Zero Day Clock

The Zero Day Clock is a data-and-visualization instrument that tracks Time-to-Exploit (TTE) — the gap between CVE disclosure and first observed exploitation — across time. It was launched at the Unprompted Conference in March 2026 by Sergej Epp (CISO, Sysdig) and collaborators, and is published at zerodayclock.com. The underlying dataset is a live, growing set of CVE-exploit pairs drawn from CISA KEV, VulnCheck KEV, and XDB.1

The Data

The Zero Day Clock reports the median time-to-exploit by year. The series begins in 2018 and shows a near-exponential collapse:2

YearMedian TTENote
2018771 daysSeries begins; over two years from disclosure to first observed exploit
202184 days~9× compression in three years; Log4Shell exploited within hours of disclosure
20236.36 days~40% of exploited flaws were zero-days; over 44% exploited within 24 hours
20244 hours
2025zero-dayMedian exploitation now occurs on or before disclosure
2026zero-daySustained

From 771 days in 2018 to a median of zero days by 2025, the window of exposure has effectively closed. For the median exploited vulnerability, the exploit now arrives on or before the public advisory.2

Correction (2026-05-25): the prior figures did not match the primary source

An earlier version of this page carried a year-by-year table labelled “Mean TTE (10% trimmed)” running 2.3 years (2018) → 56 days (2024) → 23.2 days (2025) → 9 hours (2026). Those values are not found in the primary Zero Day Clock or in the Mythos-ready briefing the wiki cited for them. The briefing states only that time-to-exploit is “now under one day in 2026” and reproduces a clock diagram; it contains no year-by-year figures and no “9 hours.” The live Zero Day Clock reports a median (not a trimmed mean): 771 days in 2018, 4 hours in 2024, zero-day in 2025–2026. The fabricated mean table and the “9 hours” figure have been removed here and on the dependent pages (VulnOps, SDLC in the AI-Attacker Era, Mythos-ready briefing, Mythos-ready playbook, Sergej Epp, and the homepage), which now follow zerodayclock.com/collapse.

The Exposure Arithmetic

The clock frames the current state as a structural inversion. An exploit is created within an hour of a patch or advisory; attacks begin within 24 hours; the median organization needs about 20 days to test and deploy the same patch. By that arithmetic an organization is exposed for roughly 99.9% of the vulnerability lifecycle, and monthly patch cycles offer little protection.3 The act of fixing a vulnerability accelerates its exploitation: AI can reverse-engineer a patch into a working exploit in minutes, a restatement of the decades-old observation that the patch is the advisory.2

What the Curve Does and Does Not Measure

Caveat, per the Mythos-ready briefing

“It is worth noting that the historical collapse in time-to-exploit has not yet produced a proportional increase in the impact of exploitation. Many of the most consequential incidents of recent years involved credential abuse, social engineering, or supply chain compromise rather than zero-day exploitation. The Zero Day Clock trend is a leading indicator of where attacker capability is heading, not a direct measure of current damage.” — Mythos-ready briefing, Appendix A

The clock measures where attacker capability is heading, not present-day damage. Current losses are still dominated by credential abuse, social engineering, and supply chain compromise. The argument is that AI-driven capability eventually flows into the impact channel; the clock is the leading indicator of when.

Two further caveats bound the reading:

  • Defender-biased sample. CISA KEV + VulnCheck KEV + XDB captures vulnerabilities observed exploited, not vulnerabilities that could be exploited but have not been seen yet. If AI-driven discovery outruns KEV listing, the curve understates the true pace.
  • CVE-exploit pairs miss un-cataloged AI findings. The Mozilla-via-Mythos finding (271 vulnerabilities, 3 warranted CVEs) indicates that most AI-discovered vulnerabilities are never assigned CVEs, which makes any CVE-based TTE a lower bound on AI-driven discovery-to-exploit pace. Anthropic’s Glasswing update confirms the 271 figure directly (Firefox 150, more than ten times the Firefox 148 count under Opus 4.6).

Why the Collapse Matters Operationally

  • It is the empirical basis for the window-of-exposure argument in the SDLC in the AI-Attacker Era thesis and Risk #1 / Risk #9 of the Mythos-ready playbook. The same claim was previously argued through vendor executive quotes; the clock supplies measured figures.
  • It is the motivation for VulnOps. When the median exploit arrives on or before disclosure, periodic vulnerability management — a quarterly pen test plus patch-as-CVE-arrives — is structurally outmatched. VulnOps is the continuous response to a continuous-discovery, continuous-exploitation environment.
  • It pairs with the remediation-side lag. The clock measures attacker-side TTE; the Glasswing funnel (6,202 estimated high/critical found, 75 patched) measures defender-side discovery-to-patch lag. The two curves define the window of exposure, and they are diverging — the operational case for VulnOps. As Glasswing puts it, the constraint has moved from finding vulnerabilities to verifying, disclosing, and patching them.
  • MOAK supplies the mechanism. MOAK’s five-agent pipeline autonomously exploits 174 of 178 CISA KEVs (97.8%) within hours of disclosure, with Claude Opus 4.6 reaching 98% on post-knowledge-cutoff KEVs. The clock documents that exploitation now precedes or coincides with disclosure; MOAK demonstrates how — no human bottleneck in the exploit-derivation loop.

Corroborating the trend from outside the clock’s own dataset: VulnCheck reported that, of 159 vulnerabilities first observed exploited in Q1 2025, 28.3% had exploitation evidence within a day of disclosure — nearly one in three.4 Rapid7’s 2026 Cyber Threat Landscape Report, on a separate dataset, found confirmed exploitation of newly disclosed high/critical vulnerabilities up 105% year over year (to 146 in 2025) and mean time-to-exploit down from 61.0 to 28.5 days.5 The Rapid7 figure is a mean and the clock’s is a median; the gap is expected, because a near-zero median with a multi-week mean describes a right-skewed distribution — most exploited flaws are weaponized at or before disclosure, while a slow-exploited tail lifts the mean.

On the remediation side, the Qualys 2026 benchmark puts the mean time to remediation for the most-delayed complex applications (Java, .NET, Citrix) at 5 months and 10 days, even as roughly 40 million of 150 million deployed patches now ship autonomously.6 The attacker-side and defender-side curves are moving in opposite directions.

Call to Action — Ten Demands

The Zero Day Clock pairs its data with a ten-point policy agenda, each attributed to a named proponent:7

  1. Hold the makers accountable — software-vendor liability for shipping insecure products (Jen Easterly; Bruce Schneier).
  2. Build security into the platform — “shift down,” so applications inherit secure defaults from frameworks and infrastructure (Phil Venables).
  3. Stop patching, start rebuilding — distributed, immutable, ephemeral systems, the DIE triad (Sounil Yu; Heather Adkins).
  4. Eliminate the root cause — memory-safe languages for new critical code; approximately 70% of critical flaws in large C/C++ codebases are memory-safety bugs (Mark Russinovich).8
  5. Open-source the defense — make AI defensive tooling free to every defender, not only those who can afford six-figure contracts (Daniel Miessler; Loris Degioanni).
  6. Regulation for machine speed — safe harbors and pre-authorized response for autonomous defense, instead of quarterly-audit assumptions (Rob T. Lee).
  7. Bridge the gap between hackers and policy (Jeff Moss).
  8. Zero trust everywhere (John Kindervag).
  9. Treat cyber as statecraft.
  10. Fund the defense.

Notes

Sources

Footnotes

  1. Zero Day Clock — Explorer, Sysdig and collaborators, 2026. Live dataset of CVE-exploit pairs sourced from CISA KEV, VulnCheck KEV, and XDB. The explorer is a JavaScript-rendered live counter; the exact pair count is not readable from a static fetch (early-2026 secondary analyses cite figures around 3,500).

  2. The Collapse — Zero Day Clock, 2026. Median TTE by year: 771 days (2018), 84 days (2021), 6.36 days (2023), 4 hours (2024), zero-day (2025–2026); ~40% of 2023 exploited flaws were zero-days and over 44% exploited within 24 hours. Local copy: .raw/articles/zero-day-clock-the-collapse-2026-05-25.md. 2 3

  3. The Collapse — Zero Day Clock, 2026, “The Math” section. Exploit created in under one hour; attacks begin within 24 hours; median patch time approximately 20 days; organizations exposed for roughly 99.9% of the vulnerability lifecycle.

  4. VulnCheck — 2025 Q1 Trends in Vulnerability Exploitation, Patrick Garrity, April 2025. Of 159 vulnerabilities first reported exploited in the wild in Q1 2025, 28.3% had exploitation evidence within one day of CVE publication. See VulnCheck Q1 2025 exploitation trends.

  5. Rapid7 — 2026 Cyber Threat Landscape Report, 2026, as reported by CSO Online. Confirmed exploitation of newly disclosed high/critical vulnerabilities rose to 146 in 2025 from 71 in 2024 (+105%); mean time-to-exploit fell from 61.0 to 28.5 days.

  6. Qualys — Enterprise Patch & Remediation Benchmark 2026, April 2026. Mean time to remediation for the most-delayed complex applications (Java, .NET, Citrix) of 5 months 10 days; about 40 million of roughly 150 million deployed patches were autonomous (no human in the loop). See Qualys Patch & Remediation Benchmark 2026.

  7. Call to Action — Zero Day Clock, 2026. Ten demands with named proponents (Easterly, Schneier, Venables, Yu, Adkins, Russinovich, Miessler, Degioanni, Lee, Moss, Kindervag). Local copy: .raw/articles/zero-day-clock-call-to-action-2026-05-25.md.

  8. Call to Action — Zero Day Clock, 2026, citing the 2024 White House ONCD report “Back to the Building Blocks.” Approximately 70% of critical vulnerabilities in large C/C++ codebases are memory-safety bugs.