2 July 2026

When Attackers Are Faster Than the Patch


Whereas vulnerabilities used to take weeks to be weaponised after disclosure, the gap is now often measured in days. Attackers are using AI to shrink that window even further as the total number of published CVEs climbs. The State of Vulnerabilities Report 2026 analyses more than 11,000 findings from live customer environments. Its headline: risk is no longer driven by the sheer volume of gaps, but by the speed at which the critical ones are closed.

Key Takeaways

  • More vulnerabilities: Industry-wide CVE disclosures rose 20 % in 2025 to more than 48,000.
  • Harder findings: High-severity reports climbed 10 %, remote-code execution 39 %, brute-force attempts 17.4 %.
  • Speed wins: Continuous testing slashes average remediation time by 47 %.
  • New attack surface: Security reviews of AI and LLM environments jumped 120 %.


The window between disclosure and attack keeps shrinking

The threat landscape tightened in 2025. Attackers are using AI to compress the interval between vulnerability disclosure and active exploitation. Last year alone, industry-wide CVE disclosures rose 20 % to more than 48,000. The State of Vulnerabilities Report 2026 drilled into more than 11,000 vulnerabilities from live customer environments in 2025.

The report comes from Synack, a provider of AI-powered penetration testing. Its focus is less on the raw volume of findings and more on their accelerating dynamics.

CTO Statement

“Rules changed in 2025. Time is now the biggest vulnerability. Attackers will always find new gaps; what has changed is the speed at which they discover and weaponise them.”
– Dr. Mark Kuhr, Co-founder & CTO, Synack

The risk structure is shifting

The total number of vulnerabilities identified remained largely stable year-over-year. What changed was their composition. High-severity findings increased by 10 percent. The most pronounced rise came from remote code execution, which surged by 39 percent. Brute-force attacks climbed 17.4 percent, while content injection grew by 8 percent.

The report interprets this pattern as a shift toward identity-based attacks. It aligns with the observation that attackers are leveraging AI to probe access controls at scale. For security teams, the sheer volume of findings matters less. What counts is which gaps create real attack paths, and which should be closed first.

47 percent: reduction in remediation time with continuous testing

Organizations running continuous tests resolved high-severity gaps 42 days faster than in 2024, and critical gaps 38 days faster. At the same time, 37 percent of all findings were either critical or high-severity.

What is MTTR? Mean Time To Remediate measures the average time from vulnerability discovery to resolution. The shorter this window, the smaller the window of opportunity for exploitation. The report highlights this metric as a key lever against accelerating attack speeds.
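As an added illustration that is not part of the report or Synack's material, the metric as defined above computed over a handful of constructed findings: MTTR per severity, the share of critical and high findings, the percentage drop between two periods, and a remediation queue that puts the highest severity first. Open findings have no resolution date and are left out of the average rather than counted as zero.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    finding_id: str
    severity: str             # "critical", "high", "medium" or "low"
    discovered: date
    resolved: Optional[date]  # None while the finding is still open

# Constructed sample findings; not data from the report.
SAMPLE = [
    Finding("F-001", "critical", date(2025, 3, 1), date(2025, 3, 15)),   # 14 days
    Finding("F-002", "critical", date(2025, 4, 10), date(2025, 4, 20)),  # 10 days
    Finding("F-003", "high", date(2025, 5, 2), date(2025, 6, 1)),        # 30 days
    Finding("F-004", "high", date(2025, 5, 20), None),                   # still open
    Finding("F-005", "medium", date(2025, 6, 1), date(2025, 8, 30)),     # 90 days
    Finding("F-006", "low", date(2025, 7, 1), None),                     # still open
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def mttr_days(findings, severity=None):
    """Mean Time To Remediate in days: average of (resolved - discovered) over
    closed findings, optionally for one severity only. Open findings are
    excluded; counting them as zero would make the metric look better."""
    durations = [
        (f.resolved - f.discovered).days
        for f in findings
        if f.resolved is not None and (severity is None or f.severity == severity)
    ]
    return mean(durations) if durations else None

def critical_high_share(findings):
    """Percentage of findings rated critical or high, as the report tracks it."""
    if not findings:
        return 0.0
    hits = sum(1 for f in findings if f.severity in ("critical", "high"))
    return round(100 * hits / len(findings), 1)

def mttr_reduction_pct(before_days, after_days):
    """Percentage drop in MTTR between two measurement periods."""
    return round(100 * (before_days - after_days) / before_days, 1)

def remediation_queue(findings, today):
    """Open findings ordered as the report recommends: highest severity
    first, and within a severity the oldest (longest exposed) first."""
    open_ = [f for f in findings if f.resolved is None]
    open_.sort(key=lambda f: (SEVERITY_RANK[f.severity], -(today - f.discovered).days))
    return [f.finding_id for f in open_]
```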

Where the critical findings are concentrated

The share of critical and high-severity vulnerabilities in 2025 reached 37 percent. Manufacturing led with 43.1 percent, followed by the technology sector at 40.0 percent.

Among findings mapped to the OWASP Top 10:2025, two classes dominated. Injection flaws accounted for 40.6 percent, while broken access controls made up 32.8 percent. Together, they represented the bulk of OWASP-mapped findings.

AI environments become targets in their own right

AI and LLM systems also drew more scrutiny from assessors. Security assessments in this area on the evaluated platform jumped 120 percent. The report reads this as a signal that AI infrastructures are increasingly treated as standalone attack surfaces, not merely as tools used by attackers.

What security teams should prioritize now

Clear priorities for vulnerability management emerge from the data.

1. Tackle critical issues first: consistently remediate critical and high-severity findings before addressing anything else.
2. Watch attack paths: monitor remote code execution, brute force, content injection, injections, and flawed access controls with targeted vigilance.
3. Audit AI systems: integrate AI and LLM environments directly into your security review process.
4. Test continuously: shift from periodic audits to ongoing testing. This measurably reduces remediation time.

The key takeaway remains: the number of vulnerabilities found does not determine risk; what matters is how quickly the critical ones are neutralized.

Frequently Asked Questions

What is the State of Vulnerabilities Report 2026?

The report analyzes more than 11,000 vulnerabilities discovered in 2025 across live customer environments. It is published by Synack, a provider of AI-driven penetration testing. The findings are categorized by severity, type, and industry.

Why are CVE counts rising even as fixes get faster?

Both trends are happening simultaneously. In 2025, over 48,000 CVEs were published industry-wide, 20 percent more than the previous year. At the same time, continuous testing is cutting remediation times. More known gaps do not automatically translate into greater risk as long as critical flaws are closed quickly.

What does MTTR stand for and why is the decline important?

MTTR stands for Mean Time To Remediate, the average time to resolution. Across all categories, the report shows a 47 percent drop. The shorter this window, the smaller the opportunity for attackers to exploit a known gap.

Which industries are most affected?

The manufacturing sector recorded the highest share of critical and high-severity findings at 43.1 percent, followed by the technology sector at 40.0 percent. Across all industries, the average share was 37 percent.

Why do AI environments appear in the report?

Security assessments of AI and LLM systems surged by 120 percent. This signals that these systems are not only used as attack tools but are themselves becoming attack surfaces that require dedicated testing.


Image source: AI-generated (July 2026)


About the author: Alec Chizhik

A magazine by Evernine Media GmbH