In this blog, learn why time-to-exploit for a vulnerability is outpacing time-to-remediate, and what you can do about it.
Closing the vulnerability gap
Every security team faces the same question when a new vulnerability is disclosed: is it exploitable in our environment? What follows is often a scramble. Security Operations pulls CVE details, vulnerability management teams update software, new detection signatures are created and tested, and engineering teams support all of the above and more.
While this happens, attackers are already automating scans, testing exploit code, and targeting unpatched infrastructure.
The time between disclosure and exploitation is shrinking, but the time between exposure and remediation is often not. This gap, known as the vulnerability intelligence gap, is where many incidents begin. It is not caused by a lack of data; it is caused by delays in translating vulnerability information into actionable decisions.
Closing that gap requires more than patching. It requires a system that connects original research to real-time discovery and to exposure validation performed before attackers reach your infrastructure, and a process that turns research into risk reduction without waiting for threat intelligence feeds or vendor bulletins.
Attack Surface Management (ASM), when supported by embedded research and proactive validation, can close this gap. It moves detection closer to discovery and reduces the time between knowing about a threat and protecting against it.
This blog ties into the release of our brand new eBook “ASM in the Age of CTEM.” To learn more about building a mature ASM program, download the eBook.
Time-to-Exploit vs. Time-to-Remediate
Vulnerability disclosure and proof-of-concept release often occur within hours of each other. In some cases, proof-of-concept code is published before the official disclosure is made. Exploitation attempts follow soon after, frequently automated and indiscriminate.
Organizations that rely on traditional patch cycles or signature-based scanning struggle to keep pace. Vulnerability scanning windows can range from several days to several weeks. Patching may require testing, scheduling, and coordination across teams. Any publicly exposed system matching the affected configuration remains vulnerable during this time.
Attackers do not wait for remediation to catch up. They move as soon as opportunity is visible.
Security programs that recognize this pattern have shifted focus. Instead of asking when a patch will be applied, they ask whether a system is currently exposed and exploitable. That question requires validation before remediation. And it requires intelligence that arrives at the point of discovery, not days later.
Embedded Research as Early Warning
The best source of vulnerability intelligence is not a third-party feed. It is direct research embedded into the detection engine itself.
Modern ASM platforms supported by security research teams can incorporate findings before official advisories are released. This includes detection of:
Misconfigurations observed in the wild
Exploitable behaviors in known software components
Vulnerable endpoints tied to emerging CVEs
Publicly exposed assets using software with known insecure defaults
Because this research is conducted in-house, detection signatures can be developed in parallel with the vulnerability’s emergence. In some cases, they are deployed before threat actors begin exploitation campaigns. This allows ASM systems to flag exposure early, sometimes even before public knowledge of the issue is widespread.
Early warning is only valuable if it applies to the actual infrastructure of the organization. Embedded research becomes operational when it is tied to live discovery. This connection transforms emerging vulnerabilities from background awareness into actionable detection.
Vulnerability Intelligence Pipelines
ASM systems with research capabilities operate on a continuous intake and correlation model. As new vulnerabilities are discovered or published, the following process unfolds:
The research team identifies and tests the vulnerability.
A detection mechanism is created and validated.
The ASM platform deploys the detection method across the observed attack surface.
Findings are correlated to live infrastructure and validated for exploitability.
Alerts are enriched with proof, context, and ownership data.
Remediation is assigned to the responsible teams.
This process reduces the delay between disclosure and action. Instead of waiting for a scanner update or a vendor alert, exposure is evaluated in real time. The result is faster awareness, better prioritization, and a shorter path to resolution.
Organizations benefit most when this pipeline is integrated into their broader security workflow. CTEM programs that depend on verified exposure data gain early insight into high-impact vulnerabilities. Risk scores reflect real-world exploitability, not theoretical severity. And remediation timelines should align with actual threat windows.
Automation That Turns Research into Defense
Manual processes cannot scale to meet the speed of modern exploitation. Security teams do not have the capacity to assess every new vulnerability against every asset. Automation is required, but only when it is backed by validation.
ASM platforms that automate detection using researcher-developed signatures remove guesswork. Instead of flagging every system that might be affected, they confirm whether the exposure exists in practice. This reduces noise, eliminates unnecessary escalations, and allows security teams to focus on systems that actually require attention.
Automation also extends to tracking changes over time. ASM continuously reevaluates assets as infrastructure shifts. A system that was not vulnerable last week may become exposed through a configuration change or software update. The system must detect this change without requiring a new scan.
This approach creates a feedback loop between infrastructure behavior and vulnerability exposure. Every change is evaluated using current threat intelligence, and every alert is supported by evidence.
MOVEit Transfer: A Case Study in Velocity
The MOVEit Transfer vulnerability (CVE-2023-34362) demonstrated the velocity with which attackers can operationalize new information. The vulnerability, a SQL injection flaw in a widely used file transfer application, was exploited in the wild before many organizations knew it existed.
Exploitation began in May 2023. Detection signatures were published soon after, but many environments lacked the tools to apply them at scale. Some organizations relied on monthly scanning schedules, and others did not track external vendor applications with the same rigor as internally managed systems.
ASM systems with embedded MOVEit detection capabilities identified vulnerable systems within hours. These systems included internally hosted MOVEit instances and third-party applications using the same component. Because the detection was based on behavior, not just version number, it could identify exposure even when the affected software was deployed in custom configurations.
Organizations using this level of visibility could respond before exploitation attempts reached them. Those without it learned about the issue only after it was already in use.
This case illustrates more than the value of speed. It shows the importance of correlation. Knowing about the vulnerability is not enough. Organizations need to know whether it affects them and whether it is accessible from the outside.
Proactive Exposure Management
The concept of proactive exposure management is built on the ability to detect and validate vulnerabilities before they are used in attacks. This requires a shift from reactive scanning to continuous monitoring and validation.
ASM platforms that support proactive detection deliver the following:
Continuous evaluation of exposed assets for new vulnerabilities
Early access to detection based on embedded research
Exploit validation to confirm practical risk
Immediate enrichment and routing for resolution
These capabilities allow organizations to shrink the window between public disclosure and private action. The benefit is measurable. Fewer successful intrusions. Faster patch cycles. Lower operational disruption. And better alignment between threat awareness and security investment.
When exposure is validated, remediation becomes precise. When detection is early, impact is minimized.
Measuring Improvement
Closing the vulnerability intelligence gap requires investment in visibility, automation, and research. But it also provides measurable improvements across several operational metrics:
Time to detect. Reduced by early access to embedded research and automated scanning.
Time to verify. Reduced by exploit-based validation and real-time asset correlation.
Time to remediate. Reduced by enriched alerts, ownership tagging, and prioritized routing.
Time exposed. Reduced by continuous monitoring and automated revalidation after change.
These metrics support better planning and justify resource allocation. They also demonstrate the return on investment in ASM as a proactive, not passive, capability.
Security teams that report on actual exposure instead of theoretical vulnerability show progress that matters to both technical and executive stakeholders.
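One way to compute the four intervals above from per-finding timestamps, as an added example that is not from the eBook or from any ASM product. The Finding record, its field names, and the sample dates are constructed for illustration; the metrics follow the page's definitions, with non-exploitable findings counted as suppressed noise and open findings counted as exposed until now.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

@dataclass
class Finding:  # hypothetical ASM finding for one asset/CVE pair; field names are this example's own
    asset: str
    cve: str
    disclosed: datetime                    # public disclosure or in-house research identification
    detected: datetime                     # ASM flagged the exposed asset
    verified: Optional[datetime] = None    # exploit-based validation completed
    exploitable: bool = True               # validation outcome
    remediated: Optional[datetime] = None  # fix applied and revalidated

def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600

def gap_metrics(findings: list, now: datetime) -> dict:
    """Median hours for the four 'Measuring Improvement' intervals, plus noise and open-exposure counts."""
    detect, verify, remediate, exposed = [], [], [], []
    suppressed = open_exposures = 0
    for f in findings:
        detect.append(hours(f.disclosed, f.detected))
        if f.verified is None:
            continue  # still awaiting validation; nothing further to measure yet
        verify.append(hours(f.detected, f.verified))
        if not f.exploitable:
            suppressed += 1  # validation ruled it out: no ticket, no exposure window
            continue
        if f.remediated is None:
            open_exposures += 1
            exposed.append(hours(f.disclosed, now))  # still exposed: clock runs to `now`
        else:
            remediate.append(hours(f.verified, f.remediated))
            exposed.append(hours(f.disclosed, f.remediated))
    med = lambda xs: median(xs) if xs else None
    return {"time_to_detect_h": med(detect), "time_to_verify_h": med(verify),
            "time_to_remediate_h": med(remediate), "time_exposed_h": med(exposed),
            "open_exposures": open_exposures, "suppressed_by_validation": suppressed}

T = datetime.fromisoformat
NOW = T("2023-06-05T12:00")
# Constructed sample (dates invented for illustration): three assets flagged for the MOVEit CVE.
SAMPLE = [
    Finding("mft-01", "CVE-2023-34362", T("2023-05-31T00:00"), T("2023-05-31T04:00"),
            T("2023-05-31T06:00"), True, T("2023-06-01T06:00")),   # fixed within a day
    Finding("mft-02", "CVE-2023-34362", T("2023-05-31T00:00"), T("2023-05-31T10:00"),
            T("2023-05-31T12:00"), False),                          # validated not exploitable
    Finding("mft-03", "CVE-2023-34362", T("2023-05-31T00:00"), T("2023-06-01T00:00"),
            T("2023-06-01T12:00")),                                 # still open
]
```

Reporting medians rather than means keeps one long-running exposure from masking the typical cycle; `gap_metrics(SAMPLE, NOW)` yields a time exposed of 81 hours for the sample above.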
Building an Intelligence-Ready ASM Program
ASM is not a fixed solution. It is a capability that grows in effectiveness when combined with other security functions. Embedded research is one of those functions. Together, they produce a system that is faster, more accurate, and more aligned with modern threat behavior.
To build an intelligence-ready ASM program, organizations should evaluate:
Whether their ASM platform incorporates original research
How quickly new detections are added after vulnerability discovery
Whether exploit validation is part of the detection process
How alerts are enriched and routed for action
Whether CTEM and vulnerability management teams can access verified findings in real time
These questions determine whether the program is reactive or preventive. Whether it is structured around generic alerts or actual risk. And whether it can reduce the gap between knowing and doing.
Attackers do not wait. They act the moment exposure becomes possible. Organizations must do the same. ASM, powered by research and verification, allows them to meet that challenge not with more alerts, but with better decisions.