Project patchwindow
vulnerability exploitation analysis
Every CVE in the CISA KEV catalog from 2018 onwards, with enriched disclosure, first exploitation, and first publicly reported exploitation dates. Enables like-for-like comparison of vulnerability exploitation across years, so you know what’s changed, and what to prepare for moving forward.
Headline numbers
Key insights on how vulnerability exploitation has changed in 2026.
Seven vulnerability exploitation insights
Mean time-to-exploit — Dec 31 (2026 is predictive)
Time between vulnerability disclosure and exploitation (excludes zero-days), as of December 31st each year.
Key insight: the patch window is gradually decreasing and 2026 is predicted to have a mean TTE of 40 days by year’s end.
Zero-day rate — CVE publication year
Percentage of vulnerabilities exploited before CVE publication date, as of May 31st each year.
Key insight: the zero-day rate for 2026 is slightly below the average of previous years.
Mean time-to-exploit — May 31
Time between vulnerability disclosure and exploitation (excludes zero-days), as of May 31st each year.
Key insight: although a useful point-in-time comparison, low sample numbers create high variance in snapshots from month-to-month, especially earlier in the year.
CVEs exploited — May 31
Number of in-scope CVEs that had been both disclosed and exploited by May 31st each year.
Key insight: the total number of vulnerabilities exploited increased in 2025 and 2026; however, the percentage of all vulnerabilities that were exploited is at an all-time low of 0.3%.
Mean time-to-exploit — May 31 (zero-days included)
Time between vulnerability disclosure and exploitation including zero-days (counted as 0 days), as of May 31st each year.
Key insight: when zero-days are included in the mean TTE, 2026 is slightly below the average of 3.6 days.
Top vendors in KEV, zero-day breakdown
Twelve vendors with the most KEV-listed CVEs, split by zero-day vs. non-zero-day.
Key insight: the list of most-exploited vendors is dominated by widely distributed providers of operating systems, browsers, and edge devices.
Mean time-to-exploit — Elapsed
The elapsed mean TTE across all years, measured as of today rather than at a fixed point in each year. This does not provide a like-for-like comparison between years: recent cohorts have had less time for slow exploitation to occur, so only their fast exploits have been observed, which severely biases recent years' mean TTE downwards.
Key insight: this is the chart commonly used to claim, falsely, that the mean TTE is rapidly trending towards zero; the apparent trend is an artefact of shorter elapsed time, not of faster exploitation.
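The snapshot and elapsed figures above differ only in when the measurement is taken. The following worked example is added here to make that concrete; it is not the project's own code or data. It assumes the snapshot semantics described on this page (a CVE counts for its publication-year cohort only if it was both disclosed and exploited by the cutoff date in that year, zero-days are CVEs with negative TTE, and the zero-day rate is zero-days divided by exploited CVEs in the cohort). The dataset is constructed: two identical cohorts, one from 2019 and one from 2025, so any difference between them comes from the measurement, not from the vulnerabilities.

```python
"""Worked example (added; not the project's code or data) of snapshot vs
elapsed mean time-to-exploit (TTE) and why the elapsed figure misleads."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean


@dataclass(frozen=True)
class Cve:
    cve_id: str       # hypothetical label, not a real CVE identifier
    published: date   # CVE publication / disclosure date
    exploited: date   # first known exploitation date


def tte_days(c: Cve) -> int:
    """Days from disclosure to first exploitation; negative means zero-day."""
    return (c.exploited - c.published).days


def snapshot(cves, year, cutoff_month, cutoff_day):
    """Like-for-like snapshot for the cohort of CVEs published in `year`,
    measured at the same calendar date in that year. Assumed semantics:
    a CVE counts only if both disclosed and exploited by the cutoff."""
    cutoff = date(year, cutoff_month, cutoff_day)
    cohort = [c for c in cves if c.published.year == year
              and c.published <= cutoff and c.exploited <= cutoff]
    zero_days = [c for c in cohort if tte_days(c) < 0]
    post_disclosure = [c for c in cohort if tte_days(c) >= 0]
    return {
        "exploited": len(cohort),
        # assumed definition: zero-days / exploited CVEs in the cohort
        "zero_day_rate": len(zero_days) / len(cohort) if cohort else None,
        "mean_tte_excl_zero_days":
            mean(tte_days(c) for c in post_disclosure) if post_disclosure else None,
        # zero-days counted as 0 days, as the page describes
        "mean_tte_incl_zero_days":
            mean(max(tte_days(c), 0) for c in cohort) if cohort else None,
    }


def elapsed_mean_tte(cves, year, as_of):
    """The 'elapsed' figure: every CVE from `year` exploited by `as_of`,
    zero-days excluded, however long the cohort has had to be exploited."""
    seen = [c for c in cves if c.published.year == year
            and c.exploited <= as_of and tte_days(c) >= 0]
    return mean(tte_days(c) for c in seen) if seen else None


def make_sample():
    """Constructed data: the same five exploitation offsets (one zero-day,
    one fast, two medium, one slow) published on 1 Feb in 2019 and in 2025."""
    offsets = [-10, 5, 30, 120, 400]   # days from disclosure to exploitation
    cves = []
    for year in (2019, 2025):
        published = date(year, 2, 1)
        for i, off in enumerate(offsets):
            cves.append(Cve(f"SAMPLE-{year}-{i}", published,
                            published + timedelta(days=off)))
    return cves


def compare_cohorts(as_of=date(2025, 9, 30)):
    """Snapshot means (like-for-like) vs the elapsed mean taken at `as_of`."""
    cves = make_sample()
    return {
        year: {
            "snapshot_dec31": snapshot(cves, year, 12, 31)["mean_tte_excl_zero_days"],
            "snapshot_may31": snapshot(cves, year, 5, 31)["mean_tte_excl_zero_days"],
            "elapsed": elapsed_mean_tte(cves, year, as_of),
        }
        for year in (2019, 2025)
    }


if __name__ == "__main__":
    for year, row in compare_cohorts().items():
        print(year, {k: round(v, 1) for k, v in row.items()})
```

Both cohorts give identical Dec 31 and May 31 snapshots (the 400-day exploit falls outside every cutoff, so it is excluded from both years). The elapsed mean, taken on 30 Sep 2025, is 138.75 days for 2019 but about 51.7 days for 2025, because the 2025 cohort's slow exploit has not happened yet. That is the downward bias the elapsed chart shows, produced here from data that has not changed at all.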
Going deeper
Search the database
Every in-scope CVE with source-attributed first-exploitation dates. Filter, sort, expand rows for sources, export the full CSV.
Year-by-year snapshots
Features snapshots that include and exclude negative TTE values (zero-days).
Insights & analysis
Long-form analysis of what the data shows. Updated as new patterns emerge.
Methodology
Scope, definitions, confidence model, and source rules. The honest version.