Zero Day Clock
The Zero Day Clock is a visualization-and-data instrument tracking Time-to-Exploit (TTE), the gap between a CVE's public disclosure and its first confirmed in-the-wild exploitation, and how that gap has changed over time. Launched at the [[unprompted-conference-march-2026|[un]prompted Conference]] in March 2026 by Sergej Epp (CISO, Sysdig) and collaborators. Published at zerodayclock.com. Built on 3,533 CVE-exploit pairs drawn from trusted sources (CISA KEV, VulnCheck KEV, XDB).
Why It Matters
The Zero Day Clock is the wiki’s load-bearing quantitative anchor for the “window-of-exposure has collapsed” argument across the SDLC-in-the-AI-attacker-era thesis, the Mythos-ready playbook, and the frontier-AI vuln-discovery thesis. It is the strongest sourced empirical instrument the wiki has cited for the “AI Vulnerability Storm” framing.
The Data
Mean TTE (10% trimmed mean) per year across the CVE-exploit pairs; units vary by row as reported by the clock:
| Year | Mean TTE | Order-of-magnitude characterization |
|---|---|---|
| 2018 | 2.3 years | Pre-collapse baseline |
| 2019 | 1.9 years | Slow start |
| 2020 | 1.3 years | Accelerating |
| 2021 | 10.8 months | Sub-year |
| 2022 | 9.7 months | Stable sub-year |
| 2023 | 4.9 months | Sub-half-year |
| 2024 | 56 days | Weeks |
| 2025 | 23.2 days | Three weeks |
| 2026 | 9 hours | Same-day, hours |
The 2018→2026 collapse is 2.3 years (≈840 days, ≈20,000 hours) → 9 hours, roughly a 2,200× reduction in mean TTE. The 2023→2024 transition (4.9 months → 56 days, ≈2.7×) and the 2025→2026 transition (23.2 days → 9 hours, ≈60×) are the two sharpest year-over-year drops; both coincide with AI-driven discovery and exploitation milestones (DARPA AIxCC, XBOW and Big Sleep across 2024-2025; Mythos, Glasswing and the commercial-vendor cluster in early 2026). The timing is a correlation; the clock itself does not attribute cause.
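As an added example (not the Zero Day Clock's own code and not taken from zerodayclock.com), the Python below reproduces the arithmetic behind the table and shows how a 10% trimmed-mean TTE is computed from CVE-exploit pairs, including the right-censoring bound on the most recent year. The CVE identifiers, dates and the cutoff date are constructed sample data; the unit conversions (365-day year, 30.4-day month) and the trim rule (drop 10% of values from each tail) are assumptions, since the site's exact method is not stated on this page.

```python
"""Time-to-Exploit (TTE) arithmetic. Added example, not the Zero Day Clock's code.

- PAGE_TTE reproduces the wiki table's per-year means in their mixed units.
- trimmed_mean() implements an assumed 10%-per-tail trim.
- SAMPLE_PAIRS are constructed CVE-exploit pairs with placeholder identifiers.
"""
from datetime import date
from math import floor
from statistics import mean

# Per-year mean TTE as reported in the page table: (value, unit).
PAGE_TTE = {
    2018: (2.3, "years"), 2019: (1.9, "years"), 2020: (1.3, "years"),
    2021: (10.8, "months"), 2022: (9.7, "months"), 2023: (4.9, "months"),
    2024: (56, "days"), 2025: (23.2, "days"), 2026: (9, "hours"),
}
# Assumed conversions: 365-day year, 30.4-day month.
HOURS_PER = {"years": 365 * 24, "months": 30.4 * 24, "days": 24, "hours": 1}

# Assumed data cutoff used only to illustrate right-censoring (not the clock's real cutoff).
ASSUMED_CUTOFF = date(2026, 3, 5)


def tte_hours(year):
    """Table value for `year` converted to hours."""
    value, unit = PAGE_TTE[year]
    return value * HOURS_PER[unit]


def yoy_multipliers():
    """{(y, y+1): tte(y) / tte(y+1)}: how many times shorter mean TTE became each year."""
    years = sorted(PAGE_TTE)
    return {(a, b): tte_hours(a) / tte_hours(b) for a, b in zip(years, years[1:])}


def cumulative_reduction(first=2018, last=2026):
    """Overall factor by which mean TTE shrank between two table years."""
    return tte_hours(first) / tte_hours(last)


def trimmed_mean(values, proportion=0.10):
    """Sort, drop floor(proportion * n) values from each tail, average the rest.

    Assumed to be what the clock means by '10% trimmed'. Trimming keeps a few very
    late exploits (and a few same-day zero-days) from dominating the yearly mean.
    """
    vals = sorted(values)
    if not vals:
        raise ValueError("trimmed_mean of empty sequence")
    k = floor(proportion * len(vals))
    return mean(vals[k:len(vals) - k])


# Constructed sample: (placeholder id, disclosure date, first confirmed exploitation).
SAMPLE_PAIRS = [
    ("CVE-2024-0001", date(2024, 1, 10), date(2024, 1, 10)),  # 0 days, same-day
    ("CVE-2024-0002", date(2024, 2, 1), date(2024, 2, 4)),    # 3
    ("CVE-2024-0003", date(2024, 2, 20), date(2024, 2, 25)),  # 5
    ("CVE-2024-0004", date(2024, 3, 5), date(2024, 3, 12)),   # 7
    ("CVE-2024-0005", date(2024, 4, 1), date(2024, 4, 11)),   # 10
    ("CVE-2024-0006", date(2024, 5, 1), date(2024, 5, 15)),   # 14
    ("CVE-2024-0007", date(2024, 6, 1), date(2024, 6, 22)),   # 21
    ("CVE-2024-0008", date(2024, 7, 1), date(2024, 7, 31)),   # 30
    ("CVE-2024-0009", date(2024, 8, 1), date(2024, 9, 15)),   # 45
    ("CVE-2024-0010", date(2024, 1, 5), date(2025, 2, 8)),    # 400, the outlier the trim drops
    ("CVE-2026-0001", date(2026, 1, 15), date(2026, 1, 15)),  # 0
    ("CVE-2026-0002", date(2026, 2, 3), date(2026, 2, 4)),    # 1
    ("CVE-2026-0003", date(2026, 2, 20), date(2026, 2, 22)),  # 2
]


def tte_by_year(pairs):
    """Group TTE in days by CVE disclosure year."""
    by_year = {}
    for _cve, disclosed, exploited in pairs:
        by_year.setdefault(disclosed.year, []).append((exploited - disclosed).days)
    return by_year


def trimmed_mean_by_year(pairs, proportion=0.10):
    """Per-year trimmed-mean TTE in days, the statistic the table reports."""
    return {y: trimmed_mean(v, proportion) for y, v in tte_by_year(pairs).items()}


def max_observable_tte_days(disclosure_year, cutoff):
    """Right-censoring bound: with the dataset cut at `cutoff`, no CVE disclosed in
    `disclosure_year` can show a TTE longer than this many days (Jan 1 disclosure,
    worst case), so long-TTE pairs for that year simply cannot be in the sample yet."""
    return (cutoff - date(disclosure_year, 1, 1)).days


if __name__ == "__main__":
    for (a, b), m in yoy_multipliers().items():
        print(f"{a}->{b}: {m:.1f}x shorter")
    print(f"2018->2026: {cumulative_reduction():.0f}x")
    print("raw mean 2024 (sample):", mean(tte_by_year(SAMPLE_PAIRS)[2024]))
    print("trimmed means by year (sample):", trimmed_mean_by_year(SAMPLE_PAIRS))
    print("max observable TTE for 2026 CVEs at cutoff:",
          max_observable_tte_days(2026, ASSUMED_CUTOFF), "days")
```

On the constructed 2024 sample the raw mean is 53.5 days but the trimmed mean is 16.9 days, because a single 400-day outlier is dropped; that is why the clock reports a trimmed statistic. The censoring bound is the check to run before reading the trailing year: at an early-March cutoff no 2026 CVE can have more than about two months of observable TTE, whatever the true distribution looks like.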
Caveat (Per the Mythos-Ready Briefing)
“It is worth noting that the historical collapse in time-to-exploit has not yet produced a proportional increase in the impact of exploitation. Many of the most consequential incidents of recent years involved credential abuse, social engineering, or supply chain compromise rather than zero-day exploitation. The Zero Day Clock trend is a leading indicator of where attacker capability is heading, not a direct measure of current damage.” — Mythos-ready briefing, Appendix A
This is the honest qualifier. The clock measures where attacker capability is heading, not the damage being done now. Current damage is still dominated by credential abuse, social engineering and supply-chain compromise. The thesis is that AI-driven capability eventually flows into the impact channel; the clock is the leading indicator of when.
Relationship to Existing Wiki Concepts
- Quantitative anchor for SDLC in the AI-Attacker Era thesis — the “window of exposure has collapsed” claim has historically been argued via CrowdStrike CTO quotes and Mythos disclosure anecdotes. The Zero Day Clock is the empirical anchor.
- Quantitative anchor for the Mythos-ready playbook — Risk #1 (Accelerated Threat Exploitation) and Risk #9 (Continuous Vulnerability Management Maturity Gap) both rest on this curve.
- Operational motivator for VulnOps — if mean TTE is 9 hours, periodic vulnerability management (quarterly pen test + patch-as-CVE-arrives) is structurally outmatched. VulnOps is the continuous response to a continuous-discovery / continuous-exploitation environment.
- Cross-references [[unprompted-conference-march-2026|the [un]prompted Conference]] — Sergej Epp also gave the talk "8 Minutes to Admin. We Caught It in the Wild" at [un]prompted (March 3-4, 2026) on a real AWS admin compromise reached in 8 minutes: a real-world instance of the curve manifesting as a concrete incident.
Adjacent / Open
- Source-set composition and censoring: CISA KEV + VulnCheck KEV + XDB is an observation-biased sample (vulnerabilities confirmed exploited and catalogued, not vulnerabilities that are exploitable but have not been observed). Two effects pull in opposite directions: catalogue lag (exploitation confirmed well after it began) inflates measured TTE, while exploitation that is never observed is absent entirely, so the curve may understate AI-driven discovery if discovery outpaces KEV listing. The most recent years are also right-censored: a CVE disclosed in 2026 cannot yet show a TTE longer than the data cutoff allows (a few weeks for a dataset cut at the March 2026 launch), so long-TTE pairs for 2025 and 2026 have not had time to appear and, unless the clock corrects for this, the trailing means are biased low. The 9-hour figure should be read with that in mind.
- TTE for AI-discovered vulnerabilities specifically — the Mozilla-via-Mythos finding (271 vulns; 3 warranted CVEs) suggests that most AI-discovered vulnerabilities are never assigned CVEs, so a TTE built on CVE-exploit pairs sees only the CVE-bearing fraction of AI-driven discovery and is at best a lower-bound estimate of the true discovery-to-exploit pace.
- 2027 projection — neither the briefing nor the clock projects 2027. If the trend continues at the 2025→2026 multiplier (~60×), 2027 TTE would be measured in minutes; if the curve plateaus at 9 hours, it stabilizes as a same-day floor. Both scenarios warrant separate operational responses.