Greetings,
Our team has been spending a lot of time lately managing security updates. Our impression is that the number of security updates for libraries and software we use has gone up significantly. So I started to do some digging to try to understand how big the effect is and how prevalent.
Looking at the number of found vulnerabilities, as measured by CVEs, shows only a modest bump. Looking at fixes issued for major companies like Apple and Microsoft actually shows fewer this year so far than last.
But I went down a rabbit hole going through the latest reports from Verizon, Google/Mandiant, and others, and wow, there's some alarming stuff in there. Here are some of the numbers that I think are significant:
- Vulnerabilities YTD vs. 2025: +35%
- Critical Vulnerabilities: +50%
- Days to Exploit: 7x worse (from -1 to -7)
- Days to Patch: +34%
But it's really the average number of days from a vulnerability being made public to it being exploited that gets me. -7 means that, on average, vulnerabilities are being exploited a week before a patch is even available.
Here's the thing: there's absolutely nothing you can do to stop someone from exploiting a vulnerability in your stack before you know about it or have a fix. It's an impossible problem to solve. And it makes application-layer encryption and HYOK (hold your own key) more important than ever. There's no more effective approach to de-risk a breach in the face of an initial exploit.
I wrote about this with sources cited, graphs, and the whole works in my latest blog, "The AI Vulnerability Tidal Wave." I hope you find it as interesting as I did.
..Patrick