
Attackers now exploit new vulnerabilities just 72 hours after they become publicly known. Many organizations, however, take weeks or even months before updates are actually installed. This delay creates a dangerous window of exposure, and it is here that many IT operations providers fail.
The term Time to Exploit (TTE) describes how long it takes from when a vulnerability is disclosed until it is actively used in attacks. Today, the average is around three days. This means attackers often have working exploit code ready before an organization has even tested a security update.
According to Rapid7’s Attack Intelligence Report 2024, more than 35 percent of all attacks start with known but unpatched vulnerabilities.
There are several reasons why many organizations fall behind. First, cybercriminals use increasingly advanced tools that automatically scan the internet for systems with known weaknesses. At the same time, many organizations have complex IT environments, often with multiple service providers, diverse technologies, and poor visibility into what is actually exposed.
Another challenge is slow patch routines. Many IT departments still follow quarterly update cycles, while attackers work continuously. In addition, several service providers offer security updates as an optional service add-on rather than including it as a part of their standard contract offering. The result is that many systems remain open long after a vulnerability has been identified.
Traditional, scheduled updates can no longer keep up. When vulnerabilities are exploited within three days, organizations must be able to respond within hours or days, not weeks. This is not just about IT, but about preparedness, trust, and organizational reputation.
The new Digital Security Act, which came into force on October 1, 2025, sets clear requirements for responsibility, governance, and risk management in digital services, both in the public and private sectors. The law places special emphasis on rapid vulnerability management and documented security management.
Norway’s National Security Authority (NSM) also highlights the importance of swift responses in its Fundamental Principles for ICT Security. The principles (identify, protect, detect, respond, and recover) form the foundation of robust security work. Organizations following these principles will significantly reduce their risk.
When a new vulnerability becomes known, management must act quickly. The first step is to gain an overview: Are our systems affected? Then comes prioritization. If the vulnerability appears on an international Known Exploited Vulnerabilities list, it should be treated as critical.
If updates cannot be installed immediately, the organization must implement temporary measures. This can include isolating systems, blocking traffic, disabling unnecessary services, and enforcing multi-factor authentication. In parallel, updates should be planned and executed as quickly as possible, ideally within 72 hours.
Many organizations still lack a comprehensive system for managing vulnerabilities. Instead of reacting haphazardly, they should adopt Risk-Based Vulnerability Management (RBVM). This approach evaluates not only how severe a weakness is, but also how critical the affected system is to the business, and whether the vulnerability is actually being exploited in the wild.
The goal is to reduce the time from detection to remediation, often referred to as Mean Time to Remediate (MTTR), to under 72 hours for critical vulnerabilities.
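The prioritization and the 72-hour target described above can be expressed as a small triage routine that ranks open findings by deadline and measures MTTR for closed ones. The following Python is an added example, not code from the article or from any vendor. Only the 72-hour target for critical findings comes from the text; the tier thresholds, the other deadlines, the `VULN-…` identifiers, host names and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# 72 h for critical findings is the article's target; the other deadlines and
# the tiering thresholds below are illustrative assumptions, not a standard.
SLA_HOURS = {"critical": 72, "high": 168, "medium": 720}

@dataclass
class Finding:
    vuln_id: str                  # constructed placeholder, not a real CVE
    asset: str
    cvss: float                   # technical severity, 0.0-10.0
    business_critical: bool       # how much the business depends on the asset
    detected: datetime
    remediated: Optional[datetime] = None

def tier(f, kev_ids):
    """Known exploitation overrides the score; else severity is weighed with asset criticality."""
    if f.vuln_id in kev_ids or (f.cvss >= 9.0 and f.business_critical):
        return "critical"
    return "high" if f.cvss >= 7.0 else "medium"

def triage(findings, kev_ids, now):
    """Return open findings as (finding, tier, deadline, overdue), most urgent first."""
    rows = []
    for f in findings:
        if f.remediated is None:
            t = tier(f, kev_ids)
            deadline = f.detected + timedelta(hours=SLA_HOURS[t])
            rows.append((f, t, deadline, now > deadline))
    return sorted(rows, key=lambda r: r[2])

def mttr_hours(findings, kev_ids, wanted="critical"):
    """Mean time to remediate, in hours, over closed findings of one tier."""
    spans = [(f.remediated - f.detected).total_seconds() / 3600
             for f in findings if f.remediated and tier(f, kev_ids) == wanted]
    return sum(spans) / len(spans) if spans else None

# Constructed sample data: identifiers, hosts and times are made up.
T0 = datetime(2025, 1, 6, 8, 0)
KEV = {"VULN-0001", "VULN-0004"}  # stand-in for a Known Exploited Vulnerabilities feed
FINDINGS = [
    Finding("VULN-0001", "vpn-gw", 7.5, True, T0),
    Finding("VULN-0002", "intranet-wiki", 9.8, False, T0),
    Finding("VULN-0003", "erp-db", 9.1, True, T0 + timedelta(hours=24)),
    Finding("VULN-0004", "mail", 6.5, False, T0, T0 + timedelta(hours=40)),
    Finding("VULN-0005", "web-shop", 9.4, True, T0, T0 + timedelta(hours=120)),
]
```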
For many organizations, the responsibility for updating lies with their service providers. But when one provider manages the Windows environment, another the cloud platform, and a third the applications, responsibility and accountability quickly become blurred and progress slows.
That is why business leaders should set clear requirements in contracts and agreements. Security updates should not be optional but an integral part of the service. Providers should have contractual obligations (SLAs) for handling critical flaws and must report regularly on patch status and vulnerabilities.
In the long term, this is about building resilience. That means automating updates so they happen continuously, segmenting the network so attacks do not spread, and conducting exercises to test whether implemented measures actually work.
Security must also be anchored as a leadership responsibility, not just an IT issue. Organizations that move their services to modern platforms supporting frequent and secure updates will be far better prepared to face the threats of the future.



