Exploit windows collapsed
- Rapid7 researchers said average time-to-exploit for disclosed software flaws has fallen from 2.3 years in 2019 to less than one day, compressing the gap between public disclosure and attacker action.
- The report says attackers now move faster than standard patch cycles, and Rapid7 warned that a 90-day disclosure clock can leave defenders exposed before fixes, detections, or rollback plans are ready.
- The shift tracks broader automation in vulnerability research and exploit development, pushing security teams toward emergency patching, compensating controls, and faster release coordination. (rapid7.com)
Software flaws used to sit for months or years before attackers weaponized them. Rapid7 says that window has now shrunk to less than 24 hours on average. (rapid7.com)

The company's 2025 Vulnerability Intelligence Report said average time-to-exploit was 2.3 years in 2019. By 2025, it had dropped below one day. (rapid7.com)

Time-to-exploit is the gap between a vulnerability becoming public and attackers using it in the wild. That gap used to give vendors time to test patches and defenders time to prepare detections. (rapid7.com)

Rapid7 said that older rhythm no longer matches how intrusions happen. Its researchers wrote that disclosure itself can now act like a starting gun for exploit development and scanning. (rapid7.com)

That puts pressure on the long-running 90-day disclosure norm, under which researchers privately report a flaw and publish details after three months. Rapid7 argued that fixed deadlines can expose customers if patches, mitigations, and monitoring are not ready together. (rapid7.com)

The report ties the compression to cheaper cloud computing, wider access to proof-of-concept code, and automation that helps attackers turn technical writeups into usable exploits faster. It says artificial intelligence tools could push that cycle from hours into minutes or seconds. (rapid7.com)

Security teams are being told to treat patching as only one part of the response. Rapid7 said organizations need prebuilt playbooks for emergency changes, temporary mitigations, detection rules, and rollback if a rushed fix breaks production systems. (rapid7.com)

Outside coverage of the report echoed the same warning: disclosure and exploitation are converging, and defenders are losing slack time. Trade outlets including Dark Reading and BleepingComputer highlighted Rapid7's finding that the average exploit window is now under a day. (darkreading.com) (bleepingcomputer.com)

The practical effect is simple: once a serious flaw is public, defenders may have hours, not quarters. The old assumption that disclosure starts a 90-day countdown now looks more like a same-day incident response drill. (rapid7.com)