
Here is the number that should reset your patch cadence: in 2026, VulnCheck’s Known Exploited Vulnerability list has grown by 59% year-over-year. That’s 394 confirmed in-the-wild exploitations added in the first months of this year alone. Meanwhile, the average attacker now weaponizes a freshly disclosed CVE in 21 days. And the scanner you rely on to catch this? It has no coverage for 55% of critical vulnerabilities.
The KEV Surge Is Real
VulnCheck tracks exploited vulnerabilities more aggressively than the CISA KEV catalog — last year, only 23.7% of VulnCheck’s confirmed exploited CVEs even appeared in CISA’s list. The 2026 data tells a grim story: 394 CVEs already added to VulnCheck KEV with confirmed exploitation evidence, a 59% jump over the same period in 2025. The full 2025 year saw 884 KEV additions. The pace is accelerating.
Worse, 28.96% of exploited vulnerabilities in 2025 were attacked on or before the day their CVE was published. Nearly one in three. You are not racing to patch before attackers find the bug — in many cases, attackers already exploited it before the advisory shipped.
Your Scanner Has a Structural Blindspot
Cogent analyzed 69,159 CVEs and published its Q2 2026 detection gap findings in May. The conclusion is uncomfortable: 55.7% of critical CVEs received zero scanner coverage from any of the three major scanners — Tenable, Qualys, or Rapid7. Not slow coverage. Zero.
Of the 44.3% that did eventually receive scanner coverage, 62% had exploits already circulating before the detection signature was available. Run the math: 83.2% of critical vulnerabilities either have no scanner coverage at all, or attackers had working exploits before your scanner could flag them. A scanner-first security posture is not a security posture. It is a liability dressed up as a process.
AI Collapsed the Weaponization Window
The weaponization timeline has been in freefall for years, but 2025 and 2026 made the collapse undeniable. In 2020, attackers took an average of 1.6 years to turn a disclosed vulnerability into a working exploit. By 2025, that was 21 days. By April 2026, Cogent’s research clocks it at 0.5 days — driven by LLMs that can read a patch diff and generate a functional proof-of-concept exploit.
The mechanism is straightforward. When a vendor ships a patch, it publishes a diff. That diff tells anyone who reads it exactly what changed and, implicitly, what was wrong. Before AI, turning that insight into a working exploit required skill and time. Now it requires a prompt. Security researcher Himanshu Anand put it plainly: the 90-day disclosure policy is dead. The React patch-to-exploit demonstration took 30 minutes with an LLM.
The enterprise average for closing a critical vulnerability is still 60 days. Attackers operate in half a day. That 59.5-day gap is your attack surface.
The Noise Problem Is Getting Worse
There is a counter-intuitive twist in the data. VulnCheck tracked more than 14,400 exploits for 10,480 unique CVEs in 2025 — a 16.5% year-over-year increase. That sounds catastrophic, but VulnCheck notes a significant chunk of that growth is AI-generated proof-of-concept code: often non-functional, frequently misleading, and regularly treated as real threat intelligence.
Only 1% of 2025 CVEs were confirmed exploited in the wild by year end. Attackers know exactly which 1% matters. Defenders are drowning in 14,000 signals trying to find the same hundred. The AI-generated PoC flood is a distraction, and it disproportionately benefits attackers.
What to Actually Do
The gap between how fast exploits materialize and how fast organizations patch is structural — but developers and security engineers can close it at the stack level.
Stop relying on scanners as your primary signal for critical CVEs. The data shows they are blind to more than half. Supplement with VulnCheck KEV alerts, which are free via the Community plan, delivered to email or Slack, and updated the moment a new CVE gets confirmed exploitation evidence.
Adopt EPSS scoring alongside CVSS. The Exploit Prediction Scoring System updates daily. When real exploit code drops for a CVE, EPSS scores spike within 24 hours — well before most scanner vendors ship detection signatures. For any dependency in your stack with an EPSS score above 0.5, apply a 21-day patch SLA, not a next-sprint backlog item.
KEV-listed CVEs in your stack are P0. No debate, no sprint prioritization. Same-day patch where possible. The VulnCheck State of Exploitation report and the CSA whitepaper on the collapsing exploit window both make the same point: the response timelines built for a world where weaponization took months are obsolete. The question is whether your process knows it yet.
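A small triage script for the policy just described (KEV-listed is P0 same-day, EPSS above 0.5 gets a 21-day SLA, the rest is backlog), added here as an illustration and not code from VulnCheck, Cogent or either report. The EPSS payload is constructed to match the shape of FIRST's public EPSS API response; the KEV set and the dependency inventory are constructed sample data.

```python
"""Triage helper for the patch-SLA policy above: KEV-listed CVEs are P0 (same
day), EPSS above 0.5 gets a 21-day SLA, everything else is backlog. EPSS payload
mirrors FIRST's EPSS API shape; KEV set and inventory are constructed samples."""
from datetime import date, timedelta

# Constructed: payload shaped like FIRST's EPSS API (api.first.org/data/v1/epss).
EPSS_RESPONSE = {"data": [
    {"cve": "CVE-2026-0001", "epss": "0.912", "percentile": "0.998"},
    {"cve": "CVE-2026-0002", "epss": "0.031", "percentile": "0.700"},
    {"cve": "CVE-2026-0003", "epss": "0.640", "percentile": "0.975"},
]}
# Constructed: CVE IDs a KEV feed (e.g. VulnCheck KEV) reported as exploited.
KEV_CVES = {"CVE-2026-0002"}
# Constructed inventory: which CVE affects which dependency in our stack.
INVENTORY = {"CVE-2026-0001": "libfoo 1.2.3",
             "CVE-2026-0002": "webfw 4.0.1",
             "CVE-2026-0003": "parser-x 0.9"}

EPSS_SLA_THRESHOLD = 0.5   # policy from the text: EPSS > 0.5 => 21-day SLA
EPSS_SLA_DAYS = 21

def epss_scores(response):
    """Map CVE -> float EPSS probability from an EPSS-API-shaped payload."""
    return {row["cve"]: float(row["epss"]) for row in response.get("data", [])}

def triage(inventory, kev_cves, scores, today):
    """Return {cve: (priority, due_date, reason)} for each CVE in the stack.
    KEV wins over EPSS: CVE-2026-0002 has a low EPSS score but is in KEV, so it
    is P0; a lagging probability score cannot undo confirmed exploitation."""
    plan = {}
    for cve in inventory:
        score = scores.get(cve, 0.0)  # no EPSS row yet => treat as 0
        if cve in kev_cves:
            plan[cve] = ("P0", today, "confirmed exploited (KEV)")
        elif score > EPSS_SLA_THRESHOLD:
            due = today + timedelta(days=EPSS_SLA_DAYS)
            plan[cve] = ("P1", due, f"EPSS {score:.3f} > {EPSS_SLA_THRESHOLD}")
        else:
            plan[cve] = ("backlog", None, f"EPSS {score:.3f}")
    return plan

def build_plan(today=None):
    """Run triage over the sample data; defaults to today's date."""
    return triage(INVENTORY, KEV_CVES, epss_scores(EPSS_RESPONSE), today or date.today())

if __name__ == "__main__":
    for cve, (prio, due, why) in build_plan().items():
        print(f"{cve:14} {INVENTORY[cve]:14} {prio:8} due={due} ({why})")
```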