One billion KEV records show patching teams are working harder, but falling behind


Security teams are closing far more vulnerability tickets than they did a few years ago, but the risk gap is still getting worse. That is the central message from a new Qualys Threat Research Unit report, which analyzed more than one billion remediation records tied to CISA’s Known Exploited Vulnerabilities catalog across 10,000 organizations over four years.

The report says the share of critical vulnerabilities still open seven days after disclosure rose from 56% to 63%, even as organizations handled 6.5 times more vulnerability volume than in 2022. In plain terms, defenders are doing more work, but that extra work is not shrinking the window that attackers exploit.

Qualys argues that this is no longer a staffing problem or a prioritization problem alone. It says the current scan, score, ticket, and manually remediate model has hit what it calls a human ceiling, where people simply cannot move fast enough to match the pace of exploitation.

Why this matters now

The timing matters because Google's M-Trends 2026 report puts the mean time to exploit at negative seven days. Time-to-exploit is measured against patch release, so a negative mean means that, averaged across the flaws Google tracked, exploitation began about a week before a fix was available. For those flaws there is no traditional patch window at all: the vendor fix arrives after attackers are already in.

CISA's KEV catalog lists vulnerabilities for which the agency has evidence of active exploitation in the wild. Federal civilian agencies are required to remediate KEV entries under CISA's Binding Operational Directive 22-01, and many private organizations use the catalog the same way, as a short list of must-fix flaws. If organizations still struggle to close KEV-linked gaps quickly, the broader remediation problem across the rest of their vulnerability backlog likely runs even deeper.

Qualys says 88% of 52 weaponized vulnerabilities it tracked were remediated more slowly than they were exploited, and about half were weaponized before a patch existed. The company points to examples like Spring4Shell and Cisco IOS XE, where the exploitation timeline moved in days while average enterprise remediation stretched into months.

The tail is where defenders lose

One of the stronger ideas in the report is that average patch speed can hide the real risk. Qualys says long-tail exposure on harder-to-reach systems keeps vulnerabilities open far longer than headline patch metrics suggest, especially in infrastructure environments where even the median remediation time can stretch for months.

That is why the company pushes a metric it calls Risk Mass: for each vulnerable asset, the number of days the flaw stayed exposed, summed across the fleet, rather than a count of CVEs or closed tickets. A metric built this way keeps growing while a handful of unpatched systems sit open, even if hundreds of tickets were closed the same week. The argument is that breaches do not happen because a dashboard looks messy. They happen because exploitable weaknesses remain exposed for too long across too many assets.

Qualys also says teams waste time on issues that look urgent on paper but carry less real-world risk. The report notes that out of 48,172 vulnerabilities disclosed in 2025, only 357 were both remotely exploitable and actively weaponized. That gap between total disclosure volume and practical exploitation helps explain why many security teams feel busy without feeling safer.

Key numbers from the report

Records analyzed: more than 1 billion remediation records
Organizations covered: 10,000
Change in vulnerability volume since 2022: 6.5x increase
Critical flaws still open at Day 7: rose from 56% to 63%
Weaponized flaws patched slower than exploited: 88% of 52 tracked cases
2025 vulnerabilities disclosed: 48,172
2025 vulnerabilities remotely exploitable and actively weaponized: 357

Sources: Qualys Threat Research Unit report and blog.

What Qualys says needs to change

Qualys says incremental improvement will not be enough because the threat model has changed faster than enterprise operations. Its proposed answer is a Risk Operations Center model that combines machine-readable threat intelligence, exploit validation in the actual environment, and automated remediation steps that remove human delay from the critical path.

That pitch clearly supports Qualys’ broader automation strategy, so it should be read with that context in mind. Still, the underlying pressure is real. If attackers can weaponize flaws before patches arrive, then organizations that rely only on manual triage and ticket queues will struggle to close the gap. That conclusion also lines up with Google’s latest threat data on shrinking exploit timelines.

The bigger takeaway for security leaders is less about one vendor’s framework and more about operating model risk. Teams may need to stop measuring success mainly through ticket volume and start measuring how much exploitable exposure remains over time, especially on assets that sit outside fast, routine patch cycles. This is an inference based on the data and recommendations in the cited reports.

What security teams can do now

  • Prioritize KEV-listed flaws first, because CISA treats them as actively exploited in the wild.
  • Track exposure duration, not just patch counts, so long-tail systems do not disappear behind healthy-looking dashboards.
  • Separate theoretical vulnerability noise from flaws that are both remotely exploitable and actively weaponized.
  • Use automation where patching, validation, and rollback workflows repeatedly stall on the same classes of assets.
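The Risk Mass arithmetic from the section on the long tail, and the first three items of the action list above, worked through on a small findings export. This is an added example, not code from Qualys or the report; the asset names, dates, CVE ids and the one-entry KEV stand-in are all constructed, and Risk Mass is taken as the report defines it (vulnerable assets multiplied by days exposed, summed over the fleet).

```python
"""Risk Mass versus headline patch speed on a constructed findings export.

Added illustration, not code from the Qualys report. The scanner export,
the KEV snapshot, the asset names and the CVE ids below are all invented.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    first_seen: date          # when the scanner first reported the flaw
    closed: Optional[date]    # None means still open


AS_OF = date(2026, 3, 1)      # constructed reporting date

# Constructed scanner export: 40 laptops patched in 5 days, three
# hard-to-reach network/OT devices in the long tail, and one finding
# that is not in the KEV catalog at all.
FINDINGS: List[Finding] = [
    Finding(f"laptop-{i:02d}", "CVE-2025-0001", date(2026, 1, 10), date(2026, 1, 15))
    for i in range(40)
] + [
    Finding("core-router-1", "CVE-2025-0001", date(2026, 1, 10), None),
    Finding("core-router-2", "CVE-2025-0001", date(2026, 1, 10), None),
    Finding("ot-gateway",    "CVE-2025-0001", date(2026, 1, 10), date(2026, 2, 28)),
    Finding("build-server",  "CVE-2025-0002", date(2026, 1, 20), date(2026, 1, 22)),
]

# Constructed stand-in for a CISA KEV snapshot. The real feed is a JSON
# document with a "vulnerabilities" array; only the cveID field matters here.
KEV_IDS = {"CVE-2025-0001"}


def days_open(f: Finding, as_of: date = AS_OF) -> int:
    """Days the finding was (or has been) exposed; open findings count to as_of."""
    return ((f.closed or as_of) - f.first_seen).days


def kev_only(findings: List[Finding]) -> List[Finding]:
    """Action-list step 1: keep only flaws CISA says are exploited in the wild."""
    return [f for f in findings if f.cve in KEV_IDS]


def mean_time_to_remediate(findings: List[Finding]) -> float:
    """Headline metric: mean days-to-close over *closed* findings only.
    Open findings contribute nothing, which is exactly how the tail hides."""
    return mean(days_open(f) for f in findings if f.closed)


def risk_mass(findings: List[Finding], as_of: date = AS_OF) -> int:
    """Asset-days of exposure, open findings included."""
    return sum(days_open(f, as_of) for f in findings)


def tail_share(findings: List[Finding], threshold_days: int = 30) -> float:
    """Fraction of risk mass carried by findings open longer than threshold_days."""
    tail = [f for f in findings if days_open(f) > threshold_days]
    return risk_mass(tail) / risk_mass(findings)


def open_at_day(findings: List[Finding], day: int = 7) -> float:
    """Share of findings still open `day` days after first sighting (the Day-7 metric)."""
    still_open = [f for f in findings
                  if f.closed is None or (f.closed - f.first_seen).days > day]
    return len(still_open) / len(findings)


def worst_assets(findings: List[Finding], top: int = 3) -> List[Dict[str, object]]:
    """Action-list step 2: a work queue ordered by exposure, not by ticket count."""
    rows = [{"asset": f.asset, "cve": f.cve, "days_open": days_open(f),
             "open": f.closed is None} for f in findings]
    rows.sort(key=lambda r: r["days_open"], reverse=True)
    return rows[:top]


if __name__ == "__main__":
    kev = kev_only(FINDINGS)
    print(f"KEV findings: {len(kev)}  MTTR (closed only): {mean_time_to_remediate(kev):.1f} d")
    print(f"open at day 7: {open_at_day(kev):.0%}  risk mass: {risk_mass(kev)} asset-days, "
          f"{tail_share(kev):.0%} of it on findings open > 30 d")
    for row in worst_assets(kev):
        print(row)
```

On this constructed data the dashboard numbers look healthy: mean time to remediate is about 6 days and only 7% of KEV findings were still open at day 7. The Risk Mass view tells a different story: three devices out of 43 carry 43% of the 349 asset-days of exposure, because two of them are still open on the reporting date and the third took seven weeks. The non-KEV finding on the build server is filtered out before any of this is computed, which is the "separate noise from weaponized flaws" step done as a data filter rather than a judgement call.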

FAQ

What is the KEV catalog?

It is CISA’s Known Exploited Vulnerabilities catalog, a list of vulnerabilities that the agency says have active exploitation in the wild.

What does negative seven days mean?

Google's M-Trends 2026 report says the mean time to exploit is now negative seven days. Time-to-exploit is counted from patch release, so a negative mean means that, on average across the flaws tracked, exploitation began about a week before a patch existed.

Is Qualys saying patching no longer matters?

No. The report argues that patching still matters, but manual patching alone cannot keep up with current exploit speed and vulnerability volume.

Why does the report focus on cumulative exposure?

Because a vulnerability that stays open for months across many assets can create more real-world risk than a larger number of lower-priority findings that teams close quickly. That is the logic behind Qualys’ Risk Mass framing.
