The Remediation Paradox: More Effort, Worse Outcomes
A landmark study by the Qualys Threat Research Unit (TRU) has quantified what many security teams intuitively suspected: organizations are working harder on vulnerability remediation but achieving less safety. The report, titled "The Broken Physics of Remediation," analyzed over 1 billion CISA KEV remediation records from more than 10,000 organizations spanning 2022 to 2025 — the largest dataset of its kind.
The core finding is striking: closed vulnerabilities grew 6x over the study period (from 73 million in 2022 to 473 million in 2025), yet the percentage of critical vulnerabilities still open at Day 7 increased from 56% to 63%. More remediation activity is producing worse security outcomes.
Key Findings
The Human Ceiling
Qualys calls this phenomenon the "human ceiling" — the structural limit of remediation architectures built around human decision-making speed. As attack surfaces expand and vulnerability volumes grow exponentially, human-paced processes cannot keep pace. The data shows the ceiling is not a future threat; organizations have already hit it.
"Any architecture dependent on human-speed response carries structural risk." — Qualys TRU
Time-to-Exploit Has Gone Negative
Citing Google M-Trends 2026 data, the report notes that average Time-to-Exploit is now negative 7 days — meaning attackers are weaponizing the most critical vulnerabilities before patches even exist. Of the 52 KEV vulnerabilities studied in depth:
- 50% were exploited before public disclosure
- 88% were remediated more slowly than they were exploited
This means the "patch before exploit" model is mathematically broken for the most critical flaws.
Remediation Velocity Breakdown by Year
| Year | Closed Vulns | Critical Open at Day 7 |
|---|---|---|
| 2022 | 73 million | 56% |
| 2023 | ~200 million | 58% |
| 2024 | ~350 million | 61% |
| 2025 | 473 million | 63% |
The data shows a consistent, worsening trend even as absolute remediation volume increased dramatically.
New Metrics Introduced
The report argues that traditional metrics like Mean Time to Remediate (MTTR) are insufficient because they only measure response speed — not cumulative exposure. Qualys introduces two replacement metrics:
Risk Mass
Risk Mass = vulnerable assets × days exposed
This captures the total exposure burden over time, not just whether a vulnerability was eventually closed. A vulnerability left open for 30 days on 100 systems has 10x the risk mass of the same flaw left open for 3 days on the same systems.
Average Window of Exposure (AWE)
AWE is the full duration from exploitability onset to complete remediation across the fleet. It replaces MTTR as the primary KPI because it accounts for the whole period during which attackers hold the advantage, not just how fast defenders act once they notice.
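To make the Risk Mass and AWE definitions above concrete, here is an added example (not Qualys's code or formula implementation) that computes both metrics, alongside MTTR, from a constructed set of per-asset findings; the CVE ids, hostnames and dates are invented sample data.

```python
"""Risk Mass and AWE versus MTTR on a constructed fleet of findings.  Added
illustration of the metrics above, not Qualys's code; CVE ids are placeholders."""
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass(frozen=True)
class Finding:
    cve: str                    # placeholder id, not a real CVE
    asset: str
    exploitable_from: date      # exploitability onset; may precede disclosure
    detected: date              # scanner flagged it; the MTTR clock starts here
    closed: "date | None"       # None = still open on the as-of date

AS_OF = date(2025, 2, 1)        # reporting date for still-open findings
FINDINGS = [
    # VULN-A: exploited in the wild a week before the scanner could see it
    Finding("VULN-A", "srv-01", date(2025, 1, 1), date(2025, 1, 8), date(2025, 1, 10)),
    Finding("VULN-A", "srv-02", date(2025, 1, 1), date(2025, 1, 8), date(2025, 1, 10)),
    Finding("VULN-A", "srv-03", date(2025, 1, 1), date(2025, 1, 8), None),
    # VULN-B: exploitable and detected the same day, fully closed in two days
    Finding("VULN-B", "srv-01", date(2025, 1, 20), date(2025, 1, 20), date(2025, 1, 22)),
    Finding("VULN-B", "srv-02", date(2025, 1, 20), date(2025, 1, 20), date(2025, 1, 22)),
]

def mttr_days(findings):
    """Mean time to remediate: detected -> closed, over closed findings only.
    Open findings and exposure before detection are invisible to this metric."""
    closed = [(f.closed - f.detected).days for f in findings if f.closed]
    return mean(closed) if closed else 0.0

def risk_mass(findings, as_of):
    """Risk Mass = vulnerable assets x days exposed, summed over the fleet.
    Exposure starts at exploitability onset; open findings accrue until as_of."""
    return sum(max(((f.closed or as_of) - f.exploitable_from).days, 0)
               for f in findings)

def awe_days(findings, as_of):
    """Average Window of Exposure: per CVE, from exploitability onset to the
    last remediation across the fleet (as_of if any asset is still open)."""
    by_cve = {}
    for f in findings:
        by_cve.setdefault(f.cve, []).append(f)
    windows = []
    for group in by_cve.values():
        onset = min(f.exploitable_from for f in group)
        end = as_of if any(f.closed is None for f in group) else max(f.closed for f in group)
        windows.append((end - onset).days)
    return mean(windows)
```

On these records MTTR reports a comfortable 2 days, while Risk Mass is 53 asset-days and AWE is 16.5 days, because the week of pre-detection exposure and the still-open srv-03 never enter the MTTR calculation at all.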
The Manual Tax
The report identifies a "Manual Tax" — the inherent latency introduced by human-driven processes at each stage of the remediation pipeline:
Vulnerability published
→ Human reviews scanner output (hours to days)
→ Ticket created in ITSM system (hours)
→ Ticket assigned and acknowledged (hours to days)
→ Patch tested in staging (days to weeks)
→ Patch deployed to production (hours)
→ Verification scan run (hours)
→ Ticket closed (hours)
Each step adds delay. For zero-days exploited before disclosure, the entire pipeline is already behind before it starts.
A Positive Signal
Amid the sobering data, the report identified one positive pattern: 15% of organizations that had operationalized their remediation pipeline were able to patch by the time a vulnerability was added to the CISA KEV catalog. This represents the viable benchmark — proof that the model can work when automation closes the human-speed gap.
The Path Forward: Autonomous Risk Operations
Qualys frames the conclusion as architectural rather than operational: the problem is not that security teams are doing their jobs poorly — it is that the jobs were designed for a threat landscape that no longer exists.
The report calls for a shift from Security Operations Centers (SOC) to Risk Operations Centers (ROC): autonomous, closed-loop systems that:
- Continuously assess exploitability (not just CVE scores)
- Trigger automated remediation without human bottlenecks
- Measure risk mass and AWE, not MTTR
- Prioritize by attacker timelines, not CVSS scores
"The attacker's timeline is the only one that matters — and that timeline is predictable." — Saeed Abbasi, Head of Threat Research, Qualys
Implications for Security Teams
- Stop optimizing MTTR — it measures the wrong thing. Measure AWE and risk mass instead
- Automate the routine — human review should be reserved for high-complexity decisions, not routine patch deployment
- Prioritize by exploitability, not CVSS — a CVSS 6.0 flaw with active KEV exploitation is more urgent than an unweaponized CVSS 9.8
- Acknowledge the ceiling — staffing more people into a broken architecture does not fix the architecture
- Invest in closed-loop pipelines — scan → assess → remediate → verify, without human queues at each stage