Tags: security, vulnerabilities, AI, zero-day, patching

"44 Days, Then Zero: How AI Collapsed the Zero-Day Window in 2026"

Mosaic Team, published May 13, 2026
[Image: a padlock icon over a circuit-board background, representing zero-day vulnerability defense]


For most of the 2010s, "patch within a month" was considered good security hygiene. In 2026, that advice is obsolete. According to Mandiant's M-Trends 2026 report, the average time-to-exploit (the gap between a vulnerability's public disclosure and its first observed exploitation in the wild) has collapsed from over 700 days in 2020 to just 44 days in 2025, and 28.3% of CVEs are now exploited within 24 hours of disclosure.

This week, Google's Threat Intelligence Group disclosed it had thwarted a hacker group attempting to use an AI model to plan a mass vulnerability-exploitation operation, including an attempt to use a frontier model to find a zero-day that bypassed two-factor authentication. Groups linked to China and North Korea, Google said, "demonstrated significant interest in capitalizing on AI for vulnerability discovery."

For everyday users — not just enterprises — these numbers redraw the map. The window between "a patch exists" and "you need it installed" is now measured in hours, not weeks.


What the Numbers Actually Say

Metric                                   2020         2025
Average time-to-exploit                  700+ days    44 days
Share of CVEs exploited within 24h       <2%          28.3%
Exploits arriving before the patch       Rare         Routine

Three shifts hide inside those rows:

  1. Exploit development is no longer the bottleneck. It used to take a small, well-resourced team weeks to turn a CVE entry into a working exploit. AI-assisted code analysis has compressed that into days, sometimes hours.
  2. The asymmetry has flipped. Defenders need to test, stage, and roll out patches. Attackers don't have to validate anything — they just need it to work once.
  3. The zero-day/n-day distinction is losing its meaning for the defender. A zero-day is, by definition, exploited before a patch exists, so the user's reaction window is negative. What the numbers add is that n-days, flaws for which a patch is already available, are now exploited within hours of disclosure, so the window exists on paper but not in practice.
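To make the metric in the table concrete, here is an added example (not from the report or the original post) that computes time-to-exploit over a constructed set of disclosure and first-exploitation dates, splits events into zero-days (exploited at or before disclosure, so the delta is zero or negative) and n-days, and reports the share exploited within 24 hours. The CVE identifiers and dates are placeholders, and counting zero-days inside the 24-hour share is an assumption about how the report's figure is defined.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class ExploitEvent:
    cve: str
    disclosed: datetime        # public disclosure (advisory or patch release)
    first_exploited: datetime  # first observed in-the-wild exploitation


# Constructed sample: placeholder IDs and dates, not real CVE data.
SAMPLE = [
    ExploitEvent("CVE-0000-0001", datetime(2025, 1, 10), datetime(2025, 1, 8)),         # 2 days before disclosure
    ExploitEvent("CVE-0000-0002", datetime(2025, 2, 3, 9), datetime(2025, 2, 3, 20)),   # 11 hours after
    ExploitEvent("CVE-0000-0003", datetime(2025, 3, 1), datetime(2025, 3, 15)),         # 14 days after
    ExploitEvent("CVE-0000-0004", datetime(2025, 4, 1), datetime(2025, 7, 1)),          # 91 days after
    ExploitEvent("CVE-0000-0005", datetime(2025, 5, 5, 12), datetime(2025, 5, 6, 11)),  # 23 hours after
    ExploitEvent("CVE-0000-0006", datetime(2025, 6, 1), datetime(2025, 6, 1)),          # same instant
]


def tte_days(e: ExploitEvent) -> float:
    """Time-to-exploit in days; negative when exploitation preceded disclosure."""
    return (e.first_exploited - e.disclosed).total_seconds() / 86400.0


def classify(e: ExploitEvent) -> str:
    """Zero-day: exploited at or before disclosure. Otherwise an n-day, bucketed by speed."""
    d = tte_days(e)
    if d <= 0:
        return "zero-day"
    if d <= 1:
        return "n-day (<24h)"
    return "n-day"


def summarize(events):
    """Population-level numbers of the kind the table reports."""
    labels = [classify(e) for e in events]
    zero_days = labels.count("zero-day")
    fast_ndays = labels.count("n-day (<24h)")
    return {
        "count": len(events),
        "zero_days": zero_days,
        "n_days_within_24h": fast_ndays,
        # share exploited no later than 24h after disclosure (zero-days included)
        "share_within_24h": (zero_days + fast_ndays) / len(events),
        # a plain average mixes negative zero-day deltas with long n-day tails
        "mean_tte_days": mean(tte_days(e) for e in events),
        "mean_tte_days_ndays_only": mean(tte_days(e) for e in events if tte_days(e) > 0),
    }


if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e.cve}: {tte_days(e):+.2f} days -> {classify(e)}")
    print(summarize(SAMPLE))
```

The two averages at the end are the practical point: the headline figure is dragged in opposite directions by zero-days (negative deltas) and by slow long-tail n-days, so the share exploited within 24 hours is the number that tells an individual how fast to act.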

How AI Accelerates the Attacker

You don't need to imagine the mechanics — Google's disclosure this week reads like a textbook example. The group Google intercepted was using a large language model to:

  • Parse CVE entries and patches to infer the underlying vulnerable code path
  • Generate proof-of-concept exploit code for further refinement
  • Plan multi-stage operations including bypasses for two-factor authentication
  • Target at scale by automating reconnaissance across thousands of potential victims

Mandiant's report captures the result at the population level: groups linked to China and North Korea are now the most prolific early adopters of AI-assisted vulnerability discovery, with Iranian and Russian actors not far behind.

AI doesn't invent new categories of vulnerability. It compresses the time between "a flaw exists" and "an attacker is using it against you" — which, for an individual user, is the only window that matters.


What This Actually Means for Individual Users

Most of the discussion of these numbers focuses on enterprises. Here's what changes for everyday users:

1. "I'll update next weekend" is no longer safe

When 28.3% of CVEs are exploited within 24 hours, the time between a notification appearing and you tapping "Install Now" is the thing that determines whether you're a target. A weekend's worth of procrastination is no longer a small risk.

2. Old devices are at higher risk than ever

If your phone, router, or laptop is past the manufacturer's support cutoff, you're not just missing new features — you're missing the patches that the AI-accelerated attacker pipeline is built to exploit. Devices without security updates are now actively dangerous to keep online.

3. The supply chain matters more than the brand

A vulnerability in a single component — say, an image library, a Bluetooth stack, a font renderer — ripples through every app that uses it. AI tooling makes it cheap for attackers to scan the global software ecosystem for which apps shipped which version of a vulnerable library. Your favorite mainstream app can become a target through a library you've never heard of.
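As an added example of the matching the paragraph describes, seen from the defender's side and not taken from the original post: given a CycloneDX-style component list for an app and advisories with OSV-style affected ranges, find the shipped library versions that fall inside a vulnerable range. The SBOM, component names, advisory IDs and ranges are all constructed placeholders; the version comparison pads dotted numbers and sorts pre-release suffixes before the release, which is an approximation of semver rather than a full implementation.

```python
import re

# Constructed CycloneDX-style component list for a hypothetical app (placeholder names/versions).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "imagecodec", "version": "2.4.1", "purl": "pkg:generic/imagecodec@2.4.1"},
        {"name": "fontrender", "version": "1.9.0", "purl": "pkg:generic/fontrender@1.9.0"},
        {"name": "btstack", "version": "0.12.3", "purl": "pkg:generic/btstack@0.12.3"},
    ],
}

# Constructed advisories using OSV-style ranges: affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "imagecodec",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.4.2"}]},
    {"id": "ADV-EXAMPLE-2", "package": "btstack",
     "ranges": [{"introduced": "0", "fixed": "0.12.0"}]},
    {"id": "ADV-EXAMPLE-3", "package": "fontrender",
     "ranges": [{"introduced": "1.9.1"}]},            # no fix yet: everything from 1.9.1 on
]

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")


def version_key(v: str, width: int):
    """(padded numeric tuple, is_release, suffix): pre-release suffixes sort before the release."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (width - len(nums))
    suffix = m.group(2)
    return nums, suffix == "", suffix


def cmp_versions(a: str, b: str) -> int:
    """-1, 0 or 1, comparing numeric parts first so that 2.4 == 2.4.0 and 10.0 > 9.9.9."""
    width = max(a.count("."), b.count(".")) + 1
    ka, kb = version_key(a, width), version_key(b, width)
    return (ka > kb) - (ka < kb)


def affected(version: str, rng: dict) -> bool:
    """OSV semantics: introduced <= version < fixed; a missing 'fixed' means still unfixed."""
    if cmp_versions(version, rng["introduced"]) < 0:
        return False
    return "fixed" not in rng or cmp_versions(version, rng["fixed"]) < 0


def match_sbom(sbom: dict, advisories: list) -> list:
    """Return (component, version, advisory id) for every shipped component in a vulnerable range."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if any(affected(comp["version"], r) for r in adv["ranges"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in match_sbom(SBOM, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Run against a real SBOM, the same loop is what an attacker's scanner and a defender's dependency checker both do; the difference is only who acts on the hit first.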

4. Authentication is the new perimeter

Google's intercepted operation was specifically aiming at bypasses for two-factor authentication. This is the new front line: attackers know your password may already be in a breach corpus, so they're investing in defeating the second factor. Stronger 2FA matters more in 2026 than it ever did, and the kind matters. App-based codes remove SMS interception and SIM-swap attacks, but a code can still be phished and relayed within its validity window; FIDO2 hardware keys and passkeys bind the response to the site's origin, so a look-alike domain gets a response the real site will reject.

5. Network-layer hygiene still buys you time

Even when an exploit exists, the attacker has to deliver it. Not exposing IoT devices, NAS boxes or router admin pages to the open internet (no port forwarding, UPnP off) shrinks what an attacker can reach at all. Encrypted DNS and a VPN don't shrink that surface, but they deny anyone on the local network or on the path the visibility to see which services you use and the chance to tamper with your traffic. Together they buy margin while a patch propagates.


Five Things You Can Do This Week

1. Turn on automatic updates everywhere

Phone, laptop, router, smart-home hubs. Don't rely on yourself to remember. The patch lifecycle is faster than any human's habit of checking.

  • iOS: Settings → General → Software Update → Automatic Updates (turn on all options)
  • Android: Settings → System → System update (the exact path varies by manufacturer) + Play Store auto-update
  • macOS: System Settings → General → Software Update → Automatic updates
  • Windows: updates install automatically by default; under Settings → Windows Update → Advanced options, also turn on "Receive updates for other Microsoft products" so Office and other Microsoft software are covered

2. Retire devices that no longer receive security updates

Check your phone's "End of support" date. If it's past, the device is now a liability — not just for itself, but for any account you sign into on it. Repurpose it as a media player, donate it for parts, but stop using it for email, banking, or messaging.

3. Upgrade your second factor

If you're still using SMS-based 2FA for anything important (banking, email, social), switch to an authenticator app (Authy, Google Authenticator, 1Password) or, ideally, a hardware security key (YubiKey, Google Titan) or a passkey. An authenticator app defeats SIM swapping and SMS interception, but its six-digit code can still be phished and forwarded by a proxy site within the code's validity window. A FIDO2 security key or passkey is phishing-resistant: the response is signed over the origin the browser actually observed, so an assertion relayed from a look-alike domain fails verification at the real site.
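The difference between those factors is easiest to see in code. The following is an added example, not from the original post or any vendor, that pits a relay phishing proxy against both kinds of second factor; it serves the "Authentication is the new perimeter" point above as well. The TOTP side is the real RFC 6238 algorithm (checked against the RFC test vector). The WebAuthn side is a deliberately simplified model: an HMAC under a per-credential key stands in for the authenticator's ECDSA signature, flags and counters are omitted, and the origins, rpId and challenge are made-up values. What it shows is structural: a six-digit code carries no information about where the user typed it, so forwarding it within the 30-second window succeeds, while a FIDO assertion is signed over the origin the browser observed and the hash of the rpId the browser allowed, so the same relay fails verification at the real site.

```python
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# ---- TOTP: RFC 6238 on top of HOTP (RFC 4226), HMAC-SHA1, 6 digits, 30 s steps ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def totp_server_accepts(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    # Typical server tolerance: current step plus one on either side for clock drift.
    return any(hmac.compare_digest(totp(secret, now + d * step), code) for d in (-1, 0, 1))


def relay_totp_attack(secret: bytes, now: int) -> bool:
    """Victim types the code from their app into the phishing page; the proxy forwards it
    to the real site seconds later. Nothing in the code says where it was typed."""
    code_typed_on_phishing_page = totp(secret, now)
    return totp_server_accepts(secret, code_typed_on_phishing_page, now + 5)


# ---- Simplified WebAuthn/FIDO2 assertion; the values below are assumptions for the example ----

REAL_ORIGIN = "https://accounts.example.com"
REAL_RP_ID = "example.com"
PHISH_ORIGIN = "https://accounts-example.com"    # look-alike domain run by the attacker


def browser_permits_rp_id(page_origin: str, rp_id: str) -> bool:
    """The browser only lets a page use an rpId that is the page's host or a parent of it."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def make_assertion(cred_key: bytes, page_origin: str, rp_id: str, challenge: str):
    """What browser + authenticator return to a page. The browser, not the page,
    writes the origin into clientData, and the authenticator signs over it."""
    if not browser_permits_rp_id(page_origin, rp_id):
        raise ValueError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (flags, counter omitted)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()   # stand-in for ECDSA
    return client_data, auth_data, sig


def verify_assertion(cred_key: bytes, challenge: str, client_data: bytes,
                     auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:                    # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def legit_fido_login(cred_key: bytes, challenge: str) -> bool:
    return verify_assertion(cred_key, challenge,
                            *make_assertion(cred_key, REAL_ORIGIN, REAL_RP_ID, challenge))


def relay_fido_attack(cred_key: bytes, challenge: str) -> bool:
    """Proxy forwards the real challenge to the victim on the phishing origin and relays
    whatever comes back. Either the browser refuses the real rpId, or the origin and
    rpIdHash in the signed data do not match what the real site expects."""
    for rp_id in (REAL_RP_ID, "accounts-example.com"):
        try:
            assertion = make_assertion(cred_key, PHISH_ORIGIN, rp_id, challenge)
        except ValueError:
            continue
        if verify_assertion(cred_key, challenge, *assertion):
            return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 test secret (ASCII)
    print("TOTP at t=59:", totp(seed, 59))  # 287082 per the RFC test vector
    print("TOTP relay succeeds:", relay_totp_attack(seed, 1_700_000_000))
    print("FIDO legit login:", legit_fido_login(b"example-credential-key", "nonce-1"))
    print("FIDO relay succeeds:", relay_fido_attack(b"example-credential-key", "nonce-1"))
```

The attacker in the FIDO case never gets a usable assertion even though the victim did everything they were asked to do; that is what "phishing-resistant" means, and it is a property of the protocol, not of the user's vigilance.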

4. Use a password manager — and let it generate the passwords

If you reuse a password, assume it is already in a credential-stuffing list from some earlier breach. A password manager that generates a unique random password of 20 or more characters for each service means a single-site breach doesn't cascade.

5. Tighten your network layer

Encrypted DNS, a reliable VPN, and not exposing home devices directly to the internet buy real margin. Disable UPnP on the router, and don't port-forward to your NAS or cameras unless you understand exactly what you're doing; if you need to reach them remotely, do it through a VPN into the home network rather than an open port. Most opportunistic attacks die against a network surface with nothing listening.


How a VPN Fits Into Defense

A VPN cannot patch a vulnerability that's already on your device. What it can do is reduce how many of the attacks aimed at you ever reach the unpatched, vulnerable code in the first place.

Concretely:

  • AES-256 encryption protects your traffic on any network: coffee shops, hotel Wi-Fi, guest networks where you don't know who else is connected
  • Low-overhead encrypted tunneling keeps the protection on by default, including for streaming and real-time calls, so you don't reflexively disable it when performance matters
  • DNS leak protection keeps your DNS queries inside the tunnel instead of handing them to whatever resolver the local network assigns, so the list of which sites and services you use stays private; that list is exactly what an attacker building a personalized exploit chain wants to know first
  • Kill Switch blocks all traffic the instant the tunnel drops, so a brief reconnect never exposes your real address or DNS
  • A globally distributed server network lets you choose entry points and avoid hostile networks
  • Threat-blocking on known malicious domains intercepts a meaningful share of opportunistic exploit-delivery infrastructure before your device ever fetches the payload

Layer it with the five steps above and the attacker's job gets meaningfully harder — which, given how cheap their job has become, is the point.


The Bottom Line

The collapse of the zero-day window isn't a future trend. It happened, quietly, between 2023 and 2025, and the M-Trends 2026 numbers just made it official. 44 days. 28.3% within 24 hours. Those aren't enterprise statistics. They're the new baseline for every device you carry.

The good news: none of the defenses are new. Updates, strong 2FA, password hygiene, a clean network layer. The thing that changed is the cost of letting any one of them slip. Treat security as something you do this week, not something you'll get around to — and you'll be fine.
