Race for every new CVE
Based on several 2025 industry reports, approximately 50 to 61 percent of newly disclosed vulnerabilities saw exploit code weaponized within 48 hours. Using the CISA Known Exploited Vulnerabilities Catalog as a reference, hundreds of software flaws are now confirmed to be actively targeted within days of public disclosure. Each new announcement now triggers a global race between attackers and defenders. Both sides monitor the same feeds, but one runs at machine speed while the other runs at human speed.
Major threat actors have fully industrialized their response. As soon as a new vulnerability appears in public databases, automated scripts scrape, parse, and assess it for exploitability, and these efforts are now becoming more streamlined through the use of AI. Meanwhile, IT and security teams often enter triage mode: reading advisories, classifying severity, and queuing up updates for the next patch cycle. That delay is exactly the gap that adversaries take advantage of.
The traditional cadence of quarterly or monthly patching is no longer sustainable. Attackers now weaponize critical vulnerabilities within hours of disclosure, before organizations have even analyzed or verified them, and usually before they have rolled out fixes.
The exploitation economy of speed
Today’s threat ecosystem is built on automation and volume. Exploit brokers and affiliated groups operate as a supply chain, each specializing in one part of the attack process. They use vulnerability feeds, open-source scanners, and fingerprinting tools to match new CVEs against exposed software targets. Many of these targets have already been identified, and these systems already know which targets are most likely to be susceptible to an imminent attack. It’s a game of quick draw: the fastest gun wins.
Research from Mandiant shows that while exploits are often launched within 48 hours of public disclosure, in many organizations, IT works 8 hours a day, leaving 32 hours on the attackers’ side. This efficiency in operations reflects how the attackers have removed almost every manual step from their workflow. Once a working exploit is confirmed, it is packaged and shared on dark web forums, internal channels, and malware kits within a few hours.
Failure at scale is acceptable
Attackers also enjoy a luxury that defenders cannot afford: failure. Even if they crash a thousand systems on their way to compromising a hundred, the effort is still successful. Their metrics are based on yield, not uptime. Defenders, on the other hand, must achieve almost perfect stability. A single failed update or service interruption can have cascading effects and lead to loss of customer trust. This imbalance allows adversaries to take reckless risks while defenders remain constrained, and it also helps keep the operational gap wide enough for consistent exploitation.
From human-speed protection to machine-speed resilience
Awareness is not an issue. The challenge is speed of execution. Security teams know when vulnerabilities are published, but can’t move fast enough without automation. The transition from ticket-based or manual patching to orchestrated, policy-driven remediation is no longer optional if you want to remain competitive in this fight.
Automated hardening and feedback systems can significantly shorten the exposure window. By consistently applying critical patches, enforcing configuration baselines, and using conditional rollback when needed, organizations can maintain operational security while eliminating delays. And there is a hard lesson here that many people will simply have to accept: the loss you cause will almost certainly be small, and it will be easier to recover from than an attack. This is a calculated risk and can be managed. The lesson is simple: would you rather roll back a browser update on 1000 systems, or recover them completely from a backup? I’m not suggesting you be careless about this, but rather weigh the value of your hesitation against the value of your task, and when the task wins, listen to your gut. IT leaders need to start understanding this, and business leaders need to realize that this is the best IT strategy. Test thoroughly and keep business criticality in mind when choosing how fast to move on critical systems, but tilt the entire process in favor of streamlined automation and quick action.
Flatten the burnout curve
Automation also reduces fatigue and error. Instead of chasing down alerts, security teams define rules once and let the system enforce them consistently. This shift transforms cybersecurity into an adaptive, self-reliant process rather than a cycle of manual triage and patchwork. In almost all cases, it takes less time to audit and review procedures than to carry them out.
This new class of attack automation systems doesn’t sleep, doesn’t tire, doesn’t care about any consequences of its actions. They focus entirely on one goal, gaining access to as many systems as possible. No matter how many people you throw at the problem, the problem grows between departments, policies, personalities and egos. If your goal is to compete with a relentless machine, you need a relentless machine in your corner of the ring.
Changing what can’t be automated
Even the most advanced tools can’t automate everything. Some workloads are very critical or bound by strict compliance frameworks. But those exceptions should still be examined through the same lens: how can they be made more automated or, if not, at least more efficient?
This might mean standardizing configuration, breaking down legacy systems, or streamlining dependencies that slow down the patch workflow. Every manual step left in place represents lost time, and time is the resource attackers use most effectively.
We need to take a deeper look at defense strategies to determine which decisions, policies or approval processes are creating barriers. If the chain of command or change management is slowing down remediation, it’s time for comprehensive policy change designed to remove those obstacles. Defense automation should work at a pace consistent with the attacker’s behavior, not at one set by administrative convenience.
Quick defense in practice
Many forward-thinking enterprises have already adopted the principle of combining rapid defense, automation, orchestration, and controlled rollback to maintain agility without introducing chaos.
Platforms like Action1 facilitate this approach by enabling security teams to automatically identify, deploy, and verify patches across the entire enterprise environment. This eliminates manual steps that slow down patch deployment and shortens the gap between awareness and action. If your policies are sound, your automation is sound, and your decisions are sound in practice because they’re all agreed upon in advance.
By automating remediation and verification, Action1 and similar solutions exemplify what security looks like at machine speed: fast, controlled, and flexible. The objective is not just automation, but policy-driven automation, where human judgment defines the boundaries and technology carries them out immediately.
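The ring-based rollout with controlled rollback described in this section, sketched as an added example (not code from Action1 or from the original article). The policy values, the host fields and the `apply_patch`, `healthy` and `rollback` callbacks are assumptions standing in for whatever the patching platform provides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Boundaries agreed in advance by humans (values are illustrative)."""
    canary_fraction: float = 0.10   # share of the fleet patched first
    max_failure_rate: float = 0.05  # above this, the whole ring is rolled back

def rings(hosts, policy):
    """Canary ring first; business-critical hosts are sorted to the end."""
    ordered = sorted(hosts, key=lambda h: h["critical"])
    n = max(1, round(len(ordered) * policy.canary_fraction))
    return [r for r in (ordered[:n], ordered[n:]) if r]

def rollout(hosts, policy, apply_patch, healthy, rollback):
    """Patch ring by ring; roll back and halt when a ring breaches policy."""
    report = {"patched": [], "rolled_back": [], "halted": False}
    for ring in rings(hosts, policy):
        for host in ring:
            apply_patch(host)
        failed = [h for h in ring if not healthy(h)]
        if len(failed) / len(ring) > policy.max_failure_rate:
            for host in ring:          # whole ring back to known-good state
                rollback(host)
            report["rolled_back"] += [h["name"] for h in ring]
            report["halted"] = True    # later rings are never touched
            break
        for host in failed:            # isolated failures: revert only those
            rollback(host)
        report["rolled_back"] += [h["name"] for h in failed]
        report["patched"] += [h["name"] for h in ring if h not in failed]
    return report

def demo(broken_names):
    """Constructed 40-host fleet; the patch 'breaks' hosts in broken_names."""
    fleet = [{"name": f"ws-{i:02d}", "critical": i >= 36, "patched": False}
             for i in range(40)]
    def apply_patch(h): h["patched"] = True
    def rollback(h): h["patched"] = False
    def healthy(h): return not (h["patched"] and h["name"] in broken_names)
    return rollout(fleet, Policy(), apply_patch, healthy, rollback), fleet
```

A breakage in the canary ring stops the rollout after four hosts, while a single failure in the main ring is reverted on its own and the other 39 hosts stay patched.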
The future is automated defense
Both attackers and defenders draw from the same public data, but the automation built on top of that data is what decides who wins the race. Every hour between disclosure and prevention represents a potential compromise. Defenders can’t slow the pace of discovery, but they can close the gap through hardening, orchestration, and systemic automation. The future of cybersecurity belongs to those who make quick, informed action their standard operating mode, because in this race, the slowest responder is the first to be compromised.
Key takeaways:
- No team of humans will ever be able to surpass the sheer speed and efficiency of the automated attack systems being created. More people leads to more decisions, delays, confusion, and error. It’s a firefight: you must use equal force, automate or lose.
- Threat actors are creating fully automated attack pipelines in which new exploit code is fed into systems using AI – or even developed by it. They work 24/7/365, they don’t get tired, they don’t take breaks, they seek and destroy as a reason to exist until stopped or otherwise instructed.
- Most mass threat actors operate on body count, not precise shots. They’re not looking “for you” as much as they’re looking for “someone else.” Your scale and value do not matter in the initial negotiation stage, which is evaluated after access is gained.
- Threat actors think nothing of spending vast amounts of their ill-gotten gains on new technology to further their offensive capabilities; for them it is an investment. Meanwhile, the industry sees it as a loss in profits. Many talented developers were involved in building and maintaining the system that attacks you, and the budget was beyond any defender’s dreams. These are not amateur scoundrels; these are highly organized enterprises that are able, and more willing than the commercial sector, to invest resources.
Here comes 2026. Is your network ready for this?
Comment: This article was written and contributed by Gene Moody, Field CTO at Action1.