Cybercrime Trends: Vulnerabilities Are Up, Time to Compromise Is Down, and AI Will Make It Worse

Huntress Roadshow

The math of cybercrime is breaking in favor of the attackers. More vulnerabilities are being disclosed every year, attackers are weaponizing them faster, and the window defenders have to respond keeps shrinking. Now add AI to that equation.

Vulnerabilities Are Exploding

The CVE program logged more than 40,000 disclosed vulnerabilities in 2024 — a record that 2025 already shattered. A few things are driving the spike:

  • More software, more surface. SaaS sprawl, low-code platforms, and IoT devices all ship with their own bugs.
  • Better disclosure programs. Bug bounties and coordinated disclosure surface issues that used to sit silently in code.
  • Open-source dependency chains. A single vulnerable package can cascade across thousands of downstream products.

The result: defenders are drinking from a fire hose. Even mature security teams can’t patch everything, so prioritization becomes the entire game — and getting it wrong has real consequences.

Mean Time to Compromise Is Collapsing

The bigger problem isn’t the raw count of CVEs — it’s how fast they get weaponized.

  • CrowdStrike’s 2024 Global Threat Report clocked the average eCrime breakout time at 62 minutes, down from 84 minutes the year before. The fastest observed breakout was 2 minutes and 7 seconds.
  • Mandiant’s M-Trends has shown global median dwell time dropping for years, but the front end of the kill chain — initial access to lateral movement — is what’s compressing the most.
  • Time-to-exploit for newly disclosed CVEs has dropped from weeks to days, and in some cases hours. Recent edge-device CVEs (Ivanti, Fortinet, Citrix) were being mass-exploited before most orgs had even read the advisory.

Translation: your 30-day patch SLA is a fantasy. If you can’t detect and respond inside the first hour, you’re already losing.

Why AI Accelerates Everything

AI doesn’t change the playbook — it changes the pace and scale at which it runs.

On the offense side, AI is already being used to:

  • Discover vulnerabilities by feeding source code and binaries into LLMs and fuzzing pipelines. What took a senior researcher a week now takes an agent an afternoon.
  • Generate exploit code from public advisories within hours of disclosure.
  • Industrialize phishing with native-language lures, deepfake voice and video, and per-target personalization at zero marginal cost.
  • Automate reconnaissance — scraping LinkedIn, GitHub, and breach data to build dossiers on every employee at a target org.
  • Adapt malware in flight to evade EDR signatures and behavioral models.

The asymmetry problem: an attacker only needs one path in. AI lets them try thousands of paths in parallel, cheaper than ever. Defenders have to cover all of them.

What Defenders Actually Need to Do

If mean time to compromise is measured in minutes, your strategy has to be built around that reality:

  1. Compress your own detection and response time. MTTD and MTTR are the only metrics that matter now. If you’re measuring in days, you’re losing.
  2. Patch by exploitability, not CVSS. Use CISA’s KEV catalog, EPSS scores, and threat-intel feeds to prioritize what’s actually being exploited in the wild.
  3. Assume identity is the new perimeter. The fastest breaches today route through valid credentials and session tokens — not unpatched servers. MFA, conditional access, and continuous session evaluation are table stakes.
  4. Invest in AI on your side too. Pattern recognition across telemetry, automated triage of alerts, and AI-assisted threat hunting are no longer optional — they’re how you keep up.
  5. Practice the response. Tabletop exercises, purple teaming, and incident response retainers. The first time you run your IR plan should not be during an actual incident.
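As an added illustration of item 2 (this is example code, not material from the roadshow or from Huntress), here is a small Python prioritizer that orders findings by evidence of exploitation first and CVSS last: KEV membership on an internet-facing asset, then KEV membership anywhere, then a high EPSS probability, and only then raw CVSS. The KEV and EPSS payloads are constructed stand-ins that mimic the layout of the public feeds, the CVE identifiers, asset names, the 0.50 EPSS threshold and the per-tier patch SLAs are all hypothetical, and a real deployment would fetch the live KEV JSON and EPSS scores instead.

```python
"""Rank vulnerability findings by exploitation evidence (KEV, EPSS), not CVSS alone.
Added example with constructed data; CVE ids, assets, thresholds and SLAs are hypothetical."""
import json
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed stand-in for CISA's KEV feed: a "vulnerabilities" list whose
# entries carry a "cveID" field.  The CVE ids here are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001"},
    {"cveID": "CVE-0000-0003"},
]})

# Constructed stand-in for the EPSS API response: a "data" list with the
# CVE id and the exploitation probability as a string.
EPSS_JSON = json.dumps({"data": [
    {"cve": "CVE-0000-0001", "epss": "0.91"},
    {"cve": "CVE-0000-0002", "epss": "0.04"},
    {"cve": "CVE-0000-0003", "epss": "0.63"},
    {"cve": "CVE-0000-0004", "epss": "0.55"},
]})

EPSS_HIGH = 0.50                                   # hypothetical policy threshold
SLA_HOURS = {0: 24, 1: 72, 2: 7 * 24, 3: 30 * 24}  # hypothetical patch deadlines per tier


@dataclass(frozen=True)
class Finding:
    cve_id: str
    asset: str
    cvss: float
    internet_exposed: bool


def load_kev(raw: str) -> Set[str]:
    """Set of CVE ids listed in the (constructed) KEV feed."""
    return {v["cveID"] for v in json.loads(raw)["vulnerabilities"]}


def load_epss(raw: str) -> Dict[str, float]:
    """Map CVE id -> EPSS probability from the (constructed) EPSS payload."""
    return {d["cve"]: float(d["epss"]) for d in json.loads(raw)["data"]}


def tier(f: Finding, kev: Set[str], epss: Dict[str, float]) -> int:
    """0 = KEV + internet-facing, 1 = KEV, 2 = EPSS above threshold, 3 = everything else."""
    if f.cve_id in kev and f.internet_exposed:
        return 0
    if f.cve_id in kev:
        return 1
    if epss.get(f.cve_id, 0.0) >= EPSS_HIGH:
        return 2
    return 3


def prioritize(findings: List[Finding], kev: Set[str], epss: Dict[str, float]) -> List[Finding]:
    """Sort by tier, then by EPSS descending, and only then by CVSS descending."""
    return sorted(findings, key=lambda f: (tier(f, kev, epss), -epss.get(f.cve_id, 0.0), -f.cvss))


def patch_plan(findings: List[Finding], kev: Set[str],
               epss: Dict[str, float]) -> List[Tuple[str, str, int, int]]:
    """(cve_id, asset, tier, hours-to-patch) rows in the order they should be worked."""
    return [(f.cve_id, f.asset, tier(f, kev, epss), SLA_HOURS[tier(f, kev, epss)])
            for f in prioritize(findings, kev, epss)]


# Constructed findings: note the CVSS 9.8 bug that is neither in KEV nor high-EPSS.
SAMPLE = [
    Finding("CVE-0000-0002", "build-server", 9.8, False),  # critical CVSS, little exploitation evidence
    Finding("CVE-0000-0001", "vpn-gateway", 7.5, True),    # KEV-listed, internet-facing edge device
    Finding("CVE-0000-0003", "file-server", 8.1, False),   # KEV-listed, internal only
    Finding("CVE-0000-0004", "hr-portal", 8.8, True),      # not KEV, but EPSS above threshold
]

if __name__ == "__main__":
    for row in patch_plan(SAMPLE, load_kev(KEV_JSON), load_epss(EPSS_JSON)):
        print(row)
```

Run as-is, the plan puts the KEV-listed 7.5 on the VPN gateway first with a 24-hour deadline and the CVSS 9.8 build-server bug last with a 30-day one, which is exactly the reversal a CVSS-only queue would miss. The tier boundaries are deliberately simple so they can be argued about in a change-control meeting; the point is that the sort key reads KEV and EPSS before it ever looks at CVSS.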

The Bottom Line

The trend lines aren’t subtle: more vulnerabilities, faster exploitation, lower attacker cost. AI accelerates every step of that chain — for attackers first, defenders second.

The orgs that come out of the next two years intact will be the ones that stopped treating security as a quarterly compliance exercise and started treating it like the operational, AI-vs-AI problem it actually is.

The clock is already running. Sixty-two minutes, and counting.