quick warning: the numbers are shocking. In 2020, the average time-to-exploit, meaning the window between a vulnerability being disclosed and an attacker weaponizing it, was around 745 days. By 2025, Flashpoint's data shows that it collapsed to just 44 days. But the averages don't tell the full story. The Cloud Security Alliance published a whitepaper in April 2026 showing that the mean time to exploit dropped from roughly 32 days in 2022 to approximately 5 days for 2023-era exploitation, and in 2025, 32.1% of newly tracked exploits appeared on or before the day the CVE was published, an 8.5-percentage-point increase from the previous year. VulnCheck's data aligns: 28.96% of Known Exploited Vulnerabilities in 2025 were exploited on or before the day their CVE was even published. That's nearly one in three. CrowdStrike's 2026 Global Threat Report adds another dimension: 42% of exploited vulnerabilities were attacked before public disclosure, eCrime breakout time averaged just 29 minutes, a 65% speed increase over 2024, and the fastest observed breakout was 27 seconds. In one intrusion, data exfiltration began within 4 minutes of initial access. So when we talk about the "exploit window," we're not talking about weeks anymore. In some cases we could say that there is no window at all.
Vicarius Team: Let's talk about that gap. How badly are organizations falling behind on remediation?
Nahuel Benitez: This is the scary part. The attacker side of the equation has accelerated roughly six times since 2022, from 32 days to exploit a disclosed vulnerability down to about 5 days. But enterprise remediation speed has, if anything, degraded.
The Qualys enterprise patch benchmark from April 2026 found that the mean time to remediation for complex enterprise applications reached 5 months and 10 days. The Edgescan 2025 Vulnerability Statistics Report put it another way: 45.4% of discovered enterprise vulnerabilities remain unpatched after twelve months, with 17.4% of unpatched findings classified as high or critical severity. The average time to remediate a known high or critical severity CVE is now 74 days.
The math is simple and terrifying: defenders need an average of 55 days to patch 50% of critical vulnerabilities. Attackers need less than 5 days to exploit them.
Vicarius Team: So what does this mean for how organizations should be approaching vulnerability management?
Nahuel Benitez: It means the traditional approach is dead. The classic sequential model (discover, disclose, develop a patch, deploy) assumed a window of time that no longer exists. Organizations need to shift from reactive patching to risk-based prioritization. Not every vulnerability is equally dangerous, and trying to patch everything is a losing game when CVE volume is growing at 30%+ year-over-year. What matters is understanding which vulnerabilities are exploitable in your specific environment, which ones attackers are actually targeting, and which assets are exposed.
Vicarius Team: Where is this going? What should security leaders be preparing for?
Nahuel Benitez: We're entering an era where AI capabilities on the offensive side are growing faster than most organizations can adapt. CrowdStrike reported that AI-enabled adversary attacks rose 89% year-over-year in 2025, weaponizing AI across reconnaissance, credential theft, and evasion. The World Economic Forum's 2026 Global Cybersecurity Outlook found that 87% of respondents identified AI-related vulnerabilities as the fastest-growing cyber risk. Google tracked 90 zero-day vulnerabilities exploited in the wild in 2025 alone.
My advice to security leaders: First, accept that the exploit window has effectively collapsed and start planning accordingly. Second, invest in risk-based prioritization and continuous exposure management rather than chasing every CVE. Third, leverage automation on the defensive side just as aggressively as attackers are leveraging it on the offensive side. The tools exist, the data exists, and the platforms exist. What's needed is the organizational will to move from legacy patching models to continuous, intelligent remediation.
The organizations that adapt will survive. The ones that don't will become case studies.
Sources:
- Google Threat Intelligence Group (GTIG), "AI Vulnerability Exploitation & Initial Access," May 11, 2026
- Cloud Security Alliance, "The Collapsing Exploit Window: AI-Speed Vulnerability Weaponization," April 2026
- VulnCheck, "State of Exploitation 2026," January 2026
- CrowdStrike, "2026 Global Threat Report"
- Flashpoint, "N-Day Vulnerability Trends," February 2026
- Edgescan, "2025 Vulnerability Statistics Report"
- Qualys, "Enterprise Patch Benchmark," April 2026
- World Economic Forum, "Global Cybersecurity Outlook 2026"








