Sergej Epp

204 posts


@EppSecurity

https://t.co/YMiKMjgKt7

Frankfurt/SF · Joined February 2009
829 Following · 247 Followers
Pinned Tweet
Sergej Epp
Sergej Epp@EppSecurity·
Last week I launched ZeroDayClock.com. It went viral. Here's why: One graph. One question. In 2018, attackers needed 2.3 YEARS to weaponize a vulnerability. In 2026, they need 1.6 DAYS. What this means for all of us 🧵
Sergej Epp retweeted
Rob T. Lee
Rob T. Lee@robtlee·
Friday afternoon @gadievron says "I'm working on a CISO community document for Monday. Want to collaborate? Releasing Monday." I said "Sure." (I have a problem with that word.)

@AnthropicAI had dropped Mythos on Monday. @cloudsa is running an emergency CISO Zoom on Tuesday. @SANSInstitute was already building BugBusters this Thursday with Ed Skoudis, Joshua Wright, and Chris Elgee. The entire community was asking the same question: what do we actually DO about this?

Three nights later we have a 30-page strategy briefing with 60+ contributors. "Sure" turned into barely sleeping Friday, Saturday, Sunday while @gadievron and @rmogull dragged this thing into existence. (My son checked to see if I was still breathing around hour 40. I think he was mostly concerned about if Uber Eats delivered Five Guys yet.)

The contributing authors list reads like someone raided a cybersecurity hall of fame: Jen Easterly, Bruce Schneier, Chris Inglis, @philvenables, Heather Adkins @argvee, @RGB_Lights, @sounilyu, @jimreavis, Katie Moussouris @k8em0, Jon Stewart, Maxim Kovalsky, David Scott Lewis, Joshua Saxe, John Yeoh, Ramy Houssaini and James Lyne. Every single one said yes within hours.

Cloud Security Alliance @cloudsa, @SANSInstitute, [un]prompted, @OWASPGenAISec -- four organizations that don't usually build things together at this speed. This is the start.

SANS reviewers who showed up: Chris Cochran @chrishvm, @edskoudis, Viswanath S Chirravuri @vchirrav, @bettersafetynet, Ciaran Martin

Thursday @edskoudis, @joswr1ght, and @chriselgee stop talking and start showing. Live AI-assisted vulnerability discovery against real code. No slides about the future. Terminals and bugs. (The kind of demo where something breaks and that IS the point.)

Full reviewer list is in the doc. If you know someone on it, send them a note. They earned it.

But an even bigger thank you -- seriously -- from the entire cyber security community needs to go to @gadievron for once again bringing the avengers together -- like in Endgame (is that what Mythos is?) -- and you all know the scene -- but we need someone to create the meme with Gadi Evron with his shield and Mjölnir saying "Avengers..... assemble!" because that is exactly what he does. A lot it seems.

Read it: labs.cloudsecurityalliance.org/mythos-ciso

Going to sleep now. Setting my alarm for Thursday. (Not joking.) #CyberSecurity #AISecurity #SANSInstitute
Sergej Epp retweeted
Gadi Evron
Gadi Evron@gadievron·
An Expedited Strategy Briefing on Mythos, Glasswing, and building a security program for what comes next, by 250 CISOs, and the wider community. It is still a draft, with some design incomplete, but we felt it was imperative to release. Link: labs.cloudsecurityalliance.org/mythos-ciso/
Sergej Epp retweeted
Cloud Security Podcast
Cloud Security Podcast@CloudSecPod·
Zero stolen credentials to full AWS admin. Eight minutes. CVE to exploitation used to take 18 months. Now it's under a day. A SOC analyst isn't losing because they lack tools. They're losing because the loop is too slow. #cloudsecurity #CISO @EppSecurity @sysdig
Sergej Epp retweeted
0x796F
0x796F@0x796F·
You can now train @physical_int style robots in 1 day for only $5k. Anvil’s devkits have all the hardware, software, controls, cameras, and more ready-to-go. (1/5)
Sergej Epp
Sergej Epp@EppSecurity·
That's why we built the Zero Day Clock. This isn't about selling anything. It's about making this data impossible to ignore - for CISOs, boards, researchers, and policy makers. If you need one slide for your board, this is it. Backed by Schneier, Adkins, Moss, Evron, Venables.
Sergej Epp
Sergej Epp@EppSecurity·
Five things to change. Today.
→ Software liability. Builders pay, not victims
→ Secure by design. Enforced, not suggested
→ Patch in hours. Monthly cycles are dead
→ Unleash defensive AI. Regulate insecure software.
→ Assume breach. Build to be replaced, not patched
Sergej Epp
Sergej Epp@EppSecurity·
This isn't a tech problem. It's a market failure. The people who build insecure software don't pay when it gets hacked. Users do. Hospitals do. Governments do. No industry in 150 years fixed safety voluntarily. Not aviation. Not pharma. Software isn't special. It's just late.
Sergej Epp
Sergej Epp@EppSecurity·
AI helps attackers more than defenders. Here's why. Offense: did the exploit work? Yes or no. Instant. AI learns at machine speed. Defense: is this secure? Maybe. Check in 3 months. AI scales with cheap verification. Offense has the cheapest verifier. Game over.
Sergej Epp
Sergej Epp@EppSecurity·
Is Patch Tuesday now the most dangerous day of the month? When a vendor ships a fix, AI reverse-engineers it, finds the exact flaw, and writes an exploit - in hours? The defense creates the offense. Every patch is now an exploit blueprint.
Sergej Epp
Sergej Epp@EppSecurity·
Only 2% of all vulnerabilities get exploited today. Sounds manageable - until you remember why: exploits used to be expensive to build. At $4 per exploit, that 2% won't stay 2% for long. 50,000+ CVEs a year. Do the math.
Sergej Epp
Sergej Epp@EppSecurity·
67.2% of exploited vulnerabilities in 2026 are zero-days - weaponized before or on the day of disclosure. In 2018 it was 16.1%. There is no patch. There is no warning. The attack IS the disclosure.
Sergej Epp
Sergej Epp@EppSecurity·
Exploit generation now costs less than lunch.
40 exploits for 1 bug → $50
100 kernel vulns in 30 days → $600
Cost per bug → $4
Anyone with a cloud account can now do what took a government lab a year. The barrier to offensive cyber just collapsed.
Sergej Epp
Sergej Epp@EppSecurity·
AI just broke the disclosure model. Anthropic pointed Claude at codebases tested for decades. Millions of hours of fuzzing by humans. It found 500+ high-severity zero-days. Their own red team: "90-day disclosure windows may not survive this." The old rules are gone.
Sergej Epp
Sergej Epp@EppSecurity·
The collapse is exponential.
2018 → 2.3 years
2021 → 10.8 months
2023 → 4.9 months
2024 → 56 days
2025 → 23 days
2026 → 1.6 days
This isn't a trend line. It's a cliff.
Sergej Epp
Sergej Epp@EppSecurity·
What are we measuring? TTE = Time-to-Exploit. The gap between when a software flaw is disclosed and when attackers have a working weapon for it. How much time do defenders have to fix it before the bad guys show up? It used to be years. Now it's hours.
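The thread defines TTE (time-to-exploit) as the gap between disclosure and a working exploit, and counts a vulnerability as a zero-day when it is weaponized before or on the day of disclosure. The following is an added example, not code from the thread or from ZeroDayClock.com, showing how a defender would keep that bookkeeping for their own asset inventory and test a patch SLA against it: per-record TTE in days, zero-day share, median TTE of the n-days, and the list of vulnerabilities a given patch cycle would have lost to. All records are constructed; the ids v1 to v6 are placeholders, not real vulnerability identifiers.

```python
# Added example (not code from the thread or from ZeroDayClock.com): bookkeeping for
# Time-to-Exploit (TTE) as the thread defines it, the gap between public disclosure
# and the first working in-the-wild exploit. All records below are constructed;
# the ids "v1".."v6" are placeholders, not real vulnerability identifiers.
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnRecord:
    vid: str                         # placeholder id (constructed)
    disclosed: date                  # public disclosure / patch release date
    first_exploited: Optional[date]  # first known exploitation; None = none known yet


def tte_days(rec: VulnRecord) -> Optional[int]:
    """TTE in days; zero or negative means exploited on or before disclosure day."""
    if rec.first_exploited is None:
        return None
    return (rec.first_exploited - rec.disclosed).days


def is_zero_day(rec: VulnRecord) -> bool:
    """Zero-day in the thread's sense: weaponized before or on the day of disclosure."""
    d = tte_days(rec)
    return d is not None and d <= 0


def summarize(records: List[VulnRecord]) -> Dict[str, float]:
    """Exploitation share, zero-day share and median TTE of the n-days (TTE > 0).
    Zero-days are excluded from the median: they give defenders no window at all,
    so averaging them in would hide how short the n-day window actually is."""
    exploited = [r for r in records if r.first_exploited is not None]
    zero_days = [r for r in exploited if is_zero_day(r)]
    nday_ttes = [tte_days(r) for r in exploited if not is_zero_day(r)]
    return {
        "total": len(records),
        "exploited": len(exploited),
        "exploited_share": len(exploited) / len(records) if records else 0.0,
        "zero_days": len(zero_days),
        "zero_day_share": len(zero_days) / len(exploited) if exploited else 0.0,
        "median_nday_tte_days": median(nday_ttes) if nday_ttes else 0.0,
    }


def exploited_before_patch(records: List[VulnRecord], sla_days: int) -> List[str]:
    """Ids whose exploit existed no later than sla_days after disclosure, i.e. the
    ones a patch cycle of sla_days would not have closed in time (zero-days always)."""
    return [r.vid for r in records
            if tte_days(r) is not None and tte_days(r) <= sla_days]


# Constructed sample: two zero-days, three n-days, one not (yet) exploited.
RECORDS = [
    VulnRecord("v1", date(2026, 3, 3), date(2026, 3, 1)),    # TTE -2: exploited before disclosure
    VulnRecord("v2", date(2026, 3, 10), date(2026, 3, 10)),  # TTE 0: exploited on disclosure day
    VulnRecord("v3", date(2026, 3, 12), date(2026, 3, 14)),  # TTE 2
    VulnRecord("v4", date(2026, 2, 1), date(2026, 2, 6)),    # TTE 5
    VulnRecord("v5", date(2026, 1, 15), None),               # no known exploitation
    VulnRecord("v6", date(2026, 1, 20), date(2026, 2, 19)),  # TTE 30
]

if __name__ == "__main__":
    print(summarize(RECORDS))
    for sla in (30, 7, 1):
        print(f"{sla:>2}-day patch SLA loses to: {exploited_before_patch(RECORDS, sla)}")
```

On the constructed sample a 30-day cycle loses to every exploited record, a 7-day cycle still loses four of five, and only a same-day cycle is left with just the two zero-days, which no patch SLA can address. Run `exploited_before_patch` against your real inventory with the SLA you actually hit, not the one in the policy; a non-empty list is the concrete form of the thread's "monthly cycles are dead".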