The patch window went negative. Now what?
Mandiant's mean time-to-exploit is negative seven days. NVD gave up on enriching most of the catalog. Here's what the next 24 months of patch management actually look like with AI on both sides.
Mandiant’s 2026 M-Trends puts the mean time-to-exploit at negative seven days. Not seven days after disclosure. Seven days before. For a growing share of the catalog, the exploit lands before the advisory does, which means “how fast can we deploy” stops being the right question.
The obvious read
Most coverage of AI in security right now is a tidy good-news/bad-news split. Good news: Google’s Big Sleep is finding bugs in SQLite, ANGLE, and V8 before anyone exploits them. CodeMender has upstreamed 72 fixes since October 2025, some into codebases of 4.5 million lines. DARPA’s AIxCC finalists patched 61% of injected vulnerabilities autonomously and turned up 18 real zero-days as a side effect. Bad news: Anthropic disclosed GTG-1002 in November 2025, a Chinese state-sponsored cluster that allegedly drove Claude Code through 80-90% of a kill chain against thirty global targets. Caveat that figure (Anthropic is both discloser and vendor; it’s self-reported), but even halved it’s meaningful.
The implied conclusion is that the two sides are running a race, and as long as defensive AI keeps up, we’ll be fine. That framing is wrong. The race isn’t between offensive AI and defensive AI. It’s between disclosure speed and deployment speed, and only one of those is getting faster.
The pattern
Disclosure is accelerating from both directions. CVE volume rose from 40,009 in 2024 to 48,185 in 2025 (+20.6% YoY), with Q1 2026 tracking 33% above Q1 2025 and the year on pace for 60K-65K. AI-assisted research is finding bugs at a rate the human-review queue can’t process: NIST conceded the point on April 15, 2026, moving roughly 29,000 backlog CVEs to “Not Scheduled” and committing to enrich only 15-20% of incoming CVEs going forward, prioritized by CISA KEV and federal-critical software. The other 80-plus percent will exist as IDs and not much else.
Deployment is not accelerating. Edgescan’s 2025 report puts median MTTR for critical application/API vulnerabilities at 74.3 days, statistically flat against 2023 and 2024. Adaptiva’s 2025 survey found 87% of organizations carrying third-party patch backlogs and 77% needing more than a week to deploy a single patch. Verizon’s 2026 DBIR has vulnerability exploitation as the initial access vector in 20% of breaches, up 34% year-over-year; edge devices and VPNs as exploit targets jumped from 3% to 22% in a single year.
AI doesn’t close this gap. AI shrinks the time from “bug exists” to “bug is public.” It doesn’t shrink the time from “patch is available” to “patch is on the box.” That second number depends on change windows, regression risk, compliance review, and the fact that the human approving the change still wants to see what changed. YouGov’s 2025 polling has only 18% of respondents willing to let AI act “even somewhat” without approval, and 68% wanting explicit approval per action. That’s the ceiling on agentic patch deployment for the next several years, and it has nothing to do with model capability.
The upstream side of patch management is becoming an AI vs AI problem on hour timescales, while the downstream side remains a human-trust problem on multi-week timescales. Everything below is downstream of that decoupling.
Next six months (through November 2026)
The rhythm shifts almost immediately. Microsoft’s hotpatch goes default on Autopatch with the May 11, 2026 security update, meaning eligible Windows 11 24H2 fleets absorb eight reboot-free monthly updates per year. The headline is good; the footnotes are where the work is. Four quarterly baselines still require a restart; the feature excludes .NET, drivers, firmware, and third-party software; and Microsoft has not published enrollment data. Expect a wave of “why didn’t this server hotpatch” tickets in July and August, most of which will trace back to baseline-eligibility drift.
September brings the harder deadline. EU CRA Article 14 reporting obligations apply from September 11, 2026: manufacturers selling into the EU must notify ENISA and the designated CSIRT within 24 hours of awareness of an actively exploited vulnerability, with 72-hour full notification and a 14-day final report after corrective measure. Most US vendors do not have a 24/72/14 process today. The first publicly missed deadline becomes the reference case the rest of the industry plans against.
In the same window, NVD’s reduced-enrichment posture starts to bite. Scanners that depend on NVD CPE matching will visibly degrade against the 80% of CVEs that ship without it. Vulnrichment and vendor-side enrichment feeds will carry more weight than they should.
What probably won’t happen: Microsoft’s Vulnerability Remediation Agent shipping GA. It was announced March 24, 2025 and remains in limited public preview eight months on, which usually means another year.
Next twelve months (through May 2027)
The middle horizon is where vendor consolidation becomes the dominant story. Tenable is rebranding around “exposure for the AI era”; Qualys (TotalAppSec) and Rapid7 (Exposure Command) are pushing the same direction. By mid-2027 the standalone “vulnerability management” SKU survives mainly in the mid-market; large-enterprise spend moves into exposure-management platforms that fold patching, configuration, identity exposure, and attack-surface management into one pane. The category name changes, the work doesn’t.
DARPA AIxCC outputs are open-source by design, and the finalist stacks (Team Atlanta, Trail of Bits Buttercup, Theori) will show up inside commercial AppSec by year-end. Expect Snyk, Sonar, and Veracode features that look a lot like AIxCC’s cyber-reasoning systems with different logos. The functional ceiling becomes “draft a PR that passes tests and human review,” not autonomous merge. Snyk Agent Fix markets 80% autofix accuracy; an independent 2026 field test found 76% effective accuracy and a 5.3% regression rate, which is the right number to plan against and too high for unattended merge.
CISA BOD 26-02 hits its first major milestone in February 2027: federal civilian agencies must complete inventory of EOL edge devices and begin replacement. Budgets are the actual constraint. Some agencies will miss the August 5, 2027 full-removal deadline; the resulting CISA posture will set the tone for private-sector adoption.
AI-assisted exploit development becomes the assumed default for opportunistic actors. The Fang et al. result (GPT-4 plus an agent scaffold exploiting 87% of 15 one-day CVEs given the description, at $3.52 per run) is two years old; CVE-Genie reportedly reproduced 51% of 2024-2025 CVEs at about $1 per attempt. Treat both as floors. Median TTE stays negative.
Next twenty-four months (through May 2028)
Two regulatory deadlines and one capability shift dominate this horizon.
EU CRA full obligations land December 11, 2027. Products on the EU market need documented vulnerability handling and lifecycle security updates. The “ship and hope” model ends for EU-sold devices, and the SBOM stops being a marketing artifact. Expect cheaper IoT and edge-device products delisted from EU markets rather than re-engineered.
CISA BOD 26-02’s mature-program deadline lands February 5, 2028. Federal agencies must operate a lifecycle program for edge-device patchability, not a one-time cleanup. This is the first federal directive that treats device patchability as the compliance object rather than patches as compliance events. The pattern will export to state and local government, then into regulated industries.
The capability shift is limited-scope agentic deployment. By 2028, autofix PRs with auto-merge gated on test passage are realistic in mature engineering orgs. Agents that stage and deploy non-critical OS updates inside narrow change windows are realistic in the largest enterprises. Mid-market stays human-in-the-loop, because the YouGov trust numbers won’t move that fast and because the regression cost is borne by the operator, not the vendor.
Median operator MTTR for critical CVEs may move from 75 days into the 40-50 day range, driven mostly by exposure-management workflow rather than AI agents. CVE volume likely crosses 80,000 in 2028. The NVD enrichment ceiling holds at 15-20%; scanner accuracy depends on whoever built independent enrichment.
What to build toward
The throughline across all three horizons is that the work that compounds is triage capacity, not deployment capacity. The constraint stopped being “can we install the patch” and became “can we tell which of the 60,000 CVEs this year matter enough to interrupt the change calendar.” Exposure-management platforms are betting their roadmaps on this. The operators who win in 2027 are the ones who built a defensible answer to the triage question first, then layered AI-assisted PR generation and hotpatching on top of it.
The thing to watch, and the thing that would change this read, is whether trust in agentic action moves. If the YouGov 18% becomes 40% by 2027, autonomous patch deployment is real and the timeline above is conservative. If it stays at 18%, the gap between disclosure and deployment widens for the rest of the decade, and the only sustainable defense is being early on triage. The base case is that it doesn’t move much, and that curl’s decision to end its bounty program at the end of January 2026, after 95% of 2025 reports turned out to be AI slop, is a better predictor of the next two years than any of the agent demos.
PatchDay Alert exists for the triage half of the problem. The deployment half is on you.
Sources
- Mandiant M-Trends 2026 (Help Net Security summary)
- NIST Updates NVD Operations to Address Record CVE Growth
- Verizon 2026 DBIR findings (Help Net Security summary)
- EU Cyber Resilience Act — Reporting obligations
- CISA BOD 26-02: Mitigating Risk from End-of-Support Edge Devices
- Introducing CodeMender — an AI agent for code security (Google DeepMind)
- Google Big Sleep agent catches SQLite zero-day pre-exploitation (Google Cloud Blog)
- Disrupting AI espionage — GTG-1002 (Anthropic)
- DARPA AI Cyber Challenge Final Results
- curl ending bug bounty program after flood of AI slop reports (BleepingComputer)
- Securing devices faster with hotpatch updates on by default (Microsoft)
- Edgescan 2025 Vulnerability Statistics Report