Cyber shield with a clock and an orange timer arc, symbolising the collapsing patch window in 2026
Cyber Security

Time-to-Exploit Just Went Negative: Why Patching Is No Longer Enough in 2026

By, zero-adm
  • 6 Jul, 2026
  • 6 Views

The average software flaw is now exploited about seven days before a patch even exists. Mandiant’s M-Trends 2026 report puts the mean time-to-exploit at −7 days — negative — meaning attackers routinely weaponize vulnerabilities before they are public and before any fix ships. In 2018 that same window was +63 days. It crossed zero in 2024. Patch management, the control most security programs still lean on, no longer buys the time it once did.

Time-to-exploit is the gap between when a vulnerability becomes known and when attackers first exploit it — and in 2026 that gap has inverted.

What does a “negative” time-to-exploit actually mean?

It means the fix is arriving after the breach, not before it. Mandiant’s frontline data traces the collapse clearly: 63 days of breathing room in 2018, near-zero by 2024, and −7 days in the 2026 report. Many of the vulnerabilities used for initial access are now exploited as zero-days — weaponized before a patch exists — and the average campaign begins a full week before the CVE is even published.

The knock-on speed is just as stark: Mandiant clocked attackers handing off initial access to ransomware operators in as little as 22 seconds. The old assumption — that you have days to test and deploy a fix — is gone.

Why is the patch window collapsing?

Because vulnerability discovery has been handed to machines. In February 2026, Anthropic’s red team reported that its Claude model found and validated more than 500 high-severity vulnerabilities in production open-source software. Its Mythos Preview model went further, autonomously identifying thousands of zero-days across every major operating system and web browser — and, critically, fewer than 1% have been patched by maintainers so far.

This capability cuts both ways. Google’s Threat Intelligence Group reported it likely thwarted an attempt by a hacker group to use AI for a “mass exploitation event.” When both attackers and researchers can find flaws at machine speed, the bottleneck is no longer finding the bug — it’s the human triage-and-patch cycle, which has not sped up to match.

Why it matters for your business

If your security strategy assumes a comfortable gap between disclosure and exploitation, that assumption is now a liability. A −7 day window means:

  • “Patch on CVE release” is structurally too slow. By the time a fix ships, exploitation may already be weeks old.
  • CVSS score is the wrong first filter. What matters is whether a flaw is being exploited in your stack right now, not its theoretical severity.
  • Prevention alone can’t be the plan. If you cannot always patch in time, you must be able to detect and respond in time.

For an SME without a 24/7 SOC, this is not an abstract debate — it is the difference between a contained incident and a business-ending one.

And in Switzerland and Europe?

The regulatory direction already assumes this world. Since 2025, Swiss operators of critical infrastructure face a reporting duty to the NCSC (Bundesamt für Cybersicherheit) within 24 hours of a significant cyberattack — a timeline that only makes sense if you can detect fast. FINMA’s operational-resilience expectations push regulated financial institutions toward tested response and recovery, not just prevention. In the EU, NIS2 and DORA codify the same shift: assume compromise, prove you can respond.

A practical note for Swiss SMEs: you do not need an enterprise budget to act on this. You need to change what you prioritize, not necessarily how much you spend.

What to do now: 4 steps

  1. Prioritize by exploitability, not by CVSS. Feed threat intelligence (e.g. CISA KEV, vendor advisories) into patching so “actively exploited” jumps the queue ahead of “theoretically critical.” Fix what attackers are actually using first.
  2. Buy time with virtual patching. Where you cannot patch instantly, shield: WAF/IPS rules, network segmentation, and disabling exposed features close the window while a permanent fix is tested.
  3. Assume breach — invest in detection and response. Tested incident-response runbooks, EDR/managed detection, and readiness to meet the NCSC 24-hour reporting duty matter more than a perfect patch cadence. Rehearse the response, don’t just document it.
  4. Turn AI onto defense and tighten the supply chain. Use AI-assisted triage and detection to keep pace, and re-check third-party and open-source dependencies — where the same zero-days now sit unpatched.

The uncomfortable truth: in 2026, you will not out-patch a machine-speed adversary. You can out-prepare one.

Which side of the seven days is your organization on — still patching after disclosure, or already detecting before it?

Frequently asked questions

Is patch management now useless?

No — it remains essential hygiene. But it can no longer be the primary control. Patching closes known gaps; it cannot cover the window before a patch exists, which is now where much exploitation happens.

What is a negative time-to-exploit?

It means attackers, on average, exploit a vulnerability before it is publicly disclosed and before a patch is released. Mandiant’s M-Trends 2026 estimates this at −7 days.

Does this only affect large enterprises?

No. SMEs are more exposed, because they rarely run 24/7 detection. The same internet-facing software and open-source dependencies are exploited regardless of company size.

What single change matters most?

Shift budget and attention from “patch everything” to “detect and respond fast,” and prioritize the handful of flaws that are actively being exploited.