Why defenders must act faster than ever to outpace vulnerability exploitation

By Sylvain Cortes, VP Strategy at Hackuity.

Traditional vulnerability management was designed for a world of predictable flows - scheduled patch cycles, periodic database updates, and known timelines. Its processes were built to handle a manageable stream of new CVEs to patch.

But every day now brings more than a hundred new CVEs, and legacy VM can’t keep up. Worse, attackers are racing downstream to exploit them before defenders can react. In the first half of 2025, nearly a third of exploited vulnerabilities were exploited on or even before the date they were publicly disclosed.

Legacy approaches to vulnerability management are not built to withstand this torrent. To survive, organisations must reinforce their defences with enriched intelligence, risk-based prioritisation, and a rapid, coordinated response.

Why the exploitation window is closing fast

The numbers show just how powerful this flood has become. VulnCheck’s mid-year analysis found that 432 vulnerabilities were actively exploited in the first half of 2025, with 32% targeted on or before public disclosure. Last year, the figure was 23%, showing a clear trend towards faster, more organised threat actors.

Attackers are also widening their reach. Vulnerabilities are being actively exploited across every kind of software, from content management systems and their plugin ecosystems, such as WordPress plugins, to edge devices like routers and firewalls.

In this environment, waiting for traditional databases to process and enrich CVEs is like sandbagging against a tsunami. At the time VulnCheck published its research, more than a quarter of exploited CVEs were still awaiting analysis in the NVD. Enterprises waiting on the backlog are likely to find themselves under attack long before the enriched data is ready.

Building resilience with richer intelligence

For decades, organisations have relied on sources like the NVD and MITRE’s CVE programme as their early warning systems. But those systems are showing cracks. Both NIST, which maintains the NVD, and CISA, which funds the MITRE-operated CVE programme, have had issues with funding and leadership, and the NVD has yet to clear its enrichment backlog.

We have seen encouraging developments with the addition of the EU Vulnerability Database (EUVD), maintained by ENISA. An additional stream of data is always valuable, and although it is run from Europe, the vulnerability information will be useful worldwide. Still, firms should not simply swap the EUVD in for the NVD – anyone relying on a single feed of vulnerability data will leave themselves exposed.

The solution is to build upstream visibility. By drawing on enriched intelligence from multiple sources, defenders can spot the swell before it becomes a surge. Real resilience comes from treating enrichment as a network of information, not a single lifeline.

How this data is used matters just as much. Combining CVSS scores with evidence of real-world exploitation, such as proof-of-concept code, ransomware campaigns, and chatter in criminal forums, turns static lists into dynamic and adaptable maps. Centralising this intelligence in a Vulnerability Operations Centre (VOC) equips analysts with a dashboard that lets them see the big picture and plan activity accordingly. This enables a risk-based approach essential to keeping ahead of the most urgent threats.

Turning prioritisation into rapid action

There are now far too many incoming CVEs for even the largest and most efficient VM teams to handle them all immediately. Yet many organisations still treat every CVE as urgent, with a “patch everything now” mindset, which is the equivalent of trying to stop a flood with buckets. It’s overwhelming for teams and ultimately ineffective. The endless scramble to keep systems patched means VM teams are more likely to miss the most serious vulnerabilities, and with cybercriminals exploiting them at increasing speeds, this is more dangerous than ever.

Risk-based prioritisation provides the focus to channel that energy where it will make the greatest difference. Instead of chasing CVSS scores or headlines, teams should ask three simple questions: which asset is at risk, how exposed is it, and is there evidence of active exploitation? A mid-severity flaw on a public-facing payments server deserves urgent attention; a higher-scoring vulnerability buried on an isolated test system does not.
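As an added example (this is not Hackuity's code, and it does not call any real feed's API), the following Python sketch puts the multi-source enrichment and the three questions above into one ranking routine: it takes severity from whichever feed has scored the CVE, adds evidence of exploitation, adds asset exposure, and derives a remediation deadline. The feed records, asset inventory, CVE identifiers, point weights and SLA thresholds are all assumptions constructed for illustration; a real VOC would tune the weights to its own risk appetite.

```python
"""Risk-based prioritisation of CVE findings across several feeds.

Added example for this article. All feed records, asset names, CVE
identifiers and weights below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Optional

# --- Constructed stand-ins for an NVD-style feed, an EUVD-style feed and
# --- a KEV-style exploitation list. cvss=None means "still in the backlog".
NVD_LIKE = {
    "CVE-2025-10001": {"cvss": 9.8},
    "CVE-2025-10002": {"cvss": None},
    "CVE-2025-10003": {"cvss": 7.2},
}
EUVD_LIKE = {
    "CVE-2025-10002": {"cvss": 6.5},
    "CVE-2025-10003": {"cvss": 7.2},
}
EXPLOITATION = {
    "CVE-2025-10002": {"kev": True, "ransomware": True, "poc": True},
    "CVE-2025-10003": {"kev": False, "ransomware": False, "poc": True},
    "CVE-2025-10004": {"kev": True, "ransomware": False, "poc": False},
}
ASSETS = {  # hypothetical asset inventory answering "which asset, how exposed"
    "pay-web-01": {"internet_facing": True, "business_critical": True},
    "test-vm-07": {"internet_facing": False, "business_critical": False},
    "hr-app-02": {"internet_facing": False, "business_critical": True},
}
NO_EVIDENCE = {"kev": False, "ransomware": False, "poc": False}
UNKNOWN_CVSS = 7.0  # conservative assumption when no feed has scored the CVE yet


@dataclass
class Prioritised:
    cve: str
    asset: str
    cvss: float
    score: float
    sla_hours: int
    needs_analysis: bool  # True when every feed was still in its backlog


def enrich(cve: str) -> tuple[Optional[float], dict]:
    """Merge severity from the first feed that has it with exploitation evidence."""
    cvss = None
    for feed in (NVD_LIKE, EUVD_LIKE):  # no single feed is a lifeline
        rec = feed.get(cve)
        if rec and rec.get("cvss") is not None:
            cvss = rec["cvss"]
            break
    return cvss, EXPLOITATION.get(cve, NO_EVIDENCE)


def risk_score(cvss: float, exposure: dict, evidence: dict) -> float:
    """Severity plus exposure plus exploitation evidence (assumed weights)."""
    score = cvss
    score += 3.0 if exposure["internet_facing"] else 0.0
    score += 2.0 if exposure["business_critical"] else 0.0
    score += 4.0 if evidence["kev"] else 0.0
    score += 2.0 if evidence["ransomware"] else 0.0
    score += 1.0 if evidence["poc"] else 0.0
    return round(score, 1)


def sla_for(score: float) -> int:
    """Remediation deadline in hours, by assumed score bands."""
    if score >= 14.0:
        return 48
    if score >= 10.0:
        return 24 * 7
    return 24 * 30


def prioritise(findings: list[tuple[str, str]]) -> list[Prioritised]:
    """Rank (cve, asset) pairs by risk, highest first."""
    ranked = []
    for cve, asset in findings:
        cvss, evidence = enrich(cve)
        needs_analysis = cvss is None
        effective = UNKNOWN_CVSS if needs_analysis else cvss
        score = risk_score(effective, ASSETS[asset], evidence)
        ranked.append(Prioritised(cve, asset, effective, score, sla_for(score), needs_analysis))
    ranked.sort(key=lambda p: p.score, reverse=True)
    return ranked


FINDINGS = [  # constructed scanner output: (cve, asset)
    ("CVE-2025-10001", "test-vm-07"),   # critical CVSS, isolated test box
    ("CVE-2025-10002", "pay-web-01"),   # mid severity, public payments server, in KEV
    ("CVE-2025-10003", "hr-app-02"),
    ("CVE-2025-10004", "hr-app-02"),    # no feed has scored it, but it is in KEV
]

if __name__ == "__main__":
    for p in prioritise(FINDINGS):
        flag = " (awaiting analysis)" if p.needs_analysis else ""
        print(f"{p.score:5.1f}  {p.cve}  {p.asset:<11}  fix within {p.sla_hours}h{flag}")
```

Run as-is, the mid-severity CVE on the public-facing payments server ranks first with a 48-hour deadline, while the 9.8-scored flaw on the isolated test system ranks last; the unscored but actively exploited CVE is placed above it and flagged as awaiting analysis rather than silently ignored, which is the practical answer to an NVD backlog.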

The centralised approach of the VOC is critical here, consolidating intelligence feeds, orchestrating remediation campaigns, and assigning ownership with deadlines. Progress can be tracked in real time, with blockers escalated before they become breaches. This structure transforms vulnerability management from a frantic scramble into a coordinated response.

Equally important is bridging the human divide. Security and operations teams must work together, not against each other. That means framing vulnerabilities in business terms: downtime for customers, disruption to payroll, and regulatory fines. Clear, collaborative communication turns patching from a painful chore into a shared mission to protect the organisation from rising waters.

Keeping above water

The flood of vulnerabilities is not slowing, and the waters are rising faster than ever. Legacy approaches built on manual processes, siloed tools, and dependence on a handful of external databases are like trying to shore up defences when the tide is already overtopping the walls.

To keep their heads above the water, organisations must modernise: build upstream visibility with enriched intelligence, install floodgates with risk-based prioritisation, and coordinate response through centralised operations. With the right defences in place, teams can stop bailing water and start steering the organisation safely through the storm.
