Jira tickets used to sit open for years. A medium-severity vulnerability, flagged by a routine scan, could be assigned to an engineer who had bigger fires to fight. It had largely been that way for years: patch the criticals, manage the highs, let the mediums age. When it came to CVEs (Common Vulnerabilities and Exposures), a publicly available list of known cybersecurity flaws in software and hardware, nobody was going to weaponize one rated 5.4.
But in today’s world, that’s no longer true.
“In 2020, [if] there was a CVE reported and a security hole, it would take more than a year until there was a public exploit,” said Shimon Tolts, CEO and co-founder of Tel Aviv-based cloud security startup Copperhelm. “Nowadays, with Claude and OpenAI and other players, the time has shrunk from one year to one day. So now you treat every CVE, every security issue that you have, as immediately exploitable.”
The data confirms what Tolts describes. The mean time between a vulnerability being discovered and its exploitation has dropped from nearly a year in 2021 to just over a day in 2026, with industry projections suggesting the window will shrink to one hour by 2027. Rapid7’s 2026 Global Threat Landscape Report found that what once unfolded over weeks now materializes in days (and in some cases, minutes), with the median time between vulnerability publication and inclusion on CISA’s Known Exploited Vulnerabilities catalog falling from 8.5 days to five.
The implications invalidate an entire category of enterprise risk management.
For decades, security teams built their workflows around severity scores. The National Vulnerability Database, operated by the National Institute of Standards and Technology (NIST), classified every disclosed flaw as ‘critical’, ‘high’, ‘medium', or ‘low’ - and organizations built their response hierarchies accordingly. Fix the criticals immediately, schedule the highs, and then defer the rest.
That model is now under institutional strain: CVE submissions surged 263% between 2020 and 2025, and starting April 15, 2026, NIST announced it would only prioritize enrichment for a narrow subset of vulnerabilities, such as those already on CISA’s exploited list, those affecting federal systems, or those covered by Executive Order 14028.
This would leave the majority of newly disclosed flaws without severity scores. “You’ll no longer be able to use the old risk management methodology of saying ‘I’m only going to fix criticals’,” Tolts explained. “Because you’re not going to have a severity anymore.”
The shift has a compounding effect. AI models are not only accelerating exploitation timelines, but they are also discovering vulnerabilities at a rate that human analysts cannot process. NIST enriched nearly 42,000 CVEs in 2025, 45% more than any prior year, and forecasts from the Forum of Incident Response and Security Teams projected a record 50,000 additional CVEs to be reported in 2026 (these figures do not yet account for the accelerating contribution of AI-powered vulnerability discovery tools like Claude Mythos and GPT-5.4-Cyber).
Every day, the cyber world is facing more vulnerabilities, faster exploitation, and fewer severity scores to guide triage. But security teams are still largely operating through manual workflows designed for a different era.
Copperhelm’s answer is autonomous investigation and remediation, already backed by a $7 million seed round led by TLV Partners and deployed in Fortune 500 environments. The platform uses a proprietary “Context Lake” to structure cloud data across environments, enabling AI agents to continuously monitor infrastructure, investigate threats, and execute real-time remediation without manual handoffs.
Tolts describes the practical effect in terms his customers already understand: one client arrived with 10 million open vulnerabilities and two home-made severity categories above “critical” — labels they had invented themselves because the official scale had run out of runway.
“Your window of response has shrunk, and you need to autonomously take care of it,” Tolts said. “It’s no longer the case where you can just open a Jira ticket and wait for some engineer to fix it in one year or one month, because now you’re gonna get exploited very, very fast.”











