Hackers Now Exploit Public Vulnerabilities in Under 2 Hours, Zero Day Clock Shows
The window between a vulnerability going public and attackers actively exploiting it has shrunk from weeks to hours. A new visualization project called Zero Day Clock is putting hard numbers on just how fast the threat landscape is accelerating.
The project, created by Sysdig CISO Sergej Epp and unveiled at this year’s [un]prompted 2026 conference, draws on data from CISA’s Known Exploited Vulnerabilities catalog, VulnCheck, and other threat intelligence sources. It tracks over 3,500 real-world exploit events to calculate a single metric: Time-to-Exploit (TTE) — the gap between a vulnerability’s public disclosure and its first observed use in an attack.
The trend is stark. In 2025, the average TTE was roughly 21.5 days. As of July 5, 2026, that figure has dropped to under two hours. Organizations that once had weeks to assess and patch now find their defense window measured in hours.

Epp said the project aims to surface the accelerating exploit timeline for audiences beyond the security operations teams already feeling the pressure — corporate boards and executive leaders who may not realize how dramatically the rules have changed.

The implications are sobering. Traditional patch management cycles — monthly security updates followed by slower quarterly assessments — were designed for a world where attackers took days or weeks to weaponize a disclosed flaw. That world no longer exists. Security teams must rethink how they detect and patch vulnerabilities — shifting from human-paced schedules to machine-speed response.
Epp’s message is direct: the shrinking TTE is not a future projection. It is happening now, and it demands a fundamental re-evaluation of how organizations defend themselves.