- What: A commentary on the challenges of closing the exploitability gap in vulnerability management.
- Impact: Highlights the need for faster remediation in the AI era.
Vulnerability Management, Patch/Configuration Management, AI/ML

5 ways to close the 'exploitability gap'

May 1, 2026

By Steve Carter

COMMENTARY: Vulnerability management teams don't just struggle with overwhelming volume: they now struggle with exploitation windows that keep shortening. By the time many organizations decide to act, the window for effective remediation has already closed. We call this the exploitability gap: the period between the first meaningful signals that a vulnerability is exploitable, or even actively exploited, and the formal confirmation that eventually catches up. As attacker timelines shrink, that gap has become the defining challenge in vulnerability prioritization.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

Recent research shows that attacker timelines have compressed dramatically. In the AI era, exploitation that once took weeks or months now often happens in days, and in some cases within 24 hours of disclosure. Despite this shift, many organizations still rely on downstream signals, such as inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog or changes in Exploit Prediction Scoring System (EPSS) scores, to trigger action. These signals are valuable, but they often arrive much later and cannot guide the earliest response.

Analysis of recent KEV additions makes this clear. In one dataset, 18% of vulnerabilities showed evidence of exploitability before being added to the KEV catalog, with lead times ranging from a single day to more than a month. Of these, 36% already carried strong evidence before KEV inclusion: public proof-of-concept (PoC) code, remote exploitability, or signs of weaponization.

Why "known exploited" can't replace an early warning system

KEV plays a critical role by confirming that a vulnerability has been exploited in the wild. But that's also its limitation: it's a confirmation mechanism, not an early warning system. When KEV becomes the starting point for prioritization, organizations anchor their response to a moment when exploitation has already occurred. In a threat landscape defined by speed, that creates a costly delay.

A similar pattern applies to EPSS. EPSS estimates the probability that a vulnerability will be exploited, but in practice it often becomes most actionable only after the risk is already visible, so it reinforces prioritization decisions rather than driving the earliest ones.

Neither KEV nor EPSS is the problem. The problem is relying on them as primary triggers: used in isolation, they reinforce reactive decision-making.

The signals that matter earlier

If downstream confirmation comes too late, what should teams rely on instead? Not a single signal, but a combination of earlier indicators that together support faster and more confident decisions.

Public proof-of-concept (PoC) availability is one of the clearest examples. Once exploit code is public, exploitability is no longer theoretical. In the dataset analyzed, PoC code often appeared days before KEV inclusion, and in every such case a patch was already available. The obstacle wasn't the ability to remediate but recognizing the urgency. One check is worth building into the process: confirm that a published PoC actually targets the affected versions and does what it claims, since non-functional and decoy PoC repositories are common and should not drive an emergency change on their own.

Other early indicators include:

- Remote exploitability or low attack complexity.
- Evidence of weaponization or integration into exploit frameworks.
- Links to malware or ransomware activity.
- Rapid increases in researcher or attacker attention.

Individually, none of these is definitive. Together, they offer enough evidence to justify earlier action. This is the important shift: security teams must stop waiting for vulnerabilities to become confirmation-ready and start acting when they are decision-ready.

Why teams need a layered model

The core challenge in vulnerability management isn't a lack of data: it's fragmentation.
Signals are scattered across advisories, threat research, exploit databases, vendor updates, and public PoC sources, so early exploitability evidence is hard to see in one place and even harder to operationalize quickly.

KEV confirms exploitation. EPSS estimates probability. PoC demonstrates feasibility. Internal context defines exposure and business impact. Each signal answers a different question, and none arrives at the same time. No single input can close the exploitability gap. Instead, organizations need a layered, exploitation-informed decision model that brings these signals together. In practice, that means:

- Use early exploitability indicators to flag high-risk vulnerabilities.
- Treat PoC availability as a trigger for accelerated remediation.
- Use KEV as confirmation, not as a starting point.
- Combine external threat intelligence with internal asset and business context to prioritize what matters to the organization.

This approach reflects a broader reality: both attackers and defenders now operate with AI-assisted intelligence at machine speed. Signals surface faster. Analysis happens faster. Exploitation follows faster. The cost of waiting keeps rising.

What security teams should do next

Vulnerability management programs must shift from reactive prioritization to earlier, evidence-based decision-making. A few practical steps can help:

- Move trigger points upstream; don't wait for KEV inclusion or EPSS thresholds.
- Operationalize PoC monitoring and treat public exploit code as a high-confidence risk signal.
- Define clear decision thresholds for when exploitability evidence is sufficient to act.
- Combine external threat signals with internal business context.
- Automate signal aggregation to reduce the time between detection and response.

The exploitability gap is not theoretical: it's measurable, and it has real operational consequences. Measure it in your own program: for each KEV addition that touched your estate, compare the KEV date with the date your earliest signal (PoC, weaponization, malware linkage) was observable, and track how often you acted before confirmation rather than after it.
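The layered decision model and the five steps above, as an added worked example that is not code from the column or from Nucleus Security: a small Python triage policy that scores the early indicators the column lists, treats KEV as confirmation rather than as the trigger, combines the external evidence with internal exposure context to choose a tier and an action, and measures the lead time gained over a KEV-only trigger. The signal weights, the two thresholds, the placeholder vulnerability IDs and every date are assumptions constructed for illustration, not real vulnerability data.

```python
"""Layered, exploitation-informed triage (added example): escalate when a
vulnerability is decision-ready instead of waiting for KEV confirmation.
Weights, thresholds and sample records are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed weights: feasibility-level signals count most, structural hints least.
WEIGHTS = {
    "poc_public": 3,             # public exploit code: feasibility demonstrated
    "weaponized": 3,             # integrated into an exploit framework
    "malware_linked": 2,         # tied to malware or ransomware activity
    "epss_high": 2,              # EPSS crossed the high-probability threshold
    "remote_low_complexity": 1,  # network-reachable, low attack complexity
    "attention_spike": 1,        # rapid rise in researcher/attacker attention
}
ACCELERATE_AT = 3  # assumed: enough evidence to shorten the remediation SLA
STANDARD_AT = 1    # assumed: enough to keep the item in the active queue


@dataclass
class VulnRecord:
    vuln_id: str
    disclosed: date
    patch_available: bool
    remote_low_complexity: bool = False  # known from the advisory at disclosure
    attention_spike: bool = False
    poc_public: Optional[date] = None    # dated signals: day each was first seen
    weaponized: Optional[date] = None
    malware_linked: Optional[date] = None
    epss_high: Optional[date] = None
    kev_added: Optional[date] = None
    internet_exposed: bool = False       # internal context: exposure and impact
    business_critical: bool = False


def evidence_points(v: VulnRecord, as_of: date) -> int:
    """Sum the weights of every signal observable on or before as_of."""
    pts = WEIGHTS["remote_low_complexity"] if v.remote_low_complexity else 0
    pts += WEIGHTS["attention_spike"] if v.attention_spike else 0
    for name in ("poc_public", "weaponized", "malware_linked", "epss_high"):
        seen = getattr(v, name)
        if seen is not None and seen <= as_of:
            pts += WEIGHTS[name]
    return pts


def decision(v: VulnRecord, as_of: date) -> str:
    """Tier as of a date: emergency, accelerated, standard or monitor."""
    if as_of < v.disclosed:
        return "monitor"
    if v.kev_added is not None and v.kev_added <= as_of:
        return "emergency"  # KEV is confirmation: top tier, but not the only route
    pts = evidence_points(v, as_of)
    if pts >= ACCELERATE_AT:
        # external evidence says act; internal context says how urgently
        return "emergency" if (v.internet_exposed or v.business_critical) else "accelerated"
    return "standard" if pts >= STANDARD_AT else "monitor"


def remediation_action(v: VulnRecord, as_of: date) -> str:
    """Escalation means patching when a fix exists, mitigation when it does not."""
    tier = decision(v, as_of)
    if tier in ("emergency", "accelerated"):
        return "patch now" if v.patch_available else "mitigate now (no patch)"
    return "schedule" if tier == "standard" else "watch"


def signal_dates(v: VulnRecord) -> list:
    """Every date on which the record's evidence changed, in order."""
    dates = (v.disclosed, v.poc_public, v.weaponized, v.malware_linked,
             v.epss_high, v.kev_added)
    return sorted({d for d in dates if d is not None})


def timeline(v: VulnRecord) -> list:
    """(ISO date, tier, action) at each point the evidence changed."""
    return [(d.isoformat(), decision(v, d), remediation_action(v, d))
            for d in signal_dates(v)]


def first_trigger_date(v: VulnRecord) -> Optional[date]:
    """Earliest date the layered model would have escalated this record."""
    hits = [d for d in signal_dates(v) if decision(v, d) in ("accelerated", "emergency")]
    return hits[0] if hits else None


def lead_times(records: list) -> dict:
    """Days gained over a KEV-only trigger, per record (None: no KEV entry or never escalated)."""
    out = {}
    for v in records:
        t = first_trigger_date(v)
        out[v.vuln_id] = None if (v.kev_added is None or t is None) else (v.kev_added - t).days
    return out


def sample_records() -> list:
    """Constructed records with placeholder IDs, not real vulnerability data."""
    return [
        VulnRecord("example-1", date(2026, 3, 2), True, remote_low_complexity=True,
                   poc_public=date(2026, 3, 5), kev_added=date(2026, 3, 19),
                   internet_exposed=True),
        VulnRecord("example-2", date(2026, 2, 10), True, weaponized=date(2026, 2, 20),
                   malware_linked=date(2026, 2, 20), kev_added=date(2026, 3, 25)),
        VulnRecord("example-3", date(2026, 4, 1), True, remote_low_complexity=True,
                   attention_spike=True),
        VulnRecord("example-4", date(2026, 4, 10), False, poc_public=date(2026, 4, 11),
                   internet_exposed=True),
    ]
```

Calling `timeline(v)` for each record in `sample_records()` and then `lead_times(...)` shows the behaviour the column argues for: example-1 is escalated on the day its PoC appears, 14 days before its KEV entry, and example-2 on the day weaponization is observed, 33 days ahead of KEV; example-4 has no patch, so escalation resolves to mitigation rather than patching; example-3 never accumulates enough evidence to leave the standard queue. The weights and thresholds are the part to calibrate: replaying a program's own past KEV additions through this model shows whether the thresholds would have fired early enough, and how often they would have fired on vulnerabilities that never ended up exploited.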
As exploitation timelines shrink, organizations that rely on downstream confirmation will increasingly find themselves reacting too late. Those that act on earlier signals can reduce exposure before exploitation fully materializes. We're not just identifying risk anymore. We need to decide when to act, and act early enough to make a difference.

Steve Carter, co-founder and CEO, Nucleus Security