Qualys report flags critical gap between threat speed and enterprise remediation

A new report by the Qualys Threat Research Unit, titled “The Broken Physics of Remediation”, highlights a fundamental shift in the cybersecurity landscape, where attackers are now exploiting vulnerabilities faster than enterprises can respond.

Drawing on more than one billion remediation records across 10,000 organisations, the study reveals that the average time-to-exploit (TTE) has dropped to -1 day, meaning vulnerabilities are often weaponised even before patches are released.

This inversion of timelines is creating a structural imbalance: 88% of critical vulnerabilities are remediated slower than they are exploited, underscoring the growing mismatch between attacker speed and defender response.

The report argues that traditional remediation models, built around manual workflows, ticketing systems, and Mean Time to Remediate (MTTR), are no longer sufficient in an era where adversaries operate at machine speed. Instead, enterprises are facing what the study terms a “human ceiling”, where even increased effort fails to keep pace with the scale and velocity of threats.

A key insight is the emergence of “risk mass”, a metric that measures cumulative exposure over time rather than just remediation speed. By factoring in how long vulnerabilities remain open across systems, the report shows that organisations may significantly underestimate their real risk exposure when relying solely on traditional metrics.

The findings also highlight inefficiencies in current prioritisation approaches. Although vulnerability management has evolved beyond basic severity scoring, fewer than 1% of disclosed vulnerabilities represent actively exploitable risk, which suggests that organisations often spend remediation effort on vulnerabilities with no evidence of exploitation while the small set that is actually being exploited stays open.
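The two points above, that cumulative exposure ("risk mass") can diverge from remediation speed, and that exploitation evidence rather than raw severity should drive prioritisation, can be seen in a small simulation. The script below is an added illustration, not code or a formula from the Qualys report: the report does not publish how it computes risk mass, so here it is assumed to be severity weight multiplied by days open, with an in-the-wild-exploitation flag weighting a finding five times more heavily while it remains open. The findings are constructed sample data, not real CVE records. Two remediation queues work through the same backlog at the same rate, so their MTTR is identical, yet the risk mass they accumulate differs substantially.

```python
"""Added example: MTTR versus a risk-mass style metric under two
prioritisation strategies. The risk-mass formula and the sample findings are
assumptions for illustration, not the Qualys report's own definitions."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One open vulnerability instance on one asset (constructed sample data)."""
    fid: str
    cvss: float                  # base severity score
    exploited: bool              # assumed flag: evidence of in-the-wild exploitation
    opened_day: int = 0
    closed_day: Optional[int] = None


EXPLOIT_MULTIPLIER = 5.0         # assumption: an exploited finding counts 5x while open


def weight(f: Finding) -> float:
    """Exposure contributed per day by an open finding."""
    return f.cvss * (EXPLOIT_MULTIPLIER if f.exploited else 1.0)


def days_open(f: Finding, horizon: int) -> int:
    """Days the finding has been open; still-open findings accrue up to the horizon."""
    end = horizon if f.closed_day is None else f.closed_day
    return max(0, end - f.opened_day)


def mttr(findings: List[Finding], horizon: int) -> float:
    """Classic metric: mean days from open to close over closed findings only."""
    closed = [f for f in findings if f.closed_day is not None]
    if not closed:
        return float("nan")
    return sum(days_open(f, horizon) for f in closed) / len(closed)


def risk_mass(findings: List[Finding], horizon: int) -> float:
    """Cumulative exposure: severity weight integrated over days open,
    counting findings that are still open at the horizon."""
    return sum(weight(f) * days_open(f, horizon) for f in findings)


def remediate(findings: List[Finding], priority: Callable[[Finding], object],
              fixes_per_day: int, horizon: int) -> List[Finding]:
    """Close `fixes_per_day` findings per day in descending `priority` order.
    A fix landing on day d means that finding was open for d days."""
    queue = sorted(findings, key=priority, reverse=True)
    out = []
    for idx, f in enumerate(queue):
        day = idx // fixes_per_day + 1
        out.append(replace(f, closed_day=day) if day <= horizon else f)
    return out


def severity_first(f: Finding):
    return f.cvss


def exploited_first(f: Finding):
    # Exploitation evidence dominates; severity only breaks ties.
    return (f.exploited, f.cvss)


# Constructed backlog: three high-CVSS findings with no exploitation evidence,
# two mid-severity findings that are actively exploited, one low finding.
SAMPLE = [
    Finding("A", 9.8, exploited=False),
    Finding("B", 9.1, exploited=False),
    Finding("C", 8.8, exploited=False),
    Finding("D", 7.5, exploited=True),
    Finding("E", 6.5, exploited=True),
    Finding("F", 5.3, exploited=False),
]


def compare(findings: List[Finding] = SAMPLE, fixes_per_day: int = 1,
            horizon: int = 10) -> dict:
    """Run both strategies on the same backlog and return MTTR and risk mass."""
    results = {}
    for name, prio in (("severity_first", severity_first),
                       ("exploited_first", exploited_first)):
        closed = remediate(findings, prio, fixes_per_day, horizon)
        results[name] = {
            "mttr": round(mttr(closed, horizon), 2),
            "risk_mass": round(risk_mass(closed, horizon), 1),
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:16s} MTTR={r['mttr']:.2f} days  risk_mass={r['risk_mass']:.1f}")
```

With one fix per day and a ten-day horizon, both queues close all six findings on days 1 to 6, so both report an MTTR of 3.5 days; the severity-first queue accumulates a risk mass of about 398.7 while the exploited-first queue accumulates about 244.1, because the two actively exploited findings stop accruing on days 1 and 2 instead of days 4 and 5. Shortening the horizon so the backlog is not cleared makes the gap relative, not absolute, but the ordering effect persists.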

For CIOs and security leaders, the implication is clear: remediation must move beyond reactive patching towards automated, intelligence-driven, risk-based models. The report advocates a shift to a Risk Operations Center (ROC) approach, in which detection, validation, and remediation are orchestrated in a continuous, machine-speed loop.

As digital infrastructure grows more complex and attack surfaces expand, the study concludes that only autonomous, AI-driven remediation frameworks will be able to close the widening gap between attacker capability and enterprise defence.
