Mandiant M-Trends 2026: Time to Exploit Collapses to 44 Days as AI-Assisted Attacks Reshape Threat Landscape

The time between a vulnerability being publicly disclosed and a working exploit appearing in the wild has collapsed from over 700 days in 2020 to 44 days in 2025, according to Mandiant’s M-Trends 2026 report. The annual threat intelligence publication, analyzed by The Hacker News, shows the compression is accelerating: 28.3% of CVEs are now exploited within 24 hours of disclosure, meaning patches routinely arrive after attacks have already started.

The Capability Jump

Frontier AI models are a primary driver. Performance on SWE-bench, a benchmark measuring ability to resolve real GitHub software engineering issues, climbed from 33% accuracy in August 2024 to just under 81% by December 2025. That same capability that helps developers ship faster is supercharging offensive operations: discovering zero-days, generating reliable exploits, and orchestrating multi-target campaigns.

The practical effect is visible in the attacker profiles. In February 2025, three Japanese teenagers aged 14 to 16 with no coding background used ChatGPT to build an automated tool that hit Rakuten Mobile’s systems approximately 220,000 times, spending proceeds on gaming consoles and online gambling. In July 2025, a single actor using Claude Code conducted an extortion campaign targeting 17 organizations over one month, using agentic AI to develop malicious code, organize stolen files, analyze financial records to calibrate ransom demands, and draft extortion emails. In December 2025, another individual used Claude Code and ChatGPT to breach the Mexican government, targeting more than 10 agencies and stealing over 195 million taxpayer records.

Supply Chain Contamination

The software supply chain is deteriorating in parallel. Malicious packages in public repositories grew from 55,000 in 2022 to 454,600 in 2025, according to Sonatype. Notable surges occurred in 2023, the year GPT-4 launched, and again in 2025 as agentic coding tools matured. The September 2025 Shai-Hulud attack on the npm ecosystem alone compromised over 500 packages.

Defenders Losing the Race

The data suggests defenders are falling behind. The average time to remediate a known high or critical-severity CVE is now 74 days, according to the Edgescan 2025 Vulnerability Statistics Report cited in The Hacker News analysis. With attackers developing exploits in 44 days, the window between exploit availability and patch deployment is consistently negative. Forty-five percent of vulnerabilities in systems maintained by large companies with over 1,000 employees never get remediated at all.

The Asymmetry Problem

AI-powered code generation speeds up both offense and defense, but the numbers favor attackers. Defenders must secure every surface. Attackers need one opening. The M-Trends data shows that capability parity between sophisticated teams and lone actors with AI tools is collapsing the traditional threat model. Single operators are now conducting campaigns that would have required organized teams in the pre-AI era, and non-technical individuals are executing attacks that previously demanded years of expertise.

The 44-day figure is an average. For the most critical vulnerabilities, the timeline is measured in hours. Organizations that still plan patch cycles in quarterly windows are operating on assumptions that expired in 2024.