Zero Day Clock
The Zero Day Clock is a data-and-visualization instrument that tracks Time-to-Exploit (TTE) — the gap between CVE disclosure and first observed exploitation — across time. It was launched at the Unprompted Conference in March 2026 by Sergej Epp (CISO, Sysdig) and collaborators, and is published at zerodayclock.com. The underlying dataset is a live, growing set of CVE-exploit pairs drawn from CISA KEV, VulnCheck KEV, and XDB.1
The Data
The Zero Day Clock reports the median time-to-exploit by year. The series begins in 2018 and shows a near-exponential collapse:2
| Year | Median TTE | Note |
|---|---|---|
| 2018 | 771 days | Series begins; over two years from disclosure to first observed exploit |
| 2021 | 84 days | ~9× compression in three years; Log4Shell exploited within hours of disclosure |
| 2023 | 6.36 days | ~40% of exploited flaws were zero-days; over 44% exploited within 24 hours |
| 2024 | 4 hours | — |
| 2025 | zero-day | Median exploitation now occurs on or before disclosure |
| 2026 | zero-day | Sustained |
From 771 days in 2018 to a median of zero days by 2025, the window of exposure has effectively closed. For the median exploited vulnerability, the exploit now arrives on or before the public advisory.2
Correction (2026-05-25): the prior figures did not match the primary source
An earlier version of this page carried a year-by-year table labelled “Mean TTE (10% trimmed)” running 2.3 years (2018) → 56 days (2024) → 23.2 days (2025) → 9 hours (2026). Those values are not found in the primary Zero Day Clock or in the Mythos-ready briefing the wiki cited for them. The briefing states only that time-to-exploit is “now under one day in 2026” and reproduces a clock diagram; it contains no year-by-year figures and no “9 hours.” The live Zero Day Clock reports a median (not a trimmed mean): 771 days in 2018, 4 hours in 2024, zero-day in 2025–2026. The fabricated mean table and the “9 hours” figure have been removed here and on the dependent pages (VulnOps, SDLC in the AI-Attacker Era, Mythos-ready briefing, Mythos-ready playbook, Sergej Epp, and the homepage), which now follow zerodayclock.com/collapse.
The Exposure Arithmetic
The clock frames the current state as a structural inversion. An exploit is created within an hour of a patch or advisory; attacks begin within 24 hours; the median organization needs about 20 days to test and deploy the same patch. By that arithmetic an organization is exposed for roughly 99.9% of the vulnerability lifecycle, and monthly patch cycles offer little protection.3 The act of fixing a vulnerability accelerates its exploitation: AI can reverse-engineer a patch into a working exploit in minutes, a restatement of the decades-old observation that the patch is the advisory.2
What the Curve Does and Does Not Measure
Caveat, per the Mythos-ready briefing
“It is worth noting that the historical collapse in time-to-exploit has not yet produced a proportional increase in the impact of exploitation. Many of the most consequential incidents of recent years involved credential abuse, social engineering, or supply chain compromise rather than zero-day exploitation. The Zero Day Clock trend is a leading indicator of where attacker capability is heading, not a direct measure of current damage.” — Mythos-ready briefing, Appendix A
The clock measures where attacker capability is heading, not present-day damage. Current losses are still dominated by credential abuse, social engineering, and supply chain compromise. The argument is that AI-driven capability eventually flows into the impact channel; the clock is the leading indicator of when.
Two further caveats bound the reading:
- Defender-biased sample. CISA KEV + VulnCheck KEV + XDB captures vulnerabilities observed exploited, not vulnerabilities that could be exploited but have not been seen yet. If AI-driven discovery outruns KEV listing, the curve understates the true pace.
- CVE-exploit pairs miss un-cataloged AI findings. The Mozilla-via-Mythos finding (271 vulnerabilities, 3 warranted CVEs) indicates that most AI-discovered vulnerabilities are never assigned CVEs, which makes any CVE-based TTE a lower bound on AI-driven discovery-to-exploit pace. Anthropic’s Glasswing update confirms the 271 figure directly (Firefox 150, more than ten times the Firefox 148 count under Opus 4.6).
Why the Collapse Matters Operationally
- It is the empirical basis for the window-of-exposure argument in the SDLC in the AI-Attacker Era thesis and Risk #1 / Risk #9 of the Mythos-ready playbook. The same claim was previously argued through vendor executive quotes; the clock supplies measured figures.
- It is the motivation for VulnOps. When the median exploit arrives on or before disclosure, periodic vulnerability management — a quarterly pen test plus patch-as-CVE-arrives — is structurally outmatched. VulnOps is the continuous response to a continuous-discovery, continuous-exploitation environment.
- It pairs with the remediation-side lag. The clock measures attacker-side TTE; the Glasswing funnel (6,202 estimated high/critical found, 75 patched) measures defender-side discovery-to-patch lag. The two curves define the window of exposure, and they are diverging — the operational case for VulnOps. As Glasswing puts it, the constraint has moved from finding vulnerabilities to verifying, disclosing, and patching them.
- MOAK supplies the mechanism. MOAK’s five-agent pipeline autonomously exploits 174 of 178 CISA KEVs (97.8%) within hours of disclosure, with Claude Opus 4.6 reaching 98% on post-knowledge-cutoff KEVs. The clock documents that exploitation now precedes or coincides with disclosure; MOAK demonstrates how — no human bottleneck in the exploit-derivation loop.
Corroborating the trend from outside the clock’s own dataset: VulnCheck reported that, of 159 vulnerabilities first observed exploited in Q1 2025, 28.3% had exploitation evidence within a day of disclosure — nearly one in three.4 Rapid7’s 2026 Cyber Threat Landscape Report, on a separate dataset, found confirmed exploitation of newly disclosed high/critical vulnerabilities up 105% year over year (to 146 in 2025) and mean time-to-exploit down from 61.0 to 28.5 days.5 The Rapid7 figure is a mean and the clock’s is a median; the gap is expected, because a near-zero median with a multi-week mean describes a right-skewed distribution — most exploited flaws are weaponized at or before disclosure, while a slow-exploited tail lifts the mean.
On the remediation side, the Qualys 2026 benchmark puts the mean time to remediation for the most-delayed complex applications (Java, .NET, Citrix) at 5 months and 10 days, even as roughly 40 million of 150 million deployed patches now ship autonomously.6 The attacker-side and defender-side curves are moving in opposite directions.
Call to Action — Ten Demands
The Zero Day Clock pairs its data with a ten-point policy agenda, each attributed to a named proponent:7
- Hold the makers accountable — software-vendor liability for shipping insecure products (Jen Easterly; Bruce Schneier).
- Build security into the platform — “shift down,” so applications inherit secure defaults from frameworks and infrastructure (Phil Venables).
- Stop patching, start rebuilding — distributed, immutable, ephemeral systems, the DIE triad (Sounil Yu; Heather Adkins).
- Eliminate the root cause — memory-safe languages for new critical code; approximately 70% of critical flaws in large C/C++ codebases are memory-safety bugs (Mark Russinovich).8
- Open-source the defense — make AI defensive tooling free to every defender, not only those who can afford six-figure contracts (Daniel Miessler; Loris Degioanni).
- Regulation for machine speed — safe harbors and pre-authorized response for autonomous defense, instead of quarterly-audit assumptions (Rob T. Lee).
- Bridge the gap between hackers and policy (Jeff Moss).
- Zero trust everywhere (John Kindervag).
- Treat cyber as statecraft.
- Fund the defense.
Notes
Sources
Footnotes
-
Zero Day Clock — Explorer, Sysdig and collaborators, 2026. Live dataset of CVE-exploit pairs sourced from CISA KEV, VulnCheck KEV, and XDB. The explorer is a JavaScript-rendered live counter; the exact pair count is not readable from a static fetch (early-2026 secondary analyses cite figures around 3,500). ↩
-
The Collapse — Zero Day Clock, 2026. Median TTE by year: 771 days (2018), 84 days (2021), 6.36 days (2023), 4 hours (2024), zero-day (2025–2026); ~40% of 2023 exploited flaws were zero-days and over 44% exploited within 24 hours. Local copy:
.raw/articles/zero-day-clock-the-collapse-2026-05-25.md. ↩ ↩2 ↩3 -
The Collapse — Zero Day Clock, 2026, “The Math” section. Exploit created in under one hour; attacks begin within 24 hours; median patch time approximately 20 days; organizations exposed for roughly 99.9% of the vulnerability lifecycle. ↩
-
VulnCheck — 2025 Q1 Trends in Vulnerability Exploitation, Patrick Garrity, April 2025. Of 159 vulnerabilities first reported exploited in the wild in Q1 2025, 28.3% had exploitation evidence within one day of CVE publication. See VulnCheck Q1 2025 exploitation trends. ↩
-
Rapid7 — 2026 Cyber Threat Landscape Report, 2026, as reported by CSO Online. Confirmed exploitation of newly disclosed high/critical vulnerabilities rose to 146 in 2025 from 71 in 2024 (+105%); mean time-to-exploit fell from 61.0 to 28.5 days. ↩
-
Qualys — Enterprise Patch & Remediation Benchmark 2026, April 2026. Mean time to remediation for the most-delayed complex applications (Java, .NET, Citrix) of 5 months 10 days; about 40 million of roughly 150 million deployed patches were autonomous (no human in the loop). See Qualys Patch & Remediation Benchmark 2026. ↩
-
Call to Action — Zero Day Clock, 2026. Ten demands with named proponents (Easterly, Schneier, Venables, Yu, Adkins, Russinovich, Miessler, Degioanni, Lee, Moss, Kindervag). Local copy:
.raw/articles/zero-day-clock-call-to-action-2026-05-25.md. ↩ -
Call to Action — Zero Day Clock, 2026, citing the 2024 White House ONCD report “Back to the Building Blocks.” Approximately 70% of critical vulnerabilities in large C/C++ codebases are memory-safety bugs. ↩