
Zero-Day Clock: AI Cuts Exploit Window From 1 Year to 1 Day

Manaal Khan, 26 May 2026 at 4:17 pm, 6 min read

Key Takeaways

Source: Latest from Tom's Hardware
  • Time-to-exploit has dropped from 84 days in 2021 to 4 hours in 2024, with projections of 1 minute by 2028
  • 73.2% of vulnerabilities are now exploited before public disclosure, up from 31% five years ago
  • The traditional 90-day vulnerability disclosure window is effectively obsolete

The security industry has talked for years about AI accelerating cyberattacks. Now there's a number to prove it: 4 hours. That's the median time between a vulnerability becoming public and someone exploiting it in the wild. In 2021, that same window was 84 days.

The Zero-Day Clock, a new visualization tool created by Sergej Epp of Sysdig, tracks this collapse in real time. The project counts most major tech and cybersecurity companies as signatories, and its message is blunt: the traditional 90-day vulnerability disclosure window is dead.

73.2%: percentage of vulnerabilities now exploited before official public disclosure, up from 31% five years ago

From Years to Minutes: The Numbers

The Zero-Day Clock tracks what security researchers call Time-to-Exploit (TTE): the gap between when a vulnerability is publicly disclosed and when attackers first use it in the wild. The trend line is steep and getting steeper.

In 2021, the mean time from disclosure to exploitation was nearly a year. By 2024, that had dropped to 4 hours. The Zero-Day Clock now shows just over a day for 2026, with projections of one hour by 2027 and one minute by 2028.

Figure (Zero Day Clock - Timeline): the Zero-Day Clock timeline showing the collapse of exploit windows from 2021 to projected 2028

The percentage of zero-day exploits (attacks that happen before any public disclosure) tells an equally grim story. Five years ago, 31% of vulnerabilities were already being exploited when word got out. Today, that figure stands at 73.2%.

The industry standard 90-day vulnerability disclosure window is going the way of the dodo.

— Sergej Epp, CISO at Sysdig

Why This Is Happening

AI-assisted tools can now identify vulnerabilities, perform patch-diffing (analyzing security patches to reverse-engineer the original flaw), and generate working exploits almost immediately. What once required skilled human researchers and weeks of work now happens in hours or minutes.

The data reveals another troubling pattern. Currently, very few vulnerabilities stay unexploited for more than a couple of weeks. After six weeks, zero remain unused. Last year, roughly 24% of vulnerabilities were still unexploited at the six-week mark.

Figure (Zero Day Clock - Exploit Survival Curve): the Exploit Survival Curve showing how quickly vulnerabilities get exploited after disclosure
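To make the two metrics above concrete, here is an added example (not code from the Zero-Day Clock project) that computes Time-to-Exploit, the zero-day share, and one point on the exploit survival curve from a constructed set of disclosure and first-exploitation timestamps. It assumes the median is taken over post-disclosure exploits only and that the zero-day share is a fraction of exploited vulnerabilities; both are assumptions about the clock's methodology, not facts from the article.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records (not real vulnerability data):
# (name, public disclosure time, first observed in-the-wild exploitation or None).
# A negative Time-to-Exploit means exploitation preceded disclosure, i.e. a
# zero-day in the article's sense.
SAMPLE = [
    ("VULN-A", "2024-01-10T09:00", "2024-01-10T13:00"),  # exploited 4 hours after disclosure
    ("VULN-B", "2024-02-01T08:00", "2024-01-25T08:00"),  # zero-day: 7 days before disclosure
    ("VULN-C", "2024-03-05T10:00", "2024-03-07T10:00"),  # exploited 2 days after disclosure
    ("VULN-D", "2024-04-01T00:00", None),                # never observed exploited
    ("VULN-E", "2024-05-15T12:00", "2024-05-12T12:00"),  # zero-day: 3 days before disclosure
]


def parse(rec):
    """Turn one record into (name, disclosure datetime, exploitation datetime or None)."""
    name, disc, expl = rec
    return name, datetime.fromisoformat(disc), (datetime.fromisoformat(expl) if expl else None)


def tte_hours(records):
    """Time-to-Exploit in hours for every exploited record (negative = pre-disclosure)."""
    out = {}
    for name, disclosed, exploited in map(parse, records):
        if exploited is not None:
            out[name] = (exploited - disclosed).total_seconds() / 3600
    return out


def median_tte_hours(records):
    """Median TTE over exploits that followed disclosure (assumed to match the clock's headline number)."""
    post_disclosure = [h for h in tte_hours(records).values() if h >= 0]
    return median(post_disclosure)


def zero_day_share(records):
    """Fraction of exploited vulnerabilities whose first exploitation preceded disclosure."""
    hours = list(tte_hours(records).values())
    return sum(1 for h in hours if h < 0) / len(hours)


def survival_fraction(records, horizon):
    """Share of all vulnerabilities still unexploited `horizon` after disclosure.

    Evaluating this at several horizons (1 day, 2 weeks, 6 weeks) traces the
    exploit survival curve the article describes; defenders want it to stay high.
    """
    parsed = list(map(parse, records))
    still_safe = sum(1 for _, d, e in parsed if e is None or e - d > horizon)
    return still_safe / len(parsed)
```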

Security researchers call this dynamic "Verifier's Law": offense is now cheaper and faster than defense. AI can find and exploit flaws faster than human teams can patch them.

We are moving from a detection deficit to a remediation crisis where systems are exposed within minutes of a flaw becoming known to AI.

— Industry Security Analyst, Sysdig Security Report

The Iceberg Problem

The Zero-Day Clock's dataset only tracks publicly disclosed vulnerabilities with known exploitation. The researchers are explicit about what that means: "We only track publicly visible exploits. Private or nation-state exploits may exist earlier."

In other words, the numbers you're seeing may be optimistic. Government-backed hacking groups and private exploit brokers likely have access to vulnerabilities long before they appear in any public database.

What Can Be Done

The Zero-Day Clock researchers published a call to action with specific recommendations. Some are straightforward: enable all security features by default on every piece of firmware, software, framework, and hardware. Adopt zero-trust architecture wherever possible.

One recommendation is more demanding. Since 70% of vulnerabilities stem from memory safety bugs, the researchers argue that using Rust or another memory-safe language instead of C or C++ is no longer optional. It's a requirement.

  • Enable all security features by default across all systems
  • Adopt zero-trust architecture for all new deployments
  • Migrate critical systems from C/C++ to memory-safe languages like Rust
  • Treat the 90-day disclosure window as obsolete. Patch within hours, not weeks

Community Response

Discussion on Hacker News has focused heavily on the implications of Verifier's Law. The consensus emerging from the technical community: traditional software development lifecycles cannot survive this level of automation. Security by design is no longer a best practice. It's a survival requirement.

The debate now centers on whether organizations can adapt fast enough. A 30-day patching cycle, once considered aggressive, is now dangerously slow when exploits emerge in hours.


Frequently Asked Questions

What is the Zero-Day Clock?

The Zero-Day Clock is a visualization tool created by Sergej Epp of Sysdig that tracks the median time between vulnerability disclosure and first exploitation. It shows how AI has collapsed this window from nearly a year in 2021 to just hours today.

How fast are vulnerabilities exploited in 2024?

The median time-to-exploit in 2024 is 4 hours, down from 84 days in 2021. The Zero-Day Clock projects this will shrink to one hour by 2027 and one minute by 2028.

What percentage of vulnerabilities are zero-day exploits?

73.2% of vulnerabilities are now exploited before any official public disclosure, up from 31% five years ago.

Why is the 90-day disclosure window obsolete?

AI-powered tools can now identify vulnerabilities and generate working exploits within hours of disclosure. A 90-day window assumes defenders have weeks to respond. That assumption no longer holds.

What can organizations do to protect themselves?

Enable all security features by default, adopt zero-trust architecture, migrate to memory-safe languages like Rust, and patch within hours rather than weeks.


Manaal Khan

Tech & Innovation Writer
