The End of Routine Patching

June 23, 2026

By Preston Wright

“Patch Now” Is No Longer Just a Catchphrase.

For years, vulnerability management has been treated as a prioritization problem: identify the critical issues, rank them, assign them, and work the queue. That model still matters, but it’s no longer enough. The time available to safely address known exploited vulnerabilities (KEVs) is shrinking, and attackers are moving faster than many organizational patching models were built to handle.

Recent reporting on patching timelines reinforces what many security teams have already been seeing in the trenches: missing patch windows creates measurable breach exposure. The Cloud Security Alliance reported that only a small percentage of organizations remediate critical or high-severity vulnerabilities in production within 24 hours, while organizations that take four to seven days to patch reported a significantly higher rate of incidents involving KEVs.

That is a statistic that should get the attention of vulnerability managers, CISOs, IT operations teams, and executive risk leaders. A vulnerability finding now needs context almost immediately. Teams have to know whether attackers are using the vulnerability, whether the affected system is exposed, what it connects to, what could break during remediation, and what can be done right away to reduce the risk.

Attackers Are Exploiting the Gap Between Disclosure and Remediation.

The strategic picture is clear across multiple recent reports. Verizon’s 2026 Data Breach Investigations Report found that software vulnerability exploitation has become the top breach entry point, surpassing stolen credentials for the first time in the report’s history. Similarly, Mandiant’s M-trends 2026 found that exploits remained the most common initial infection vector for the sixth consecutive year. Together, these findings show that the time between disclosure, exposure, and remediation is now part of the attack window. When organizations cannot quickly determine whether an affected system is exposed, reachable, or already being targeted, attackers can use that delay to gain initial access.

Those findings point to the same operational reality: exploited vulnerabilities are no longer a background IT hygiene issue but, instead, a primary path into organizations. At Gate 15, we’ve been discussing this reality extensively in 2026, as we travel around the country delivering presentations, in exercises with security teams and senior executives, and in recent podcasts.

This is critical for internet-facing systems, edge devices, remote access infrastructure, cloud services, identity systems, and widely deployed enterprise applications. These assets often provide attackers with the access they need to move quickly from initial exploitation to persistence, credential access, lateral movement, data theft, or extortion.

Mandiant’s 2026 reporting shows how quickly some intrusions can move once access is established. In 2025, the median time between an initial access event and handoff to a secondary threat group fell to 22 seconds, a sign that parts of the cybercriminal ecosystem are built for near-immediate activity. A vulnerability that sits open while teams wait for the next change window can give attackers far more time than defenders may realize.

Prioritize What Can Be Exploited Against the Organization Now.

Severity scores are useful, but they don’t tell the whole story. What matters just as much is where the vulnerability exists, how exposed the affected system is, and whether attackers are actively targeting it. A high-severity vulnerability on an internet-facing system may require immediate attention, while a critical vulnerability on an isolated test environment could present far less risk. Understanding that difference allows organizations to prioritize remediation based on exposure, exploitability, and business impact.

CISA’s recent BOD 26-04 reflects this shift. The directive moves toward risk-based prioritization that considers whether an asset is publicly exposed, whether the vulnerability is in the KEV catalog, whether exploitation can be automated, and what level of control exploitation gives an attacker.

That model is useful beyond the federal civilian agencies directly bound by the directive. It gives private sector security leaders a practical way to separate urgent, incident-likely exposures from lower-risk findings that can be handled through normal patching lifecycle processes.

Patching everything with equal urgency is unrealistic, and delaying the wrong vulnerability is dangerous. Mature programs need to know which vulnerabilities are exploitable, reachable, business-critical, and likely to be used by adversaries.

Patching Faster Still Requires Patching Safely.

When a KEV affects an exposed or critical system, teams need to move quickly. The challenge is doing that without creating follow-on consequences. Some fixes can break production apps, disrupt identity workflows, impact services, or leave teams without a clean rollback path. Before pushing a fix, teams should understand what is exposed, what can be mitigated immediately, what needs testing, and how they will confirm the risk has been reduced.

In practice, the goal is to close the exposure as quickly and safely as the organization can.

Sometimes that answer is immediate patching. Other times, the fastest safe step is taking a system off the public internet, restricting access, deploying compensating controls, increasing monitoring, isolating the asset, or staging a fix with a rollback plan. Temporary containment can be a valid risk reduction step when it is documented, monitored, owned, and time-bound.
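The exposure-based triage described above, and the effect of a temporary containment step on it, as an added example that is not part of the original post. The weights, tier thresholds, and sample findings are constructed for illustration; they are not the scoring defined by BOD 26-04 or any CISA tooling.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float             # base severity score
    internet_exposed: bool
    in_kev: bool            # listed in CISA's KEV catalog
    automatable: bool       # exploitation is scriptable with no user interaction
    full_control: bool      # exploitation yields admin/root-level control
    business_critical: bool
    environment: str        # "prod" or "test"

def exposure_score(f: Finding) -> int:
    """Assumed, illustrative weighting of the factors the article names."""
    score = 0
    if f.in_kev:            score += 40   # attackers are already using it
    if f.internet_exposed:  score += 30   # reachable without prior access
    if f.automatable:       score += 15
    if f.full_control:      score += 10
    if f.business_critical: score += 10
    if f.environment != "prod": score -= 25   # isolated test systems carry less risk
    score += int(f.cvss)                      # severity counts, but never dominates
    return max(score, 0)

def tier(f: Finding) -> str:
    s = exposure_score(f)
    if s >= 80:
        return "immediate"   # incident-like triage, mitigate or patch today
    if s >= 45:
        return "expedited"   # next emergency change window
    return "routine"         # normal patch lifecycle

def rank(findings):
    # Highest exposure first: the order in which the queue should be worked.
    return sorted(findings, key=exposure_score, reverse=True)

def contain(f: Finding) -> Finding:
    """Documented, time-bound containment: pull the asset off the public internet."""
    return replace(f, internet_exposed=False)

# Constructed sample findings, not real systems or vulnerabilities.
EDGE_VPN  = Finding("vpn-edge-01",  7.5, True,  True,  True,  True, True,  "prod")
HR_PORTAL = Finding("hr-portal-02", 8.1, False, True,  False, True, True,  "prod")
TEST_DB   = Finding("qa-db-03",     9.8, False, False, False, True, False, "test")

if __name__ == "__main__":
    for f in rank([TEST_DB, HR_PORTAL, EDGE_VPN]):
        print(f"{f.asset:13} cvss={f.cvss} score={exposure_score(f)} tier={tier(f)}")
    print("vpn-edge-01 after containment:", tier(contain(EDGE_VPN)))
```

Note that the critical-severity finding on the isolated test database ranks last, while the high-severity KEV on the internet-facing VPN ranks first; taking that VPN off the internet lowers its score but, as a KEV on a business-critical system, it still needs the patch.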

This is where vulnerability management, IT operations, incident response, and business leadership can work together. Security teams may understand the exploit risk. System owners may understand the production risk. Executives need to understand both.

Known Exploited Vulnerabilities Require an Incident Mindset.

A KEV on an exposed or critical system should move differently than a routine backlog item. Teams may not need to declare every KEV as an incident, but they should be ready to triage it with incident-like discipline and answer these questions quickly:

  • Is the affected asset present in the environment?
  • Is it exposed to the internet or reachable from high-risk networks?
  • Is there evidence of exploitation or suspicious activity?
  • Can the exposure be reduced immediately through mitigation?
  • Who owns the system, the fix, the rollback, and the validation?
  • How will leadership know when the exposure has been safely reduced?

These questions sit at the center of the response. The strongest organizations will be the ones that can move quickly from awareness to action: identifying the affected assets, understanding what is exposed, assigning ownership, applying the fix or mitigation, and validating that the risk has been reduced, all without creating avoidable disruption.

Analysis from CSO makes the same point from the incident preparedness angle. If vulnerability exploitation is now a leading path into breaches, organizations need to practice the response before the incident. That means testing how teams identify affected systems, determine the blast radius, constrain exposure, coordinate remediation, and communicate decisions under pressure.

What Organizations Can Do Now.

Organizations can use the current threat environment as a forcing function to move from basic vulnerability management toward exposure management. That means building a clear picture of which assets are reachable, which vulnerabilities are exploitable, which systems matter most to the business, and which exposures need action first.

First, prioritize KEVs on internet-facing and business-critical assets. CISA KEV status, public exposure, exploit automation, and technical impact should all influence urgency.

Second, establish rapid mitigation options before the next emergency. If patching takes days or weeks, teams need pre-approved options for segmentation, access restriction, web application firewall rules, endpoint controls, configuration changes, and monitoring.

Third, treat high-risk remediation as a production change. Each fix should carry an owner, testing expectations, rollback criteria, validation steps, and awareness of the business impact.

Fourth, build a leadership metric around safely reduced exposures instead of closed tickets. Remediation is complete when the exposure is closed, the fix is validated, and the business remains operational.

Finally, practice the workflow. Tabletop exercises or drills test how quickly teams can move from alert to asset identification, decision-making, mitigation, patching, and validation.


Gate 15 works across Critical Infrastructure sectors to help organizations protect their people, places, data, and dollars. The threat environment is constantly shifting, and we are here to boost your resilience with plans, exercises, threat analysis, and operational support against both emerging and enduring threats. Contact our team at Gate15@gate15.global to see how we can assist you in delivering on your mission. Join Gate 15’s Resilience and Intelligence Portal (the GRIP)! Sign up today to stay informed of what’s new in all-hazards homeland security and join us in securing America’s people, places, data, and dollars.
