HACKER_BLOG
NEGATIVE SEVEN DAYS: WHEN AI FIXES YOUR VULNERABILITIES BEFORE YOU KNOW THEY EXIST
What if your software was already being exploited before the vulnerability was even discovered?
That's not a hypothetical anymore. It's April 2026, and the numbers are in: the average time-to-exploit for critical vulnerabilities has hit **negative seven days**.
Let that sink in.
## The Broken Physics of Patching
On April 10, Qualys published a study analyzing **one billion CISA KEV remediation records** across 10,000 organizations over four years. The conclusion? Our entire defensive model is broken.
Of 52 tracked weaponized vulnerabilities, **88% were patched more slowly than they were exploited**. Half were weaponized before any patch existed at all.
Even worse: despite security teams closing 6.5x more tickets, the percentage of critical vulnerabilities still open at Day 7 actually **worsened** from 56% to 63%.
More effort. Worse outcomes.
## The Mythos Inflection Point
This isn't just about volume. It's about speed and scale.
Enter Claude Mythos — Anthropic's AI model that doesn't just find vulnerabilities, it finds them at machine speed. On April 7, Anthropic launched **Project Glasswing**, partnering with major tech companies to deploy Mythos against critical open-source software. Within days, it had identified thousands of zero-days.
Glasswing is limited to 12 vetted partners with coordinated disclosure. But the technology itself isn't contained. The same capabilities that power defensive vulnerability research can power offensive exploitation.
As Qualys put it: *"AI is not another attack surface — instead, the transition period where AI-powered attackers face human defenders is the industry's most dangerous window."*
## The Script Kiddie Renaissance
The Verge reported this week on the rise of what they're calling **"killer script kiddies"** — AI-assisted amateur hackers who don't need to understand the exploits they're deploying.
For decades, script kiddies were a nuisance. They ran pre-built tools they didn't understand, defaced websites, spread viruses.
Today? They point AI at your infrastructure and get professionally crafted exploit chains in return. The barrier to entry for sophisticated attacks has collapsed.
## What "Negative Seven Days" Actually Means
The concept is simple but terrifying:
- **Day -7:** Attackers (human or AI-assisted) discover a vulnerability
- **Day -6 to 0:** Exploitation begins in the wild
- **Day 0:** Vendor learns of the vulnerability
- **Day +7:** Average patch deployment
By the time your security team even knows there's a problem, you've already been owned for a week.
Qualys found that **critical vulnerabilities still open at Day 7 worsened from 56% to 63%** — despite all the automation, all the tools, all the investment.
## CISA's Two-Front War
The CISA KEV catalog tells the same story. April's updates added both brand-new 2026 zero-days and vulnerabilities dating back over a decade — still being actively exploited.
As one analysis put it, defenders are fighting a **"two-front war":** securing modern cloud infrastructure while purging decade-old exploits still lurking in legacy systems.
And with 13 new CVEs added to KEV in just five days last week, the pace is only accelerating.
## What Actually Works Now
Qualys's recommendation? **Autonomous, closed-loop risk operations.**
Translation: stop expecting humans to keep up. The math doesn't work. One billion remediation records proved it.
What does work:
- **Continuous automated scanning** — not monthly, not weekly, continuously
- **AI-assisted prioritization** — focus on what's actually exploitable, not just what's theoretically vulnerable
- **Automated remediation workflows** — reduce the human bottleneck between discovery and patch
- **Assumption of compromise** — design for the reality that you'll be breached, not the fantasy that you can prevent it
## The Bottom Line
We're past the point where incremental improvement works. The operational model itself needs to change.
Cumulative exposure — the total time your systems remain vulnerable across all flaws — is the real risk metric. Not CVE counts. Not patch rates. Cumulative exposure.
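To make the "negative seven days" timeline and the cumulative-exposure metric concrete, here is an added example (my own code, not from the Qualys study or this blog) that computes both, plus the "still open at Day 7" rate and an exploitability-first work queue like the one the "What Actually Works Now" list calls for, over a handful of constructed remediation records. The record fields, the `EXAMPLE-000x` identifiers, and the definition of the exposure window (from the earlier of disclosure and first known exploitation until remediation) are assumptions made for the example, not Qualys's methodology.

```python
# Added example, not from the Qualys study or this post: computing time-to-exploit,
# "open at Day 7", cumulative exposure, and an exploitability-first work queue
# over a small set of constructed remediation records.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                     # placeholder id, not a real CVE number
    disclosed: date                  # vendor/public disclosure = Day 0
    first_exploited: Optional[date]  # earliest known in-the-wild exploitation
    patch_available: Optional[date]  # None = no vendor fix exists yet
    remediated: Optional[date]       # when this org closed it; None = still open


def time_to_exploit_days(r: VulnRecord) -> Optional[int]:
    """Days from disclosure to first exploitation; negative means exploited before Day 0."""
    if r.first_exploited is None:
        return None
    return (r.first_exploited - r.disclosed).days


def exploited_before_patch(r: VulnRecord) -> Optional[bool]:
    """True if the flaw was weaponized before any fix existed (None = never exploited)."""
    if r.first_exploited is None:
        return None
    return r.patch_available is None or r.first_exploited < r.patch_available


def open_at_day(r: VulnRecord, as_of: date, day: int = 7) -> Optional[bool]:
    """Was the flaw still unremediated `day` days after disclosure?
    Returns None if that day has not yet arrived as of `as_of`."""
    if (as_of - r.disclosed).days < day:
        return None
    return r.remediated is None or (r.remediated - r.disclosed).days > day


def exposure_days(r: VulnRecord, as_of: date) -> int:
    """Exposure window (assumption for this example): from the earlier of disclosure
    and first known exploitation until remediation, or until `as_of` if still open."""
    start = r.disclosed
    if r.first_exploited is not None and r.first_exploited < start:
        start = r.first_exploited
    end = r.remediated if r.remediated is not None else as_of
    return max(0, (end - start).days)


def summarize(records: List[VulnRecord], as_of: date) -> dict:
    """Fleet-level metrics: mean time-to-exploit, pre-patch weaponization rate,
    Day-7 open rate, and cumulative exposure (the sum of vulnerable-days)."""
    tte = [t for t in map(time_to_exploit_days, records) if t is not None]
    pre_patch = [x for x in map(exploited_before_patch, records) if x is not None]
    at7 = [x for x in (open_at_day(r, as_of) for r in records) if x is not None]
    return {
        "mean_time_to_exploit_days": sum(tte) / len(tte) if tte else None,
        "pct_exploited_before_patch": 100.0 * sum(pre_patch) / len(pre_patch) if pre_patch else None,
        "pct_open_at_day7": 100.0 * sum(at7) / len(at7) if at7 else None,
        "cumulative_exposure_days": sum(exposure_days(r, as_of) for r in records),
    }


def prioritize(records: List[VulnRecord], as_of: date) -> List[str]:
    """Open flaws, worst first: known in-the-wild exploitation outranks everything,
    then the longest-running exposure. This is what 'focus on what's actually
    exploitable' looks like as a sort key."""
    still_open = [r for r in records if r.remediated is None]
    still_open.sort(key=lambda r: (r.first_exploited is not None, exposure_days(r, as_of)),
                    reverse=True)
    return [r.vuln_id for r in still_open]


# Constructed sample data; dates and ids are invented for the example.
RECORDS = [
    VulnRecord("EXAMPLE-0001", date(2026, 4, 1), date(2026, 3, 25), date(2026, 4, 3), date(2026, 4, 10)),
    VulnRecord("EXAMPLE-0002", date(2026, 4, 1), date(2026, 4, 5), date(2026, 4, 1), date(2026, 4, 6)),
    VulnRecord("EXAMPLE-0003", date(2026, 4, 2), date(2026, 3, 20), None, None),
    VulnRecord("EXAMPLE-0004", date(2026, 4, 3), None, date(2026, 4, 3), date(2026, 4, 5)),
    VulnRecord("EXAMPLE-0005", date(2026, 4, 10), None, date(2026, 4, 12), None),
]
AS_OF = date(2026, 4, 20)

if __name__ == "__main__":
    for name, value in summarize(RECORDS, AS_OF).items():
        print(f"{name}: {value}")
    print("work first on:", prioritize(RECORDS, AS_OF))
```

Two design points worth noting. `EXAMPLE-0001` has a time-to-exploit of -7 days: it was being exploited a week before disclosure, and it still counts as "open at Day 7" because remediation took nine days. And the exposure clock for `EXAMPLE-0003` starts at the first known exploitation, not at disclosure, which is exactly why cumulative exposure grows even while ticket counts look healthy.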
And right now, that exposure is growing faster than any human-scale defense can shrink it.
The next breach isn't coming. For most organizations, it's already happened — they just don't know it yet.
---
*Sources: Qualys Threat Research Unit (April 2026), CISA KEV Catalog, Unit 42 Threat Bulletin (April 2026), The Verge (April 28, 2026)*