Why ROC is the Future of Risk Remediation

Patching is the fundamental way to protect systems, but the sheer scale of modern infrastructure has broken traditional remediation models. Qualys TRU research reveals a 6.5x growth in closed events, yet the “readiness gap” is widening: critical vulnerabilities remaining open at Day 7 rose to 63% in 2025.

In the Google Threat Intelligence M Trends research for 2026, the average time to exploit issues is now minus seven days. Most exploits now occur before a vulnerability is even discovered. For defenders, the choice is binary: find a way to travel through time, or pivot to a risk-based remediation strategy that prioritizes business impact over technical severity.

Why Mean Time To Remediation is not useful as a metric

The traditional measure for patching is Mean Time To Remediation, or MTTR. This is defined as the time between initial disclosure for any security vulnerability and when that issue is removed by applying the patch. MTTR is well understood, and provides a simple measure for traditional patching performance.

However, it is much less effective when dealing with zero-day issues. When a metric is designed specifically to track patch deployment, it struggles to capture how much risk the business actually faces from those issues. It ignores compensating controls like network segmentation, host isolation, or virtual patching. These actions genuinely reduce risk and maintain business continuity while the patch is being rolled out, and may stop an attack before exploitation can take place, yet they are invisible in an MTTR report.

A new metric is therefore needed to measure the time between any potential exploit being announced and security teams closing the door on attackers. This is the Average Window of Exposure, or AWE. By measuring what teams can proactively do to prevent attacks alongside the patching process, security teams can separate how they handle critical vulnerabilities or misconfigurations from their overall approach to less serious issues.

This also helps defenders understand their work in context. In the Qualys Threat Research Unit’s work, 85 percent of vulnerable assets were unpatched at the point when exploits were initially released. At the average remediation mark of approximately 21 days, 33 percent of CISA KEV assets are still unpatched. At 90 days, nearly 12 percent of those assets were still vulnerable as patches had not been deployed. When the rules call for critical vulnerabilities to be patched in 15 days, and other issues fixed in 25 days, we can see that performance is well behind where it should be.

Rather than measuring the speed of the patch response, AWE measures how long the company was actually exposed. This gives more insight into how quickly the team moves from a potential exploit to closing the exposure, at scale. The other benefit of this metric is that it surfaces the exposure that sits in the long tail of security issues, which an average such as MTTR can conceal.
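To make the difference between the two metrics concrete, here is an added illustration (not code from the article or from Qualys) that computes MTTR and AWE over a small constructed set of findings. MTTR runs from disclosure to patch and simply drops unpatched issues; AWE runs from exploit availability to the first control that closes the door, whether that is a compensating control or the patch, and keeps counting for issues that are still open.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class VulnRecord:
    """One vulnerability on one asset group (constructed sample data below)."""
    name: str
    disclosed: date               # vendor/public disclosure date
    exploit_public: date          # exploit announced; may precede disclosure
    mitigated: Optional[date]     # compensating control applied (segmentation, virtual patch)
    patched: Optional[date]       # patch deployed
    as_of: date                   # measurement date for still-open issues

    def mttr_days(self) -> Optional[int]:
        # Classic MTTR: disclosure -> patch. An unpatched issue has no value at all.
        return None if self.patched is None else (self.patched - self.disclosed).days

    def awe_days(self) -> int:
        # AWE: exploit availability -> first control that closes the door
        # (compensating control OR patch). Still-open issues accrue until as_of.
        closers = [d for d in (self.mitigated, self.patched) if d is not None]
        end = min(closers) if closers else self.as_of
        return (end - self.exploit_public).days

def exposure_report(records, long_tail_days=90):
    """Compare the two metrics over a set of records; returns a plain dict."""
    patched = [r.mttr_days() for r in records if r.mttr_days() is not None]
    awes = [r.awe_days() for r in records]
    return {
        "mean_mttr_days": mean(patched) if patched else None,
        "unpatched_excluded_from_mttr": len(records) - len(patched),
        "mean_awe_days": mean(awes),
        "exposed_beyond_long_tail": sum(a > long_tail_days for a in awes),
    }

AS_OF = date(2025, 6, 30)
SAMPLE = [  # constructed; names are placeholders, not real CVE identifiers
    # exploit public 7 days before disclosure, segmented on day 2, patched day 19
    VulnRecord("VULN-A", date(2025, 3, 1), date(2025, 2, 22), date(2025, 3, 3), date(2025, 3, 20), AS_OF),
    # no compensating control, patched after 21 days
    VulnRecord("VULN-B", date(2025, 3, 1), date(2025, 3, 1), None, date(2025, 3, 22), AS_OF),
    # long-tail issue: still open, invisible to MTTR
    VulnRecord("VULN-C", date(2025, 1, 10), date(2025, 1, 10), None, None, AS_OF),
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE))
```

On this sample MTTR reports a comfortable 20 days across the two patched issues, while AWE averages 67 days and flags the one issue that has been exposed for over 90 days.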

Planning ahead around risk

In 2025, 48,172 new vulnerabilities were discovered and assigned CVE values. While this is a huge number of issues to track, only 357 were remotely exploitable, actively weaponized in the wild, and supported by working proof-of-concept code. This critical subset, roughly 0.7% of the annual total, represents the true risk.

A Risk Operations Center (ROC) focuses on moving away from indiscriminate patching toward a model based on active weaponization and asset criticality. Vulnerability management has therefore evolved from indiscriminate patching based on CVSS scores alone, to focus on those issues that represent the most risk to organisations based on what threat actors are doing, what assets are deployed, and how critical those assets are to the business.

Risk-based prioritisation puts the focus on vulnerabilities that represent the highest theoretical threat to an organisation. However, it is possible to narrow this focus down even further. Given your organisation’s existing compensating controls, is that high-priority vulnerability actually exploitable right now? Is it as critical to your organisation as it might be for another company?

By putting the focus on risk rather than severity scores, you can concentrate on the issues that are the most pressing and most likely to be exploited. By planning ahead and spotting trends in threat intelligence patterns, you can get ahead of threat actor groups and lock down your systems before they can be targeted. The ROC centralizes data analysis to stop threats before vulnerabilities are exploited. By using a Remediation Cockpit and Patch Reliability Scoring, teams can predict whether a patch will cause a system crash before deployment, finally aligning security urgency with IT operational stability. The overall goal is to reduce the time taken around patching through automation where possible, but also to concentrate effort on those risks that are more likely to be exploited.
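The prioritisation logic described in this section, as an added example that is not the article's or any vendor's code: each finding is ranked first on whether it falls into the "true risk" subset (remotely exploitable, weaponized in the wild, working proof of concept), then scaled by asset criticality, and demoted when a compensating control currently blocks exploitation. The weights and the sample findings are constructed for illustration; CVSS-only ordering is shown alongside for contrast.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """A vulnerability on an asset (constructed sample data below)."""
    name: str
    cvss: float
    remote: bool            # remotely exploitable
    weaponized: bool        # exploited in the wild (e.g. listed in CISA KEV)
    poc: bool               # working public proof-of-concept available
    asset_criticality: int  # 1 (lab box) .. 5 (revenue-critical system)
    control_blocks: bool    # a compensating control currently prevents exploitation

def in_true_risk_subset(f: Finding) -> bool:
    # The narrow subset the article describes: remote + weaponized + PoC.
    return f.remote and f.weaponized and f.poc

def risk_score(f: Finding) -> float:
    # Illustrative weighting (an assumption, not a published formula):
    # weaponization dominates, asset criticality scales it, CVSS only breaks ties,
    # and a blocking compensating control halves the urgency.
    base = 100 if in_true_risk_subset(f) else (50 if f.weaponized else 10)
    score = base * f.asset_criticality + f.cvss
    return score / 2 if f.control_blocks else score

def by_cvss(findings):
    """Severity-only ordering, highest CVSS first."""
    return [f.name for f in sorted(findings, key=lambda f: -f.cvss)]

def by_risk(findings):
    """Risk-based ordering, highest risk_score first."""
    return [f.name for f in sorted(findings, key=lambda f: -risk_score(f))]

SAMPLE = [  # constructed findings; names are placeholders
    Finding("lab-critical-cvss",      9.8, True, False, False, 1, False),
    Finding("erp-weaponized",         7.5, True, True,  True,  5, False),
    Finding("dmz-weaponized-segmented", 8.8, True, True,  True,  4, True),
    Finding("hr-kev-no-poc",          6.5, True, True,  False, 3, False),
]

if __name__ == "__main__":
    print("CVSS order:", by_cvss(SAMPLE))
    print("Risk order:", by_risk(SAMPLE))
```

A CVSS 9.8 on a lab box drops to the bottom, while the CVSS 7.5 that is actively weaponized on a revenue-critical system moves to the top; the segmented DMZ host stays high but below the unprotected one.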

Getting ahead on patching and remediation is one way to reduce risk. Understanding your security controls and how they can reduce risk is also important, given how stretched teams are. Putting these processes together, and tracking AWE alongside them, is an even more effective way to reduce risk ahead of any potential exploit. It is not time travel, but this approach allows organisations to close the AWE before attackers get through it.

By Ivan Milenkovic, Vice President Cyber Risk Technology EMEA at Qualys