A sweeping analysis of more than one billion CISA Known Exploited Vulnerabilities (KEV) remediation records has revealed what many security teams have long suspected but struggled to quantify: the speed at which threat actors weaponize vulnerabilities has outpaced the capacity of human-driven patch management operations.
The research, published by Qualys, examined remediation telemetry from enterprise environments worldwide and found a consistent, systemic pattern — the most critical vulnerabilities tracked by CISA's KEV catalog are being actively exploited before the majority of organizations can apply patches, even when those organizations follow recommended patching timelines.
Key Findings
The Qualys analysis surfaced several findings with significant implications for how organizations think about vulnerability prioritization and remediation velocity:
Exploitation Outpaces Remediation at Scale
Across the billion-record dataset, the gap between public disclosure, CISA KEV inclusion, and active exploitation is shrinking — while the mean time to patch remains largely unchanged in most enterprise environments. This means the defensive window is narrowing even as the volume of CVEs grows.
Most Critical KEV Flaws Exploited Before Patching
For a significant proportion of KEV entries analyzed, exploitation activity was detected in the wild before the majority of vulnerable organizations had deployed the available patch — even when a patch had been available for days or weeks at the time of exploitation.
Volume Overwhelms Human Triage
The sheer volume of CVEs published annually (now projected to exceed previous records in 2026) creates a triage problem that humans cannot solve at the speed required. Security teams must evaluate, prioritize, test, and deploy patches across heterogeneous infrastructure — a process that inherently takes longer than the time threat actors need to develop and deploy working exploits.
The CISA KEV Catalog in Context
CISA's Known Exploited Vulnerabilities catalog is considered one of the most actionable vulnerability prioritization signals available to defenders. CISA adds entries only when it has evidence of active in-the-wild exploitation, making KEV inclusion a strong signal that a vulnerability is already being weaponized.
Federal agencies are required to remediate KEV entries within defined timelines (typically 14 days for internet-facing systems). The Qualys data suggests that even this elevated urgency is insufficient in many cases — exploitation is often already underway within the KEV addition window itself.
What This Means for Security Teams
The findings point to a structural mismatch between the speed of the threat landscape and the speed of human-driven security operations:
| Factor | Threat Actor Side | Defender Side |
|---|---|---|
| Time to weaponize a disclosed CVE | Hours to days (increasingly automated) | |
| Time to patch an enterprise system | | Days to weeks (testing, change control, deployment) |
| Exploitation window | Opens at disclosure or KEV addition | |
| Remediation window | | Closes after patch is deployed |
The gap between these timelines means defenders are systematically operating inside threat actor decision cycles — a problem that individual effort cannot solve at scale.
Implications for Vulnerability Management Programs
The analysis reinforces several priorities that security leaders should accelerate:
1. Automated Patching for Critical Systems
For internet-facing systems and high-value targets, automated patch deployment without manual gating is becoming a necessity rather than a risk. Change control processes designed for operational stability must be re-evaluated in the context of exploitation timelines.
2. Risk-Based Prioritization Over CVSS Scores
CVSS scores alone are insufficient for prioritization — the Qualys data reinforces that KEV inclusion, EPSS scores, and asset exposure are better predictors of imminent exploitation than severity ratings.
3. Continuous Exposure Management
Point-in-time vulnerability scanning is insufficient when exploitation windows are measured in days. Continuous exposure management — real-time asset inventory, continuous scanning, and automated risk scoring — is necessary to maintain situational awareness at the speed required.
4. AI-Assisted Triage
The scale of the problem — billions of remediation events, thousands of new CVEs annually — is one where AI-assisted triage and prioritization can genuinely improve outcomes. Several vendors and open-source tools are now integrating LLM-based analysis to accelerate vulnerability assessment.
The Growing CVE Volume Problem
The volume of CVEs is not slowing down. 2026 is on track to set new records for vulnerabilities published, driven by:
- Expanded NVD and MITRE intake pipelines
- Growth in bug bounty programs surfacing previously unknown vulnerabilities
- AI-assisted vulnerability discovery tools lowering the research barrier
- Broader attack surface as software proliferates across more systems
Against this backdrop, the Qualys analysis is a data-backed confirmation that human-scale security operations cannot keep pace without systematic automation, smarter prioritization, and organizational acceptance that patching speed must increase.
What Organizations Should Do
- Treat CISA KEV additions as emergency patches — establish an automatic fast-track remediation process triggered by new KEV entries
- Implement continuous vulnerability scanning rather than periodic scan cycles
- Adopt risk-based prioritization using KEV + EPSS + asset criticality as primary inputs
- Automate patch deployment for internet-facing and critical systems where possible
- Measure mean time to patch (MTTP) for KEV entries specifically and set reduction targets
- Reduce approval chain friction for security-critical patches — not all patches require the same change control rigor
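As an added example (not code from the Qualys report or from CISA), the risk-based prioritization and KEV-specific MTTP measurement described in the two lists above, in Python. The KEV feed rows, EPSS probabilities and scanner findings are constructed samples, and the score weights are assumptions to be tuned to an organization's own risk model.

```python
from datetime import date
from statistics import mean

# Constructed sample shaped like the CISA KEV JSON feed (real field names: cveID, dateAdded, dueDate).
KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2026-03-02", "dueDate": "2026-03-23"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-03-10", "dueDate": "2026-03-31"},
]}
# Constructed EPSS exploitation probabilities (the FIRST EPSS API reports an "epss" value per CVE).
EPSS = {"CVE-0000-0001": 0.91, "CVE-0000-0002": 0.07, "CVE-0000-0003": 0.40}
# Constructed scanner findings, one row per (asset, CVE); exposure and criticality come from inventory.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0003", "cvss": 9.8, "internet_facing": True,
     "criticality": 3, "detected": "2026-03-01", "patched": None},
    {"asset": "db-07", "cve": "CVE-0000-0001", "cvss": 7.5, "internet_facing": False,
     "criticality": 5, "detected": "2026-03-02", "patched": "2026-03-20"},
    {"asset": "vpn-02", "cve": "CVE-0000-0002", "cvss": 6.5, "internet_facing": True,
     "criticality": 4, "detected": "2026-03-10", "patched": "2026-03-14"},
    {"asset": "app-03", "cve": "CVE-0000-0002", "cvss": 6.5, "internet_facing": False,
     "criticality": 2, "detected": "2026-03-10", "patched": None},
]

def kev_index(kev):
    return {v["cveID"]: v for v in kev["vulnerabilities"]}

def risk_score(finding, kev_ids, epss):
    """Assumed weights: KEV inclusion dominates, then EPSS and exposure; CVSS is a weak tiebreaker."""
    score = 100.0 if finding["cve"] in kev_ids else 0.0   # confirmed in-the-wild exploitation
    score += 50 * epss.get(finding["cve"], 0.0)            # exploitation probability
    score += 10 * finding["criticality"]                   # asset value on a 1..5 scale
    score += 20 if finding["internet_facing"] else 0       # exposure
    score += finding["cvss"]                               # severity as a minor signal only
    return score

def prioritize(findings, kev, epss):
    """Open findings, highest risk first: a KEV entry outranks a CVSS 9.8 that is not in KEV."""
    kev_ids = set(kev_index(kev))
    open_findings = [f for f in findings if f["patched"] is None]
    return sorted(open_findings, key=lambda f: risk_score(f, kev_ids, epss), reverse=True)

def kev_mttp_days(findings, kev):
    """Mean time to patch in days, measured over patched findings for KEV entries only."""
    kev_ids = set(kev_index(kev))
    days = [(date.fromisoformat(f["patched"]) - date.fromisoformat(f["detected"])).days
            for f in findings if f["cve"] in kev_ids and f["patched"]]
    return mean(days) if days else None

def overdue_kev(findings, kev, today_iso):
    """Open KEV findings past the catalog dueDate: candidates for the fast-track remediation path."""
    idx, today = kev_index(kev), date.fromisoformat(today_iso)
    return sorted({f["cve"] for f in findings if f["patched"] is None and f["cve"] in idx
                   and date.fromisoformat(idx[f["cve"]]["dueDate"]) < today})
```

With the sample data, the open KEV finding on a low-criticality internal host ranks above the open CVSS 9.8 finding that is not in KEV, and the KEV-only MTTP is reported separately from the overall patch backlog.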