The timeline that was the muse of vulnerability administration has quietly disappeared. For many years, defenders believed that it might take weeks and even months after a flaw grew to become public for somebody to truly flip it into an efficient assault.
The 2 forces rapidly closed the hole.
The primary one is enormous quantity: New defects are piling up a lot sooner than ever earlier than, with extra CVEs occurring within the first half of 2026 alone than in any full 12 months on report previous to 2024, and roughly 1 each 7.4 minutes.
The second is pace. AI rapidly erased the remainder of the cushionas talked about in a current article. These days, it would not take expert and affected person effort to show recommendation into actual exploits. Zero-day clocks that observe time to exploitation throughout tens of 1000’s of CVEs present that the median time in 2026 is effectively under a day, in comparison with weeks only a few years in the past.
Sadly for safety groups, defenses aren’t transferring that quick, and no staff can break away from a backlog that actually grows by the minute. However amount was solely a part of the issue. Solely % of those CVEs developed into precise assaults.
What occurs is that the time throughout which the attacker is free to behave and the defender is unable to cease him will increase. Growing complexity provesdistinguishes between the few threats that may really be directed at you and the tens of 1000’s that can by no means be directed at you.
There are dangers even the place firing shouldn’t be attainable.
Operating penetration exams repeatedly as an alternative of as soon as 1 / 4 definitely narrows the scope, however it helps a tough ceiling. Stay exploits utilized by automated penetration testing instruments can solely be run in places the place it’s protected to take action and the place a usable exploit already exists. Most firms solely cowl 10-15% of their precise assault floor.
however the remainder shouldn’t be confirmed Conventional automated penetration testing instruments can detect undisclosed flaws, regulated and air-gapped methods are too delicate to face up to real-world assaults, or newly disclosed bugs that attackers are already utilizing whereas defensive instruments have not but caught up.
Nonetheless, to show exploitability, you needn’t publicly exploit it or take a stay shot of a system vital sufficient to take the chance. A series, whether or not bodily or digital, is barely as sturdy as its weakest hyperlink, so there isn’t any have to load the whole chain to see which hyperlink breaks. The Picus platform proves exploitability with or with out exploitation.
This protection hole is why CISOs are shifting their budgets from patch velocity to verification, and our newest information lays out the total case and numbers to defend it in entrance of the board. Get your copy under.

Show the chain, not the exploit
That is the place the reliable balancing of the equation begins. You may show whether or not the exploit works towards you. with out really pulling the set off.
Each exploit consists of a sequence of dependent steps, together with preliminary execution, protection evasion, privilege escalation, credential theft, and lateral motion. attacker Every step required to landthe step will solely land if the setting permits it.
Map vulnerabilities to the steps that their exploitation depends upon, and take a look at every towards your precise deployed defenses. If a required step doesn’t have a viable path via the management, the chain can’t be accomplished and exploits towards that asset will fail, despite the fact that the vulnerability nonetheless exists. The reverse can be true. If all vital steps are profitable, the publicity is really exploitable and the decision could be supported by proof somewhat than hunch.
It is rocket science logic. Engineers examine the engines, gasoline methods, and warmth shields separately, all earlier than any launch try. If a essential part fails the take a look at, we all know the car can not fly with out risking launch.
A brand new CVE is delivered each 7.4 minutes, and our AI converts advisories into working exploits inside a day. No patching program can sustain this tempo.
This information reveals the board why CISOs are shifting their budgets from patch pace to verifying what their defenses really cease, together with the numbers to defend towards.
Obtain free information
Sensible instance: Nightmare-Eclipse
The newly revealed bug case takes form the second an individual runs a Home windows zero-day and the legal ecosystem picks it up. That is precisely what occurred with Nightmare-Eclipse. The exploit code was printed on GitHub lower than every week in the past, however operating actual malware towards your individual area controller to see if it reaches you is not a take a look at everybody ought to join.
Wanting again at how this specific timeline unfolded gives the clearest rationalization of why proving a series, somewhat than launching it, is a extremely efficient methodology when deciding which patches to prioritize.
Nightmare Eclipse (alias chaotic eclipse, lifeless eclipse) shouldn’t be a ransomware staff or state-sponsored group. All out there proof means that this individual is a safety researcher with deep data of Home windows internals and a private grudge towards Microsoft.
Beginning in early April 2026, attackers launched a sequence of Home windows zero-day exploits in uncoordinated disclosures. There was no coordinated timeline, and most often there have been no CVEs or patches at launch.
Three of the releases are mixed into one playbook for self-contained privilege escalation and blinding.
-
Blue Hammer: Native privilege escalation Learn privileged informationexploits a race situation in Home windows Defender. Ann acre The decoy file pushes Defender right into a remediation workflow that creates a quantity shadow copy snapshot and quickly exposes the SAM, SYSTEM, and SECURITY hives. BlueHammer makes use of Cloud Information callbacks and opportunistic locks to win its competitors, studying the hive, dumping the native NTLM hash, and escalating to SYSTEM.
-
Pink Solar: Inverted model of the identical set of primitives Writing privileged information. RedSun redirects SYSTEM degree writes as an alternative of studying SAM hives. C:WindowsSystem32overwrite TieringEngineService.exe Utilizing the attacker’s binaries, Storage tier administration COM Begin as SYSTEM utilizing the item.
-
Take away safety: Defender Destruction Instruments. Lock the Defender signature file (mpavbase.vdm, mpavbase.lkg), blocks definition updates, blocks signature bases from being reloaded when the service restarts, and on the similar time experiences the present wholesome standing to the EDR console.
When chained collectively, the result’s a machine with no partitions of privilege and a safety stack that disguises its personal well being.
Replicating conduct: constructing a TTP chain
Turning a penetration right into a safe take a look at means changing every attacker’s conduct right into a separate motion that Picus can take and measure with out really performing an exploit.

A number of actions make up a series. However three issues carry a lot of the weight.
-
Create a brand new service “Evilsvc” (run). BlueHammer escalation ends by registering a brief Home windows service. Making a service Subsequently, its payload runs as SYSTEM. The emulated motion installs a benign take a look at service and takes the place of the ultimate execution step with out launching something malicious.
-
Dump a SAM hive by way of Quantity Shadow Copy (credential entry). It is a core primitive of BlueHammer. Slightly than touching a locked stay registry, an attacker can Sam, systemand security Hive the shadow copies created by Defender and decrypt the NTLM hashes offline. The emulated motion reproduces that VSS primarily based hive entry, the precise conduct that credential theft controls ought to seize.
-
Disable the Home windows Defender service (Protection Evasion). In the true chain, UnDefend blocks Defender updates and stops its signature-based reloads, whereas falsely reporting a wholesome standing to the console. Picus doesn’t require its malware to confirm the steps. emulate this method undefendera risk library motion that safely stops the Home windows Defender service, exams whether or not tamper safety is maintained irrespective of which instruments try to avoid it.
If you happen to comply with these steps in sequence towards stay management, you will notice whether or not a full chain, system entry, credential theft, and blinded Defender really succeeds in your setting, or whether or not one in every of your defenses breaks via it first.
This lets you prioritize patching and hardening that truly completes the chain, and attain that call with out operating a single exploit, comparable to on methods that can’t be examined stay. TTP Chain’s two-page ebook walks you thru this actual course of step-by-step, from CVE ID to defensible selections, with a second real-world instance. Get your copy under.

Cowl all areas and proceed to show
Stay exploits and TTP chains have been by no means competing strategies. They’re symbiotically appropriate.
Essentially the most highly effective applications do each and do it once more every time the setting modifications. It is because the management that broke the chain final month could not survive the subsequent configuration change. Exploitability shouldn’t be a field you examine as soon as, however a query you retain asking.
That is the loop that Picus closes. If an exploit exists and it’s protected to run, autonomous penetration testing detonates the true chain to acquire the strongest proof out there. Even when it is not a restricted, air-gapped, or business-critical asset, and even the not-yet-weaponized CVE dropped this morning, the TTP chain proves exploitability by inference.
Compromise and assault simulations then recheck all verdicts, so final quarter’s “approval” would not quietly flip into this quarter’s breach.
The result’s one platform, one reply on demand.Now, what might really be exploited right here?”
We’ll choose up circumstances which might be nonetheless within the backlog. The subsequent Nightmare-Eclipse launch with out a patch but, an air-gapped field that can by no means boot, and an advisory that arrived just a few hours in the past.
Schedule a demo to look at Picus take a look at your individual setting towards stay exploits and TTP chains.
Sponsored and written by Picus Software program.
