Qualys: human patching limits
- Qualys analysed more than one billion remediation records tied to CISA's KEV catalog and concluded that human-scale patching is increasingly inadequate. (prsol.cc)
- Its data shows time-to-exploit can be as low as negative seven days for individual flaws (the study's average is negative one day), and that autonomous agents are accelerating threats. (prsol.cc)
- It recommends deterministic validation, narrower execution paths, and automated discovery and remediation of dependencies across the wider control plane. (prsol.cc)
Software updates used to buy defenders time. Qualys says that window has closed for many of the internet's most abused flaws. (qualys.com)

Qualys said in March that it analyzed more than 1 billion remediation records tied to CISA's Known Exploited Vulnerabilities catalog across 10,000 organizations from 2022 through 2025. The company said 88% of 52 high-profile weaponized flaws were fixed more slowly than they were exploited. (qualys.com)

CISA's catalog is the U.S. government's running list of bugs already exploited in the wild, and federal civilian agencies are required to remediate listed items by set deadlines under Binding Operational Directive 22-01. As of April 19, 2026, the catalog listed 1,569 vulnerabilities. (cisa.gov)

The basic problem is timing. Qualys said average time-to-exploit has fallen to negative one day, meaning attackers are often using a flaw before it is publicly disclosed or a patch exists, and half of the 52 weaponized cases in its study were exploited before public disclosure. (cdn2.qualys.com) That leaves security teams chasing a moving target with tools built for a slower era. Qualys said critical vulnerability volume rose 6.5 times over four years, while the share of flaws still open at Day 7 and at Day 30 got worse, not better. (cdn2.qualys.com)

The company argues that common metrics miss the real exposure. It introduced "Average Window of Exposure" to measure the span from weaponization to remediation, and "Risk Mass" to count cumulative exposure-days across all affected systems. (qualys.com)

Qualys also says most disclosed bugs never become urgent in the real world. In a separate March post, it said more than 48,000 CVEs were published in 2025, but only a small fraction became remotely exploitable, actively weaponized threats, while the rest still consumed remediation time. (qualys.com) That is where the company's recommendation shifts from patching everything to proving what is actually exploitable in a specific environment.
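The metrics named above (time-to-exploit, Average Window of Exposure, Risk Mass, and the share of flaws still open at Day 7 and Day 30) computed over constructed remediation records, as an added example. This is not Qualys' code and the page does not give Qualys' exact formulas; the example assumes Average Window of Exposure is the mean per-(flaw, asset) exposure window, Risk Mass is the sum of those windows, a still-open record is measured up to an as-of date, and time-to-exploit is counted once per flaw. The flaw names and dates are placeholders, not real CVEs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Sequence

# Added example, not Qualys' code. Vocabulary follows the article:
# "weaponization" = first observed in-the-wild exploitation, "remediation" = fix applied.


@dataclass(frozen=True)
class Record:
    flaw: str                   # vulnerability identifier (placeholders below, not real CVEs)
    asset: str                  # one affected system
    disclosed: date             # public disclosure (patch available)
    exploited: date             # first observed in-the-wild exploitation
    remediated: Optional[date]  # None = still open


def time_to_exploit_days(r: Record) -> int:
    """Days from disclosure to first exploitation. Negative: exploited before disclosure."""
    return (r.exploited - r.disclosed).days


def exposure_days(r: Record, as_of: date) -> int:
    """Window of exposure for one record: weaponization until remediation,
    or until `as_of` if the record is still open. Clamped at zero."""
    end = r.remediated if r.remediated is not None else as_of
    return max(0, (end - r.exploited).days)


def average_window_of_exposure(records: Sequence[Record], as_of: date) -> float:
    """Assumed definition: mean exposure window across all (flaw, asset) records."""
    return sum(exposure_days(r, as_of) for r in records) / len(records)


def risk_mass(records: Sequence[Record], as_of: date) -> int:
    """Cumulative exposure-days across every affected system."""
    return sum(exposure_days(r, as_of) for r in records)


def open_share_at_day(records: Sequence[Record], as_of: date, day: int) -> float:
    """Fraction of records still unremediated `day` days after weaponization
    (the Day 7 / Day 30 view). Records younger than `day` days are excluded
    from the denominator so a very recent flaw does not look fixed."""
    eligible = [r for r in records if (as_of - r.exploited).days >= day]
    if not eligible:
        return 0.0
    still_open = [
        r for r in eligible
        if r.remediated is None or (r.remediated - r.exploited).days > day
    ]
    return len(still_open) / len(eligible)


def _per_flaw_tte(records: Sequence[Record]) -> dict:
    # Each flaw counted once, regardless of how many assets it affects.
    return {r.flaw: time_to_exploit_days(r) for r in records}


def mean_time_to_exploit(records: Sequence[Record]) -> float:
    """Average time-to-exploit per flaw; negative means exploitation led disclosure."""
    tte = _per_flaw_tte(records)
    return sum(tte.values()) / len(tte)


def share_exploited_before_disclosure(records: Sequence[Record]) -> float:
    """Fraction of flaws whose first exploitation predates public disclosure."""
    tte = _per_flaw_tte(records)
    return sum(1 for d in tte.values() if d < 0) / len(tte)


# Constructed sample: two flaws on two assets each. FLAW-A was exploited six
# days before disclosure; FLAW-B four days after. One FLAW-B host is still open.
AS_OF = date(2026, 4, 19)
SAMPLE = [
    Record("FLAW-A", "web-1", date(2025, 3, 10), date(2025, 3, 4), date(2025, 3, 20)),
    Record("FLAW-A", "web-2", date(2025, 3, 10), date(2025, 3, 4), date(2025, 4, 10)),
    Record("FLAW-B", "db-1", date(2025, 6, 1), date(2025, 6, 5), date(2025, 6, 6)),
    Record("FLAW-B", "db-2", date(2025, 6, 1), date(2025, 6, 5), None),
]

if __name__ == "__main__":
    print("mean time-to-exploit (days):", mean_time_to_exploit(SAMPLE))
    print("share exploited before disclosure:", share_exploited_before_disclosure(SAMPLE))
    print("average window of exposure (days):", average_window_of_exposure(SAMPLE, AS_OF))
    print("risk mass (exposure-days):", risk_mass(SAMPLE, AS_OF))
    for day in (7, 30):
        print(f"still open at day {day}:", open_share_at_day(SAMPLE, AS_OF, day))
```

On the sample, the single host that is still open (db-2) contributes 318 of the 372 exposure-days, which is the point of a cumulative metric: a per-CVE count would show FLAW-B as one item that is half remediated, while Risk Mass keeps growing by one exposure-day per open host per day until that last host is fixed or mitigated.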
Qualys said organizations need deterministic validation, narrower execution paths, and automated remediation loops that can validate, mitigate, and revalidate without waiting on manual ticket queues. (qualys.com) Qualys sells products built around that approach, including TruRisk Eliminate and its "Agent Val" validation workflow, so the report also doubles as a case for its platform. Its central claim is narrower than "patching is dead": when exploitation starts before disclosure, human-scale patching stops being the clock that matters. (qualys.com)