By 2024 the mean time from a CVE being published to a working exploit was 56 days; by 2025 it had fallen to 23 days — and so far in 2026 it sits at roughly 10 hours across 3,532 CVE‑exploit pairs drawn from CISA KEV, VulnCheck KEV, and ExploitDB. Those are not idle numbers: they are the clock the attacker now uses, and the piece that follows explains why defenders’ processes have not kept pace.
The speed gap: attackers running in seconds, defenders still on human time
The article’s author, Sıla Özeren Hacıoğlu, lays out a stark contrast. Defenders’ workflows have accelerated — “the defender's clock has accelerated to run in hours” — but attackers’ timelines have compressed far faster, to the point that “the attacker's clock has leapfrogged past it and now runs in seconds.” The concrete evidence is the trend in exploit development times: 56 days in 2024, 23 days in 2025, and approximately 10 hours in 2026 across the specified KEV and ExploitDB datasets.
That shrinking window matters because many defensive actions still move at human speed: ticket creation, approval windows, manual script rewrites, and handoffs between teams. Where an AI‑assisted attacker can compromise a system in 73 seconds, the normal change‑approval chain is said to “usually take[] at least 24 hours to deploy a fix.”
Why traditional purple teaming stalls: three systemic bottlenecks
Purple teaming — the red/blue feedback loop where “Red finds the paths an attacker would take” and “Blue validates whether detections fire and prevention holds” — is conceptually simple but operationally fragile. The article identifies three concrete reasons it has not been operationalized:
- Human friction. Teams don’t talk often enough; meetings, post‑mortems, family emergencies, and the “spaghetti handoff” of copy‑pasted hashes and emailed PDFs create fatal delays. The work piles up in unread Slack messages and tickets waiting for eyeballs or approval.
- Orchestration complexity. Different teams — network, SOC, red, blue, vulnerability management, IT ops — own discrete tools and outputs. Those artifacts are reinterpreted and manually passed along, producing brittle chains where the real bottleneck is coordinating tools and people, not the technical work itself.
- AI‑enabled adversaries. Attackers armed with LLMs and automation compress exploitation time below the defenders’ procedural timelines: “For most organizations, the change‑approval process alone is now longer than the exploitation window.” Quarterly or monthly purple exercises become snapshots, not continuous validation.
What autonomous purple teaming actually is
Autonomous purple teaming replaces the human handoff with a machine‑run loop that ties red and blue as a single, continuously operating system. Hacıoğlu describes it as more than task automation (for example, generating rules or summarizing alerts); instead, it’s “an agent running the entire loop end‑to‑end,” with auditability and human override where needed.
In that model:
- Red’s findings automatically become blue’s tests.
- Blue’s detection gaps feed red’s next exercises.
- Agents execute the handoffs — no “typing‑into‑Jira” seat — while every step remains visible in an operator console.
The approach is presented as a dial: manual at first, AI‑assisted for scheduled workflows, and fully agentic for end‑to‑end runs with human review only where policy or risk dictates.
BAS, automated pentest, and AI‑powered mobilization in practice
Hacıoğlu lays out three integrated components needed to make autonomous purple teaming operational:
- Automated penetration testing (automated pentest) to answer red’s central question continuously: given today’s exposures and controls, can an attacker reach critical assets?
- Breach and Attack Simulation (BAS) to answer blue’s question: did the controls behave as intended — did the firewall block it, did the EDR detect it, did the SIEM and runbooks perform?
- AI‑powered mobilization to replace the human who would previously open tickets: agents that enrich CISA alerts, decide relevance against current posture, run simulations and validations in parallel, auto‑deploy low‑risk fixes, open tickets for moderate items, and flag the rest for human review.
In this design the output is no longer a long ranked CVE list but “one continuous action queue” focused on what is actually exploitable today and what to do before the exploitation window closes.
What this means for SOCs, IT ops, and CISA‑driven workflows
SOCs: The SOC is relieved of routine ticket‑typing and low‑risk remediation tasks; agents do the handoffs and produce both an executive view and a technical view for the SOC. Human analysts can focus on the “big picture” while the loop runs continuously.
IT ops: Change‑approval windows are the choke point noted repeatedly. AI mobilizers can auto‑deploy only low‑risk fixes and open tickets for moderate or high‑risk changes, preserving human control where policy requires it while shaving down response time for trivial, high‑impact fixes.
CISA and CTI consumers: The model assumes incoming CISA alerts are enriched by CTI agents, baselined against current posture, and immediately validated — turning alerts into actionable, prioritized tasks rather than items that require manual re‑interpretation and handoff.
The article concludes that the long‑promised purple loop can finally run continuously if the human handoffs are replaced by auditable, agentic workflows. Hacıoğlu points to an opportunity to see these ideas in practice at the Autonomous Validation Summit on May 12 & 14, hosted with Frost & Sullivan and featuring practitioners from Kraft Heinz, Hacker Valley, Glow Financial Services, and Picus CTO Volkan Erturk. The core question left on the table is procedural and organizational: will enterprises accept agentic mobilization of fixes — with human overrides and auditing — as the answer to attackers racing at machine speed?
