Picus Security Methodology Validates Exploitability Before Public Exploits Exist
Picus Security details a methodology for security teams to validate exploitability of newly disclosed vulnerabilities before public exploits exist, addressing the widening gap between disclosure and weaponization.

For thirty years, vulnerability management has run on what now looks like an impossible luxury: a buffer of months between when a vulnerability was found and when someone could figure out how to weaponize it. Triage by severity, schedule the fix, validate, move on. That generous buffer is what made the entire system work.
AI has stripped out the manual drag that kept weaponization slow. Reading the advisory, finding the path, shaping the chain, testing what works: none of it moves at human speed anymore. Today, disclosure-to-exploit timeframes run in hours, not months. The Zero Day Clock, which tracks this in real time, currently averages around 8 hours for 2026, down from roughly 53 days just two years ago.
The reflex is usually to just patch faster. But remediation isn't simply a switch you flip. Patches wait on a number of contingencies: regression testing, change windows, and uptime commitments. Verizon's 2026 Data Breach Investigations Report found that the median fix time for known-exploited vulnerabilities is now 43 days, up from 32 last year, and the share of organizations fully patching them is down from 38% to 26%. When offense runs in hours and remediation runs in weeks, the breach lands in between.
The volume guarantees it: 48,185 CVEs in 2025, fewer than 0.6% ever patched. Even worse, these are pre-Mythos numbers. Mythos is the threshold at which AI models became able to find and weaponize vulnerabilities on their own, and it isn't theoretical: Anthropic's Mythos-class model found a flaw that had been hiding in OpenBSD for 27 years.
The question is no longer "what's vulnerable?" because in a list where everything scores a 9 or a 10, this effectively prioritizes nothing. The real question has become "What's actually exploitable against us, right now, with the controls we're already running?" Finding the exposure was never the hard part. Proving the right call—patch, mitigate, monitor, or accept—is the critical gap.
Picus Security's approach, called TTP-chain validation, maps a CVE to the chain of techniques its exploitation requires, then validates each technique against your existing controls. If your environment breaks any required link, the exploit can't succeed there, and you know it without having to fire a live exploit. If every link would hold, the exposure is genuinely exploitable, with evidence. This methodology addresses the three gaps no pentest tool can close: CVEs with no public exploit, assets you can't risk live exploitation on, and the day-one window before a weaponized exploit is available.
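To make the "break any required link" logic concrete, here is a small added illustration of chain validation; it is example code written for this article, not Picus's implementation. The CVE identifier, technique names and control results are constructed placeholders, and the rule that an unvalidated link can never count as "holding" is an assumption about how a cautious team would read the evidence.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a placeholder CVE mapped to the ordered chain of techniques
# its exploitation would require. Names are illustrative, not real ATT&CK IDs
# or a real Picus mapping.
TTP_CHAINS = {
    "CVE-0000-PLACEHOLDER": [
        "initial-access/unauthenticated-http",
        "execution/unsafe-deserialization",
        "privilege-escalation/service-account-abuse",
        "exfiltration/outbound-https",
    ],
}

@dataclass
class LinkResult:
    """Outcome of testing one technique against the existing controls."""
    technique: str
    prevented: bool   # a control stopped the technique (the chain breaks here)
    detected: bool    # a control at least logged or alerted on it

@dataclass
class Verdict:
    status: str               # EXPLOITABLE | NOT_EXPLOITABLE | UNVERIFIED
    broken_at: Optional[str]  # first technique a control prevents, if any
    detected_at: list         # techniques that produced detection evidence
    unverified: list          # techniques with no validation result at all

def validate_chain(cve: str, results: dict) -> Verdict:
    """Walk the chain in order; the exploit fails at the first prevented link.
    A link that was never validated cannot be assumed to hold, so a chain with
    no prevented link but gaps is reported UNVERIFIED, not EXPLOITABLE."""
    detected, unverified = [], []
    for technique in TTP_CHAINS[cve]:
        result = results.get(technique)
        if result is None:
            unverified.append(technique)
            continue
        if result.detected:
            detected.append(technique)
        if result.prevented:
            return Verdict("NOT_EXPLOITABLE", technique, detected, unverified)
    status = "UNVERIFIED" if unverified else "EXPLOITABLE"
    return Verdict(status, None, detected, unverified)

def demo() -> Verdict:
    # Constructed results: the first link is only logged, the second is blocked.
    results = {
        "initial-access/unauthenticated-http": LinkResult("initial-access/unauthenticated-http", False, True),
        "execution/unsafe-deserialization": LinkResult("execution/unsafe-deserialization", True, True),
    }
    return validate_chain("CVE-0000-PLACEHOLDER", results)
```

The returned `Verdict` carries the evidence the text refers to: which link a control broke, where detections fired, and which links were never tested.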
In a typical enterprise, the slice you can safely exploit live is usually only 10 to 15% of your total exposure picture. For the other 85 to 90%, live execution has no answer to give. Picus's methodology provides a way to ground-test the rocket you can't launch, proving exploitability without detonating a live exploit.