Insights

What the data actually says.

Long-form analysis of patterns the snapshots make visible: how the patch window, exploitation volume, and zero-day rate have changed over time, and what that means for patch management programs moving forward.

The patch window is not collapsing.

You’ve probably heard the headline: "the patch window has collapsed," "mean time-to-exploit is trending towards zero," "AI-enabled exploitation is closing the gap to minutes." The implication is that defenders are losing a race that’s already over. The data tells a more nuanced story.

The chart below shows mean time-to-exploit (excluding zero-days) as of December 31st of the publication year, for every CVE publication year from 2018 onwards. Measuring each year at the same point in time relative to its own CVEs removes the bias that creeps in when older CVEs have simply had more years to accumulate observed exploitation events. The snapshot includes a predictive 2026 year-end value based on the current trajectory.

Mean time-to-exploit — Dec 31 (year-over-year, like-for-like)

Time between vulnerability disclosure and exploitation, excluding zero-days. Snapshot taken at December 31st each year. 2026 is predictive.

What you see is not a collapse. The mean patch window expanded sharply from 2018 to 2021 (13 days → 68 days), then settled into a band roughly between 40 and 70 days for the last five years. The 2026 prediction lands at 40 days, which is comfortably inside that band and meaningfully longer than the 2018-2020 window. There is no clean downward trend.

So where does the "collapsing patch window" narrative come from? Mostly from looking at the data the wrong way. The chart below shows the same dataset using elapsed mean TTE, which is the value calculated against today’s date for every CVE, regardless of when it was published.

Mean time-to-exploit — Elapsed (the misleading view)

Mean TTE for each year’s CVEs measured against today. This is what gets cited as proof the patch window is collapsing.

This is a dramatic-looking curve: from 1,100 days in 2018 down to about 12 days in 2026. It looks like an open-and-shut case for "the patch window is rapidly closing". But the curve is not really measuring exploitation speed; it is measuring how recent each CVE is. A 2018 CVE has had nearly eight years to accumulate observed exploitation events. A 2026 CVE has had a few months. Any per-year statistic that doesn’t control for elapsed time will mechanically decline year over year, regardless of what attackers are actually doing.

The like-for-like comparison (how did 2018 CVEs look in May 2018, compared with how 2024 CVEs looked in May 2024?) gives the honest answer. On that view, the patch window has held remarkably steady at roughly 40–70 days for half a decade.
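The two views above differ only in the "as of" date used for each publication year. The script below, added here as an illustration and not part of the site's own pipeline, builds a constructed sample in which every year gets exactly the same spread of disclosure-to-exploitation delays, then computes both the like-for-like snapshot (each year measured on 31 December of that year) and the elapsed view (every year measured against one fixed "today"). Because attacker behaviour is held constant by construction, the steady snapshot line and the sharply declining elapsed line show the measurement artifact in isolation. The dates, delays and record layout are all assumptions made for the example.

```python
from datetime import date, timedelta

# Publication years covered by the page's charts.
YEARS = range(2018, 2027)

# Constructed sample (not real CVE data): every publication year gets the SAME
# spread of delays, in days from public disclosure to first observed
# exploitation. Zero or negative delays are zero-days. Attacker behaviour is
# deliberately identical across years, so any per-year difference between the
# two views below is pure measurement artifact.
DELAYS = [-3, 0, 2, 7, 14, 30, 60, 120, 200, 300, 500, 800, 1200, 2000]

# Fixed "today" for the elapsed view so the example is reproducible (assumed).
TODAY = date(2026, 6, 30)


def build_sample():
    """Return constructed records {published, exploited} for each year.

    Half of each year's CVEs are disclosed on 1 January and half on 1 July,
    so some exploitation events land after the year-end snapshot and some
    2026 disclosures land after TODAY (both edge cases mean_tte must handle).
    """
    records = []
    for year in YEARS:
        for month in (1, 7):
            published = date(year, month, 1)
            for delay in DELAYS:
                records.append({"published": published,
                                "exploited": published + timedelta(days=delay)})
    return records


def is_zero_day(rec):
    """Page definition: exploitation observed at or before disclosure (TTE <= 0)."""
    return rec["exploited"] <= rec["published"]


def tte_days(rec):
    return (rec["exploited"] - rec["published"]).days


def mean_tte(records, year, as_of):
    """Mean TTE (days) for CVEs published in `year`, as known on `as_of`.

    Only CVEs already disclosed by `as_of` are in the population, and only
    exploitation already observed by `as_of` counts. A CVE whose exploitation
    has not been seen yet is unknown, not "never exploited", so it is left
    out rather than counted as a long TTE. Zero-days are excluded throughout.
    """
    ttes = [tte_days(r) for r in records
            if r["published"].year == year
            and r["published"] <= as_of
            and r["exploited"] <= as_of
            and not is_zero_day(r)]
    return sum(ttes) / len(ttes) if ttes else None


def snapshot_view(records):
    """Like-for-like: each year measured on 31 December of that same year."""
    return {y: mean_tte(records, y, date(y, 12, 31)) for y in YEARS}


def elapsed_view(records, today=TODAY):
    """The misleading view: every year measured against the same 'today'."""
    return {y: mean_tte(records, y, today) for y in YEARS}


if __name__ == "__main__":
    recs = build_sample()
    snap, elapsed = snapshot_view(recs), elapsed_view(recs)
    print(f"{'year':>4} {'snapshot':>9} {'elapsed':>9}")
    for y in YEARS:
        print(f"{y:>4} {snap[y]:>9.1f} {elapsed[y]:>9.1f}")
```

Run as-is, the snapshot column is identical for every year while the elapsed column falls from several hundred days for 2018 to a few weeks for 2026, which is exactly the shape of the "collapsing patch window" curve. The filter `r["exploited"] <= as_of` is the step that matters: the elapsed view is not wrong about what it counts, it just gives older years far more time to fill in the tail.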

That doesn’t mean nothing has changed. Total exploited CVEs have risen recently in absolute terms. Edge devices skew the distribution. But the headline claim, that the mean time-to-exploit is rapidly trending towards zero, isn’t what the data shows. It’s what an artifact of measurement looks like.

The full year-by-year breakdown is on the snapshots page. The methodology and the rationale for point-in-time snapshots are documented on the methodology page.

3 vendors account for almost half of all zero-days.

A zero-day CVE in this dataset is one where exploitation was observed at or before the date of public disclosure (TTE of zero or less). In the in-scope population there are 689 of them across 1,262 entries, which is a 54.6% zero-day rate overall. The common assumption is that zero-day pressure is spread broadly across the vendor landscape. It isn’t.

The chart below ranks the top 12 vendors by absolute number of zero-day CVEs in the dataset, with each vendor’s in-population zero-day rate shown on hover.

Top vendors by zero-day count

CVEs first exploited at or before public disclosure (TTE of zero or less), top 12 vendors. Hover for the per-vendor rate.

Microsoft, Apple, and Google together account for 333 of the 689 zero-day CVEs in the dataset, just over 48% of the entire zero-day population. The top 12 vendors account for around 68%; the remaining third or so is split across the other 100-plus vendors in the catalog.

The per-vendor rate is also striking. Microsoft sits at a 79% zero-day rate within its own KEV population, Apple at 84%, Google at 90%, and Mozilla and Qualcomm at over 90%. For these key vendors, zero-days are the norm, not the exception.

Filter the database by vendor and check the TTE column for "0d" badges to see the underlying CVEs for any vendor in this list.

Enterprise edge appliances carry a zero-day premium.

A common claim is that network edge appliances (VPNs, firewalls, file-transfer gateways) skew heavily toward zero-day exploitation. The reality is more nuanced: the category as a whole isn’t the highest-risk population in the dataset, but a specific subset of enterprise edge vendors carries a notable premium.

The chart below shows the zero-day rate for every edge-network vendor with at least 5 CVEs in the dataset, sorted from highest to lowest. The dotted line shows the dataset-wide zero-day baseline (54.6%, the 689-of-1,262 figure above).

Zero-day rate by edge-network vendor

Share of each vendor’s in-scope CVEs that were exploited at or before disclosure. Vendors with at least 5 CVEs in the dataset.

The pattern at the top of the chart is hard to ignore. SonicWall, Fortinet, Ivanti, F5, Palo Alto, VMware, and Citrix all post zero-day rates of 53% or higher, at or above the dataset baseline. These are vendors whose products sit on the network perimeter, are reachable from the internet by design, and run in environments where patching requires planned maintenance windows that attackers price into their operations.

The flip side is just as interesting. Consumer and small-office network gear (D-Link, TP-Link, Zyxel, QNAP) sits well below the baseline at 0% to 30%. These vendors do appear in the KEV catalog, but their exploitation typically shows up well after disclosure as opportunistic mass-scanning catches up with unpatched fleets.

For asset prioritisation, the implication is that internet-facing enterprise network appliances need to be treated as zero-day risk surfaces by default, not as standard patch-on-Tuesday infrastructure.
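The per-vendor figures in this section and the zero-day definition given earlier (first exploitation at or before disclosure, TTE of zero or less) come down to one small calculation. The script below is an added example, not the site's own code, and runs over a constructed sample with placeholder vendor names rather than the real catalog. It applies the TTE <= 0 rule (note that a negative TTE still counts as a zero-day and still renders as the "0d" badge), computes the dataset-wide baseline over the whole in-scope population, and only ranks vendors that clear a minimum-CVE threshold, so that a vendor with two entries cannot post a headline-grabbing 100%. The sample values and the 5-CVE threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample (not the site's data): vendor -> TTE in days for each of
# that vendor's in-scope CVEs. Names are placeholders, not real vendors.
SAMPLE = {
    "edge-a":     [-2, 0, 0, 5, 0, 0],
    "edge-b":     [0, 0, 12, 45, 0, 0, 3, 0],
    "soho-c":     [30, 200, 90, 0, 400, 15],
    "soho-d":     [0, 0],                          # 2 CVEs: 100%, but too few to chart
    "platform-e": [0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
}
RECORDS = [(vendor, tte) for vendor, ttes in SAMPLE.items() for tte in ttes]


def is_zero_day(tte_days):
    """Page definition: first exploitation at or before disclosure, TTE <= 0."""
    return tte_days <= 0


def tte_badge(tte_days):
    """The '0d' badge: zero-days render as 0d even when the raw TTE is negative."""
    return "0d" if is_zero_day(tte_days) else f"{tte_days}d"


def zero_day_baseline(records):
    """Dataset-wide zero-day rate over the whole in-scope population.

    Computed before any vendor threshold is applied, so small vendors still
    count toward the baseline even though they are not charted.
    """
    return sum(is_zero_day(tte) for _, tte in records) / len(records)


def zero_day_rate_by_vendor(records, min_cves=5):
    """Return (vendor, zero_day_rate, cve_count) rows, highest rate first,
    keeping only vendors with at least `min_cves` in-scope CVEs."""
    by_vendor = defaultdict(list)
    for vendor, tte in records:
        by_vendor[vendor].append(tte)
    rows = [(vendor, sum(map(is_zero_day, ttes)) / len(ttes), len(ttes))
            for vendor, ttes in by_vendor.items() if len(ttes) >= min_cves]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def vendors_above_baseline(records, min_cves=5):
    """Vendors that carry a zero-day premium relative to the whole dataset."""
    base = zero_day_baseline(records)
    return [vendor for vendor, rate, _ in zero_day_rate_by_vendor(records, min_cves)
            if rate > base]


if __name__ == "__main__":
    base = zero_day_baseline(RECORDS)
    print(f"baseline: {base:.1%} over {len(RECORDS)} CVEs")
    for vendor, rate, n in zero_day_rate_by_vendor(RECORDS):
        flag = "above" if rate > base else "below"
        print(f"{vendor:<11} {rate:6.1%}  n={n:<3} {flag} baseline")
    print("premium:", vendors_above_baseline(RECORDS))
```

Two checks worth keeping when reproducing the chart from the database: the threshold must be applied after the baseline is computed, not before, or the baseline drifts with the filter; and the comparison should be against the full in-scope population, not just the edge-vendor subset being charted.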

Filter the database by any of these vendors to see the underlying CVEs and their first-exploitation dates.