RC RANDOM CHAOS

Mandiant clocked 5 days in 2023

Mean time-to-exploit for critical CVEs has collapsed to days. The mechanism is patch diffing, n-day industrialisation, and telemetry gaps on appliances.

Mandiant’s tracked mean time-to-exploit dropped from 63 days in 2018-2019 to 32 days in 2021-2022 to 5 days in 2023. Public reporting from CrowdStrike, Rapid7, and Google Project Zero corroborates the compression. Some critical-severity CVEs are now seeing functional public proof-of-concept inside 24 hours of patch release. The window between vendor disclosure and weaponised exploitation is no longer measured in weeks. For internet-facing CVSS 9+ bugs in widely deployed software - Citrix NetScaler, Fortinet SSL-VPN, MOVEit Transfer, Ivanti Connect Secure, Confluence - it is measured in hours.

The mechanism behind the compression is not a mystery. It is patch diffing, telemetry from honeypots, and the industrialisation of n-day exploitation.

When a vendor ships a security patch, the binary delta is the specification of the bug. Tools like BinDiff, Diaphora, and Ghidra’s structural diff plugin reduce the work of locating the vulnerable function to minutes. The patched function is the one that changed. The added bounds check, the added null pointer guard, the swapped allocator call - these mark the primitive. From there, a competent vulnerability researcher works backward to the reachable code path. Public write-ups from watchTowr, Assetnote, and Horizon3 have demonstrated this loop at scale. PoC published within hours, weaponised version in n-day exploit kits within days.

Add machine-assisted reverse engineering. Large language models trained on assembly, decompiled C, and CVE prose now accelerate the slow parts of n-day analysis - function summarisation, taint tracking through obfuscated control flow, hypothesis generation about reachability. Vendor product teams are using the same capability defensively. Attackers had it first.

The critical-severity bug class driving the curve is consistent. Pre-authentication remote code execution in network appliances and middleware. CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure, chained for unauthenticated RCE. CVE-2023-3519 in Citrix NetScaler, stack overflow in the gateway handler. CVE-2023-4966 NetScaler memory disclosure, exploited weeks before public PoC. CVE-2023-34362 MOVEit Transfer SQL injection chain, weaponised by CL0P against more than 2,700 organisations. CVE-2024-3400 PAN-OS GlobalProtect command injection. CVE-2024-55956 Cleo file transfer RCE. Each was exploited at scale within days of disclosure. Several were exploited before disclosure.

The primitives are unremarkable. Stack buffer overflow in a request parser. Command injection in a CLI wrapper invoked by a web handler. SQL injection in a session lookup. Path traversal that yields arbitrary file read of the session token store. Deserialisation in a Java middleware component. These are not novel bug classes. The novelty is the surface - appliances sold as security infrastructure, deployed at the network perimeter, running internet-facing services on hardened-by-marketing operating systems with limited EDR coverage.

The exploit path on these targets follows a repeatable shape. Initial access - T1190, exploit public-facing application - against the appliance management interface or the user-facing VPN endpoint. The primitive yields code execution as the web service account, frequently root on the appliance. From there, the attacker enumerates configured tenants, dumps session tokens, exfiltrates the configuration database, and pivots inward using credentials cached on the device. For network appliances, the device is a bridgehead. For file transfer middleware like MOVEit and Cleo, the device is the objective - the data is on disk and the SQL injection reaches it directly.

AI in the loop changes the cadence but not the model. Models accelerate three steps. Patch analysis - summarising the diff and pointing at suspect functions. Reachability analysis - tracing whether attacker-controlled input crosses the boundary into the vulnerable code. Payload adaptation - varying encodings, header shapes, and request structures to evade signature-based WAF rules. None of this is novel capability. All of it was previously gated by skilled-analyst time. That gate is now narrower.

What this is not. It is not artificial intelligence writing zero-day exploits from natural language. The public capability boundary, as of current research output from Google, Anthropic, and academic red-teams, is assistance, not autonomy. Bug discovery in novel surfaces still requires fuzzing infrastructure, source access or aggressive reversing, and exploit primitive engineering. The CVE pipeline is still dominated by human researchers, vendor SDLC findings, and bounty submissions. The acceleration is on the n-day side. The zero-day side is moving, but not at the rate the headline number suggests.

Telemetry visibility for this class of intrusion is structurally poor. Network appliances do not run EDR. The vendor agent on the box, if one exists, reports to the vendor’s cloud, not to your SIEM. Syslog forwarding captures authentication events and high-level configuration changes. It does not capture process execution, file integrity changes, or memory anomalies. When an attacker drops a webshell on a NetScaler appliance, the artefact lives on the appliance filesystem. The detection path is filesystem integrity monitoring inside the appliance - which the vendor controls - or anomalous outbound traffic from the appliance management IP, which the defender controls but rarely baselines tightly enough to alert.

What actually fires. Outbound connections from the appliance to non-vendor destinations. New listening sockets on the appliance. Unusual user-agent strings in egress proxies originating from appliance management subnets. Authentication events for service accounts that should never interactively log in. NetFlow showing the appliance initiating SMB or RDP to internal hosts. These signals exist. They are not collected by default on most networks. The Volt Typhoon advisory from CISA in early 2024 - F5, Fortinet, Cisco appliances used as living-off-the-land bridgeheads against US critical infrastructure - is the reference case. The dwell time in those intrusions was measured in years, not days, because the telemetry to detect appliance-resident activity did not exist on the defender side.
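The two egress signals above that a defender controls, appliance-initiated traffic to non-vendor destinations and appliance-initiated SMB or RDP to internal hosts, reduce to a baseline check over flow records. The following is an added example, not code from the original post or from any vendor; the subnet, vendor range and flow records are constructed placeholders.

```python
import ipaddress

# Constructed flow records (initiating side first), not a real NetFlow export.
# Assumed layout: appliance management subnet 10.0.100.0/24, internal space 10.0.0.0/8,
# and 198.51.100.0/24 standing in for the vendor's telemetry/update destinations.
APPLIANCE_MGMT = ipaddress.ip_network("10.0.100.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
VENDOR_DESTS = [ipaddress.ip_network("198.51.100.0/24")]
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}

SAMPLE_FLOWS = [
    # (src, dst, dst_port, proto)
    ("10.0.100.5", "198.51.100.20", 443, "tcp"),  # appliance -> vendor cloud: expected
    ("10.0.100.5", "203.0.113.7", 443, "tcp"),    # appliance -> unknown external host
    ("10.0.100.5", "10.0.20.14", 445, "tcp"),     # appliance -> internal SMB
    ("10.0.100.5", "10.0.20.15", 3389, "tcp"),    # appliance -> internal RDP
    ("10.0.20.14", "10.0.100.5", 443, "tcp"),     # user -> appliance: normal inbound
    ("10.0.100.5", "10.0.1.53", 53, "udp"),       # appliance -> internal DNS: expected
]


def classify(flow):
    """Return an alert string for a flow the appliance should never initiate, else None."""
    src, dst, port, proto = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in APPLIANCE_MGMT:
        return None  # only flows initiated by the appliance are in scope
    if d in INTERNAL:
        # An appliance has no business opening SMB or RDP sessions to internal hosts.
        if port in LATERAL_PORTS:
            return f"appliance {src} initiated {LATERAL_PORTS[port]} to internal host {dst}"
        return None
    if any(d in net for net in VENDOR_DESTS):
        return None  # vendor cloud reporting is part of the baseline
    return f"appliance {src} initiated {proto}/{port} to non-vendor destination {dst}"


def alerts(flows):
    """Evaluate every flow against the baseline and collect the hits."""
    return [msg for f in flows if (msg := classify(f))]


if __name__ == "__main__":
    for line in alerts(SAMPLE_FLOWS):
        print(line)
```

The baseline is only as good as the vendor destination list; populate it from the appliance's documented telemetry and update endpoints and review it on each firmware upgrade.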

For middleware like MOVEit and Cleo, the detection picture is different but not better. The application runs on a standard Windows or Linux host that can carry EDR. The exploitation produces process activity. CL0P’s MOVEit campaign dropped a webshell named LEMURLOOT - process trees showed w3wp.exe spawning cmd.exe and powershell.exe at unusual frequency, file writes to the wwwroot directory, and outbound connections to staging hosts. Sysmon event ID 1 for process creation, event ID 11 for file creation in web directories, event ID 3 for outbound network. The signals were emitted. The detections existed in mature SOCs. The dwell time before exfiltration was short - in many cases under 48 hours - and the volume of compromised tenants overwhelmed the response capacity even for organisations that detected the activity.

MITRE ATT&CK mapping for the dominant pattern. T1190 initial access. T1505.003 web shell for persistence. T1059.001 PowerShell or T1059.004 Unix shell for execution. T1552.001 credentials in files for the configuration database. T1041 exfiltration over C2 channel. The chain is short. The TTPs are not novel. Detection coverage for each technique exists in published rulesets - Sigma, Elastic detection rules, Splunk ES content. The gap is not detection logic. The gap is telemetry collection from the affected surface.

The AI apocalypse framing in the public discourse conflates two effects. The first is real. N-day weaponisation is faster than patch deployment cycles in most organisations. Enterprise change windows of 30 days for non-emergency patches are now slower than the exploitation curve for critical bugs in internet-facing systems. The patch cycle and the exploit cycle have inverted. The second framing - AI generating novel zero-days at scale - is not yet supported by public evidence. It may arrive. It has not arrived.

The technical reality. For CVSS 9+ pre-auth RCE in internet-facing systems, the assumption that patch availability provides meaningful protection time has expired. Monthly patch windows do not survive the curve. Emergency patching processes - defined trigger criteria, pre-authorised maintenance windows, tested rollback paths - are the only deployment model that aligns with the timeline. Compensating controls during the patch gap are network-layer restrictions on management interface exposure, geographic blocking on appliance authentication endpoints, and aggressive baseline monitoring of egress from appliance subnets.

Residual exposure after patching is the question that does not get asked enough. A patch closes the primitive. It does not evict an attacker who exploited the bug before the patch. For Citrix NetScaler CVE-2023-4966, the disclosed exploitation predated the patch by months. Sessions hijacked during the pre-patch window persisted across the patch. The same pattern held for Ivanti and MOVEit. Patch deployment is necessary and insufficient. Post-patch hunt - for webshells, for hijacked sessions, for added administrative accounts, for outbound staging connections from the affected hosts - is the work that closes the actual intrusion. The patch is the beginning of the response, not the end.

The compression of mean time-to-exploit is not the apocalypse. It is the arithmetic of patch diffing meeting the deployment latency of enterprise change control. The variables are known. The window is now narrower than the process that was designed to defend it.
