
Blog
Zafran Team
Google Confirms AI Built a Zero-Day for Mass Exploitation
May 14, 2026

When Anthropic's Mythos demonstration in April showed a frontier model developing working exploits at machine speed, it crystallized a shift the security industry had been bracing for. The 2026 Verizon Data Breach Investigations Report, released yesterday, confirms the shift is already here in the data: exploitation velocity is rising, defender capacity is not, and the gap between the two is widening every quarter.
This year's DBIR is built on more than 22,000 confirmed breaches across 145 countries, the largest dataset Verizon has ever published. Buried in those records is a single story line that should reshape every vulnerability management roadmap in 2026: exploitation of vulnerabilities is now the most common way attackers get in, the gap between how fast they exploit and how fast we patch is widening, and AI is pouring fuel on both sides of that imbalance.
For years, credential abuse held the top spot. This year it collapsed.

Exploitation of vulnerabilities now accounts for 31% of breaches, up from 20% last year. That's a 55% year-over-year jump. Credential abuse fell to 13%. Phishing sits at 16%. Pretexting trails at 6%. That's a regime shift in a single reporting cycle.
The longer trend line makes it even clearer. Verizon has tracked initial access vectors for years, and 2026 is the year exploitation crossed over and pulled away.

If exploitation is winning, the obvious response is to patch faster. The 2026 data shows the opposite happening at scale. Verizon analyzed CISA KEV remediation across more than 13,000 organizations, covering over a billion vulnerability detection records.

The median organization had 16 KEV vulnerabilities to patch in 2025, up from 11 in 2024, a 50% increase in workload in a single year. The time math is even worse.

Verizon's own conclusion is that the first-week rate "barely moved despite three years of additional process development, tooling investment and mandate pressure." They suggest this may be an initial measurement of the "speed of light" for traditional vulnerability remediation, a theoretical ceiling. At their very best, organizations only fix 30% to 40% of KEV instances in the first week.
Meanwhile, attackers are moving in the other direction. Verizon's resurgent vulnerability analysis found that nearly half of KEV vulnerabilities are under active exploitation 96% of the time.

The named CVEs that defined 2025 read like a who's-who of edge infrastructure under siege:
That last one, a December RCE in React Server Components, was deployed by China-nexus groups across 39% of cloud environments before patches were widely available.
The strategic implication is uncomfortable. If the median patch cycle is 43 days, and an increasing share of KEV vulnerabilities are being exploited continuously, then patch cadence as a defensive strategy is structurally insufficient. You cannot patch your way out of a window that never closes.
Verizon's resurgent vulnerability analysis adds another wrinkle. Of the Persistent-category KEVs, only 20% were registered in the CVE database in 2024 or 2025. The other 80% are older vulnerabilities still being actively worked. Old vulnerabilities don't go away. They just get re-weaponized when an opportunity reopens.
The Mythos demo wasn't a one-off. It was the first public proof of something Verizon's data now shows at scale. According to Anthropic data shared with the DBIR team, 32% of AI-assisted initial-access techniques observed in the wild relate to exploitation of vulnerabilities, second only to phishing.

Verizon spends significant ink on this dynamic, and the recommendation is blunt: prepare for a wave of patches coming from coordinated disclosures of AI-augmented vulnerability discovery. Frontier models are now demonstrably capable of finding bugs, writing exploits, and adapting techniques faster than humans can. Every variable that already made the patching math impossible (volume, velocity, pre-disclosure exploitation) is about to compound.
Mythos was the floor, not the ceiling.
The traditional vulnerability management operating model was designed for a slower threat environment. Scanners produce findings. Analysts triage. Tickets route to IT. Patches deploy on a window. Reports go to leadership. Every step in that chain assumes time exists between disclosure and exploitation. That assumption no longer holds.
The teams that survive this shift will be the ones that stop trying to patch everything and start proving which exposures actually matter, then mitigating those exposures using the controls they already own while patches run in parallel.
Traditional vulnerability management must change. Many teams are drowning in detections and still lack insight. The time-to-exploit window sits at 5 days. Implementing a Continuous Threat Exposure Management (CTEM) program is the path forward. Moving from vulnerability management to CTEM doesn't have to be complicated. This guide outlines steps you can take to begin, continue, or refine your CTEM journey.

Zafran is the Threat Exposure Management platform built for the speed, scale, and sophistication of AI-powered attacks. We don't replace your existing security stack; we make it work harder by aggregating signals from your scanners, EDR, CNAPP, and firewalls, then enriching every finding with runtime presence, internet exposure, KEV status, and active threat actor activity. The Exposure Graph maps it all together to prove which vulnerabilities are actually exploitable in your environment.
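The two measurements this post leans on, the first-week KEV remediation rate from the DBIR analysis above and the "which open KEV instances are actually reachable" question the exposure enrichment answers, as an added example that is not Verizon's or Zafran's code. It assumes constructed detection records, a constructed extract shaped like the CISA KEV JSON feed (`cveID`, `dateAdded`, `knownRansomwareCampaignUse`), placeholder CVE ids, and a small asset inventory carrying internet exposure and runtime presence.

```python
"""Measure first-week KEV remediation and rank open KEV exposures (added example)."""
from datetime import date, timedelta

# Constructed KEV extract with placeholder CVE ids; field names follow the CISA KEV feed.
KEV = {
    "CVE-0000-1111": {"dateAdded": date(2025, 3, 4), "knownRansomwareCampaignUse": "Known"},
    "CVE-0000-2222": {"dateAdded": date(2021, 9, 1), "knownRansomwareCampaignUse": "Unknown"},
    "CVE-0000-3333": {"dateAdded": date(2025, 12, 5), "knownRansomwareCampaignUse": "Unknown"},
}

# Constructed asset inventory: is the host reachable from the internet, and is the
# vulnerable component actually running there (runtime presence)?
ASSETS = {
    "web-01": {"internet_facing": True, "running": True},
    "db-01": {"internet_facing": False, "running": True},
    "lab-07": {"internet_facing": True, "running": False},
}

# Constructed scanner detections: one row per (asset, CVE); remediated=None means still open.
DETECTIONS = [
    {"asset": "web-01", "cve": "CVE-0000-1111", "first_seen": date(2025, 3, 5), "remediated": date(2025, 3, 9)},
    {"asset": "db-01", "cve": "CVE-0000-1111", "first_seen": date(2025, 3, 5), "remediated": date(2025, 4, 20)},
    {"asset": "web-01", "cve": "CVE-0000-2222", "first_seen": date(2025, 6, 1), "remediated": None},
    {"asset": "lab-07", "cve": "CVE-0000-3333", "first_seen": date(2025, 12, 6), "remediated": None},
    {"asset": "web-01", "cve": "CVE-9999-0001", "first_seen": date(2025, 6, 1), "remediated": None},  # not in KEV
]
AS_OF = date(2026, 1, 1)  # constructed analysis date


def first_week_rate(detections, kev):
    """Share of KEV detection instances closed within 7 days of first detection (the DBIR metric)."""
    kev_rows = [d for d in detections if d["cve"] in kev]
    fixed = sum(1 for d in kev_rows
                if d["remediated"] is not None and d["remediated"] - d["first_seen"] <= timedelta(days=7))
    return fixed / len(kev_rows) if kev_rows else 0.0


def open_kev_exposures(detections, kev, assets, today):
    """Open KEV instances ranked: reachable-and-running first, then known ransomware use,
    then oldest KEV entry first (old CVEs are the ones that get re-weaponized)."""
    rows = []
    for d in detections:
        if d["cve"] not in kev or d["remediated"] is not None:
            continue
        a, k = assets[d["asset"]], kev[d["cve"]]
        score = (a["internet_facing"] and a["running"],
                 k["knownRansomwareCampaignUse"] == "Known",
                 (today - k["dateAdded"]).days)
        rows.append((d["asset"], d["cve"], score))
    rows.sort(key=lambda r: r[2], reverse=True)
    return [(asset, cve) for asset, cve, _ in rows]
```

On the constructed data only one of four KEV instances closes inside a week, and the top-ranked open exposure is the four-year-old KEV on the internet-facing host, not the newest CVE.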
When a zero-day breaks, the Zero-Day Agent identifies impacted assets by correlating threat intel against SBOM data from any source, including threats without a named CVE. Validated exposures get neutralized through compensating controls in the tools you already own, while remediation runs through your existing ticketing workflows. For most customers, this reduces critical vulnerabilities by 90%. Patches take weeks. Exploits take hours. Zafran takes minutes.