Sergej Epp

201 posts

@EppSecurity

https://t.co/YMiKMjgKt7

Frankfurt/SF · Joined February 2009
829 Following · 245 Followers
Pinned Tweet
Sergej Epp @EppSecurity
Last week I launched ZeroDayClock.com. It went viral. Here's why: One graph. One question. In 2018, attackers needed 2.3 YEARS to weaponize a vulnerability. In 2026, they need 1.6 DAYS. What this means for all of us 🧵
Sergej Epp retweeted
0x796F @0x796F
You can now train @physical_int style robots in 1 day for only $5k. Anvil’s devkits have all the hardware, software, controls, cameras, and more ready-to-go. (1/5)
Sergej Epp @EppSecurity
That's why we built the Zero Day Clock. This isn't about selling anything. It's about making this data impossible to ignore - for CISOs, boards, researchers, and policy makers. If you need one slide for your board, this is it. Backed by Schneier, Adkins, Moss, Evron, Venables.
Sergej Epp @EppSecurity
Five things to change. Today.
→ Software liability. Builders pay, not victims
→ Secure by design. Enforced, not suggested
→ Patch in hours. Monthly cycles are dead
→ Unleash defensive AI. Regulate insecure software.
→ Assume breach. Build to be replaced, not patched
Sergej Epp @EppSecurity
This isn't a tech problem. It's a market failure. The people who build insecure software don't pay when it gets hacked. Users do. Hospitals do. Governments do. No industry in 150 years fixed safety voluntarily. Not aviation. Not pharma. Software isn't special. It's just late.
Sergej Epp @EppSecurity
AI helps attackers more than defenders. Here's why. Offense: did the exploit work? Yes or no. Instant. AI learns at machine speed. Defense: is this secure? Maybe. Check in 3 months. AI scales with cheap verification. Offense has the cheapest verifier. Game over.
Sergej Epp @EppSecurity
Is Patch Tuesday now the most dangerous day of the month? When a vendor ships a fix, AI reverse-engineers it, finds the exact flaw, and writes an exploit - in hours? The defense creates the offense. Every patch is now an exploit blueprint.
Sergej Epp @EppSecurity
Only 2% of all vulnerabilities get exploited today. Sounds manageable - until you remember why: exploits used to be expensive to build. At $4 per exploit, that 2% won't stay 2% for long. 50,000+ CVEs a year. Do the math.
Sergej Epp @EppSecurity
67.2% of exploited vulnerabilities in 2026 are zero-days - weaponized before or on the day of disclosure. In 2018 it was 16.1%. There is no patch. There is no warning. The attack IS the disclosure.
Sergej Epp @EppSecurity
Exploit generation now costs less than lunch.
40 exploits for 1 bug → $50
100 kernel vulns in 30 days → $600
Cost per bug → $4
Anyone with a cloud account can now do what took a government lab a year. The barrier to offensive cyber just collapsed.
Sergej Epp @EppSecurity
AI just broke the disclosure model. Anthropic pointed Claude at codebases tested for decades. Millions of hours of fuzzing by humans. It found 500+ high-severity zero-days. Their own red team: "90-day disclosure windows may not survive this." The old rules are gone.
Sergej Epp @EppSecurity
The collapse is exponential.
2018 → 2.3 years
2021 → 10.8 months
2023 → 4.9 months
2024 → 56 days
2025 → 23 days
2026 → 1.6 days
This isn't a trend line. It's a cliff.
Sergej Epp @EppSecurity
What are we measuring? TTE = Time-to-Exploit. The gap between when a software flaw is disclosed and when attackers have a working weapon for it. How much time do defenders have to fix it before the bad guys show up? It used to be years. Now it's hours.
Sergej Epp retweeted
Jack Cable @jackhcable
Meet Corridor: the security layer for AI coding. Now generally available. @CorridorSecure is the first security tool that moves at the speed you build – enforcing security guardrails in real time. Get two weeks free, with plans starting at $20/month.
Sergej Epp retweeted
Florian Roth ⚡️ @cyb3rops
Hahaha 😄 ... who made this?