Uncovering the Flaws in Human-Scale Security: Insights from One Billion CISA KEV Remediation Records
The Evolution of Cybersecurity: Adapting to Autonomous AI Threats
Author: Saeed Abbasi, Senior Manager, Threat Research Unit, Qualys
Embracing Change in Cybersecurity Defense
As Time-to-Exploit plunges to negative seven days and autonomous AI agents heighten security threats, the traditional incremental approach to cybersecurity is no longer effective. It is imperative to revolutionize the defense architecture.
Key Insights for Leaders
An analysis of CISA’s Known Exploited Vulnerabilities spanning four years reveals a concerning trend: despite a 6.5x increase in resolved vulnerabilities, critical vulnerabilities left unpatched at Day 7 have risen from 56% to 63%. The solution does not lie in increased staffing.
Out of the 52 weaponized vulnerabilities studied, 88% were patched at a slower rate than they were exploited, with half being weaponized before any patch was available.
The core issue lies in the operational model itself, not just in the speed of patch implementation.
Identifying the Flaws in the Current Model
Recent research conducted by the Qualys Threat Research Unit, analyzing over one billion CISA KEV remediation records from 10,000 organizations over four years, exposes a fundamental flaw in the existing enterprise security model.
Vulnerability volumes have surged by 6.5 times since 2022, with the average Time-to-Exploit plummeting to negative seven days. The percentage of critical vulnerabilities left unpatched at seven days has also increased from 56% to 63%.
Despite organizations closing 400 million more vulnerability events annually compared to the baseline, there is a structural limit termed the “human ceiling,” which no amount of resources or process enhancements can overcome. The bottleneck lies within the operational model itself.
Of the 52 weaponized vulnerabilities tracked, 88% were remediated at a slower pace than they were exploited. For instance, Spring4Shell was exploited two days before disclosure, yet organizations took an average of 266 days to patch it.
Similarly, the Cisco IOS XE flaw was weaponized a month prior, with an average closure time of 263 days.
The disparity in time frames between attackers and defenders highlights an operationalization failure rather than an intelligence deficit.
Unveiling the Manual Tax and Risk Mass
The report introduces the concept of a “Manual Tax,” where legacy processes struggle to address long-tail assets, extending exposure from weeks to months. For Spring4Shell, the average remediation duration was 5.4 times the median.
Infrastructure systems face a harsher reality, with the median remediation time for Cisco IOS XE reaching 232 days compared to endpoint averages under 14 days. When the best-case scenario spans eight months, the Manual Tax becomes the norm rather than a multiplier.
Rather than relying on average figures, the focus shifts to Risk Mass, which considers vulnerable assets multiplied by days exposed to reveal the cumulative exposure obscured by CVE counts. Another vital metric, Average Window of Exposure (AWE), tracks the duration from weaponization to remediation across the environment.
For instance, Follina was weaponized 30 days pre-disclosure, with an average closure at Day 55. However, the AWE extended to 85 days, indicating that the majority of exposure occurs before disclosure, emphasizing the importance of swift remediation.
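As an added illustration that is not part of the Qualys report, the Python below computes the metrics described above (Time-to-Exploit, unpatched share at Day 7, the Manual Tax as a mean/median ratio, Risk Mass and AWE) over a constructed set of per-asset remediation records. All dates, asset names and the cutoff are invented; the only assumption carried from the text is that exposure for an asset runs from weaponization to its fix, so AWE equals mean closure plus the pre-disclosure lead when Time-to-Exploit is negative (30 + 55 = 85 in the Follina case).

```python
from datetime import date
from statistics import mean, median

# Constructed sample for one CVE: disclosure, first in-the-wild exploitation,
# and the date each asset was fixed. None means still unpatched at the cutoff.
DISCLOSED = date(2024, 3, 1)
WEAPONIZED = date(2024, 1, 31)          # 30 days before disclosure
REMEDIATIONS = [
    ("endpoint-01", date(2024, 3, 8)),
    ("endpoint-02", date(2024, 3, 12)),
    ("endpoint-03", date(2024, 3, 15)),
    ("server-01", date(2024, 4, 25)),
    ("router-01", date(2024, 12, 1)),   # long-tail infrastructure asset
    ("router-02", None),                # never fixed within the observation window
]
CUTOFF = date(2025, 3, 1)               # end of the observation window

def time_to_exploit(disclosed, weaponized):
    """Days from disclosure to first exploitation; negative means weaponized pre-disclosure."""
    return (weaponized - disclosed).days

def closure_days(disclosed, remediations, cutoff):
    """Days after disclosure at which each asset was fixed (unfixed assets run to cutoff)."""
    return [((fixed or cutoff) - disclosed).days for _, fixed in remediations]

def unpatched_ratio_at(day, disclosed, remediations):
    """Share of assets still exposed at Day N after disclosure."""
    still_open = sum(1 for _, fixed in remediations
                     if fixed is None or (fixed - disclosed).days > day)
    return still_open / len(remediations)

def manual_tax(days):
    """Mean/median ratio: how far the long tail drags exposure past the typical asset."""
    return mean(days) / median(days)

def risk_mass(weaponized, remediations, cutoff):
    """Asset-days exposed, summed from weaponization to each asset's fix (or cutoff)."""
    return sum(((fixed or cutoff) - weaponized).days for _, fixed in remediations)

def average_window_of_exposure(weaponized, remediations, cutoff):
    """AWE: Risk Mass spread over the asset population."""
    return risk_mass(weaponized, remediations, cutoff) / len(remediations)

if __name__ == "__main__":
    days = closure_days(DISCLOSED, REMEDIATIONS, CUTOFF)
    print("Time-to-Exploit (days):", time_to_exploit(DISCLOSED, WEAPONIZED))
    print("Unpatched at Day 7:", round(unpatched_ratio_at(7, DISCLOSED, REMEDIATIONS), 2))
    print("Mean/median closure:", round(mean(days), 1), "/", median(days))
    print("Manual Tax:", round(manual_tax(days), 2))
    print("Risk Mass (asset-days):", risk_mass(WEAPONIZED, REMEDIATIONS, CUTOFF))
    print("AWE (days):", round(average_window_of_exposure(WEAPONIZED, REMEDIATIONS, CUTOFF), 1))
```

Note how the single unfixed router and the one fixed at Day 275 lift the mean to about 3.5 times the median even though four of six assets closed within 55 days; that gap is the Manual Tax the text describes.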
Out of the 48,172 vulnerabilities disclosed in 2025, only 357 were remotely exploitable and actively weaponized, underscoring the misallocation of remediation efforts towards theoretical rather than imminent threats.
The Impending Widening Gap
The cybersecurity landscape is undergoing a paradigm shift with the integration of AI, challenging traditional defense mechanisms. Offensive agents equipped with AI capabilities can outpace human responses in discovering, weaponizing, and executing attacks. The existing reactive model struggles to keep pace, and autonomous AI will only exacerbate this gap.
The industry faces a critical juncture during the transition phase, where AI-powered attackers confront human defenders. This period poses the highest risk, compounded by structural vulnerabilities such as expanding attack surfaces, identity sprawl, and manual remediation workflows.
The future demands a shift from the scan-and-report model to a comprehensive Risk Operations Center that integrates intelligence, validation of exploitability, and autonomous response mechanisms. The objective is to elevate human judgment by directing autonomous systems through policy governance.
Successful organizations are not triumphing due to expanded teams but by eliminating human latency from critical security processes.
Navigating the Risk Gap
The traditional scan-and-report model is outdated in the face of escalating vulnerabilities and shrinking exploit timelines.
The solution lies in establishing a Risk Operations Center that incorporates embedded intelligence, exploit validation, and autonomous response mechanisms. The goal is not to replace human decision-making but to enhance it, empowering practitioners to govern policies guiding autonomous systems.
Time-to-Exploit will continue its downward trajectory, and vulnerability volumes will persist in their upward trend. Adapting to this mathematical reality necessitates a proactive shift in architecture to bridge the gap between human-scale defense and autonomous-scale offense.
Contact Qualys for insights into managing remediation at scale with automation and AI, and seize the opportunity to make a difference in cybersecurity today.
Provided by Qualys.