RC RANDOM CHAOS

Mandiant clocked exploit window at 21 days

Mean time-to-exploit is 21 days. Vulnerability programs built on 30, 60, or 90 day SLAs are no longer enforced inside the threat window.

1. Opening Claim

Mean time-to-exploit is 21 days. That is the operating window. Every vulnerability management program calibrated to a slower clock is now misaligned with the threat surface it was built to defend.

21 days is not a metric to monitor. It is a boundary condition. It defines how long a critical vulnerability sits in your environment before a working exploit reaches the people who want to use it against you. If your patch cadence, your asset inventory accuracy, and your compensating control deployment cannot collectively close exposure inside that window, the program is not functioning. It is reporting.

The question of whether AI is driving this compression is not confirmed. What is confirmed is the number. Treat the cause as secondary. The defender’s position does not improve by attributing the shift to a specific actor or tooling class. It improves by accepting the window and rebuilding the response model around it.

2. The Original Assumption

Vulnerability management as a discipline was structured around an assumed gap between public disclosure and weaponisation. That gap funded the entire risk-based prioritisation model. Triage, ticketing, change windows, maintenance freezes, quarterly patch cycles. Every one of those processes assumes time exists between a CVE landing and an exploit reaching operational use against your assets.

The assumption produced specific behaviours. Critical vulnerabilities were routed into 30-day SLAs. High severity into 60 or 90. Exceptions were granted on the basis that exploitation was unlikely within the review period. Compensating controls were deferred because the patch was scheduled. Asset owners were given time to coordinate. None of these decisions were unreasonable under the assumed timeline. They are unreasonable now.

The deeper assumption beneath the SLA structure was that defenders and attackers operate on different clocks, with the defender’s clock being the slower of the two by design, and that the difference could be absorbed through prioritisation. That is the assumption that has failed. The clocks are converging. In some classes of vulnerability they have already crossed.

3. What Changed

The observable change is the number. 21 days. That is the externally measurable behaviour of the ecosystem: from disclosure to exploit availability, the mean has compressed to a value that does not fit inside the response architecture most organisations have deployed. Whether the compression is uniform across vulnerability classes, vendor types, or attacker tiers is not confirmed by the stated fact. The mean is the mean.

What the compression exposes is the dependency chain inside vulnerability management. Detection of the vulnerability in your environment. Identification of affected assets. Validation of the patch. Coordination of the change window. Verification of remediation. Each of those steps was tolerable when the exploit clock ran slower than the defender clock. At 21 days, the cumulative latency of that chain consumes the entire window before the patch reaches production. The chain itself is now the failure mode.

Attribution to AI is the framing. It is not the mechanism. Whether large language models, automated exploit generation, or scaled vulnerability research are responsible for the compression is not confirmed by the metric alone. The metric is agnostic to cause. What the metric defines is the new ceiling on defender response time. Programs that continue to operate on 30, 60, or 90 day patch SLAs for critical vulnerabilities are not slow. They are out of scope. The control is not enforced inside the window in which the threat exists. A control that is not enforced is not a control.

4. Mechanism of Failure or Drift

The mechanism of failure is not located in any single control. It sits in the composition of controls across a sequence that was engineered to run inside a gap that no longer exists. Vulnerability detection latency, asset inventory accuracy, patch validation, change approval, deployment scheduling, post-deployment verification. Each step performs to its own internal target. The internal performance has not degraded. The external pace has compressed past it. The aggregate response time, measured against 21 days, exceeds the window. The window is the constraint. The composition is the failure surface.

This is the drift pattern. Individual control owners report green against the metric assigned to them. Patch deployment teams meet their SLA. Asset management reports inventory completeness inside tolerance. Detection engineering reports mean time to detect inside target. None of these owners are failing against their stated objective. The aggregate is failing. Local accountability does not produce global enforcement when the threat clock changes faster than the SLA structure that decomposes the work. Decomposition without recomposition against the actual threat window is how programs report success while the boundary remains breached.
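As an added illustration of the composition failure (not code from the original post), here is a small Python check that scores each step of the remediation chain against its own owner's target and then scores the chain as a whole against the 21-day window. The step names follow the post; the target and observed durations, the `Step`, `assess` and `without` helpers and the compensating-control timing are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

THREAT_WINDOW_DAYS = 21  # mean time-to-exploit cited in the post


@dataclass(frozen=True)
class Step:
    name: str
    target_days: float    # the owner's own SLA for this step
    observed_days: float  # what the step actually took for this vulnerability


def step_green(step: Step) -> bool:
    """Local accountability: did this owner meet their own target?"""
    return step.observed_days <= step.target_days


def chain_latency(steps: Iterable[Step]) -> float:
    """Aggregate latency of a strictly sequential remediation chain."""
    return sum(s.observed_days for s in steps)


def without(steps: Iterable[Step], names: set) -> list:
    """The chain with the named steps taken off the critical path."""
    return [s for s in steps if s.name not in names]


def assess(steps, compensating_days: Optional[float] = None,
           window: float = THREAT_WINDOW_DAYS) -> dict:
    """Score each step locally, then score the whole chain against the window.

    compensating_days models a control that deploys independently of the
    patch chain; exposure closes at whichever finishes first.
    """
    steps = list(steps)
    local = {s.name: step_green(s) for s in steps}
    patch_close = chain_latency(steps)
    close = patch_close if compensating_days is None else min(patch_close, compensating_days)
    return {
        "all_steps_green": all(local.values()),
        "steps": local,
        "patch_chain_days": patch_close,
        "exposure_closed_days": close,
        "inside_window": close <= window,
        "overrun_days": max(0, close - window),
    }


# Constructed sample chain (hypothetical durations): every owner is inside
# their own target, so every local report is green.
CHAIN = [
    Step("detection", target_days=3, observed_days=2),
    Step("asset identification", target_days=5, observed_days=4),
    Step("patch validation", target_days=7, observed_days=6),
    Step("change approval", target_days=5, observed_days=5),
    Step("deployment scheduling", target_days=7, observed_days=6),
    Step("post-deployment verification", target_days=3, observed_days=2),
]

if __name__ == "__main__":
    result = assess(CHAIN)
    print("all steps green:", result["all_steps_green"])
    print("exposure closed on day", result["exposure_closed_days"],
          "inside window:", result["inside_window"],
          "overrun:", result["overrun_days"])
    # Same chain with the two negotiation steps removed from the critical path.
    trimmed = assess(without(CHAIN, {"change approval", "deployment scheduling"}))
    print("without owner negotiation, closed on day", trimmed["exposure_closed_days"])
    # Same chain with a compensating control that deploys on its own clock.
    print("with compensating control:", assess(CHAIN, compensating_days=6)["inside_window"])
```

With these constructed numbers every owner reports green and the chain still closes exposure on day 25, four days past the window. Taking the two negotiation steps off the critical path, or deploying a compensating control on day 6, brings closure inside it; that is the recomposition step the post says is missing when programs only sum local metrics.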

The identity boundary inside this drift is the asset owner. Vulnerability management as currently structured treats the asset owner as the enforcement point for remediation. The model assumes the owner has time to coordinate, test, and deploy inside the window. At 21 days, the owner is no longer the enforcement point. The enforcement point must move to the platform layer, the network segmentation boundary, the workload identity, or the compensating control surface that can change state without owner negotiation. If remediation requires negotiation, the window closes before consent is granted. Negotiation is latency. Latency is the failure. The control was not absent. The control was not enforced inside the window in which the threat existed. That distinction is the failure mode.

5. Expansion into Parallel Pattern

The same mechanism appears anywhere a control is calibrated to a clock the adversary does not respect. Credential rotation policies set on quarterly cycles, against credential theft and reuse that operates in hours. Certificate renewal cadences set on annual or biennial schedules, against issuance abuse and short-lived attacker infrastructure. Access review cycles built around 90 or 180 day attestation, against entitlement accumulation that proceeds continuously between reviews. The discipline differs. The mechanism is identical. Periodic enforcement applied to continuous exposure produces an enforcement gap defined by the interval.

In each case the control exists. It is documented, audited, and reported. It is not enforced inside the window in which the threat operates. The enforcement gap is the gap between the policy cadence and the attacker cadence. Vulnerability management at 30 days against a 21 day mean time to exploit is one instance of this pattern. Quarterly access review against credentials that are stolen and used within a week is another. The pattern is general. The mechanism is calibration drift between control frequency and threat frequency. Any program that reports control health on the basis of completed cycles, rather than enforcement state inside the current threat window, exhibits this drift.

The implication for defenders is that the vulnerability management compression is not an isolated condition. It is the visible edge of a structural pattern. Any program whose enforcement model is built on periodic intervention rather than continuous validation is exposed to the same compression mechanism. The question is not whether 30 days is the right SLA for patching. The question is whether enforcement is event-driven or interval-driven. Interval-driven enforcement is exposed wherever the threat operates faster than the interval. Whether the broader compression across attacker tooling is driven by AI is not confirmed. The pattern of exposure does not require that attribution to be true. The mechanism stands on the metric alone.
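The interval-versus-event distinction can be made concrete in code. The following is an added example, not the post's own, that models a control either as deadline-driven (its clock starts when the exposure appears, as a patch SLA does after disclosure) or interval-driven (it runs on a fixed cycle regardless of when the exposure appears, as a quarterly review does) and computes what fraction of exposure start times it closes before the adversary acts. The `Control` class, the sampled controls and their assumed threat durations are constructed for the example; the 21-day figure is the post's.

```python
import math
from dataclasses import dataclass
from typing import Literal

THREAT_WINDOW_DAYS = 21  # mean time-to-exploit cited in the post


@dataclass(frozen=True)
class Control:
    name: str
    mode: Literal["deadline", "interval"]  # when the control's clock starts
    cadence_days: float   # SLA length (deadline) or review period (interval)
    threat_days: float    # how quickly the adversary acts once exposure exists


def closure_day(control: Control, exposure_day: float) -> float:
    """Day on which the control first changes state for an exposure that
    appeared on exposure_day."""
    if control.mode == "deadline":
        # Clock starts at the exposure itself, e.g. a patch SLA after disclosure.
        return exposure_day + control.cadence_days
    # Periodic control: nothing happens until the next scheduled cycle.
    next_cycle = math.floor(exposure_day / control.cadence_days) + 1
    return next_cycle * control.cadence_days


def enforced_in_window(control: Control, exposure_day: float) -> bool:
    """True if the control acts before the adversary does."""
    return closure_day(control, exposure_day) <= exposure_day + control.threat_days


def worst_case_gap_days(control: Control) -> float:
    """Longest an exposure can persist unenforced: the full cadence in both modes
    (an exposure that appears just after a cycle waits for the next one)."""
    return control.cadence_days


def coverage(control: Control, step_hours: int = 1) -> float:
    """Fraction of exposure start times, sampled hourly across one cycle, that
    the control closes before the adversary acts."""
    if control.mode == "deadline":
        # Deadline controls are all-or-nothing: the SLA either fits or it does not.
        return 1.0 if control.cadence_days <= control.threat_days else 0.0
    samples = int(control.cadence_days * 24 / step_hours)
    hits = sum(enforced_in_window(control, i * step_hours / 24) for i in range(samples))
    return hits / samples


# Constructed controls mirroring the post's parallels; threat durations are assumptions.
CONTROLS = [
    Control("critical patch SLA", "deadline", 30, THREAT_WINDOW_DAYS),
    Control("critical patch SLA, tightened", "deadline", 14, THREAT_WINDOW_DAYS),
    Control("quarterly credential rotation", "interval", 90, 0.25),  # stolen credential reused within hours
    Control("quarterly access review", "interval", 90, 7),           # stolen credential used within a week
    Control("annual certificate renewal", "interval", 365, 1),
]


def report(controls=CONTROLS) -> dict:
    """Coverage and worst-case gap per control, keyed by name."""
    return {
        c.name: {"coverage": round(coverage(c), 4), "worst_gap_days": worst_case_gap_days(c)}
        for c in controls
    }


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:32s} coverage={r['coverage']:.4f} worst_gap={r['worst_gap_days']}d")
```

For an interval-driven control the coverage comes out at roughly `threat_days / cadence_days`: only exposures that happen to appear in the last few days before a scheduled cycle are caught in time, and the worst-case gap is the whole interval. A deadline-driven control is binary, which is why the post treats a 30-day SLA against a 21-day mean as out of scope rather than merely slow.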

6. Hard Closing Truth

The 21 day mean defines the operating window. Inside that window, controls must be enforced or they are not controls. Programs reporting compliance against 30, 60, or 90 day SLAs are reporting against a clock that no longer maps to the threat. The reporting may be accurate. The reporting is also irrelevant to the boundary. Accuracy against an obsolete benchmark does not produce enforcement. A control that is not enforced inside the threat window is not a control. It is documentation.

What must now be true. Detection of in-scope vulnerabilities and identification of affected assets must complete in days, not weeks. Compensating controls must be capable of deploying independently of patch coordination. Patch deployment must move to the platform layer where the architecture permits, removing asset owner negotiation from the critical path. Network segmentation, workload identity boundaries, and execution context controls must be treated as the primary containment surface, with patching as a secondary action rather than the primary one. If the primary action takes longer than the window, it is not primary. Trust must be validated against current state, not against the state recorded at the last review cycle.

Attribution to AI changes nothing about what must be true. Whether the compression is caused by automated exploit generation, scaled vulnerability research, commodity tooling, or a shift in attacker economics is not confirmed by the metric. The metric is the boundary. The boundary is 21 days. The defender position is to accept the boundary as a condition and rebuild the enforcement model so that controls operate inside it. Programs that continue to operate outside the window are not behind. They are out of scope. Reporting is not defence. Enforcement is.
