The average time between a CVE being published and a working exploit appearing in the wild has fallen from 56 days in 2024 to roughly 10 hours in 2026. That figure, surfacing in late-April reporting and corroborated across multiple exploit-intelligence datasets, has reshaped what "patch promptly" actually has to mean for small and mid-sized businesses.

For a long time, SMBs in the United States and Canada could realistically batch software updates into a monthly maintenance window and still stay ahead of most opportunistic attackers. That assumption no longer holds. AI-assisted tooling is now generating working exploits in minutes, and automated scanners are firing on freshly disclosed vulnerabilities within the same business day they appear on the National Vulnerability Database.

This article walks through what the new exploitation timeline actually looks like, why AI has compressed it so fast, and the practical patching and monitoring questions an SMB owner or operations lead should be asking right now.

What Does "10 Hours From CVE to Exploit" Actually Mean?

The 10-hour figure is the median time between public disclosure of a CVE and the first observed working exploit, calculated across thousands of CVE-exploit pairs drawn from the CISA Known Exploited Vulnerabilities (KEV) catalog, the VulnCheck KEV dataset, and ExploitDB. It is not a worst case. It is the middle of the distribution.

The trajectory matters as much as the number:

  • 2018: mean time-to-exploit measured in years (roughly 2.3, according to widely cited industry analyses).
  • 2024: mean dropped to approximately 56 days, the figure that has been widely shared in security circles this spring.
  • 2025: roughly 23 days, according to year-over-year vulnerability intelligence reports.
  • 2026 (year to date): approximately 10 hours.

Recent individual cases line up with the trend. The Marimo remote-code-execution flaw (CVE-2026-39987) was exploited within 10 hours of disclosure. The LMDeploy flaw (CVE-2026-33626) saw its first observed exploitation attempt approximately 12 hours and 31 minutes after the advisory went live. The Palo Alto Networks Unit 42 2026 Threat Intelligence Report notes that opportunistic scanning for newly disclosed CVEs now begins within roughly 15 minutes of publication.

For SMB owners, the practical translation is straightforward: if your IT provider or internal team is patching on a calendar (the second Tuesday of the month, the first weekend of the quarter), you are operating on a cadence that pre-dates the threat environment you are actually facing.

Why Has the Exploit Window Collapsed?

The short answer is AI, but specifically AI applied to two parts of the attacker workflow that used to be expensive and slow: finding bugs and writing working exploits.

Public research over the past 12 months has documented:

  • AI models generating working exploits from a CVE advisory in roughly 10–15 minutes at a cost of around one US dollar per attempt, with researchers reproducing the result across multiple model vendors.
  • Anthropic's Claude Opus 4.6 surfacing more than 500 previously unknown high-severity vulnerabilities in widely deployed open-source libraries during pre-launch testing.
  • The CrowdStrike 2026 Global Threat Report documenting that average eCrime "breakout time" — the time from initial endpoint compromise to lateral movement — has fallen to approximately 29 minutes, with the fastest observed breakouts well under a minute.
  • Anthropic's September 2025 disclosure of a state-aligned threat actor hijacking Claude Code instances to run autonomous cyber operations against roughly 30 targets, with the model handling an estimated 80–90% of tactical steps without a human in the loop.

Two effects compound. First, AI lowers the skill floor: an attacker who could not previously write a working exploit can now generate one from a vendor advisory. Second, AI raises the ceiling: well-resourced groups are running fleets of model instances against newly disclosed CVEs in parallel, which is what produces the sub-day medians the exploit-intelligence community is now reporting.

We covered the broader picture of how this is reshaping attacker economics in our piece on AI-powered cyber threats and what SMBs should know, and on the defender side in our guide to defending against AI-powered cyberattacks.

Who Is Actually at Risk?

Every business that runs internet-facing software is exposed in some form, but the risk is not evenly distributed. Three SMB profiles are sitting in the sharpest part of the curve right now:

  • Businesses running self-hosted line-of-business applications — accounting platforms, practice-management software, CRM tools, ERP modules, file-share appliances. These are exactly the products that ship CVEs throughout the year and that often sit behind a single overworked IT contact.
  • Businesses with internet-exposed remote access — VPN concentrators, remote-desktop gateways, firewalls with management interfaces reachable from the public internet. Vulnerabilities in these products are weaponized faster than almost any other category, because successful exploitation hands the attacker an interactive foothold inside the network.
  • Businesses that rely on third-party SaaS without a vendor-management process — even when patching is the vendor's responsibility, the SMB still inherits the window between disclosure and the vendor's fix. As we discussed in third-party vendor risk for SMBs, knowing which vendors handle disclosures well is now a procurement question, not just an IT question.

SMBs are also the population least likely to have a 24/7 detection-and-response capability, which is what would otherwise compensate for a slower patch cadence. Recent industry reporting on the most recent Verizon Data Breach Investigations Report indicates that businesses with fewer than 1,000 employees account for a disproportionate share of confirmed breaches, and the gap between attacker speed and defender response is widening fastest at the small end of the market.

Why This Pattern Is Different From Past "Patch Faster" Warnings

Security advisories have been telling businesses to patch faster for at least two decades. The reason the current shift matters is that the operational assumptions built into most SMB IT environments are now mismatched with reality in a way they were not in 2022 or even 2024.

Three specific assumptions are now broken:

  1. "We have time to test patches before deploying." A two-week QA window used to be conservative. Against a 10-hour median exploit timeline for the highest-risk CVEs, a two-week window means an attacker holds a working exploit for essentially the whole of those two weeks while you are still testing. Testing still matters, but it has to be parallelized and risk-tiered, not serialized.
  2. "Most attackers won't bother with us — we're too small." AI-assisted scanning is indiscriminate. The cost of an exploit attempt against an SMB has dropped close to the cost of an exploit attempt against an enterprise, because the same automation hits both. This is the same trend we examined in why cybercriminals target small businesses in 2026.
  3. "Our antivirus will catch the exploit." Signature-based detection is built around known patterns. AI-generated exploits often have novel structure even when they target known vulnerabilities, which is part of why the Picus Red Report 2026 found that roughly 80% of the top observed adversary techniques are now focused on evasion and stealth rather than disruption.

For context on how the detection side has lagged, the Picus Blue Report from last year found that while approximately 54% of attacker activity is being logged in typical enterprise environments, only about 14% of that activity generates an alert. The visibility gap is real, and SMB environments are typically less instrumented, not more.

What US and Canadian Business Leaders Should Take From This

The honest framing for an executive is that patch management has moved from an IT hygiene topic to an operational risk topic. The right questions to ask your IT lead, MSP, or vCISO are no longer "are we patched?" — they are about how fast you can patch, which systems you patch first, and what you do during the window when a patch does not yet exist.

Specifically:

  • Do we have an inventory of internet-facing assets, and is it refreshed at least weekly?
  • For the top 10 vendors we depend on, do we know how each one issues advisories — and where those advisories land in our workflow?
  • What is our actual time-to-patch for a critical CVE on an internet-facing system? Hours, days, or weeks?
  • Do we have compensating controls (network segmentation, MFA on remote access, EDR, rate-limited admin interfaces) that buy time when a patch is not yet available?
  • If a CVE were exploited against us tonight, would we know by tomorrow morning?

If your team cannot answer these without ambiguity, the gap is not unusual — it is the modal SMB posture in both the US and Canada right now. The relevant Canadian framework here is the CCCS Baseline Cyber Security Controls for Small and Medium Organizations, which now explicitly emphasizes timely patching of internet-facing systems. On the US side, NIST SP 800-171 and CIS Controls v8 both treat rapid patching as a foundational requirement, and the CISA KEV catalog has become the operational benchmark for which CVEs federal contractors must remediate on a fixed clock.

Practical Asks for the Next 30 Days

None of this requires a wholesale rebuild of your IT environment. The shortest path to closing the most common gaps:

  1. Get an internet-facing asset inventory you trust. Even a spreadsheet is better than nothing. You cannot patch what you do not know exists.
  2. Subscribe to the CISA KEV feed and your top vendors' security advisory lists. KEV in particular is the closest thing to a "patch this now" signal that exists, and it is free.
  3. Define a critical-CVE response SLA. Many SMBs we work with target 24–72 hours for internet-facing systems and seven days for internal systems. The exact numbers matter less than having an internal commitment.
  4. Turn on automatic updates wherever it does not break the business. Browsers, OS security updates, mobile apps, and most SaaS clients should be auto-updating. We covered the fundamentals in our guide to software updates and patch management and managing general software updates.
  5. Put MFA on every remote-access surface. When a vulnerability does land, MFA on VPN, RDP, and admin panels is often the difference between "exploit attempt" and "active intrusion."
  6. Validate your backups against a ransomware scenario. Faster exploits mean faster intrusions, and intrusions still frequently end in extortion. Recovery posture is the floor under all of this.
  7. Get an outside view at least once a year. If you have not had your environment looked at by someone other than the people who built it, our free quick security assessment is a useful starting point.
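As an added example (not tooling from this article or its authors) of asks 1 through 3 working together, the script below reads a feed in the CISA KEV JSON layout, matches entries against an internet-facing asset inventory, and stamps each hit with the 72-hour / 7-day internal SLA from step 3. The feed, inventory, CVE IDs and vendor names are constructed placeholders; only the field names follow the public KEV JSON schema, and a live run would download the feed instead of using the embedded sample.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the CISA KEV JSON shape; CVE IDs and vendors are placeholders.
SAMPLE_KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
  "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleERP", "product": "Finance Module",
  "dateAdded": "2026-04-21", "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Widget",
  "dateAdded": "2026-04-21", "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed asset inventory: (vendor, product, internet_facing).
INVENTORY = [("ExampleVPN", "Gateway", True), ("ExampleERP", "Finance Module", False)]

# Internal SLA tiers from the article: 72 h for internet-facing, 7 days for internal systems.
SLA_HOURS = {True: 72, False: 7 * 24}

def triage(kev_json, inventory, now_iso):
    """Match KEV entries to the inventory and attach the internal SLA deadline to each hit."""
    now = datetime.fromisoformat(now_iso)
    facing_by_key = {(v.lower(), p.lower()): f for v, p, f in inventory}
    hits = []
    for e in json.loads(kev_json)["vulnerabilities"]:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key not in facing_by_key:
            continue  # product we do not run; nothing to patch
        facing = facing_by_key[key]
        added = datetime.fromisoformat(e["dateAdded"])  # date-only string parses to midnight
        deadline = added + timedelta(hours=SLA_HOURS[facing])
        hits.append({
            "cve": e["cveID"],
            "asset": f'{e["vendorProject"]} {e["product"]}',
            "internet_facing": facing,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "sla_deadline": deadline.isoformat(),
            "cisa_due": e.get("dueDate"),  # federal BOD clock, kept for comparison
            "overdue": now > deadline,
        })
    # Work order: internet-facing first, then ransomware-linked, then earliest deadline.
    hits.sort(key=lambda h: (not h["internet_facing"], not h["ransomware"], h["sla_deadline"]))
    return hits

if __name__ == "__main__":
    for h in triage(SAMPLE_KEV_JSON, INVENTORY, "2026-04-24T09:00:00"):
        exposure = "internet-facing" if h["internet_facing"] else "internal"
        status = "OVERDUE" if h["overdue"] else "due " + h["sla_deadline"]
        print(h["cve"], h["asset"], exposure, status)
```

Run on a schedule against the downloaded feed, the output is the day's patch work order; anything marked OVERDUE on an internet-facing asset is the item to escalate first.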

The Durable Lesson

The headline number — 56 days down to 10 hours in roughly 24 months — is striking, but it is not the point. The durable lesson for US and Canadian SMBs is that the operating assumptions baked into how most businesses think about IT risk were calibrated to a slower threat environment. Those assumptions are now the gap attackers are pricing in.

You do not need a dedicated security team to close that gap. You do need to know what you have, you need to patch the things facing the internet on a timeline measured in hours and days rather than weeks, and you need to have someone other than the attackers watching for what your monitoring missed. The businesses that internalize this in 2026 — quietly, without panic, as a normal part of operations — will be the ones the next wave of AI-accelerated exploitation does not catch flat-footed.


This article is intended for general informational purposes only and does not constitute professional security, legal, or compliance advice. Statistics on time-to-exploit and AI-assisted exploitation are drawn from public reporting and vendor research available as of the date of publication and may evolve as additional data becomes available. Organizations should consult qualified cybersecurity professionals before making operational changes based on this article.