Skip to content
Security & Trust

The Patch Window Went Negative: Exploits Now Precede Fixes by a Week

Mandiant's 2026 data puts mean time-to-exploit at -7 days — patches now arrive after attackers already have a foothold.

A
Adyog Research
· 4 min read
Share on X LinkedIn
The Patch Window Went Negative: Exploits Now Precede Fixes by a Week
Key finding

Mean time-to-exploit: -7 days (Source: Mandiant M-Trends 2026 report, Google Cloud Threat Intelligence (2026))

The Patch Window Just Went Negative

Mandiant's M-Trends 2026 report, published by Google Cloud's threat intelligence group, puts a specific number on a trend security teams have described anecdotally for years: attackers are moving faster than defenders can patch. The report's mean time-to-exploit (TTE) metric — the gap between a vulnerability becoming known and an attacker weaponizing it — has gone negative, averaging -7 days across the incidents Mandiant tracked. In plain terms, exploitation is now landing roughly a week before a fix is available, not after.

-7 days
Mean time-to-exploit
Source: Mandiant M-Trends 2026 report, Google Cloud Threat Intelligence (2026)

The Catalog Behind the Curve

The negative window shows up downstream in CISA's Known Exploited Vulnerabilities (KEV) catalog, the U.S. government's running list of flaws confirmed as actively exploited. The catalog now holds more than 1,300 entries — vulnerabilities that were, by definition, weaponized before or shortly after disclosure reached defenders. Under Binding Operational Directive 26-04, which replaced the earlier BOD 22-01 in June 2026, federal civilian agencies now face risk-tiered remediation deadlines ranging from 3 to 60 days depending on severity and exploitation status. The broader population of site operators has no binding deadline at all — only the same exposure clock.

1,300+ entries
CISA KEV catalog size
Source: CISA Known Exploited Vulnerabilities catalog (July 2026)

Why Periodic Patching No Longer Matches the Threat Model

A negative TTE inverts a planning assumption budget-signers have relied on for a decade: that a patch cycle measured in weeks is an acceptable risk posture because attackers need time to reverse-engineer a fix before they can exploit it. When AI-assisted vulnerability research compresses that reverse-engineering step, the assumption breaks first for whichever systems already carry a backlog of disclosed, unpatched CVEs — the tooling doesn't need to discover anything new, it only needs to catch up to what's already public. Among vulnerabilities scored by FIRST's Exploit Prediction Scoring System, 100 currently sit above an EPSS probability of 0.5, meaning the model assesses better-than-even odds of exploitation within 30 days — a queue that no single team can work through on a weekly patch cadence.

100
Vulnerabilities above EPSS 0.5
Source: FIRST EPSS model, via WebPulse threat data collection (July 15, 2026)

What WebPulse's Own Sample Shows

WebPulse's detection layer, which fingerprints framework signatures across a sample of more than 466,000 sites, doesn't measure exploitation directly — it measures exposure surface: which framework a site is running, and what that framework's aggregate CVE history looks like. In a world where the patch can arrive after the exploit, knowing which framework is underneath matters more than it used to. A site owner checking whether a specific patch exists is now checking the wrong question a week too late, on average; the question that holds up is which framework is running and how large its disclosed-CVE backlog is.

466K+ sites across 30 frameworks
Detected framework sample size
Source: WebPulse scan data (July 2026)

The Budget-Signer Read

None of this changes what a CVE is or how it gets fixed. It changes how much runway a patch cycle actually buys, and for whom. Federal agencies operate under BOD 26-04 remediation timelines that assume some lead time exists between disclosure and exploitation; Mandiant's data says that assumption no longer holds, on average, across the incidents it tracked. For everyone else — the far larger population of commercial and public-sector sites outside the federal directive — the practical implication is the same: whichever detected frameworks are running are already carrying whatever CVEs sit unpatched today, and the exploit clock is no longer waiting for a fix to exist.

Share this insight