SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
Qualys warns exploitation is outpacing manual patching

Wed, 8th Apr 2026
Sean Mitchell, Publisher

Qualys has published research suggesting exploitation is now outpacing manual vulnerability remediation. The study draws on more than one billion remediation records from more than 10,000 organisations.

The findings come from the company's Threat Research Unit, which examined records linked to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue from 2022 to 2025. The analysis indicates a widening gap between how quickly attackers act and how quickly defenders can close vulnerabilities.

According to the research, the number of closed vulnerability events rose 6.5-fold over four years, from about 73 million in 2022 to 473 million in 2025. That increase points to a structural limit in remediation efforts, even as organisations process more tickets and devote more staff and management attention to patching.

The report argues that one of the clearest signs of this shift is the collapse in average time-to-exploit to negative one day. In practice, that means some vulnerabilities are exploited before they are publicly disclosed and before patches are available.

This pattern weakens the value of traditional patching metrics such as mean time to remediate (MTTR), because those metrics are usually measured from disclosure rather than from the start of exploitation. Qualys instead highlights what it calls Average Window of Exposure, which measures the period from exploitation to remediation.

Using that measure, the research found that 85% of vulnerable assets remained unpatched at the point of disclosure. It found that 33% were still open after 21 days and 12% remained exposed after 90 days.
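To make the distinction concrete, here is an added illustration (not code from the Qualys report or the article) that computes disclosure-anchored MTTR next to the exploitation-anchored window of exposure, plus the share of assets still open at disclosure and after 21 and 90 days, over a few constructed asset records with hypothetical CVE labels:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

@dataclass
class AssetRecord:
    """One asset/CVE pair: disclosure, first observed exploitation (None if never),
    and the date this asset was patched (None if still open)."""
    cve: str
    disclosed: date
    exploited: Optional[date]
    remediated: Optional[date]

# Constructed sample records with hypothetical CVE labels, not data from the report.
AS_OF = date(2025, 12, 31)
RECORDS = [
    AssetRecord("CVE-A", date(2025, 3, 10), date(2025, 3, 9), date(2025, 3, 20)),
    AssetRecord("CVE-A", date(2025, 3, 10), date(2025, 3, 9), None),
    AssetRecord("CVE-B", date(2025, 6, 1), date(2025, 6, 15), date(2025, 6, 1)),
    AssetRecord("CVE-C", date(2025, 8, 5), None, date(2025, 9, 30)),
    AssetRecord("CVE-D", date(2025, 12, 20), date(2025, 12, 18), None),
]

def average_time_to_exploit(records):
    """Days from disclosure to first exploitation, one value per CVE; negative means
    the flaw was exploited before it was disclosed."""
    per_cve = {r.cve: (r.exploited - r.disclosed).days for r in records if r.exploited}
    return mean(per_cve.values())

def mttr_days(records):
    """Disclosure-anchored mean time to remediate. It ignores when exploitation began
    and drops still-open assets, which is why it understates real exposure."""
    return mean((r.remediated - r.disclosed).days for r in records if r.remediated)

def average_window_of_exposure(records, as_of):
    """Exploitation-anchored metric: first exploitation to remediation, with still-open
    assets counted up to as_of and assets patched before exploitation counted as zero."""
    return mean(max(0, ((r.remediated or as_of) - r.exploited).days)
                for r in records if r.exploited)

def share_open_after(records, days, as_of):
    """Fraction of assets still unpatched `days` after disclosure (0 = at disclosure).
    Assets whose cutoff lies beyond as_of are not yet observable and are excluded."""
    total = still_open = 0
    for r in records:
        cutoff = r.disclosed + timedelta(days=days)
        if cutoff <= as_of:
            total += 1
            still_open += r.remediated is None or r.remediated > cutoff
    return still_open / total
```

On these records MTTR reports 22 days while the window of exposure is over 80 days, because the still-open assets and the pre-disclosure exploitation only show up in the second metric.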

Manual limits

The report also found that manual remediation is failing to keep pace despite a higher volume of tickets being processed. In 2025, teams still had 63% of critical vulnerabilities open after seven days, compared with 56% in 2022.

The study said this reflects worsening outcomes even as remediation activity grows. Qualys argues that the problem is not simply resourcing, but the limits of human-led response as exploitation timelines continue to shrink.

Another part of the analysis focused on 52 actively weaponised vulnerabilities. Of those, half were exploited before public disclosure, while 88% were remediated more slowly than they were exploited. Manual processes also extended average closure times to four to five times the median.

Risk priorities

The research also sought to narrow the pool of vulnerabilities that pose the highest operational risk. Out of 48,172 vulnerabilities disclosed in 2025, it found that 357, or 0.74%, were both remotely exploitable and actively weaponised.

According to the report, that supports a more selective approach to prioritisation rather than broad patching programmes that treat all disclosed flaws as equally urgent. It also identified edge devices such as firewalls, virtual private network systems and gateways as carrying the highest strategic risk per vulnerability.

Sumedh Thakar, President and Chief Executive Officer at Qualys, said the findings point to a deeper architectural issue in security operations.

"In an era where adversaries increasingly operate at machine speed, any architecture that depends on human-speed response carries structural risk," Thakar said.

"The average Time-to-Exploit has collapsed to negative one day, with adversaries weaponising vulnerabilities before patches even exist. The mandate is clear: we must match autonomous offense with autonomous defense. This requires a foundational architectural shift away from reactive human triage and toward a Risk Operations Centre (ROC) that fuses embedded intelligence, deterministic confirmation of actual exploitability, and autonomous remediation into a single operational loop," Thakar added.

The study adds to a broader industry debate over how companies measure cyber exposure and whether common remediation targets still reflect real-world conditions. Security teams have long relied on severity rankings and disclosure-based service-level agreements, but faster exploitation cycles have raised questions about whether those methods capture the period of greatest risk.

For large organisations, the scale of the problem is compounded by the complexity of their estates. The report covered more than 10,000 organisations, suggesting the backlog problem is not limited to a narrow set of companies but is spread across large environments managing high volumes of software, devices and network infrastructure.

Saeed Abbasi, Head of the Qualys Threat Research Unit, said edge systems and trusted enterprise software are becoming more attractive targets. "Adversaries do not innovate; they repeat what works. The path of least resistance has shifted from the endpoint to the edge and from there, deeper into the enterprise software organisations implicitly trust - where the manual tax is highest and exposure windows are longest," Abbasi said.

"What is emerging now is not another platform shift. It is the first time the adversary itself is becoming autonomous. The defensive side must make the same transition - and this report measures the cost of every day the transition is delayed," Abbasi added.