April 11, 2026 Cyber Trends
Vulnerability exploits now drive many intrusions. Learn why patch speed matters and how InfoSight Mitigator reduces exposure with risk-based prioritization and MTTR tracking.
Patch or Perish: Faster Remediation with InfoSight Mitigator
Security teams have been repeating the same guidance for years. Patch quickly. Reduce exposure. Enforce MFA. Centralize logs. The difference in 2026 is that the “why” is no longer theoretical. It is measurable, consistent, and showing up across real incident response engagements.
Cisco Talos Incident Response trends for Q4 2025 show exploitation of public-facing applications as the top initial access method for the second quarter in a row, appearing in nearly 40 percent of engagements, with phishing in second place at 32 percent. Those numbers align with The Register’s summary of the same dataset and its warning that attacker speed is forcing defenders into a narrower decision window.
The implication is straightforward. If your remediation cycle is measured in weeks or months, you are operating in a timeline attackers no longer respect.
Exploits are winning because weaponization is fast and exposure is everywhere
Two themes keep repeating in modern intrusions.
First, exploitation happens as soon as the vulnerability becomes public. Talos points to Oracle E-Business Suite and React2Shell as examples where exploitation activity occurred around the time the vulnerability became public, highlighting how quickly actors capitalize on new opportunities and how dangerous internet-facing enterprise apps and default deployments can be. The Register noted proof-of-concept activity for React2Shell circulating within roughly 30 hours of disclosure.
Second, the attack surface is dominated by public-facing applications and frameworks. This is not limited to niche products. It includes widely used frameworks and common enterprise stacks, where one vulnerable endpoint can become a reliable entry point. Talos describes successful exploitation leading to shells, cryptomining, web shells, and follow-on activity, with public reporting showing diverse adversaries targeting the same fresh weaknesses.
This compresses the defender’s “safe window” from weeks to hours or days, especially for internet-facing systems.
The real remediation gap: organizations still patch on a months-long cadence
Even when defenders know a bug is exploited in the wild, the operational reality is often slow.
A BitSight analysis summarized by The Register found that vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog were remediated in under 175 days on average, compared to 621 days for vulnerabilities not in the catalog. Even “critical” KEVs averaged roughly 137 days to fix, and deadlines were missed frequently.
Those timelines are structurally incompatible with Talos’ observation that exploitation can begin around disclosure time, and with reporting that state-backed actors may move within hours or days after disclosure for high-impact bugs.
The problem is not a lack of awareness. It is an operating model problem.
Shift from patch management to exposure management
Patching is a control. Exposure is the risk. The organizations that close the gap treat remediation as an exposure-reduction system with clear prioritization logic, strict service levels, and executive reporting.
1) Inventory what matters, starting with what is reachable
Fast patching is impossible without accurate scope.
Identify internet-facing applications, VPNs, remote access services, web apps, and management interfaces
Maintain ownership mapping by system, business service, and environment
Track where default deployments or “framework embedded” components exist, because those are commonly exploited at scale
2) Prioritize by exploitability and business impact, not by volume
CVSS alone does not run your backlog. Exploitability and exposure do.
Elevate KEV-listed items and vulnerabilities tied to active exploitation campaigns
Prioritize any vulnerability on an internet-facing system higher than the same vulnerability on an internal-only asset
Separate “must patch now” from “must mitigate now”
3) Standardize compensating controls for the period before patching
When patching cannot occur immediately, the goal is to reduce exploitability and reachable paths.
Remove public exposure temporarily when feasible
Apply segmentation to limit lateral movement from a compromised point of entry
Add detection and monitoring around the vulnerable service
Use configuration hardening, feature disablement, and access restrictions as interim risk reduction
4) Make remediation measurable with deadlines that leadership can enforce
BitSight recommended internal deadlines such as seven days for critical bugs and KEVs, expanding with severity for lower-risk issues. That approach only works when it is measurable and reported.
Define and publish:
Remediation SLOs by severity and exposure class
Exception handling rules and compensating control requirements
A single remediation queue with clear ownership and due dates
Where InfoSight Mitigator fits: turning vulnerability data into faster risk reduction
Most organizations do not fail because they lack scan results. They fail because they cannot consistently translate vulnerability findings into a prioritized, enforced remediation motion that reduces exposure before attackers arrive.
InfoSight’s Mitigator Vulnerability & Threat Manager platform is built around that translation layer: consolidate vulnerability and threat context, prioritize the work that reduces risk fastest, and track remediation performance over time.
Risk-based prioritization aligned to today’s intrusion reality
Exploit-driven intrusions demand prioritization that emphasizes:
Public-facing exposure
Active exploitation signals such as KEV alignment and observed exploitation patterns
Time sensitivity when exploitation begins near disclosure
Mitigator’s value in this step is reducing “backlog noise” and forcing a smaller, higher-fidelity remediation queue that maps to attacker behavior.
Remediation tracking that drives MTTR down
Talos and The Register both reinforce that response outcomes improve with speed, and that defenders need reliable logging and operational readiness to act. Mitigator supports the operational side by keeping remediation work visible, owned, time-bound, and reportable, which is the practical lever for reducing mean time to remediate.
Executive-ready reporting that supports governance
Boards and executives do not need another list of CVEs. They need:
Exposure trends
SLA compliance
Time-to-fix performance
Evidence that the highest-risk, most exploitable weaknesses are being addressed first
That reporting layer is what turns vulnerability management into governance, and governance into faster decisions.
Metrics that actually correlate with reduced breach likelihood
Use metrics that reflect attacker timelines and your true exposure.
Time-to-mitigate for KEVs and actively exploited vulnerabilities
Benchmark against internal deadlines and track exceptions.
Exposure-weighted backlog
Count vulnerabilities on public-facing systems separately from internal-only assets.
MTTR by severity and by business service
Measure how quickly risk is reduced where downtime costs and operational impact are highest.
Percentage remediated within SLO
A single number leadership can enforce.
Compensating control coverage
For anything not patched on time, measure whether exposure was reduced through segmentation, access restriction, or temporary removal from the internet, reflecting the mitigation guidance highlighted by practitioners.
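The prioritization rules in step 2 and the metrics listed above, worked through on a small queue. This is an added example, not InfoSight Mitigator code or output. The findings are constructed, the sort order is one assumed reading of the rules, and only the seven-day deadline for critical bugs and KEVs comes from the article; the other SLO values are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Only 7 days for criticals/KEVs is from the article; the rest are assumed.
SLO_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}

@dataclass
class Finding:
    asset: str
    severity: str
    kev: bool                         # listed in CISA KEV
    internet_facing: bool
    opened: date
    fixed: Optional[date] = None      # patch applied
    mitigated: Optional[date] = None  # compensating control in place

def slo_days(f):
    return 7 if f.kev else SLO_DAYS[f.severity]

def queue(findings):
    """Open findings: KEV first, then internet-facing, then tightest SLO (assumed order)."""
    todo = [f for f in findings if f.fixed is None]
    todo.sort(key=lambda f: (not f.kev, not f.internet_facing, slo_days(f)))
    return [f.asset for f in todo]

def metrics(findings, today):
    closed = [f for f in findings if f.fixed]
    open_ = [f for f in findings if not f.fixed]
    overdue = [f for f in open_ if (today - f.opened).days > slo_days(f)]
    in_slo = [f for f in closed if (f.fixed - f.opened).days <= slo_days(f)]
    return {
        "mttr_days": sum((f.fixed - f.opened).days for f in closed) / max(len(closed), 1),
        "pct_within_slo": round(100 * len(in_slo) / max(len(closed), 1), 1),
        "open_internet_facing": sum(f.internet_facing for f in open_),
        "open_internal": sum(not f.internet_facing for f in open_),
        "overdue": len(overdue),
        "overdue_with_control": sum(f.mitigated is not None for f in overdue),
    }

# Constructed sample findings (hypothetical assets and dates).
FINDINGS = [
    Finding("vpn-gw", "high", True, True, date(2026, 3, 1), fixed=date(2026, 3, 5)),
    Finding("erp-web", "critical", True, True, date(2026, 3, 2), fixed=date(2026, 3, 20)),
    Finding("hr-app", "medium", False, False, date(2026, 2, 1), fixed=date(2026, 2, 27)),
    Finding("cms", "critical", False, True, date(2026, 3, 10), mitigated=date(2026, 3, 11)),
    Finding("build-srv", "high", False, False, date(2026, 3, 25)),
    Finding("file-srv", "low", True, False, date(2026, 3, 20)),
]
TODAY = date(2026, 4, 1)
```

In this sample a KEV-listed finding rated "low" is already past its seven-day deadline with no compensating control, which a severity-only backlog would not surface.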
Bottom line
Exploit-driven intrusion is no longer an edge case. Talos’ Q4 2025 incident response trends place exploitation at the top of initial access again, with attackers moving quickly once vulnerabilities become public. The organizations that reduce breach probability are the ones that can consistently compress remediation from months to days by treating vulnerability management as exposure management, enforced by deadlines and measured by MTTR.