Qualys TRU Reveals Major Cyber Risk Remediation Gap

The Qualys TRU research report, “The Broken Physics of Remediation,” highlights a widening gap between exploitation and remediation timelines, with vulnerabilities surging from 73 million in 2022 to 473 million in 2025.


Qualys Threat Research Unit has published a report titled “The Broken Physics of Remediation: The Future of Risk Management is Autonomous.” It draws on the analysis of over one billion remediation records tied to CISA Known Exploited Vulnerabilities (KEVs), covering more than 10,000 organizations from 2022 to 2025—making it one of the most extensive studies of its kind.

The report looks closely at how long it takes to fix vulnerabilities, how many exist at any given time, and how they are exploited. It also introduces new metrics like Average Window of Exposure (AWE) and Risk Mass to better understand how risk builds and persists over time. Overall, the findings reveal clear gaps in current remediation strategies and emphasize the increasing importance of AI-powered and automated solutions to effectively manage cyber risk at scale.

The report states that vulnerability exploitation is no longer bound by disclosure timelines, with attackers increasingly able to exploit vulnerabilities before patches are available or even before public disclosure. It highlights that Time-to-Exploit (TTE) has shifted into negative territory, reflecting a change in how quickly threats materialize in real-world environments.

It further analyses remediation performance across time intervals, including Day 7 and Day 30 benchmarks, showing that a significant portion of vulnerabilities remains unresolved within these timeframes. The report emphasizes that these delays contribute to extended exposure periods across enterprise environments.

The findings also include an analysis of vulnerability distribution and exploitability, noting that only a small fraction of disclosed vulnerabilities is confirmed as remotely exploitable and actively weaponized, reinforcing the importance of validation in remediation strategies. The report also highlights that edge devices such as firewalls, VPNs and gateways carry a disproportionately higher strategic risk per vulnerability due to their external exposure and critical role in enterprise infrastructure.

This report comprises six key points that collectively define the current realities of remediation and the structural challenges organizations face:

1. The End of Human-Scale Remediation: Manual remediation was designed for a slower threat environment, which no longer exists. Analysis of over one billion KEV remediation records across 10,000+ organizations shows that while closed vulnerabilities increased from 73 million in 2022 to 473 million in 2025, outcomes worsened. The percentage of critical vulnerabilities open at Day 7 rose from 56% to 63%. This reflects a “human ceiling,” where the speed and volume of incoming risks outpace remediation capacity, indicating a structural limitation in the current remediation model.

2. Broken Physics of Remediation: MTTR measures how quickly teams respond to vulnerabilities, but it does not capture total risk exposure. It focuses on response speed, not on how long systems remain vulnerable before and during remediation. To address this gap, the report introduces Average Window of Exposure (AWE), which measures the full duration from when a vulnerability becomes exploitable to when it is fully remediated. This highlights exposure that MTTR averages often hide.

The report shows that Time-to-Exploit has dropped to -1 day, meaning vulnerabilities are often exploited before patches are available. At disclosure, 85% of assets remain unpatched, 63% after one week, and even after around 21 days, 33% are still exposed. Nearly 12% remain open after 90 days. This demonstrates that while MTTR reflects process efficiency, AWE provides a clearer view of actual risk exposure across the environment.

3. The Physics Gap – Attacker Speed vs. Defender Speed: Analysis of 52 KEV vulnerabilities shows a clear gap between attacker and defender speed. Half were exploited before public disclosure, and 88% were remediated more slowly than they were exploited. Even after patches became available, remediation often lagged well behind, extending exposure into months or years. A “Manual Tax” further increases delays, especially for infrastructure systems, creating a long tail of risk. The report highlights the need for mitigation alongside patching to reduce exposure during these delays.

4. Risk Mass – From Counting Vulnerabilities to Measuring Exposure: Traditional remediation metrics focus on whether vulnerabilities are closed and how quickly, but they do not capture the total exposure during the time they remain open. The report introduces Risk Mass to measure this cumulative exposure, calculated as the number of vulnerable assets multiplied by the number of days they remain exposed. This reflects the total window available for exploitation, expressed as exposure-days. For example, a vulnerability affecting 400 assets closed in one day results in 400 exposure-days, while the same vulnerability left open for 100 days results in 40,000 exposure-days, showing a significantly higher risk. The report demonstrates this through the Follina vulnerability, where exposure evolved across phases – from early targeted exploitation before disclosure to broader adoption by multiple threat actors over time – highlighting how risk expands as exposure persists.

5. The Filter – From Prioritization to Confirmation: The report highlights that while vulnerability management has improved through risk-based prioritization, a gap still remains between identifying high-risk vulnerabilities and confirming actual exploitability. In 2025, out of 48,172 disclosed vulnerabilities, only 357 (0.74%) were confirmed as remotely exploitable and actively weaponized. This shows that the most critical risks represent a very small fraction of total vulnerabilities. However, prioritization alone is not sufficient. A vulnerability may be high-risk in theory but not exploitable in a specific environment due to existing controls. This creates a “confirmation gap” between theoretical risk and actual exposure. The report emphasizes the need to validate exploitability in real environments before triggering remediation, shifting from probability-based prioritization to evidence-based confirmation.

6. Operationalize or Fail: The report makes one thing clear: the issue is not speed, but the operational model itself. With vulnerability volume growing 6.5x, a Time-to-Exploit of -1 day, and a long remediation tail absorbing most risk, the traditional approach no longer works. The scan-and-report model – built for slower threats and lower volumes – has become outdated. In its place, the report introduces the Risk Operations Center (ROC): an end-to-end, automated pipeline that manages the full remediation lifecycle at machine speed. A ROC is built on three core capabilities.

First is embedded intelligence, where threat data is automatically processed into decision-making logic. Instead of waiting for manual analysis, vulnerabilities are instantly evaluated against asset inventory, exposure, threat activity, and relevance – enabling prioritization in seconds.

Second is active confirmation, which filters out false risk. Using multiple verification methods, including exploit-based validation, the system identifies which vulnerabilities are actually exploitable. This reduces thousands of potential risks to a much smaller set of confirmed threats.

Third is autonomous action. For confirmed risks, remediation is executed based on policies and system intelligence. This can include automated patching, deploying compensating controls, or isolating assets – reducing reliance on manual processes while keeping human oversight at the policy level.

The report concludes that reactive, case-by-case response is no longer sustainable. Instead of chasing individual vulnerabilities, organizations must adopt a repeatable, automated process that scales with volume and matches the speed of modern threats.
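To make the report's metrics concrete, the following example (added for this article, not code from Qualys or the report) computes Time-to-Exploit, MTTR, AWE, Risk Mass and the Day 7 / Day 30 open-percentage benchmarks over a constructed set of per-asset remediation records. The record layout, asset names, dates and the 90-day reporting cutoff are assumptions; the point it shows is that MTTR, computed from closed assets only, understates the exposure that AWE and Risk Mass capture once still-open assets are counted.

```python
from datetime import date, timedelta

# Constructed sample records (not data from the Qualys report): one row per vulnerable
# asset for a single KEV. 'exploited' is the first observed in-the-wild exploitation date,
# 'disclosed' the public disclosure date, 'closed' None while the asset is still open.
D = date(2025, 3, 1)                     # disclosure date shared by all rows (assumed)
AS_OF = D + timedelta(days=90)           # reporting date used for still-open assets (assumed)
RECORDS = [
    {"asset": "fw-edge-01", "disclosed": D, "exploited": D - timedelta(days=1), "closed": D + timedelta(days=1)},
    {"asset": "vpn-gw-02",  "disclosed": D, "exploited": D - timedelta(days=1), "closed": D + timedelta(days=6)},
    {"asset": "app-srv-03", "disclosed": D, "exploited": D - timedelta(days=1), "closed": D + timedelta(days=30)},
    {"asset": "db-srv-04",  "disclosed": D, "exploited": D - timedelta(days=1), "closed": None},
]

def time_to_exploit(rec):
    """Days from disclosure to first exploitation; negative means exploited before disclosure."""
    return (rec["exploited"] - rec["disclosed"]).days

def exposure_days(rec, as_of=AS_OF):
    """Window from the day the asset became exploitable until closure (or as_of if still open)."""
    start = min(rec["disclosed"], rec["exploited"])
    end = rec["closed"] or as_of
    return (end - start).days

def mttr(records):
    """Mean days from disclosure to closure over closed assets only; open assets drop out."""
    closed = [(r["closed"] - r["disclosed"]).days for r in records if r["closed"]]
    return sum(closed) / len(closed)

def awe(records, as_of=AS_OF):
    """Average Window of Exposure: mean exposure_days over every asset, open ones included."""
    return sum(exposure_days(r, as_of) for r in records) / len(records)

def risk_mass(records, as_of=AS_OF):
    """Cumulative exposure-days: each asset's exposure window summed across all assets."""
    return sum(exposure_days(r, as_of) for r in records)

def risk_mass_uniform(n_assets, days_open):
    """The article's illustration: n identical assets, all closed days_open days after exposure."""
    rec = {"disclosed": D, "exploited": D, "closed": D + timedelta(days=days_open)}
    return risk_mass([rec] * n_assets)

def pct_open_at(records, day):
    """Share of assets still unremediated `day` days after disclosure (Day 7 / Day 30 benchmark)."""
    still_open = [r for r in records if r["closed"] is None or (r["closed"] - r["disclosed"]).days > day]
    return 100.0 * len(still_open) / len(records)

if __name__ == "__main__":
    print(f"TTE={time_to_exploit(RECORDS[0])}d  MTTR={mttr(RECORDS):.1f}d  AWE={awe(RECORDS):.1f}d")
    print(f"Risk Mass={risk_mass(RECORDS)} exposure-days  open@7d={pct_open_at(RECORDS, 7):.0f}%")
```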

Sumedh Thakar, President and CEO of Qualys, said: “As I meet with customers and hear first-hand about the challenges they’re facing, the threats I see are quieter and more structural: attack surfaces expanded beyond what teams can govern, identity sprawl that outpaces policy, and remediation workflows still built on manual execution. The findings in this report reflect that organizations are not just facing more vulnerabilities, but are dealing with an environment where the scale and speed of risk creation have fundamentally outgrown traditional approaches to remediation.”

Saeed Abbasi, Head of the Threat Research Unit at Qualys, stated: “The attacker’s timeline is the only one that matters – and that timeline is predictable. Adversaries do not innovate; they repeat what works. Our research shows that exploitation frequently occurs before organizations can respond, and often even before vulnerabilities are publicly disclosed. This reinforces the need to rethink remediation not as a linear process, but as an operational capability that can keep pace with how threats actually evolve.”
