AI-Driven Exploitation Displaces Risk Management. Here’s How To Handle It.

AI-driven exploitation times are shrinking fast, and they won’t stop shrinking. Vulnerabilities are being discovered, reproduced, and remediated faster than ever before in the history of enterprise security. As a result, the window between a vulnerability being exposed and the indiscriminate exploitation seen across the Internet is now measured in hours, not days.

The industry’s main response has been: fix it fast.

Regulators say it, boards expect it, and management wants it. But for most businesses, it’s not a button defenders can push. Patching is a controlled process tailored to the needs of overtime, stability testing, change windows, business approvals, compliance obligations, and the fact that production plans cannot be broken in the name of urgency.

While patching is still important, patching alone or patching quickly is no longer the perfect answer to this “new normal” and the influx of exposed vulnerabilities. Anthropic’s Project Glasswing update in May 2026 made the imbalance hard to ignore. The company said it, along with nearly 50 partners, used Claude Mythos Preview to identify more than 10,000 high or critical vulnerabilities in all critical software programs in one month, while many other organizations report similar results through internal, AI-driven efforts.

AI is industrializing vulnerability research, but not just for defenders or software vendors. Attackers use the same tools, with the same advantage of speed, to identify and reproduce the vulnerabilities used against the organizations they target.

So, what does this mean for the timelines of exploitation and defense?

The Bottle Is Gone

It’s no secret that exploit timelines have been shrinking for years, and in recent years, it’s been common for vulnerability disclosures to follow internal exploits in single-digit hours. With AI, the window that a large organization may have from being told there is a problem to seeing someone trying to use it against them will continue to shrink.

On the other hand, repairs and amendments did not keep pace. The Verizon 2026 DBIR is clear on this point: the average time for an organization to fix a critical vulnerability has increased year over year, from 32 days to 43 days.

The reality is brutal: while attackers work on timelines measured in hours, defenders work on timelines measured in weeks. That gap is where the abuse really happens.

Yes, there are more disabilities. Yes, the attackers are moving fast. But the hardest part for defenders is that the fix isn’t getting, and probably won’t happen, quickly. Telling organizations to “fix fast” is like telling someone to “be tall.” It sounds useful and well-intentioned, but it’s not something most teams would just decide to do.

Then there is pressure from regulators. India’s CERT-IN has recently issued a guideline that outlines the minimum day-to-day patching expectations for some key risks. The intention is clear, but this ignores the practical reality.

The realistic view is that some risks will be addressed before they are fully addressed. Security teams need to plan around that reality without creating new operational risks. That means answering a few quick questions:

• Are we using this technology?
• Is the risk theoretical?
• Is vulnerability useful in our environment?
• What does bullying look like?
• What temporary controls can reduce the risk while the normal repair cycle is running?

The operating model needs to shift to initiate, validate and mitigate. And here’s how to do it.

Step 1: Analyze What Attackers May Exploit

All exposed risks do not carry the same urgency. Some disabilities will never be used in the real world. Some have the features attackers are looking for: broad deployment, Internet accessibility, repeatable exploits, and a clear path to meaningful access to a target.

In the near future where we see hundreds, if not thousands of vulnerabilities exposed every day, flexibility means identifying which vulnerabilities are likely to be detected by wild exploits to perform a filtering level, and teams don’t spend critical time investigating everything. Resilience is still important, but it’s never the whole picture.

In an AI-driven cycle, that filtering should happen in the first hours after the reveal, before teams use the full list. Limiting the field early is what keeps organizations in front of the window of exploitation rather than reacting to it after the fact.

Step 2: Respond Quickly to Emerging Threats and Ensure Exposure

Once wild exploitation of an emerging threat is determined to be possible or confirmed, defenders need the ability to react quickly and ensure their organization’s direct exposure before attackers can move.

That means turning the disclosure of a new vulnerability or exploit campaign into an environment-specific response: are we being exposed? Where are we exposed? Who owns the systems involved? Is exploitation proven? A rapid real-world response to emerging threats must identify cyber-facing systems across business units, departments, and subsidiaries, and contextualize vulnerabilities with critical threat intelligence.

Validation then verifies whether the vulnerable component is accessible to an attacker and usable in the real world. A potential vulnerability prompts an investigation. But a proven, exploitable vulnerability, given the pace of external exploitation, now requires immediate, independent action.

The faster teams make that difference, the faster they can decide what to reduce, what to monitor, and what can pass for routine maintenance.

Speed ​​without accuracy is fear, and accuracy without speed is irrelevant. Both must be combined when responding to an emerging threat, before exploitation begins.

Step 3: Reduce to Buy Time for Effective Repair

Once exposure is confirmed, remediation may still require testing, change control, and coordinated release.

Decreasing reduces usability within that window. For Internet-facing systems, this may include access restrictions, disabling vulnerable functionality, WAF or API rules, IDS or IPS updates, isolation, configuration changes, monitoring, or temporary controls that block exploit patterns. Effective mitigation must also be consistent with how exploitation works. A general rule based on the CVE acronym is weaker than a control built around exploits, payloads, prerequisites, and known bad behavior. These controls don’t have to be permanent. They need to make exploits slower, less reliable, and harder to scale while the organization holds them securely.

Automatic deceleration closes the gap between the speed of the attacker and the speed of the patch. It is the only control that works at the same time as exploitation.

This is what watchTowr is built for

The watchTowr Platform compresses the background timeline to match AI-driven attack timelines. By taking an attacker-led approach, the platform identifies exploitable weaknesses and vulnerabilities, and in the face of an endless number of emerging threats, continuously empowers organizations to react quickly and reduce their exposure.

By using AI to integrate Proactive Threat Intelligence, External Attack Control, and Automated Mitigation, the watchTowr Platform provides clarity: showing teams what attackers can see, what they can exploit, and what can be done to mitigate it before retreating.

Attachment is still necessary, and very important. But in the world of AI-driven exploitation, patching alone cannot be done at the required speed while ensuring availability and preventing disruptions. The watchTowr Platform, an AI-Powered Preemptive Exposure Management solution, helps organizations warn attackers, ensure exposure to emerging threats, and automatically mitigate the one thing attackers can’t eliminate: response time.

To schedule a demo and learn more about Preemptive Exposure Management, visit watchtowr.com.