Patch gap analysis reveals defenders cannot keep pace with exploitation of critical vulnerabilities
Qualys analysed one billion CISA KEV (Known Exploited Vulnerabilities) remediation records and found that most critical flaws are actively exploited in the wild before organisations can deploy patches. This exposes a fundamental timing mismatch between vulnerability disclosure and attacker speed.
Qualys' analysis of one billion remediation records from CISA's Known Exploited Vulnerabilities catalogue reveals a structural failure in how defenders respond to critical threats. The core finding is damning: most vulnerabilities designated as critical and actively exploited in the wild are compromised before patches reach production systems. This is not a vendor problem or a process oversight. It reflects the mathematics of scale.
The timing asymmetry is stark. Attackers operate at machine speed. Patch deployment across heterogeneous infrastructure, testing cycles, change management approvals, and the sheer logistical challenge of coordinating updates across thousands of systems means defenders operate at human speed. When a vulnerability is disclosed and immediately exploited, even a 48-hour patch cycle is too slow if an attacker has already gained initial access within hours.
The implications cut across three areas. First, organisations relying on patch-as-primary-defence are adopting a losing strategy for critical exposures. Second, CISA KEV data shows that attackers have shifted to exploiting known, documented flaws rather than investing in zero-day development. This is a rational choice: a documented flaw that defenders have not yet patched is cheaper and more reliable to exploit than a newly developed zero-day. Third, enterprises with immature vulnerability management processes are facing existential risk. The patch lag is not uniform; organisations with strong segmentation, rapid patching infrastructure, and detection capabilities will fare better than those with manual processes.
Defenders should prioritise compensating controls over remediation speed where feasible: network segmentation, privileged access management, behaviour-based detection, and incident response readiness. Patching remains essential but must be accompanied by the assumption of compromise. Organisations should also adopt a vulnerability severity model that weighs business context rather than relying on CVSS scores alone. A critical vulnerability affecting an isolated system differs materially from one affecting customer-facing infrastructure. The one billion KEV remediation records represent both the visibility problem and the capacity problem in information security.
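As an added example (not from the Qualys analysis or this article), the following Python measures the patch gap described above against KEV listing dates, flags hosts that were still unpatched when exploitation was confirmed, and ranks exposures by business context rather than CVSS alone. The records, hostnames, CVE placeholders and scoring weights are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Exposure:
    cve: str
    host: str
    cvss: float
    customer_facing: bool        # business context that CVSS does not capture
    kev_added: Optional[date]    # date CISA listed the CVE in KEV; None if not listed
    patched: Optional[date]      # date the fix reached this host; None if still open


def patch_gap_days(e: Exposure, today: date) -> Optional[int]:
    """Days from KEV listing to remediation; negative means patched before listing."""
    if e.kev_added is None:
        return None
    return ((e.patched or today) - e.kev_added).days


def exploited_before_patch(e: Exposure, today: date) -> bool:
    """True when the host was still unpatched on the day exploitation was confirmed."""
    return e.kev_added is not None and (e.patched is None or e.patched > e.kev_added)


def priority(e: Exposure) -> float:
    """Context-aware score (illustrative weights): KEV and reachability outweigh raw CVSS."""
    score = e.cvss + (10.0 if e.kev_added is not None else 0.0)
    score *= 1.5 if e.customer_facing else 0.5   # isolated systems are discounted
    return round(score, 1)


def summarise(exposures: List[Exposure], today: date) -> Dict:
    kev = [e for e in exposures if e.kev_added is not None]
    late = [e for e in kev if exploited_before_patch(e, today)]
    ranked = sorted(exposures, key=priority, reverse=True)
    return {
        "kev_exposures": len(kev),
        "exploited_before_patch": len(late),
        "share_late": round(len(late) / len(kev), 2) if kev else 0.0,
        "top": [(e.cve, e.host, priority(e)) for e in ranked[:3]],
    }


# Constructed sample records; CVE ids are placeholders, not real identifiers.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Exposure("CVE-0000-0001", "web-01", 9.8, True, date(2024, 6, 1), date(2024, 6, 10)),
    Exposure("CVE-0000-0001", "db-int", 9.8, False, date(2024, 6, 1), date(2024, 5, 28)),
    Exposure("CVE-0000-0002", "vpn-gw", 7.6, True, date(2024, 6, 20), None),
    Exposure("CVE-0000-0003", "build-07", 9.0, False, None, None),
]
```

Running `summarise(SAMPLE, TODAY)` reports two of the three KEV exposures as exploited before patch and puts the customer-facing hosts at the top regardless of their CVSS ordering.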