Insights

What the data actually says

Long-form analysis of patterns the snapshots make visible: how the patch window, exploitation volume, and zero-day rate has changed over time, and what that means for patch management programs moving forward.

The patch window is not collapsing

You’ve probably heard the headline: "the patch window has collapsed," "mean time-to-exploit is trending towards zero," "AI-enabled exploitation is closing the gap to minutes." The implication is that defenders are losing a race that’s already over, however the data tells a more nuanced story.

The chart below shows mean time-to-exploit (excluding zero-days) as of December 31st for every CVE publication year from 2019 onwards. Each year’s value is measured at the same point in time relative to each year, which removes the bias that creeps in when you look at older CVEs that have had years of subsequent elapsed time. The snapshot includes a predictive 2026 year-end value based on the current trajectory.

Mean time-to-exploit — Dec 31 (year-over-year, like-for-like)

Time between vulnerability disclosure and exploitation, excluding zero-days. Snapshot taken at December 31st each year. 2026 is predictive.

What you see is not a collapse. The mean patch window has remained remarkably steady at an average of 52.5 days. The 2026 prediction lands at 47.5 days, marginally below the current average.

So where does the "collapsing patch window" narrative come from? Mostly from looking at the data the wrong way. The chart below shows the same dataset using elapsed mean TTE, which is the value calculated against today’s date for every CVE, regardless of when it was published.

Mean time-to-exploit — Elapsed (the misleading view)

Mean signed TTE for each year’s CVEs measured against today, including zero-days and pre-disclosure exploitation. This is what gets cited as proof the patch window is collapsing.

This is a dramatic-looking curve: from 412 days in 2019 down to −13 days in 2026 — dipping below zero because, on average, 2026 CVEs are being exploited before public disclosure. It looks like an open-and-shut case for "the patch window is rapidly closing", but the curve is not really measuring exploitation speed, it’s measuring how recent each CVE is. A 2019 CVE has had nearly seven years to accumulate observed exploitation events. A 2026 CVE has had a few months. Any per-year statistic that doesn’t control for elapsed time will mechanically decline year over year, regardless of what attackers are actually doing.

The like-for-like comparison, like what does the May 2019 view of 2019 CVEs look like compared to the May 2024 view of 2024 CVEs?, gives the honest answer. And on that view, the patch window has held remarkably steady at an average of around 52.5 days for the better part of a decade.

That doesn’t mean nothing has changed. Mean TTE has been gradually decreasing the past few years and will likely continue to do so. Total exploited CVEs have also risen recently in absolute terms. But the headline claim, that the mean time-to-exploit is rapidly trending towards zero (or below), isn’t what the data shows. It’s what an artifact of measurement looks like.

The full year-by-year breakdown is on the snapshots page. Methodology and the rationale for point-in-time snapshots is documented on the methodology page.

3 vendors account for almost half of all zero-days

A zero-day CVE in this dataset is one where exploitation was observed at or before the date of public disclosure (TTE of zero or less). In the in-scope population there are 614 of them across 1,196 entries, which is a 51.3% zero-day rate overall.

The chart below ranks the top 12 vendors by absolute number of zero-day CVEs in the dataset, with each vendor’s in-population zero-day rate shown on hover.

Top vendors by zero-day count

CVEs first exploited at or before public disclosure (TTE of zero or less), top 12 vendors. Hover for the per-vendor rate.

Microsoft, Apple, and Google together account for 294 of the 614 zero-day CVEs in the dataset, which is just under 48% of the entire zero-day population, highlighting just how often threat actors target and exploit these vendors products. The top 12 vendors account for around 65%. The remaining one-third is split across the other 100-plus vendors in the catalog.

The per-vendor rate is also striking. Microsoft sits at 68% zero-day rate within its own KEV population, Apple at 86%, Google at 92%, and Mozilla and Qualcomm at over 90%. For these key vendors, zero-days are the norm, not the exception.

Filter the database by vendor and check the TTE column for "0d" badges to see the underlying CVEs for any vendor in this list.

Enterprise edge appliances carry a zero-day premium

A common claim is that network edge appliances (VPNs, firewalls, file-transfer gateways) skew heavily toward zero-day exploitation. The reality is more nuanced: the category as a whole isn’t the highest-risk population in the dataset, but a specific subset of enterprise edge vendors carries a notable premium.

The chart below shows the zero-day rate for every edge-network vendor with at least 5 CVEs in the dataset, sorted from highest to lowest. The dotted line shows the dataset-wide zero-day baseline (51.3%).

Zero-day rate by edge-network vendor

Share of each vendor’s in-scope CVEs that were exploited at or before disclosure. Vendors with at least 5 CVEs in the dataset.

The pattern at the top of the chart is hard to ignore. Sophos, Fortinet, Trend Micro, Ivanti, and SonicWall all sit at 53% zero-day rate or higher, above the dataset baseline. These are vendors whose products sit on the network perimeter, are reachable from the internet by design, and run in environments where patching requires planned maintenance windows that attackers price into their operations.

The flip side is just as interesting. Consumer and small-office network gear (D-Link, TP-Link, QNAP) sits well below the baseline at around 20-25%. These vendors do appear in the KEV catalog, but their exploitation typically shows up well after disclosure as opportunistic mass-scanning catches up with unpatched fleets.

For asset prioritisation, the implication is that internet-facing enterprise network appliances need to be treated as zero-day risk surfaces by default, not as standard patch periodically infrastructure.

Filter the database by any of these vendors to see the underlying CVEs and their first-exploitation dates.

The vendors with the shortest patch windows

Not every vendor gives defenders the same amount of breathing room. Once zero-days and pre-disclosure exploitation are stripped out, the mean time-to-exploit varies enormously by vendor. The chart below ranks the ten vendors with the shortest mean TTE among CVEs that were exploited after disclosure, restricted to vendors with more than five such CVEs in the dataset (to filter out noise from one-off incidents).

Top 10 vendors by shortest mean time-to-exploit

Mean TTE in days, excluding zero-days and pre-disclosure exploitation, for vendors with more than five qualifying CVEs. Hover for the CVE count behind each vendor.

The top of the chart shows two vendors with patch windows under 30 days: SolarWinds at around 26 days and Palo Alto Networks at 30 days. These are vendors whose CVEs, once disclosed, get exploited fast. This likely reflects a combination of the type of products they ship (internet-facing network gear and remote-management software) and the subsequent attacker interest in them. Either way, treat patch advisories from these vendors as a priority.

The contrast with the bottom of the chart is stark. Microsoft, VMware, and others sit in the hundreds of days. That doesn’t mean their CVEs are less serious, it means the population of post-disclosure exploitations is dominated by long-tail exploitation years after release.

The chart above leaves out zero-days and pre-disclosure exploitation by design, so it answers a specific question: when a vendor’s CVEs are patchable on disclosure, how long do defenders actually have. The chart below answers a different one. It includes zero-days and negative TTE, keeping the same minimum sample size of five CVEs, and shows the top ten vendors by lowest mean time-to-exploit across the full distribution.

Top 10 vendors by lowest mean time-to-exploit (zero-days and negative TTE included)

Mean signed TTE in days across all in-scope CVEs, including zero-days and pre-disclosure exploitation, for vendors with at least five CVEs in the dataset. Hover for the CVE count behind each vendor.

Mozilla sits at the top with a mean signed TTE of around minus ninety days. Effectively all of its KEV CVEs were exploited well before public disclosure. SolarWinds and Apple round out the net-negative tier, with mean signed TTE in the −20 to −35 day range. These are vendors whose exposure does not show up in the first chart because most of their KEV entries fall into the zero-day or pre-disclosure bucket that the first chart filters out.

SolarWinds appears prominently in both charts, which is worth a moment of attention. It has fast post-disclosure exploitation when its CVEs are patchable on disclosure, and a strongly negative signed mean when the full distribution is considered. That combination is unusual and reflects the vendor’s outsized role in supply-chain incidents.

Vendors are limited to those with more than five non-zero-day, non-negative-TTE CVEs in the in-scope dataset.