A sweeping analysis of one billion vulnerability remediation records has revealed a critical gap in organizational defense, with threat actors exploiting the vast majority of critical flaws before patches can be applied. The study, conducted by cybersecurity firm Qualys, found that 80% of the vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog were compromised prior to remediation by defenders.
The research, which spanned 18 months and covered 150 million unique assets, focused specifically on the CISA KEV catalog. This catalog is a definitive list of security flaws that have been confirmed to be under active attack in the wild. Federal agencies are mandated to patch these specific vulnerabilities within strict deadlines, making them a high-priority benchmark for all security teams.
The data highlights the extreme speed at which attackers operate. According to Qualys, approximately 40% of the vulnerabilities added to the KEV list are exploited within just two weeks of their public disclosure. This rapid weaponization of known flaws demonstrates that traditional, human-driven patching cycles are often too slow to prevent initial compromise.
The findings suggest that organizations relying on manual processes are fundamentally outmatched. While security teams struggle with patch fatigue and prioritization, automated attack campaigns can scan for and exploit unpatched systems at a massive scale. The report underscores that the challenge is not a lack of awareness, but a lack of speed and automation in responding to the most imminent threats.
“Human-scale security is failing to keep pace with the speed and scale of cyberattacks,” stated Qualys CEO Sumedh Thakar in a press release accompanying the report. The firm advocates for a shift toward automated, risk-based vulnerability management to close the gap between when a critical vulnerability is disclosed and when it is successfully patched.
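A concrete form of the risk-based prioritization the report argues for is to treat KEV membership and the catalog's due dates as the first sort key for a patch queue. The following script is an added example, not code from Qualys or from the article: it indexes records in the shape of CISA's public KEV JSON feed (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) and ranks scanner findings by how overdue they are. The KEV records, asset findings and the `SAMPLE_TODAY` date are constructed sample data with placeholder CVE ids, so it runs offline.

```python
"""Rank vulnerability-scanner findings by CISA KEV due date.

Added example, not part of the Qualys report or the article. Field names follow
the public CISA KEV feed; all records and findings below are constructed.
"""
import json
import urllib.request
from datetime import date

# Real location of the CISA feed; only used by fetch_kev_feed(), which the
# offline demo does not call.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the feed's "vulnerabilities" array.
# CVE ids are placeholders, not real catalog entries.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-15", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Database",
         "dateAdded": "2024-03-18", "dueDate": "2024-04-08", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "VPN",
         "dateAdded": "2024-03-04", "dueDate": "2024-03-25", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed scanner output: one row per (asset, CVE) pair. CVE-0000-0003 is
# deliberately absent from the KEV sample to show that it drops out of the queue.
SAMPLE_FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001"},
    {"asset": "db-02", "cve": "CVE-0000-0002"},
    {"asset": "web-01", "cve": "CVE-0000-0003"},
    {"asset": "vpn-01", "cve": "CVE-0000-0004"},
]

SAMPLE_TODAY = date(2024, 3, 20)


def fetch_kev_feed(url=KEV_FEED_URL, timeout=30):
    """Download the live catalog; returns the parsed JSON document."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def load_kev(feed):
    """Index KEV-format records by CVE id, parsing the ISO-8601 dates."""
    index = {}
    for rec in feed["vulnerabilities"]:
        index[rec["cveID"]] = {
            "vendor": rec["vendorProject"],
            "product": rec["product"],
            "date_added": date.fromisoformat(rec["dateAdded"]),
            "due_date": date.fromisoformat(rec["dueDate"]),
            "ransomware": rec.get("knownRansomwareCampaignUse") == "Known",
        }
    return index


def prioritize(findings, kev_index, today):
    """Return the findings that appear on KEV, most urgent first.

    Sort key: days until the catalog due date (negative means overdue, so the
    most overdue items lead), with known ransomware use breaking ties. Findings
    not on KEV are excluded here and left to the normal severity-driven queue.
    """
    rows = []
    for finding in findings:
        rec = kev_index.get(finding["cve"])
        if rec is None:
            continue
        days_until_due = (rec["due_date"] - today).days
        rows.append({
            "asset": finding["asset"],
            "cve": finding["cve"],
            "product": f'{rec["vendor"]} {rec["product"]}',
            "days_until_due": days_until_due,
            "overdue": days_until_due < 0,
            "ransomware": rec["ransomware"],
        })
    rows.sort(key=lambda r: (r["days_until_due"], not r["ransomware"]))
    return rows


def demo():
    """Run the offline sample and return the ranked queue."""
    return prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV), SAMPLE_TODAY)


if __name__ == "__main__":
    for row in demo():
        status = "OVERDUE" if row["overdue"] else f'due in {row["days_until_due"]}d'
        flag = " [ransomware]" if row["ransomware"] else ""
        print(f'{row["asset"]:8} {row["cve"]:14} {row["product"]:24} {status}{flag}')
```

Swapping `SAMPLE_KEV` for `fetch_kev_feed()` and `SAMPLE_FINDINGS` for a scanner export turns this into a daily job; the same sort key can feed a ticketing system so that overdue KEV items are opened automatically rather than waiting on a manual review.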