From 745 days to 44: the collapse of the patching grace period

by Black Hat Middle East and Africa

There was a time when ‘patch Tuesday’ bought you some breathing room. A vendor disclosed a bug, you triaged it, tested it, scheduled a change window, and hoped nobody noticed your exposed edge box in the meantime.

New analysis from Flashpoint suggests that time is long gone. 

In 2020, Flashpoint puts the average Time to Exploit (TTE) – the time between disclosure and first observed exploitation – at 745 days. By 2025, it says that average has dropped to 44 days.

And the year-by-year data shows it tightening fast: 

  • 518 days (2021)
  • 405 days (2022)
  • 296 days (2023)
  • 115 days (2024)
  • 44 days (2025)

N-days are doing the heavy lifting

The other shift is that attackers no longer need rare zero-days to cause outsized damage. They’re increasingly relying on N-days – vulnerabilities that are publicly known, with patches available, but still sitting unaddressed in real environments.

Flashpoint says N-days represent over 80% of Known Exploited Vulnerabilities (KEVs) it has tracked over the past four years.

So if your exposure management programme is still built around the idea that vulnerabilities can be patched in the next sprint (instead of right now), your organisation is at risk. 

Turn-key exploitation is making everyone faster (including amateurs)

So why the speed-up? Flashpoint points to the rapid weaponisation of proof-of-concept (PoC) code published by researchers. When usable exploit code lands alongside a disclosure, exploitation becomes ‘turn-key’ – less engineering, more copy/paste.

Pair that with internet-wide scanning (Flashpoint namechecks Shodan and FOFA) and you can go from disclosure to mass exploitation in hours, even without an elite operator behind the keyboard.

The analysis also cites leaked chat logs from the BlackBasta ransomware group: of 65 CVEs discussed, 54 were already known KEVs.

In short, your adversary is often taking the easiest path. 

Why defenders are stuck: asset blindness and the CVE trap

This is fixable. 

Flashpoint’s researchers argue the biggest blocker isn’t effort – it’s visibility. They claim many large organisations may have an accurate inventory of only around 25% of their assets.

If you don’t know what you own, you can’t know what’s exposed – and you can’t prioritise what to patch first.

Then there’s the tooling problem: CVE dependency. The analysis notes that thousands of vulnerabilities disclosed each year never receive a CVE ID, and that creates blind spots for standard scanners.

Cybersecurity teams need to: 

  • Assume exploitation is measured in weeks, not quarters. Remember – that new average TTE is just 44 days.
  • Prioritise by exploitability, not severity theatre. Focus on remotely exploitable issues with observed attacker interest.
  • Fix asset inventory before you buy another dashboard. If visibility is 25%, your exposure programme is guesswork.
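The three points above can be turned into a concrete triage rule. The script below is an added illustration, not code from Flashpoint or from Black Hat MEA: it ranks findings by observed exploitation, network reachability and public exploit code before it looks at CVSS, computes how much of the 44-day average window is left, accepts non-CVE identifiers so findings without a CVE ID are not dropped, and reports inventory coverage. The findings, hosts and identifiers are constructed placeholders; the field names and the ordering policy are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date

# From the article: Flashpoint's 2025 average Time to Exploit (disclosure to first
# observed exploitation) is 44 days. Everything else below is a constructed example.
TTE_DAYS = 44


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # CVE ID or, where none was issued, a vendor/advisory identifier
    host: str                 # asset the finding was observed on
    disclosed: date           # public disclosure date
    cvss: float               # severity score
    remote: bool              # remotely exploitable (network attack vector)
    observed_exploited: bool  # on a KEV list / exploitation already seen in the wild
    public_poc: bool          # usable exploit code published alongside the disclosure


def days_to_expected_exploit(finding: Finding, today: date) -> int:
    """Days left before the disclosure's age reaches the 44-day average TTE.

    Negative means the average window has already passed. A finding that is already
    being exploited has no window left, so it never reports a positive value.
    """
    remaining = TTE_DAYS - (today - finding.disclosed).days
    return min(remaining, 0) if finding.observed_exploited else remaining


def priority_key(finding: Finding, today: date) -> tuple:
    """Sort key implementing 'exploitability first, severity last'.

    Python sorts tuples element by element with smaller values first, so each
    element is arranged so that 'more urgent' is the smaller value.
    """
    return (
        0 if finding.observed_exploited else 1,    # observed attacker interest beats everything
        0 if finding.remote else 1,                # reachable from the network beats local-only
        0 if finding.public_poc else 1,            # turn-key exploit code shortens the window
        days_to_expected_exploit(finding, today),  # least time left first
        -finding.cvss,                             # CVSS only breaks ties
    )


def prioritise(findings: list, today: date) -> list:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority_key(f, today))


def inventory_coverage(inventory: set, observed_hosts: set) -> float:
    """Fraction of hosts seen by scanners or logs that the asset inventory knows about."""
    if not observed_hosts:
        return 1.0
    return len(observed_hosts & inventory) / len(observed_hosts)


def unknown_hosts(inventory: set, observed_hosts: set) -> list:
    """Hosts that produced findings but are missing from the inventory."""
    return sorted(observed_hosts - inventory)


# Constructed sample data; identifiers are placeholders, not real vulnerabilities.
TODAY = date(2025, 9, 1)
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "edge-vpn-01", date(2025, 8, 10), 7.5, True, True, True),
    Finding("CVE-EXAMPLE-0002", "build-srv-03", date(2025, 6, 1), 9.8, False, False, False),
    Finding("VENDOR-ADV-EXAMPLE-017", "edge-mail-02", date(2025, 8, 20), 8.1, True, False, True),
    Finding("CVE-EXAMPLE-0004", "hr-laptop-11", date(2025, 8, 25), 6.5, True, False, False),
]
INVENTORY = {"edge-vpn-01", "build-srv-03"}  # the CMDB only knows two of the four hosts

if __name__ == "__main__":
    for f in prioritise(FINDINGS, TODAY):
        print(f"{f.vuln_id:<24} {f.host:<14} cvss={f.cvss:<4} "
              f"days_left={days_to_expected_exploit(f, TODAY):>4}")
    seen = {f.host for f in FINDINGS}
    print(f"inventory coverage: {inventory_coverage(INVENTORY, seen):.0%}, "
          f"unknown hosts: {unknown_hosts(INVENTORY, seen)}")
```

With the sample data the exploited-in-the-wild edge VPN bug comes first, the advisory with no CVE ID but public exploit code second, and the CVSS 9.8 local-only issue last, even though it is 48 days past the average window: that is the article's ordering, with severity demoted to a tie-breaker. Half the hosts that produced findings are absent from the inventory, which is the visibility gap the article describes; a production programme would add asset criticality and internet exposure to the key, but the shape of the rule stays the same.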

The patching grace period is collapsing – and attackers are treating disclosure like a starting pistol. If we want the window back, we need to operate at adversary tempo. 
