5 May 2026 Security Tips Timothée

What Makes an Asset Hackable?

Vulnerability Management · Threat Intelligence · Patrowl Research · April 2026 · 9 min read

Figure: the collapse of the median delay between vulnerability disclosure and active exploitation, from 771 days in 2018 to zero in 2025, alongside the rise in weaponized exploits. The black curve (Mean TTE) shows the average delay, the gray dotted curve (Median TTE) the median delay, and the pink bars the volume of weaponized exploits. Over the same period the zero-day rate, the share of exploited CVEs that were exploited before or on the day of disclosure, rose from 16.1% in 2018 to 72% in 2026.

Attackers did not suddenly become smarter. They automated. AI-assisted exploit development and internet-scale scanning compressed weeks into minutes.

Defender processes, meanwhile, barely changed. Monthly patch cycles and quarterly pentests were designed for a threat landscape that no longer exists.

A vulnerability’s severity score (CVSS) does not change when a public exploit becomes available. An asset’s attractiveness to attackers changes immediately. That gap is where organizations get compromised.

The exploitation window has closed. Your process hasn't caught up.

In 2018, the median time between a CVE's disclosure and confirmed exploitation was 771 days. Security teams had nearly two years to patch before attackers weaponized a vulnerability.

That window is gone.

By 2021, the median had fallen to 84 days. By 2023: 6 days. By 2024: under 4 hours. Since 2025, the median Time-to-Exploit is effectively 0. Exploitation now begins before or on the day of disclosure for most critical vulnerabilities. In 2026, 72% of exploited CVEs fell into this category.

Year         Median Time-to-Exploit
2018         771 days
2021         84 days
2023         6 days
2024         under 4 hours
2025–2026    0 (exploitation before or on disclosure day)

This is not because attackers got smarter. They automated. AI-driven exploit development and internet-scale scanning compressed weeks into minutes. The defenders' process — monthly patch cycles, quarterly pentests — was built for a threat landscape that no longer exists.

A CVSS score does not change when an exploit goes public. An asset's attractiveness to attackers changes immediately. That gap is where organizations get breached.

Two types of attacker. Two completely different logics.

Most organizations defend against an evolving threat model they rarely fully understand. Understanding who targets you — and why — changes everything about how remediation should be prioritized. This distinction is exactly what CVSS alone cannot capture.

Opportunistic attackers prioritize scale over precision. They scan the internet 24/7, searching for any vulnerable system across millions of targets. They do not know who you are — only that you are exposed and easier to compromise than the next target in the queue.

Advanced attackers prioritize precision over scale. They deliberately select targets for financial gain, espionage, or disruption, chain multiple attack vectors, and adapt to the defenses they encounter. Disruption can be as blunt as a Distributed Denial-of-Service (DDoS) attack that takes an entire infrastructure offline within minutes.

The defensive strategy differs for each.

Against opportunistic attackers:

  • reduce exposure,

  • fix hygiene issues quickly,

  • become harder to compromise than the next target.

Against advanced attackers:

  • protect your most critical assets specifically,

  • assume that a determined attacker will eventually find a path, regardless of your overall posture.

The uncomfortable reality: most real-world breaches begin with opportunistic exploitation of exposed and poorly maintained assets — not sophisticated targeted attacks.

Yet most vulnerability management programs are still built for the second scenario.

The four pillars of Asset Attractiveness

Both attacker profiles, whatever their level of sophistication, follow the same logic when choosing what to hit. That logic breaks down into four measurable dimensions. Combined, they produce an Asset Attractiveness Score: a dynamic indicator of how likely a given asset is to be targeted first.

Exposure — “Can Attackers See It?”

A non-discoverable asset is rarely targeted. Exposure covers open ports, remotely identifiable technologies, and presence in passive scan databases such as Shodan or Censys: specialized search engines that continuously index services exposed on the internet. An employee connecting from public Wi-Fi networks without a VPN can unintentionally expand this surface far beyond the usual technical perimeter.

Vulnerability Dynamics — “Is It the Right Time?”

This is the temporal dimension, and it is what makes attractiveness dynamic rather than static. A vulnerability classified as low priority on Monday can become urgent as soon as a ready-to-use attack tool is published on Wednesday.

Several signals drive this dimension: the availability of a public exploit, the EPSS score (Exploit Prediction Scoring System, a probability that the CVE will be exploited within the next 30 days, estimated from real-world activity), and CISA KEV status (Known Exploited Vulnerabilities, the U.S. CISA catalog of vulnerabilities confirmed to be exploited in the wild).

When ransomware campaigns accelerate around a vulnerability, this score rises first — before most teams have even opened the alert.

Criticality — “Is It Worth Targeting?”

Attackers evaluate return on investment. High-value assets — identity providers, financial systems, entry points into the internal network, customer databases — justify more effort and more patience. Business context shapes the motivation of advanced attackers in a way no technical score can capture.

Hygiene — “Does It Look Easy?”

Poor hygiene is a force multiplier. Weak TLS configuration, administration pages accessible by default, expired certificates, outdated software: each one reduces the effort required to gain initial access.

But beyond access, hygiene sends a signal. A messy surface tells opportunistic scanners: “go there first.”

Scoring in practice: the same asset, two readings

Take a single asset — an internet-facing web application running Apache 2.4.49.

CVSS reading: CVSS 7.5 (High), the NVD base score for the CVE in question. A severity-sorted backlog puts it near the top immediately.

Attractiveness reading:

  • Exposure: high — 443/TCP open, indexed on Shodan, no WAF detected

  • Vulnerability Dynamics: critical — CVE-2021-41773 (path traversal; RCE where mod_cgi is enabled), EPSS 0.97, Metasploit module published, CISA KEV listed, active mass exploitation campaign confirmed

  • Criticality: medium — external marketing site, no sensitive data, no internal network path

  • Hygiene: poor — directory listing enabled, server version exposed, no security headers

Attractiveness Score: high. But the business impact is medium. Matrix position: Mass Exploitation Zone. This asset will be hit at scale — but the blast radius is limited. It needs to be patched fast, not first. The critical internal ERP with an unpatched RCE and no internet path stays lower priority despite its theoretical severity.

That distinction — which CVSS cannot make — is what prevents your team from spending a week on the wrong server while ransomware groups probe everything else.


From score to action: four quadrants

By crossing Attractiveness with Business Impact, we obtain a prioritization framework that maps directly onto attacker behavior.

Danger Zone

High attractiveness, high impact. Both attacker profiles are active here. Act immediately. This is where attacks happen.

Mass Exploitation Zone

High attractiveness, lower impact. Automated scanners flood these assets. They often serve as entry points: an attacker deploys a trojan there to keep persistent access and moves laterally toward more sensitive systems. The real risk is lateral movement. Patch fast.

Targeting Zone

Low attractiveness, high impact. Scanners do not find them easily. A patient advanced attacker will. This is where manual pentesting adds what automated tools cannot reproduce.

Noise

Low attractiveness, low impact. Monitor, but do not burn capacity here. Yet this is where most severity-sorted backlogs waste the most time.

This matrix is not static. An exploit published one day can move an asset from Noise to the Mass Exploitation Zone the next day, without any change on the asset itself.


The same week. The same team. Two completely different priorities.

Asset A: Internal ERP Server, RCE Vulnerability

CVSS 9.8. Critical. But inaccessible from the internet, authenticated access required, EPSS 0.03, no public exploit, absent from the KEV list. Attractiveness score: 9/27. Targeting Zone.

Asset B: Exposed VPN Concentrator, Authentication Bypass

CVSS 7.5. High. Accessible from the internet, indexed on Shodan, without MFA, not updated for 14 days. EPSS 0.94, public exploit available for 3 days, KEV-listed, actively cited in ongoing ransomware campaigns. Attractiveness score: 24/27. Danger Zone.

A backlog sorted by severity sends your team to Asset A first. Attackers are already on Asset B.
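As an added illustration (example code written for this edit, not Patrowl's scoring model), here is a toy scorer that turns the signals used in the two readings above, and in the Apache example earlier, into an attractiveness score and a quadrant. It assumes three attractiveness pillars (Exposure, Vulnerability Dynamics, Hygiene) scored 0-9 each, which is one way a /27 total arises, keeps Criticality as the business-impact axis of the matrix, and uses illustrative weights and thresholds; the totals it produces therefore differ from the 9/27 and 24/27 quoted above. The fourth asset, a developer docs portal, is hypothetical and shows the jump from Noise to the Mass Exploitation Zone on the day an exploit is released.

```python
"""Toy Asset Attractiveness scorer for the worked examples on this page.

Three pillars (Exposure, Vulnerability Dynamics, Hygiene) are scored 0-9 each
and summed to a /27 attractiveness score; Criticality is kept apart as the
business-impact axis of the matrix. Weights, thresholds and the 0-9 scales are
illustrative assumptions, not Patrowl's scoring model.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    cvss: float                 # CVSS base score as published for the finding
    internet_facing: bool       # reachable from the internet at all
    indexed_in_scan_db: bool    # visible in Shodan / Censys
    unprotected_edge: bool      # no WAF or no MFA in front of the service
    epss: float                 # EPSS probability (0-1) of exploitation within 30 days
    public_exploit: bool        # PoC or Metasploit module available
    in_kev: bool                # listed in the CISA KEV catalog
    hygiene_findings: tuple     # e.g. ("directory listing", "server version exposed")
    criticality: int            # business impact, 1 (low) .. 9 (high)


def exposure_score(a: Asset) -> int:
    """0-9. An asset nobody can reach from outside scores 0 whatever else is true of it."""
    if not a.internet_facing:
        return 0
    return 4 + (3 if a.indexed_in_scan_db else 0) + (2 if a.unprotected_edge else 0)


def dynamics_score(a: Asset) -> int:
    """0-9. A KEV listing and a public exploit each weigh as much as the top EPSS bucket."""
    epss_points = 3 if a.epss >= 0.7 else 2 if a.epss >= 0.3 else 1 if a.epss >= 0.1 else 0
    return epss_points + (3 if a.public_exploit else 0) + (3 if a.in_kev else 0)


def hygiene_score(a: Asset) -> int:
    """0-9. Three points per visible hygiene failure, capped at three failures."""
    return min(9, 3 * len(a.hygiene_findings))


def attractiveness(a: Asset) -> int:
    return exposure_score(a) + dynamics_score(a) + hygiene_score(a)


ATTRACTIVE_AT = 14   # more than half of 27 counts as "high attractiveness" (assumption)
HIGH_IMPACT_AT = 6   # criticality 6-9 counts as "high impact" (assumption)
QUADRANT_RANK = {"Danger Zone": 0, "Mass Exploitation Zone": 1, "Targeting Zone": 2, "Noise": 3}


def quadrant(a: Asset) -> str:
    hot, big = attractiveness(a) >= ATTRACTIVE_AT, a.criticality >= HIGH_IMPACT_AT
    if hot and big:
        return "Danger Zone"
    if hot:
        return "Mass Exploitation Zone"
    return "Targeting Zone" if big else "Noise"


def by_cvss(assets):
    """What a severity-sorted backlog shows first."""
    return [a.name for a in sorted(assets, key=lambda a: a.cvss, reverse=True)]


def priority_order(assets):
    """Quadrant first (Danger before Mass Exploitation before Targeting), then attractiveness."""
    return [a.name for a in sorted(assets, key=lambda a: (QUADRANT_RANK[quadrant(a)], -attractiveness(a)))]


# Constructed inputs, transcribed from the article's three assets.
MARKETING = Asset("marketing site, Apache 2.4.49 (CVE-2021-41773)", cvss=7.5,  # NVD base score
                  internet_facing=True, indexed_in_scan_db=True, unprotected_edge=True,  # no WAF
                  epss=0.97, public_exploit=True, in_kev=True,
                  hygiene_findings=("directory listing", "server version exposed", "no security headers"),
                  criticality=4)
ERP = Asset("internal ERP, RCE, no internet path", cvss=9.8,
            internet_facing=False, indexed_in_scan_db=False, unprotected_edge=False,
            epss=0.03, public_exploit=False, in_kev=False, hygiene_findings=(), criticality=9)
VPN = Asset("VPN concentrator, auth bypass", cvss=7.5,
            internet_facing=True, indexed_in_scan_db=True, unprotected_edge=True,  # no MFA
            epss=0.94, public_exploit=True, in_kev=True,
            hygiene_findings=("14 days behind on updates",), criticality=8)

# Hypothetical fourth asset that starts in Noise and moves the day an exploit drops.
DOCS = Asset("developer docs portal", cvss=5.3,
             internet_facing=True, indexed_in_scan_db=True, unprotected_edge=False,
             epss=0.05, public_exploit=False, in_kev=False,
             hygiene_findings=("server version exposed",), criticality=2)


def exploit_drops(a: Asset) -> Asset:
    """Same asset, same code, on the day a Metasploit module lands and CISA adds the CVE to KEV."""
    return replace(a, epss=0.8, public_exploit=True, in_kev=True)


if __name__ == "__main__":
    for a in (MARKETING, ERP, VPN, DOCS):
        print(f"{a.name:48} CVSS {a.cvss:<4} attractiveness {attractiveness(a):>2}/27  {quadrant(a)}")
    print("severity-sorted backlog:", by_cvss([MARKETING, ERP, VPN]))
    print("attractiveness order   :", priority_order([MARKETING, ERP, VPN]))
    print("docs portal after exploit release:", quadrant(exploit_drops(DOCS)))
```

Run as a script, the severity-sorted list leads with the ERP while the attractiveness order leads with the VPN concentrator, then the marketing site, then the ERP; the docs portal moves from Noise to the Mass Exploitation Zone with no change to the asset itself, only to its dynamics signals.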

Your current risk model is already outdated

The most dangerous moment is not when a vulnerability is published. It is when a ransomware group weaponizes an exploit and launches automated campaigns before most teams have even opened the alert.

In organizations without automated intelligence workflows, the average delay between the addition of a vulnerability to the KEV list and its internal triage is 6 to 11 days.
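One way to close that gap, as an added example rather than anything from the page or from Patrowl: a scheduled job that pulls the CISA KEV feed and FIRST's EPSS API, joins them against the CVEs your inventory already attributes to each asset (the signals listed under Vulnerability Dynamics above), and raises a prioritized alert for anything not yet triaged. The feed URLs and JSON field names are the public ones; the inventory, the feed excerpts and the `triaged` set are constructed for the example, and the live `fetch` helper is provided but not called, so the demonstration runs offline on the embedded excerpts.

```python
"""Automated KEV/EPSS watch: turn "this CVE just joined KEV" into an alert for the
assets that carry it, instead of waiting for the next scan cycle.

Feed URLs and field names are the public ones (CISA KEV JSON, FIRST EPSS API).
The inventory, the feed excerpts and the triaged set are constructed for this
example; EPSS values and dates in the excerpts are illustrative.
"""
import json
import urllib.request

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
EPSS_URL = "https://api.first.org/data/v1/epss?cve="   # append comma-separated CVE IDs

# Constructed inventory: CVEs each asset is known to carry (from scans or SBOMs).
INVENTORY = {
    "marketing-web-01": ["CVE-2021-41773"],
    "erp-app-03": ["CVE-2021-44228"],
}

# Constructed excerpts in the real feeds' shape.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-41773", "vendorProject": "Apache", "product": "HTTP Server",
     "dateAdded": "2021-11-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-42013", "vendorProject": "Apache", "product": "HTTP Server",
     "dateAdded": "2021-11-03", "knownRansomwareCampaignUse": "Unknown"},
]})
SAMPLE_EPSS = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-2021-41773", "epss": "0.970", "percentile": "0.999", "date": "2026-04-01"},
    {"cve": "CVE-2021-44228", "epss": "0.975", "percentile": "0.999", "date": "2026-04-01"},
]})


def parse_kev(raw: str) -> dict:
    """Map CVE ID -> KEV entry."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def parse_epss(raw: str) -> dict:
    """Map CVE ID -> EPSS probability as a float (the API returns strings)."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(raw)["data"]}


def new_kev_hits(kev: dict, epss: dict, inventory: dict, already_triaged: set) -> list:
    """CVEs that are in KEV, sit on an inventoried asset, and have not been triaged yet."""
    hits = []
    for asset, cves in inventory.items():
        for cve in cves:
            if cve in kev and cve not in already_triaged:
                entry = kev[cve]
                hits.append({
                    "asset": asset,
                    "cve": cve,
                    "kev_added": entry["dateAdded"],
                    "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
                    "epss": epss.get(cve),
                })
    # Ransomware-linked first, then highest EPSS, so the alert queue is already prioritized.
    hits.sort(key=lambda h: (h["ransomware_use"] != "Known", -(h["epss"] or 0.0)))
    return hits


def fetch(url: str, timeout: float = 20.0) -> str:
    """Live fetch for a real scheduled run; the offline demonstration below never calls it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run on the constructed excerpts. For a real job, replace the two SAMPLE_*
    # strings with fetch(KEV_URL) and fetch(EPSS_URL + ",".join(all_inventory_cves)),
    # and persist `triaged` between runs so each KEV addition fires exactly once.
    triaged = set()
    for hit in new_kev_hits(parse_kev(SAMPLE_KEV), parse_epss(SAMPLE_EPSS), INVENTORY, triaged):
        print(f"[KEV] {hit['asset']}: {hit['cve']} added {hit['kev_added']}, "
              f"EPSS {hit['epss']}, ransomware use {hit['ransomware_use']}")
```

CVE-2021-42013 is in the sample feed but on no inventoried asset, so it never surfaces; that join against your own inventory is what keeps the alert volume to what your team actually has to act on.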

How to reduce your attack surface — per pillar

Exposure: look at your attack surface the way an attacker sees it, not the way your inventory presents it. What Shodan displays about your IPs is your real perimeter. Every open port without a reason to be public is an invitation.

Vulnerability Dynamics: your priority list must move at the pace of exploits, not at the pace of your scan cycles. A low-priority vulnerability today can become urgent the moment an exploit is released or the CVE joins the KEV list.

Criticality: focus effort where the probability of attack is truly high. Not on what has the highest CVSS, but on what is exposed, exploitable now, and critical for your business.

Hygiene: before your next CVE sprint, perform a hygiene audit. TLS configuration, security headers, open directories, visible server versions. A misconfigured service without a known vulnerability remains an easy target.
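The header and body checks behind such an audit, as an added example (editor's code, not a Patrowl scanner): given one HTTP response it reports missing security headers, a version-bearing Server or X-Powered-By header, and a directory listing page. The two responses are constructed, the article's marketing site as found and the same site after hardening; the header names checked are an assumption about what a minimal baseline looks like. TLS parameters are left to a dedicated tool such as testssl.sh, since they need a live handshake.

```python
"""Offline hygiene checks for a web asset: missing security headers, leaked
server version, directory listing. The sample responses are constructed; the
check list is the editor's baseline, not a Patrowl scanner.
"""
import re
import urllib.request

# Header name (lower-case) -> finding text when it is absent.
REQUIRED_HEADERS = {
    "strict-transport-security": "no HSTS",
    "content-security-policy": "no Content-Security-Policy",
    "x-content-type-options": "no X-Content-Type-Options",
    "x-frame-options": "no X-Frame-Options (or CSP frame-ancestors)",
}
VERSION_RE = re.compile(r"^\s*\S+/\d+(\.\d+)+")        # "Apache/2.4.49", "nginx/1.18.0", "PHP/8.1.2"
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)  # Apache/nginx autoindex page


def audit_response(headers: dict, body: str) -> list:
    """Return the hygiene findings for one HTTP response (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, finding in REQUIRED_HEADERS.items():
        if name in h:
            continue
        # A CSP with frame-ancestors supersedes X-Frame-Options.
        if name == "x-frame-options" and "frame-ancestors" in h.get("content-security-policy", ""):
            continue
        findings.append(finding)
    for name in ("server", "x-powered-by"):
        if name in h and VERSION_RE.match(h[name]):
            findings.append(f"{name} header leaks version: {h[name]}")
    if LISTING_RE.search(body):
        findings.append("directory listing enabled")
    return findings


def audit_url(url: str, timeout: float = 10.0) -> list:
    """Live variant: fetch one URL and audit it. Not used by the offline run below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return audit_response(dict(resp.headers), resp.read(65536).decode("utf-8", "replace"))


# Constructed responses: the marketing site as found, and the same site hardened.
MESSY_HEADERS = {"Server": "Apache/2.4.49 (Unix)", "Content-Type": "text/html"}
MESSY_BODY = "<html><head><title>Index of /backup</title></head><body>...</body></html>"
CLEAN_HEADERS = {
    "Server": "Apache",                      # ServerTokens Prod: product name only
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html",
}
CLEAN_BODY = "<html><head><title>Home</title></head><body>...</body></html>"

if __name__ == "__main__":
    for label, hdrs, body in (("as found", MESSY_HEADERS, MESSY_BODY), ("hardened", CLEAN_HEADERS, CLEAN_BODY)):
        print(f"{label}: {audit_response(hdrs, body) or 'no findings'}")
```

The messy response produces six findings, the hardened one none; each finding maps directly onto a hygiene signal the attractiveness model counts against the asset, which is why the fix is cheap relative to its effect on the score.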

Between two audits, your surface changes and exploits become public. It is inside this window that most compromises occur.

Frequently asked questions

What is the difference between a vulnerability and attractiveness?

A vulnerability is a technical flaw in a system. Attractiveness is whether attackers will actually bother to exploit it, right now, in your specific environment. A critical CVE on an internal server with no internet path has very low attractiveness. A medium CVE on a Shodan-indexed appliance with an active Metasploit module and poor hygiene has critical attractiveness. CVSS measures the first. The attractiveness model measures the second.

Do ethical hackers see the same thing attackers see?

Ethical hackers (penetration testers and red teamers) simulate attacker behavior to help organizations find weaknesses before bad actors do. The difference is authorization and intent, not methodology. Both use the same tools, scan the same exposed assets, and look for the same hygiene failures. The attractiveness model reflects what both groups see: the higher an asset scores, the faster an ethical hacker will find it in a pentest, and the faster a bad actor will find it in the wild.

What is the difference between opportunistic and advanced attackers?

Opportunistic attackers run automated scans at scale, targeting any exposed system regardless of who owns it. Advanced attackers choose targets deliberately, invest in reconnaissance, and chain techniques to maximize impact. Most breaches start opportunistic: a poorly maintained external asset provides initial access, then lateral movement does the rest. Most vulnerability management programs are built for advanced threats and miss the opportunistic vector entirely.

Do non-technical assets such as social media accounts count as attack surface?

Yes. Corporate social media accounts, public-facing brand assets, and anything associated with your organization's digital presence can be used for reconnaissance, phishing infrastructure, or brand impersonation. While traditional EASM (External Attack Surface Management) focuses on technical assets connected to the internet (web apps, APIs, VPN gateways), a complete external attack surface includes any digital asset an attacker can weaponize to reach your organization or your users.

How fast are vulnerabilities exploited today?

The median Time-to-Exploit dropped from 771 days in 2018 to under 4 hours in 2024. Since 2025, the median is effectively 0: exploitation begins before or on the day of disclosure for most critical CVEs. In 2026, 72% of exploited CVEs fell into this category. Monthly patch cycles cannot keep pace with this. Quarterly pentests cannot either.

CVSS or EPSS: which one should drive prioritization?

CVSS measures theoretical severity: how bad a vulnerability could be in the worst case. EPSS (Exploit Prediction Scoring System) estimates the probability that a specific CVE will be exploited in the next 30 days, based on real-world exploit activity and threat intelligence signals. EPSS v4 (March 2025) significantly improved accuracy. A CVSS 6.5 with EPSS 0.91 is more urgent than a CVSS 9.8 with EPSS 0.02. Use both together; neither alone gives you the full picture.

What does Patrowl do in this framework?

Patrowl applies the Asset Attractiveness model continuously to your external attack surface. When a new CVE drops, the platform cross-references it against your live asset inventory, scores it across all four pillars in real time, and flags which assets are in the Danger Zone before automated scanners reach them.

That is what happened in July 2025 when CVE-2025-53770 was published: Patrowl detected the exposure at 15:57 and had the Blue Team alerted at 16:36, 39 minutes from disclosure to operational response, with no manual triage in between.

Sources

  • zerodayclock.com — TTE historical data (2018–2026)

  • Patrowl — SASIG Webinar, April 22, 2026. Presenter: Nicolas Mattiocco, CEO

  • VulnCheck — State of Exploitation H1-2025

  • Rapid7 — 2026 Global Threat Landscape Report

  • NVD / Security Boulevard — 131 CVEs/day in 2025

  • FIRST — EPSS v4, March 2025 · first.org/epss/model

  • Morphisec — 2025 Ransomware Vulnerability Report

  • Verizon DBIR 2025