AI Compressed Time-to-Exploit to 24 Hours: Why CISOs Are Switching to BAS
For three decades, vulnerability management depended on a buffer: the months between disclosure and weaponization. Triage by severity, schedule remediation, validate, and move on. That buffer no longer exists. AI has compressed the discovery-to-exploit window from months to hours, and defenders running a process designed for breathing room are being outpaced. The industry's reflex answer—patch faster—is unrealistic when patches must clear regression testing, await change windows, and survive approval chains that weren't built for same-day turnaround.
The data is stark. In its May 2026 update, Anthropic reported that Claude Mythos Preview, used with roughly 50 partners, identified more than 10,000 high- or critical-severity vulnerabilities in systemically important software within a single month. Pointed at Firefox, the gated Mythos model produced 181 working exploits versus just 2 from the previous frontier model. It surfaced flaws across every major OS and browser, including an OpenBSD bug that had sat undetected for 27 years; at the time of writing, over 99% of what it found remained unpatched. The attacker side is equally alarming: an AWS threat-intelligence report from February 2026 confirmed 600+ compromised devices across 55+ countries, industrialized through a custom MCP server running offensive tools autonomously. No zero-days were required, just weak credentials. Organizations can quickly audit exposed credentials using an online password strength and breach checker before attackers do.
Time-to-exploit (TTE) has collapsed in parallel. Zero Day Clock puts the 2026 average at roughly 24 hours, down from approximately 53 days in 2024. Verizon's 2026 DBIR ties 32% of initial-access techniques to vulnerability exploitation and expects that figure to climb as generative AI assistants put exploit-building, porting, and fresh flaw discovery within reach of attackers who previously lacked the expertise. Even defenders running continuous scanning with tools like an online port scanner now face a reality where exposure can be weaponized before the scan report is reviewed.
That is why CISOs are reallocating budget away from traditional vulnerability management toward Breach and Attack Simulation (BAS). BAS platforms continuously emulate the techniques AI-augmented adversaries use, validating whether existing controls—not just patches—actually stop attacks in the window defenders still have. Combined with broader hygiene checks such as a full privacy and exposure checkup, BAS gives security teams continuous assurance instead of quarterly snapshots. The buffer is gone. Defenders need validation that runs at attacker speed.