Project patchwindow
vulnerability exploitation analysis
Analysis of every CVE in the CISA Known Exploited Vulnerabilities catalog from 2019 onwards, with enriched disclosure, first exploitation, and first publicly reported exploitation dates. Enables like-for-like comparison of vulnerability exploitation across years, so you know what’s changed, and what to prepare for moving forward.
Headline numbers
Key insights on how vulnerability exploitation has changed in 2026.
Seven vulnerability exploitation insights
Mean time-to-exploit excl zero-days: Dec 31 (2026 is predictive)
Time between vulnerability disclosure and exploitation (excludes zero-days), as of December 31st each year
Key insight: the patch window is not collapsing and 2026 mean TTE is on track to be slightly below the historic average
Mean time-to-exploit incl zero-days: Dec 31 (2026 is predictive)
Time between vulnerability disclosure and exploitation (includes zero-days), as of December 31st each year
Key insight: when you include zero-days and negative TTE, 2026 is trending to have a mean TTE 10% greater than the historic average
Zero-day rate: CVE publication year
Percentage of vulnerabilities exploited before CVE publication date, as of Jun 30th each year
Key insight: the zero-day rate for 2026 is slightly below the average when compared to previous years
Mean time-to-exploit: Jun 30 (zero-days and negative TTE included)
Time between vulnerability disclosure and exploitation including zero-days and pre-disclosure exploitations (counted as negative values), as of Jun 30th each year
Key insight: When including zero-days and negative TTE, 2026 has a less negative mean TTE than the historic average.
CVEs exploited: Jun 30
Number of in-scope CVEs that had been both disclosed and exploited by Jun 30th each year
Key insight: total vulnerabilities exploited has increased in 2025 and 2026, however the % of overall vulns exploited is at an all-time low below 0.3%
Top vendors in KEV, zero-day breakdown
Twelve vendors with the most KEV-listed CVEs, split by zero-day vs. non-zero-day
Key insight: most exploited vendors are dominated by widely distributed providers of operating systems, browsers, and edge devices
Mean time-to-exploit: Elapsed
The elapsed mean TTE across all years does not provide a like-to-like comparison between years, and severely biases recent years’ mean TTE downwards due to shorter overall elapsed times
Key insight: a common graph used to falsely claim the mean TTE has collapsed
Going deeper
Search the database
Every in-scope CVE with source-attributed first-exploitation dates. Filter, sort, expand rows for sources, export the full CSV.
Year-by-year snapshots
Features snapshots that include and exclude negative TTE values.
Insights & analysis
Long-form analysis of what the data shows. Updated as new patterns emerge.
Methodology
Purpose, scope, definitions, confidence model, source rules, and known limitations.