“The Zero Day Clock ... currently averages around 8 hours for 2026, down from roughly 53 days just two years ago.”
Zero Day Clock: disclosure-to-exploit compressed to hours
Vulnerability disclosure no longer buys weeks of breathing room. According to the reporting, the Zero Day Clock — a real‑time tracker of disclosure-to-exploit timeframes — averaged around eight hours for 2026, a dramatic fall from roughly 53 days two years earlier. The article frames that shift as the result of AI removing the manual drag that once slowed weaponization: reading advisories, mapping exploit paths and shaping chains now move far faster than human pace.
Why patching can't keep pace: Verizon's 2026 Data Breach Investigations Report
Remediation timelines are drifting in the wrong direction even as attacks accelerate. Verizon's 2026 Data Breach Investigations Report, drawn from more than 13,000 organizations, found the median fix time for known‑exploited vulnerabilities is now 43 days, up from 32 last year. The share of organizations fully patching those vulnerabilities dropped from 38% to 26%. Even the best performers close only 30–40% of these vulnerabilities in the first week — a rate that has barely moved.
Volume compounds the problem: 48,185 CVEs were recorded in 2025, and fewer than 0.6% of those were ever patched, producing what the source calls “not workable math” for any strategy that assumes patching alone will stop the problem.
The limits of automated pentesting and live exploitation
Automation has sped up pentesting—continuous, automated tooling can fire real exploit chains where it is safe to do so. But the reporting identifies three hard gaps that automated execution cannot close:
- No exploit: many disclosed CVEs never get a public or safe exploit to launch.
- Assets you can't risk: business‑critical, regulated, and air‑gapped systems are off limits for live detonation.
- The day‑one window: weaponizing a fresh exploit and wiring it into tooling takes time while attackers are already moving.
Because of those limits, a typical enterprise can safely exploit only roughly 10–15% of its total exposure picture; for the remaining 85–90%, live execution “has no answer to give.”
TTP‑chain validation: ground‑testing the rocket you can't launch
When you cannot safely launch a live exploit, the source proposes a different proof technique modeled on aerospace ground tests: decompose an exploit into the chain of techniques (TTPs) required, then validate each link against the actual deployed controls. If any required link fails under your controls, the exploit cannot succeed there — and you have an evidence trail without detonating an exploit.
Four properties distinguish that verdict from a static score (CVSS or EPSS), as described in the reporting: it validates by inference, not detonation; it is control‑aware (testing against EDR, GPO, LSASS protections, allow‑listing, NGFWs, etc.); it weighs reachability so contained exposures aren't over‑counted; and it ships evidence — the chain, the controls tested, and the result — for audit and board review.
What CVE‑2025‑29824 shows in practice
The article uses CVE‑2025‑29824 — a Windows CLFS use‑after‑free that escalates to SYSTEM and was observed in Storm‑2460 → RansomEXX activity — to demonstrate TTP decomposition. The chain given includes:
- certutil & MSBuild execution – T1105 / T1127
- KASLR bypass / SysInfo – T1082
- CLFS UAF exploit → kernel execution – T1068
- token modification & dllhost injection – T1134 / T1055
- LSASS dump via masked dllhost – T1003
Each technique can be tested against an environment’s EDR policy, GPO/hardening, LSASS protection, application allow‑listing and NGFW. If allow‑listing blocks MSBuild execution, or LSASS protection blocks credential dumping, the chain breaks and the CVE is not exploitable on that asset — verifiable without a certified exploit and applicable to air‑gapped systems you would never point a live exploit at.
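To make the "ground test" idea concrete for both the TTP‑chain validation section and the CVE‑2025‑29824 walk‑through, here is an added example (not code from the article or from Picus) that walks the article's five‑link chain against an asset's observed control state and returns a verdict plus a per‑link evidence trail. The technique IDs and step names are the article's; the control names and the mapping of which control breaks which link are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    step: str
    technique: str          # ATT&CK technique id(s) from the article's chain
    blocked_by: frozenset   # assumed: controls that break this link when enforced


# Chain as decomposed in the article for CVE-2025-29824; the per-link
# control mapping is an assumption made for this example, not the article's.
CVE_2025_29824_CHAIN = (
    Link("certutil & MSBuild execution", "T1105/T1127", frozenset({"allow_listing", "edr"})),
    Link("KASLR bypass / SysInfo", "T1082", frozenset()),
    Link("CLFS UAF exploit -> kernel execution", "T1068", frozenset({"edr"})),
    Link("token modification & dllhost injection", "T1134/T1055", frozenset({"edr", "gpo_hardening"})),
    Link("LSASS dump via masked dllhost", "T1003", frozenset({"lsass_protection", "edr"})),
)


def validate_chain(chain, controls, reachable=True):
    """Ground-test each link against the asset's enforced controls.
    controls: {control_name: enforced(bool)} as observed on the asset.
    Returns a verdict plus an evidence trail: step, technique, controls tested, result."""
    evidence, broken = [], False
    for link in chain:
        enforced = sorted(c for c in link.blocked_by if controls.get(c, False))
        broken = broken or bool(enforced)
        evidence.append({
            "step": link.step,
            "technique": link.technique,
            "controls_tested": sorted(link.blocked_by),
            "result": "blocked by " + ", ".join(enforced) if enforced else "passes",
        })
    if not reachable:
        verdict = "not exploitable (unreachable)"     # reachability weighed before any link
    elif broken:
        verdict = "not exploitable (chain broken)"    # at least one required link fails
    else:
        verdict = "exploitable (no link blocked)"
    return {"verdict": verdict, "evidence": evidence}


# Constructed sample assets (observed control state), not real telemetry.
HARDENED_SERVER = {"allow_listing": True, "edr": False, "lsass_protection": True, "gpo_hardening": True}
LEGACY_WORKSTATION = {"allow_listing": False, "edr": False, "lsass_protection": False, "gpo_hardening": False}

if __name__ == "__main__":
    for name, ctl in (("hardened", HARDENED_SERVER), ("legacy", LEGACY_WORKSTATION)):
        r = validate_chain(CVE_2025_29824_CHAIN, ctl)
        print(name, "->", r["verdict"])
        for e in r["evidence"]:
            print("  ", e["technique"], e["step"], "::", e["result"])
```

On the hardened asset the first link already fails under allow‑listing, so the verdict is "not exploitable" without any detonation, and the evidence list is the audit record the article describes.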
What this means for security teams, procurement leaders, and boards
- Security teams: face disclosure‑to‑exploit windows measured in hours and a small slice of assets you can safely test live. The piece argues for combining live exploit chains where safe with TTP‑chain validation for the rest, and for continuous re‑testing so an earlier “accept” decision is not assumed to remain valid.
- Procurement leaders and affected enterprises: must recognize patching capacity limits and volume pressures — 48,185 CVEs in 2025 with under 0.6% patched — and evaluate tools and services that offer defensible evidence about what is actually exploitable in their environments.
- Boards and risk reviewers: will receive evidence that is control‑aware and auditable rather than counts of high‑severity CVEs, enabling more defensible decisions about patch, mitigate, monitor, or accept.
The piece — written by Sıla Özeren Hacıoğlu, a Security Research Engineer at Picus Security, and published as sponsored content — concludes that live launches and TTP‑chain “ground tests” are complementary: use the launch where safe, use the ground test where you cannot, and keep both in a continuous loop so decisions made on day one are re‑validated as environments change.