AI Is Now Writing Malware, Cutting Attack Time to Seconds — and Most Businesses Are Unprepared

The Attack Window Is Gone
Forget "patch Tuesday." You now have roughly 48 hours after a vulnerability goes public before criminals are actively exploiting it at scale.
That's according to Google Cloud Security's March 2026 Cloud Threat Horizons Report, which states that "the window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days." In some cases it's worse — a critical flaw in React Server Components (CVE-2025-55182) was weaponized within 48 hours of public disclosure.
Every business running software connected to the internet faces this risk. Which is all of them.
The 22-Second Problem
Mandiant — the breach investigation firm now owned by Google Cloud — put hard numbers on how fast attacks are moving. In 2022, cybercriminal groups took more than eight hours to hand off a compromised network from initial-access teams to operators who dig in and do damage. By 2025, that hand-off time dropped to 22 seconds.
The time between "we're in" and "we own this network" is now shorter than it takes to read this paragraph.
Mandiant also reported that the mean time to exploit for zero-day vulnerabilities has dropped to seven days, before most vendors have even issued a patch.
AI Wrote the Exploit
Google's Threat Intelligence Group (GTIG) published findings in May 2026 stating that they identified a threat actor using a zero-day exploit believed to have been developed with AI. A criminal group was planning a mass exploitation event with it. GTIG says their counter-discovery may have stopped it.
Beyond that single case, GTIG confirmed that threat actors linked to China (PRC) and North Korea (DPRK) have demonstrated "significant interest" in using AI for vulnerability discovery. Russia-linked actors are using AI to build "polymorphic malware" — code that constantly rewrites itself to dodge detection. GTIG has identified a specific piece of autonomous malware called PROMPTSPY that uses AI models to interpret system states and dynamically generate attack commands on the fly.
These tools exist and are being used now.
The Weak Link Is Still You
For all the machine-speed threats, Mandiant's 2026 enterprise security survey is blunt: humans remain the weakest point. Cybercriminals gain initial access through malicious ads, fake browser updates, and social engineering — not by cracking military-grade encryption.
MIT Sloan's cybersecurity researchers echo this. They warn that AI-generated phishing campaigns and deepfake-driven social engineering have fundamentally changed the threat landscape. The days of spotting a scam email by its broken English are over. AI now writes convincing, targeted, grammatically perfect bait.
North Korean-linked operators are specifically pushing a technique called ClickFix — a social engineering trick to get users to run malicious commands themselves — according to a November 2025 Darktrace report on Asia-Pacific threats.
China, North Korea, Russia — This Is a National Security Issue
Mainstream coverage keeps framing this as a "business cybersecurity" story. It's bigger than that.
Darktrace's APJ Threat Landscape report identified Lazarus (North Korea), APT40 (China), Earth Lamia, and SilverFox as persistent threats targeting critical infrastructure, financial services, and government agencies across the Asia-Pacific region. GTIG confirms PRC and DPRK actors are specifically investing in AI-powered attack capabilities.
This is state-sponsored activity with direct consequences for American infrastructure and economic security. The conversation should extend beyond corporate cybersecurity guidance.
What Mainstream Coverage Is Getting Wrong
Tech media is giving you the "how to protect yourself" listicle when the real story is a geopolitical arms race.
Also buried: 84% of Asia-Pacific organizations believe AI will play a major role in future cyber threats, but only 42% have any formal policies governing its secure use, per Darktrace. That gap is a significant vulnerability in itself.
Third-party software isn't getting enough attention either. Google's Cloud Threat report is explicit — attackers are NOT targeting AWS, Azure, or Google Cloud's core infrastructure directly. Those are hardened targets. They're going through third-party code: the JavaScript libraries, the SaaS plugins, the vendor integrations that businesses bolt on without thinking twice.
Your cloud provider's defenses are solid. The door you left open with unpatched third-party software is not.
What Actually Needs to Happen
Google Cloud Security, Mandiant, and MIT Sloan researchers all converge on the same answer: automated, AI-powered defenses. Human reaction time can't compete with 22-second attack sequences. You need systems that detect and respond without waiting for a person to notice something is wrong.
Beyond technology, MIT Sloan recommends three structural pillars: automated security hygiene, autonomous defensive systems, and executive-level oversight with real-time intelligence feeds. That last part matters — this can't live only in the IT department anymore.
What Comes Next
AI-powered cyberattacks aren't coming. They're here. State actors from China, North Korea, and Russia are using generative AI to write exploits, build malware, and run disinformation operations at industrial scale. The time businesses have to respond after a vulnerability drops is measured in hours, not weeks.
Every day a business runs unpatched third-party software is a day it's handing criminals a key. The question isn't whether your organization will be targeted. It's whether you'll notice before the 22 seconds are up.