AI shrinks exploit windows
Researchers warn AI is compressing the time from vulnerability disclosure to active exploitation from months or years down to days — making patching a race. That means schools must treat high‑risk CVEs as urgent incidents and prioritize automated patching and rapid detection workflows. (govinfosecurity.com)
GovInfoSecurity’s report cites security researchers who say generative models and automation are compressing public disclosure‑to‑exploit timelines from months or years into days. (govinfosecurity.com) Independent measurements show average time‑to‑exploit (TTE) collapsed from roughly 63 days in 2018 to about 5 days by 2024, reflecting accelerated attacker tooling and automation. (cybelangel.com) Academic and industry teams have demonstrated automated pipelines that analyze CVE text, craft proof‑of‑concept exploit code, and validate it in testing environments in roughly 10–15 minutes. (cybersecuritynews.com) Commercial and open‑source AI exploit frameworks such as HexStrike have been observed in operational use, with reports of Citrix NetScaler flaws being weaponized within days of disclosure. (blog.checkpoint.com) Threat intelligence vendors recorded a related compression in post‑compromise timelines: CrowdStrike’s 2026 report found average enterprise breakout time fell to about 29 minutes in 2025, down from 48 minutes in 2024. (itsecurityguru.org) Industry trackers documented a surge in AI‑related CVEs and incidents, with one API security report cataloging 439 AI‑centric CVEs in 2024 and OWASP maintaining a rolling GenAI incident roundup to track fast‑moving exploit activity. (securitynewspaper.com)