
What the shrinking time-to-exploit means for your organisation

The time-to-exploit is shrinking from a year to just over a day, and possibly to hours. What that means for your IT, your organisation and your security awareness programme.

The time-to-exploit is the time between a vulnerability becoming known and the first actual abuse by attackers. According to the Zero Day Clock it fell from almost a year in 2021 to around a day and a half today, and it is expected to shrink further towards hours, partly driven by ever more powerful AI. Monthly patch cycles are therefore no longer enough: the speed of patching, detection and reporting becomes decisive, and your employees play a bigger role in this than you might think.

From insight to action

See how 2LRN4 translates this into a measurable security awareness programme with demonstrable results.

View the programme page

What is the time-to-exploit and why is it shrinking?

The time-to-exploit is the time that passes between the moment a vulnerability becomes known and the moment it is first demonstrably abused. The Zero Day Clock tracks this across more than 83,000 vulnerabilities, based on sources such as the CISA Known Exploited Vulnerabilities list, ExploitDB and Metasploit. The picture is unmistakable: where attackers still needed almost a year in 2021, that time has now fallen to around a day and a half.

The makers of the Zero Day Clock expect this decline to continue, towards hours and eventually even minutes. The main driver is the rise of ever more powerful AI models, which speed up the writing of working exploit code. That part is an expectation rather than an established fact, but the direction is clear. A second signal points the same way: more than 70 percent of exploited vulnerabilities are now zero-days, which means abuse often begins before a patch is even available.

Key terms in brief
  • Vulnerability: a weak spot in software that lets an attacker get in.
  • Patching: a software update that closes such a weak spot.
  • Exploit: the code or technique an attacker uses to abuse a weak spot.
  • Zero-day: a vulnerability that is already being abused before an update for it exists.
  • Virtual patching: an extra filter that blocks the attack without changing the vulnerable software itself, so you buy time until the real update is ready.
  • Network segmentation: dividing your network into sections so that an attack cannot spread freely.
  • MFA: logging in with more than just a password, for example also a code or a confirmation on your phone.

What this means for your IT organisation

The most important consequence is that the classic patch rhythm is no longer tenable. A process that assumes patching within thirty days, or even within a week, is simply lagging behind the facts when abuse begins within a day and a half. That calls for a different way of working.

In practice this means you prioritise based on what is actually being abused, for example using the CISA KEV list as a guide, instead of blindly working through all CVE scores. It also means you can only manage your vulnerabilities once you know what you have: an up-to-date overview of your systems and software is no longer a luxury. And where you cannot patch fast enough, you buy time with interim solutions such as virtual patching, network segmentation and temporarily shielding exposed services. Finally, the centre of gravity shifts from prevention to rapid detection and response, because there are some attacks you will not be ahead of.
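One way to turn the KEV-first prioritisation described above into a repeatable check, as an added example that is not part of the original article: it joins a feed in the shape of the CISA KEV JSON against scanner findings for your inventory and ranks by observed exploitation and exposure before CVSS. The feed entries, hosts and CVE ids are constructed placeholders, and the 36-hour window is the article's day-and-a-half figure used as a threshold.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed KEV-shaped feed: field names follow the public CISA KEV JSON,
# but the entries and CVE ids are placeholders, not real vulnerabilities.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor",
     "product": "Gateway", "dateAdded": "2024-05-01", "dueDate": "2024-05-22"},
    {"cveID": "CVE-0000-1002", "vendorProject": "ExampleVendor",
     "product": "Mailer", "dateAdded": "2024-05-02", "dueDate": "2024-05-23"},
]})

# Constructed scanner findings for the asset inventory (host, CVE, CVSS, exposure).
INVENTORY = [
    {"host": "vpn-01", "cve": "CVE-0000-1001", "cvss": 7.2, "internet_exposed": True},
    {"host": "mail-01", "cve": "CVE-0000-1002", "cvss": 6.5, "internet_exposed": False},
    {"host": "intranet-03", "cve": "CVE-0000-9999", "cvss": 9.8, "internet_exposed": False},
]

def load_kev(raw):
    """Index a KEV-shaped feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritise(findings, kev, now, window=timedelta(hours=36)):
    """Rank findings: known-exploited first, then internet-exposed, then CVSS. The 36-hour
    window is the article's 'day and a half': an older KEV entry on an exposed host
    gets an interim measure on top of the patch."""
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        in_kev = entry is not None
        overdue = False
        if in_kev:
            added = datetime.fromisoformat(entry["dateAdded"]).replace(tzinfo=timezone.utc)
            overdue = now - added > window
        action = "patch now" if in_kev else "schedule in normal cycle"
        if overdue and f["internet_exposed"]:
            action = "patch now + interim measure (virtual patch or shield)"
        ranked.append({**f, "in_kev": in_kev, "overdue": overdue, "action": action})
    # CVSS only breaks ties: a 9.8 that nobody exploits ranks below an exploited 6.5.
    ranked.sort(key=lambda r: (not r["in_kev"], not r["internet_exposed"], -r["cvss"]))
    return ranked

def demo():
    """Run the ranking at a fixed, constructed 'now' and return (host, action) pairs."""
    now = datetime(2024, 5, 4, tzinfo=timezone.utc)
    return [(r["host"], r["action"]) for r in prioritise(INVENTORY, load_kev(KEV_JSON), now)]

if __name__ == "__main__":
    for host, action in demo():
        print(host, action)
```

Note how the CVSS 9.8 finding lands last: it is not in the exploited feed, so it goes to the normal cycle while the exploited 6.5 on the exposed VPN host is handled first.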

What this means for your organisation as a whole

A shrinking time-to-exploit is not just an IT department problem. It affects the continuity of your entire organisation, because a successful attack brings processes to a halt, hits customers and costs money and trust. That makes it a topic for the board, and not only because of the technology. Under the NIS2 Directive and its national transpositions, demonstrable risk management is, after all, a board responsibility.

Moreover, the human factor does not disappear now that exploits arrive faster. Many attacks still begin with an employee who clicks a link, opens an attachment or gives away credentials, after which a vulnerability is used to go further. Faster exploits actually make the consequences of that first human mistake greater, because there is less and less time between the mistake and the damage. Where you once had days to notice a slip and intervene, a single wrong click can now lead to an incident within a day.

Layered security and why your employees make the difference

Good security works in layers: technology, processes and people together catch what a single measure misses. Patching is one of the most important layers, but no single layer is watertight. With a zero-day there is no patch yet, and if patching does not succeed in time, that layer temporarily falls away. That is precisely when the human layer comes into play.

So why do employees make the difference? Because an attack, even when technology does not stop it, often still needs a human action to truly get in: a click on a link, the opening of an attachment or the disclosure of credentials. And once an attack is under way after all, an alert employee who raises the alarm in time is often the only layer that still buys time. The shorter the time-to-exploit, the more weight that human layer carries, because there is less and less time between the break-in and the damage.

What you do with this in your security awareness programme

Precisely because the time windows are shrinking, behaviour becomes more important rather than less. There are four things you can take into your programme straight away.

Make fast reporting the norm. The shorter the time-to-exploit, the more value every minute has between the moment an employee sees something suspicious and the moment it reaches IT. So train not only recognition, but above all immediate reporting. Teach employees what to do and not do at such a moment: do not click, do not forward and do not clean up the device themselves, but immediately pass the suspicious email or alert on to the reporting point. Speed counts more heavily than certainty here, so when in doubt they should report too much rather than too little.

Shrink the human entry point. A large share of attacks begins with phishing or stolen credentials. Every successful phishing attempt you prevent is an exploit that never even gets in. Awareness of phishing, MFA and suspicious login alerts thus lowers the chance that the short patch window plays any role at all.

Bring patching behaviour into the culture. Awareness is not only about phishing. Teach employees that updates on their laptop and phone are not a notification to be postponed but a direct defence, especially now that abuse can follow within days or hours.

Use the figure to create urgency. The drop from a year to a day and a half is a powerful story towards the board and IT. It makes concrete why investing in fast patching and in awareness is not a luxury but a necessity. Presented honestly, with the source included, it convinces better than abstract threat language.

One reporting point that everyone knows

Fast reporting only works if reporting is easy. So ask yourself whether your organisation has one reporting point that everyone knows, and not just the IT department. In practice this works best with one recognisable route: a report button in the mail environment, a fixed address such as report@yourcompany.com, or a phone number that is always staffed. The less an employee has to think about where and how, the sooner the report comes in.

Two conditions make such a reporting point truly low-threshold. It must be known to everyone, so repeat it in onboarding, in internal communication and in the places where people work, and not once a year. And it must be free of blame, because employees only report quickly if they know they will not be held to account for a mistake or a false alarm. Ten false reports are less bad than one missed real attack. In a world where abuse begins within a day and a half, that familiar, low-threshold reporting point is one of your most important layers of defence.

The common thread

The time-to-exploit is shrinking faster than most organisations adapt their processes. Technology alone cannot keep up with that pace, because there are some attacks you simply will not be ahead of. That is why the combination is decisive: faster patching and detection on the technical side, and faster recognition and reporting on the human side. An awareness programme that genuinely changes behaviour gives you the most precious minutes within that shrinking time window.

Sources for further reading

Want to follow the figures live? Take a look at the Zero Day Clock, which tracks the time-to-exploit across more than 83,000 vulnerabilities. The underlying data comes from sources including the CISA KEV catalogue and the National Vulnerability Database (NVD).


FAQ

What is the time-to-exploit?

The time-to-exploit is the time between a vulnerability becoming known and the first demonstrable abuse by attackers. It is a measure of how quickly attackers manage to put a new flaw to use. According to the Zero Day Clock it fell from almost a year in 2021 to around a day and a half today.

Why is the time-to-exploit shrinking so fast?

Attackers are automating the creation of exploit code ever further, and the expectation is that increasingly powerful AI models will accelerate this even more. In addition, a growing share of exploited vulnerabilities are zero-days, where abuse begins before a patch is available.

What do you do when patching cannot be done fast enough?

Prioritise based on what is actually being abused, keep an up-to-date overview of your systems, and buy time with interim solutions such as virtual patching, segmentation and temporarily shielding exposed services. In addition, shift attention towards fast detection and response.

How does security awareness help with a short time-to-exploit?

Many attacks begin with a human action, such as clicking a phishing link. Awareness lowers the chance that an attack gets in and ensures that employees report suspicious signals more quickly. In a shrinking time window, that time gained is crucial.

Why do you need one known reporting point?

Because fast reporting only works if reporting is easy. One recognisable, low-threshold route that everyone knows, for example a report button or a fixed address, shortens the time between the suspicious signal and the response. When nobody is blamed for a report, people report sooner and more readily, and it is precisely those minutes that count when the time-to-exploit is short.

Want help with implementation?

Book a short demo or discuss your use case. We respond quickly.