Picus Security — CVE Weaponization Time Collapses to 24 Hours in 2026

AI relevance: Picus Security's analysis of 3,500+ CVE-exploit pairs shows mean weaponization time dropping to ~24 hours in 2026, with AI-powered attack chains like the February 2026 FortiGate campaign demonstrating autonomous end-to-end exploitation across 2,516 devices in 106 countries.

  • Picus Security analyzed over 3,500 CVE-exploit pairs across CISA KEV, VulnCheck KEV, and ExploitDB to chart the collapse of time-to-exploit (TTE) — the window from vulnerability disclosure to weaponized exploit.
  • TTE has compressed dramatically: 2.3 years in 2018, 8.6 months in 2022, 53 days in 2024, 22 days in 2025, and roughly 24 hours in 2026.
  • By 2025, most exploits were already weaponized before public disclosure. In 2026, ready-to-use exploit options appear in adversary toolkits almost immediately after any vulnerability goes public.
  • The February 2026 FortiGate campaign provides a real-world example: an AI-powered attack chain compromised 2,516 devices across 106 countries simultaneously, running autonomously from initial access through credential dumping to data exfiltration.
  • That attacker deployed a custom MCP server hosting an LLM that handled backdoor creation, internal infrastructure mapping, autonomous vulnerability assessment, and prioritized execution toward domain admin — with zero human involvement during the chain.
  • Anthropic's Mythos model (Project Glasswing) further demonstrates the offensive capability, finding vulnerabilities across every major OS and browser, including one that survived 27 years in OpenBSD, and chaining independent bugs into working exploit sequences.
  • Less than 1% of vulnerabilities discovered by Mythos have been patched, exposing a widening gap between AI-speed discovery and human-speed remediation.

Why it matters

The defensive cycle — gather intelligence, build campaigns, simulate, mitigate — takes roughly four days. When weaponization happens in hours, a quarterly or monthly pentest is testing a threat landscape that no longer exists. The entire concept of scheduled validation assumes a stable threat environment, and that assumption is now dead on arrival.

What to do

  • Move from periodic to continuous exposure visibility — know your attack surface in real time.
  • Prioritize hardening to shrink the exploitable surface and buy response time.
  • Validate controls continuously rather than through point-in-time assessments.
  • Plan for AI-speed adversary capability: assume exploits are available within hours of disclosure, not weeks.
