"Only 9% remediate high-severity flaws in production within 24 hours." That stark number — drawn from a survey of more than 900 cybersecurity practitioners and leaders — frames a gap between detection and action that the respondents say is driving real-world incidents.
Patch timelines and incident rates
The survey found only 9% of organizations remediate high-severity production flaws within 24 hours; 74% do so in one to seven days. The difference in patch cadence maps to markedly different incident rates. Organizations in the 4-to-7-day patch capability were breached by a known vulnerability at a 97% rate, while those patching within 24 hours reported a 77% breach rate.
Nearly half of respondents who experienced a production incident said it involved a vulnerability the security team had identified prior to release — a finding the authors summarized as incidents being "driven by known vulnerabilities and the patch gap."
Shift-left investment hasn’t closed the runtime gap
Investment in pre-deployment risk identification has not prevented escapes into production. In the past year, 92% of organizations prioritizing risk identification prior to deployment still faced a known-vulnerability event. Similarly, 91% of respondents who reported being "very confident" in their organization’s application-security strategy experienced a production incident that evaded pre-production controls.
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, warned about the limits of relying solely on developers: "Placing all the responsibility for cybersecurity decisions onto developers turns them into compliance, regulatory, red-team, and legal experts — but they're rarely if ever any of those things." He argued defenders must think about how software is deployed and configured, not just individual patches.
AI in production — wide deployment, limited runtime visibility
AI-powered components are in play at a majority of respondents’ organizations: 70% say they utilize AI-powered components in production. Yet 82% are unable to see those AI systems' runtime behavior in real time. The report frames that visibility gap as a growing blind spot at a moment when attackers are accelerating timelines.
Justin Fier, Senior Vice President, Offensive Security at Darktrace, described AI runtime behavior as "what they are doing, what they can access, and whether that behavior aligns with their intended purpose," and said the visibility problem becomes "harder to manage and more consequential" as AI agents embed in business workflows.
Crystal Morin, Senior Cybersecurity Strategist at Sysdig, underscored the velocity of attacker activity: the Sysdig Threat Research Team observed attackers exploiting a critical Langflow AI vulnerability just 20 hours after disclosure, and in another case attackers used an AI-driven agent to move from initial access to exfiltration in under an hour. Those examples illustrate the compression from disclosure to exploitation and the consequential need for runtime insight.
Practical mitigations and architecture changes recommended by experts
- Automation and diverse model review: Saumitra Das, Vice President of Engineering at Qualys, recommended using "AI models that are diverse in their training datasets to review the generated code" and automating security review and patching workflows so agentic systems can remediate issues with minimal human intervention.
- Runtime-first defenses: Crystal Morin advised that the future of vulnerability management is not "patching everything faster" but understanding exposure with runtime insight, detecting exploitation in real time, and reducing exposure before attackers can capitalize on it.
- Developer-facing controls and pre-commit checks: Randolph Barr, Chief Information Security Officer at Cequence Security, urged "automation-first validation using technologies such as SAST/SCA scans prior to merge," plus "AI-assisted code review" and compensating restrictions like runtime API protection and pre-commit hooks (Semgrep, Gitleaks).
- Incentives and governance: Ronald Lewis, Head of Cybersecurity Governance at Black Duck, said outcomes follow incentives: "Organizations say they value 'shift left,' but what actually gets rewarded is shipping on time," producing a normalization where known vulnerabilities are "routinely accepted, deferred, or reclassified as 'manageable.'"
What this means for developers, enterprise procurement, and security operations
- Developers and security teams: Developers are being asked to shoulder deployment and legal risk beyond typical development roles, per Tim Mackey, creating friction where deployment requirements are not fed back to suppliers. Several experts point to automation, AI-assisted review, and runtime visibility as ways to relieve that burden.
- Enterprise procurement and vendor governance: Randolph Barr urged prioritizing vendor risk governance and secure integrations to avoid cascade risks. Saumitra Das highlighted licensing and provenance concerns for AI-generated code, calling for better guarantees from AI model providers about training data.
- Security operations and incident responders: The compressed timelines cited by Crystal Morin — exploitation within 20 hours or lateral exfiltration under an hour — force operations toward real-time detection and response. The survey indicates 42% of organizations plan to invest more in runtime security in the next two years, signaling a shift of budget toward that capability.
Taken together, the survey paints a picture of a system where detection outpaces remediation, pre-production confidence fails to prevent production escapes, and AI both accelerates attacker tradecraft and creates new blind spots. Experts propose a mix of automation, runtime visibility, governance, and incentive realignment as practical responses. The remaining question the data leaves for organizations is concrete: can they move from measuring findings to rewarding rapid, risk-reducing remediation — and fund the runtime visibility that may be the only realistic defense against exploitation compressed to hours?




