Zero‑Day Clock shows AI shrinking exploit time

Why it matters

Tom’s Hardware on May 27 highlighted a project called Zero-Day Clock that says the time between vulnerability disclosure and working exploitation has compressed from roughly a year to about a day. The project’s public website says it tracks time-to-exploit across more than 83,000 CVEs using 10 sources, including CISA’s Known Exploited Vulnerabilities catalog, ExploitDB and Metasploit. SANS Institute, in an April 14 briefing tied to AI-driven vulnerability discovery, described the shift more bluntly, saying the window between disclosure and weaponization had “collapsed into hours.” ### What is Zero-Day Clock actually measuring? Zero-Day Clock says it tracks “time-to-exploit,” or TTE, across disclosed software flaws. On its site, the project says it aggregates exploit intelligence from 10 sources and follows median TTE trends year over year rather than focusing on a single incident. Tom’s Hardware described the analysis as an attempt to visualize how AI is changing software security by shrinking the lag between a vulnerability becoming known and attackers building usable exploits. (tomshardware.com) The project’s “Collapse” page frames that trend as a broad acceleration in offensive capability. That framing is echoed in outside commentary: SANS said in April that AI-driven discovery and exploitation were compressing timelines from weeks to hours, and presented that as a planning problem for security teams rather than a one-off anomaly. ### Why are people tying this compression to AI? SANS on April 14 linked shorter exploit timelines to advances in autonomous vulnerability discovery and exploit generation. (zerodayclock.com) The institute cited Anthropic’s Claude Mythos preview and Project Glasswing, saying those systems had identified thousands of zero-days across major operating systems and browsers. SANS also said internal testing showed one model generated 181 working exploits against Firefox vulnerabilities, versus two for a previous model under the same conditions. (zerodayclock.com) Tom’s Hardware used Zero-Day Clock’s numbers to argue that AI is changing the economics and speed of exploit development. That claim sits alongside other recent reporting from Google Threat Intelligence Group, which said it tracked 90 zero-days exploited in the wild in 2025 and saw enterprise technologies account for 43 of them, or 48%, an all-time high share. ### Does that mean every disclosed bug will be exploited in a day? (sans.org) Google Threat Intelligence Group’s March 5 review did not say every vulnerability is exploited immediately. It said 90 zero-days were exploited in the wild in 2025 and that enterprise software and edge devices remained prime targets. The group also said attackers adapt techniques as vendor mitigations improve, sometimes chaining multiple vulnerabilities and sometimes succeeding with fewer bugs by aiming for lower levels of access. (tomshardware.com) That distinction matters because Zero-Day Clock is presenting an aggregate timing signal, not a guarantee about any single CVE. The public site tracks median trends, and Tom’s Hardware presented the “one day” figure as an average directional measure. ### Why does this change how defenders respond? SANS said the change requires “an actionable framework” for responding to accelerating AI-driven discovery and exploitation. (cloud.google.com) Its April briefing said the security community was dealing with a “permanent acceleration,” and listed priority actions for CISOs and security leaders. That language points to a narrower response window once a flaw is disclosed. (zerodayclock.com) Google’s 2025 zero-day review adds context on where the pressure is likely to land first. The company said nearly half of exploited zero-days in 2025 affected enterprise technologies, and said security and networking devices posed critical risk because they are trusted infrastructure with broad access across networks and data assets. ### What should readers watch next? (sans.org) Tom’s Hardware said Zero-Day Clock projects exploit windows could fall to minute-scale territory as AI tooling improves. The next place to watch is the Zero-Day Clock site itself, which publishes a live TTE dashboard and a “Collapse” timeline, alongside external tracking from groups such as Google Threat Intelligence Group and SANS as they update their exploit and vulnerability data. (tomshardware.com) (cloud.google.com)

Key numbers

• Tom’s Hardware on May 27 reported Zero-Day Clock data showing average time from vulnerability disclosure to exploit has fallen from about a year to a day.
• Tom’s Hardware on May 27 highlighted a project called Zero-Day Clock that says the time between vulnerability disclosure and working exploitation has compressed from roughly a year to about a day.
• The project’s public website says it tracks time-to-exploit across more than 83,000 CVEs using 10 sources, including CISA’s Known Exploited Vulnerabilities catalog, ExploitDB and Metasploit.
• SANS Institute, in an April 14 briefing tied to AI-driven vulnerability discovery, described the shift more bluntly, saying the window between disclosure and weaponization had “collapsed into hours.” What is Zero-Day Clock actually measuring?

What happens next

• Tom’s Hardware on May 27 highlighted a project called Zero-Day Clock that says the time between vulnerability disclosure and working exploitation has compressed from roughly a year to about a day.
• Does that mean every disclosed bug will be exploited in a day?
• It said 90 zero-days were exploited in the wild in 2025 and that enterprise software and edge devices remained prime targets.

Sources

• tomshardware.com
• zerodayclock.com
• zerodayclock.com
• sans.org
• cloud.google.com

Quick answers