Qualys report flags critical gap between threat speed and enterprise remediation

A new report by the Qualys Threat Research Unit, titled “The Broken Physics of Remediation”, highlights a fundamental shift in the cybersecurity landscape, where attackers are now exploiting vulnerabilities faster than enterprises can respond.

Drawing on more than one billion remediation records across 10,000 organisations, the study reveals that the average time-to-exploit (TTE) has dropped to -1 day, meaning vulnerabilities are often weaponised even before patches are released.

This inversion of timelines is creating a structural imbalance: 88% of critical vulnerabilities are remediated slower than they are exploited, underscoring the growing mismatch between attacker speed and defender response.

The report argues that traditional remediation models, built around manual workflows, ticketing systems, and Mean Time to Remediate (MTTR), are no longer sufficient in an era where adversaries operate at machine speed. Instead, enterprises are facing what the study terms a “human ceiling”, where even increased effort fails ...