Insight · May 2026
The patch window is not collapsing
You’ve probably heard the headline: "the patch window has collapsed,"
"mean time-to-exploit is trending towards zero," "AI-enabled exploitation
is closing the gap to minutes." The implication is that defenders are losing a race
that’s already over, however the data tells a more nuanced story.
The chart below shows mean time-to-exploit (excluding zero-days) as of December 31st
for every CVE publication year from 2019 onwards. Each year’s value is measured at
the same point in time relative to each year, which removes the bias
that creeps in when you look at older CVEs that have had years of subsequent elapsed time.
The snapshot includes a predictive 2026 year-end value based on the current trajectory.
Mean time-to-exploit — Dec 31 (year-over-year, like-for-like)
Time between vulnerability disclosure and exploitation, excluding zero-days. Snapshot taken at December 31st each year. 2026 is predictive.
What you see is not a collapse. The mean patch window has remained
remarkably steady at an average of 52.5 days. The 2026 prediction lands at 47.5 days,
marginally below the current average.
So where does the "collapsing patch window" narrative come from? Mostly from looking
at the data the wrong way. The chart below shows the same dataset using elapsed
mean TTE, which is the value calculated against today’s date for every CVE,
regardless of when it was published.
Mean time-to-exploit — Elapsed (the misleading view)
Mean signed TTE for each year’s CVEs measured against today, including zero-days and pre-disclosure exploitation. This is what gets cited as proof the patch window is collapsing.
This is a dramatic-looking curve: from 412 days in 2019 down to −13 days in
2026 — dipping below zero because, on average, 2026 CVEs are being exploited before
public disclosure. It looks like an open-and-shut case for "the patch window is rapidly closing",
but the curve is not really measuring exploitation speed, it’s measuring
how recent each CVE is. A 2019 CVE has had nearly seven years to
accumulate observed exploitation events. A 2026 CVE has had a few months. Any
per-year statistic that doesn’t control for elapsed time will mechanically
decline year over year, regardless of what attackers are actually doing.
The like-for-like comparison, like what does the May 2019 view of 2019 CVEs look
like compared to the May 2024 view of 2024 CVEs?, gives the honest answer.
And on that view, the patch window has held remarkably steady at an average of
around 52.5 days for the better part of a decade.
That doesn’t mean nothing has changed. Mean TTE has been gradually decreasing
the past few years and will likely continue to do so. Total exploited CVEs have
also risen recently in absolute terms. But the headline claim, that the mean
time-to-exploit is rapidly trending towards zero (or below), isn’t what the data shows.
It’s what an artifact of measurement looks like.
The full year-by-year breakdown is on the
snapshots page. Methodology and the rationale for
point-in-time snapshots is documented on the
methodology page.
Insight · May 2026
3 vendors account for almost half of all zero-days
A zero-day CVE in this dataset is one where exploitation was observed at or
before the date of public disclosure (TTE of zero or less). In the in-scope
population there are 614 of them across 1,196 entries, which is a 51.3%
zero-day rate overall.
The chart below ranks the top 12 vendors by absolute number of zero-day CVEs
in the dataset, with each vendor’s in-population zero-day rate shown on
hover.
Top vendors by zero-day count
CVEs first exploited at or before public disclosure (TTE of zero or less), top 12 vendors. Hover for the per-vendor rate.
Microsoft, Apple, and Google together account for 294 of the 614 zero-day
CVEs in the dataset, which is just under 48% of the entire zero-day population,
highlighting just how often threat actors target and exploit these vendors
products. The top 12 vendors account for around 65%. The remaining one-third
is split across the other 100-plus vendors in the catalog.
The per-vendor rate is also striking. Microsoft sits at 68% zero-day rate
within its own KEV population, Apple at 86%, Google at 92%, and Mozilla and
Qualcomm at over 90%. For these key vendors, zero-days are the norm, not the
exception.
Filter the database by vendor and check the TTE
column for "0d" badges to see the underlying CVEs for any vendor in this list.
Insight · May 2026
Enterprise edge appliances carry a zero-day premium
A common claim is that network edge appliances (VPNs, firewalls,
file-transfer gateways) skew heavily toward zero-day exploitation. The reality
is more nuanced: the category as a whole isn’t the highest-risk
population in the dataset, but a specific subset of enterprise edge
vendors carries a notable premium.
The chart below shows the zero-day rate for every edge-network vendor with at
least 5 CVEs in the dataset, sorted from highest to lowest. The dotted line
shows the dataset-wide zero-day baseline (51.3%).
Zero-day rate by edge-network vendor
Share of each vendor’s in-scope CVEs that were exploited at or before disclosure. Vendors with at least 5 CVEs in the dataset.
The pattern at the top of the chart is hard to ignore. Sophos, Fortinet,
Trend Micro, Ivanti, and SonicWall all sit at 53% zero-day rate or higher,
above the dataset baseline. These are vendors whose products
sit on the network perimeter, are reachable from the internet by design, and
run in environments where patching requires planned maintenance windows that
attackers price into their operations.
The flip side is just as interesting. Consumer and small-office network gear
(D-Link, TP-Link, QNAP) sits well below the baseline at around 20-25%.
These vendors do appear in the KEV catalog, but their exploitation typically
shows up well after disclosure as opportunistic mass-scanning catches up
with unpatched fleets.
For asset prioritisation, the implication is that internet-facing enterprise
network appliances need to be treated as zero-day risk surfaces by default,
not as standard patch periodically infrastructure.
Filter the database by any of these vendors to
see the underlying CVEs and their first-exploitation dates.
Insight · May 2026
The vendors with the shortest patch windows
Not every vendor gives defenders the same amount of breathing room. Once
zero-days and pre-disclosure exploitation are stripped out, the mean
time-to-exploit varies enormously by vendor. The chart below ranks the ten
vendors with the shortest mean TTE among CVEs that were exploited
after disclosure, restricted to vendors with more than five such
CVEs in the dataset (to filter out noise from one-off incidents).
Top 10 vendors by shortest mean time-to-exploit
Mean TTE in days, excluding zero-days and pre-disclosure exploitation, for vendors with more than five qualifying CVEs. Hover for the CVE count behind each vendor.
The top of the chart shows two vendors with patch windows under 30 days:
SolarWinds at around 26 days and Palo Alto Networks at 30 days.
These are vendors whose CVEs, once disclosed, get exploited
fast. This likely reflects a combination of the type of products they ship
(internet-facing network gear and remote-management software) and the
subsequent attacker interest in them. Either way, treat patch advisories
from these vendors as a priority.
The contrast with the bottom of the chart is stark. Microsoft, VMware, and
others sit in the hundreds of days. That doesn’t mean their CVEs are
less serious, it means the population of post-disclosure exploitations is
dominated by long-tail exploitation years after release.
The chart above leaves out zero-days and pre-disclosure exploitation by
design, so it answers a specific question: when a vendor’s CVEs are
patchable on disclosure, how long do defenders actually have. The chart
below answers a different one. It includes zero-days and negative TTE,
keeping the same minimum sample size of five CVEs, and shows the top ten
vendors by lowest mean time-to-exploit across the full distribution.
Top 10 vendors by lowest mean time-to-exploit (zero-days and negative TTE included)
Mean signed TTE in days across all in-scope CVEs, including zero-days and pre-disclosure exploitation, for vendors with at least five CVEs in the dataset. Hover for the CVE count behind each vendor.
Mozilla sits at the top with a mean signed TTE of around minus ninety days.
Effectively all of its KEV CVEs were exploited well before public disclosure.
SolarWinds and Apple round out the net-negative tier, with mean signed TTE
in the −20 to −35 day range. These are vendors whose exposure
does not show up in the first chart because most of their KEV entries fall
into the zero-day or pre-disclosure bucket that the first chart filters out.
SolarWinds appears prominently in both charts, which is worth a moment of
attention. It has fast post-disclosure exploitation when its CVEs are
patchable on disclosure, and a strongly negative signed mean when the full
distribution is considered. That combination is unusual and reflects the
vendor’s outsized role in supply-chain incidents.
Vendors are limited to those with more than five non-zero-day,
non-negative-TTE CVEs in the in-scope dataset.