Mandiant: 28% of CVEs Exploited Within 24 Hours of Disclosure
M-Trends 2026 reveals attackers now outpace patches, with AI accelerating exploitation and ransomware handoffs dropping to 22 seconds. Defenders are losing ground.
Mandiant's annual M-Trends report delivers a sobering assessment of the threat landscape: attackers are now exploiting vulnerabilities faster than organizations can patch them, with AI tools accelerating every phase of the attack chain.
Drawing on more than 500,000 hours of incident response work conducted in 2025, the M-Trends 2026 report documents what researchers call a fundamental shift in attacker-defender dynamics. The headline finding: 28.3% of CVEs are now exploited within 24 hours of public disclosure.
"Time-to-exploit has effectively gone negative," Mandiant analysts wrote. "Exploits are now routinely arriving before patches."
The 22-Second Handoff
Perhaps the most alarming metric in this year's report concerns ransomware operations. Mandiant documented what they term the "22-Second Handoff" — the average time elapsed between an initial access broker gaining network entry and a ransomware affiliate beginning encryption.
Twenty-two seconds. Not hours, not days. Seconds.
This acceleration reflects the industrialization of cybercrime. Initial access brokers specialize in breaching networks and immediately auction that access to ransomware operators. The handoff has become so automated that encryption can begin before security teams even detect the initial compromise.
For organizations still running legacy incident response playbooks designed around hours or days of attacker dwell time, this represents a fundamental capability gap. By the time traditional detection and response processes engage, the damage may already be done. Our ransomware defense guide covers prevention strategies that don't rely on detecting attackers mid-breach.
The Patch Gap
While attackers accelerate, defenders haven't kept pace. According to supplemental data from the Edgescan 2025 Vulnerability Statistics Report cited in the analysis, organizations take an average of 74 days to remediate known high- or critical-severity vulnerabilities.
Seventy-four days to fix critical bugs. Attackers need twenty-four hours to exploit them.
The math is brutal. And it gets worse: 45% of vulnerabilities in systems maintained by large enterprises (1,000+ employees) never get remediated at all. These aren't obscure edge cases — they're known, exploitable weaknesses that simply fall through the cracks of patch management programs overwhelmed by volume.
We've seen this dynamic play out repeatedly in recent CISA KEV additions, where federal agencies receive mandatory patching deadlines measured in weeks for vulnerabilities already under active exploitation.
AI's Role in the Attack Chain
The M-Trends report documents threat actors incorporating AI tools across multiple attack phases. This isn't theoretical — Mandiant investigated specific incidents where AI capabilities proved decisive.
One case involved a supply chain compromise deploying the QUIETVAULT credential stealer. The malware checks compromised systems for AI command-line tools and, if found, executes prompts designed to locate configuration files and harvest developer tokens. Attackers are literally using victims' own AI tools against them.
Other malware families, including variants Mandiant tracks as PROMPTFLUX and PROMPTSTEAL, actively query large language models during execution to support evasion. The malware uses AI to modify its behavior in response to the environment it encounters.
Beyond technical exploitation, state-sponsored and financially motivated actors are using LLMs to shift from mass email campaigns toward personalized, rapport-building social engineering. The pig butchering scam operations dismantled in Operation First Light demonstrate how effective patient, personalized manipulation can be — AI makes those techniques scalable.
Exploits Remain the Top Entry Point
For the sixth consecutive year, exploits remain the leading initial access vector for attackers. This finding reinforces a difficult truth: perimeter security still matters, and organizations continue to struggle with vulnerability management fundamentals.
The concentration of successful attacks through known vulnerabilities suggests that despite years of industry investment in detection and response capabilities, basic security hygiene remains the primary failure point for most organizations.
Recent critical vulnerabilities like MOVEit Automation CVE-2026-4670 and the cPanel authentication bypass that enabled the Sorry ransomware campaign demonstrate how quickly adversaries weaponize public disclosures.
What This Means for Defenders
The M-Trends findings don't suggest defenders should abandon current approaches — they suggest those approaches need to execute faster and with better prioritization.
Practical implications include:
- Rethink patching timelines — Critical and high-severity vulnerabilities need remediation measured in hours, not weeks
- Assume compromise — Design detection strategies around finding attackers already inside, not just preventing initial access
- Automate response — Twenty-two seconds doesn't leave time for human decision-making; automated containment must be part of the response chain
- Focus on AI tool security — Development environments with AI tooling are now attack targets themselves
- Track the KEV — CISA's Known Exploited Vulnerabilities catalog represents the minimum priority list for patching
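One way to put the last two points into practice is to triage scanner findings against the KEV catalog with remediation SLAs expressed in hours. The script below is an added example, not code from Mandiant or CISA: the feed excerpt is constructed in the shape of CISA's KEV JSON (real field names, placeholder CVE IDs), the findings are constructed, and the SLA values are assumptions.

```python
"""KEV-driven patch triage: added example, not Mandiant's or CISA's code."""
import json
from datetime import datetime

# Constructed excerpt in the shape of CISA's KEV JSON feed; CVE IDs are placeholders.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-04-28", "dueDate": "2026-05-19",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2026-04-30", "dueDate": "2026-05-21",
   "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Constructed scanner output: (cve, asset, severity, first_seen as ISO-8601 timestamp).
FINDINGS = [
    ("CVE-0000-0001", "web-01", "critical", "2026-04-28T09:00:00+00:00"),
    ("CVE-0000-0002", "vpn-01", "high", "2026-05-01T12:00:00+00:00"),
    ("CVE-0000-0003", "db-02", "critical", "2026-03-01T00:00:00+00:00"),
    ("CVE-0000-0004", "build-07", "medium", "2026-04-01T00:00:00+00:00"),
]

# Assumed internal SLAs in hours; KEV entries get the 24-hour window the report describes.
SLA_HOURS = {"kev": 24, "critical": 72, "high": 168}

def kev_index(feed):
    """Map cveID -> KEV entry for O(1) lookup."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def triage(findings, feed, now_iso):
    """Rank findings: KEV with ransomware use, KEV, critical, then the rest."""
    now = datetime.fromisoformat(now_iso)
    kev = kev_index(feed)
    rows = []
    for cve, asset, severity, first_seen in findings:
        age_h = (now - datetime.fromisoformat(first_seen)).total_seconds() / 3600
        entry = kev.get(cve)
        if entry:
            sla = SLA_HOURS["kev"]
            tier = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
        else:
            sla = SLA_HOURS.get(severity)  # None means no hard deadline
            tier = 2 if severity == "critical" else 3
        overdue = sla is not None and age_h > sla
        rows.append({"cve": cve, "asset": asset, "tier": tier,
                     "age_h": round(age_h), "sla_h": sla, "overdue": overdue})
    # Lowest tier first; within a tier, the longest exposure first.
    return sorted(rows, key=lambda r: (r["tier"], -r["age_h"]))

if __name__ == "__main__":
    for row in triage(FINDINGS, KEV_FEED, "2026-05-02T12:00:00+00:00"):
        print(row)
```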
Frequently Asked Questions
Does this mean patching is pointless?
No. Patching still eliminates risk for vulnerabilities that haven't been exploited yet. The data shows attackers prioritize — not every CVE gets weaponized within 24 hours. But the most critical flaws do, which means patch prioritization and speed matter more than ever.
How are threat actors using AI in attacks?
Mandiant documented AI use in malware evasion (adjusting behavior based on environment), credential harvesting (finding API keys and tokens), and social engineering (generating personalized phishing content at scale). The QUIETVAULT malware explicitly searches for AI tooling on compromised systems.
What's an initial access broker?
Initial access brokers (IABs) are cybercriminals who specialize in breaching networks and selling that access to other threat actors, typically ransomware operators. This specialization has made the attack ecosystem more efficient — and the 22-second handoff metric shows just how efficient.