
Vulnerability Management and the AI Challenge

Software flaws are an easy route for attackers to gain access to systems, especially when many firms are slow to patch. It is therefore no surprise that vulnerability exploitation was the leading cause of incidents in 2025, accounting for 40% of cases, according to IBM X-Force.

The 44% year-on-year rise in attacks of this nature was partly fuelled by artificial intelligence (AI), which allows attackers to scan for flaws more quickly than firms can fix them.

Verizon also found that the exploitation of vulnerabilities had surged. Its 2025 report showed a 34% year-on-year increase, to 20% of breaches, almost matching credential abuse at 22%.

“IBM noted that attackers are not reinventing playbooks, they’re just accelerating them with AI tooling,” Jeff Watkins, chief AI officer of AI consultancy NorthStar Intelligence, says. 


Targeting Vulnerabilities  

Attackers have always targeted software vulnerabilities on a network perimeter because they’re “easy to find, can be targeted at scale, and can provide the most damaging highly privileged access if exploited,” says Luke Fardell, lead cyber analyst within cyber underwriting at Tokio Marine Kiln. 

AI hasn't fundamentally changed how vulnerabilities are exploited, but it has “massively accelerated the timeline,” according to Matt Conlon, CEO and co-founder of Cytidel. “What used to take weeks of research can now be done in hours, with AI tools allowing attackers to automate much of the research, discovery and attack planning that would previously have required significant manual effort.”

Modern AI models can debug and write code far faster than a human, Fardell explains. “This acceleration allows attackers to mass test potential weaknesses and rapidly automate the creation of tailored exploits, giving defenders far less time to patch and protect exposed systems.” 

AI improves accuracy and automation in chaining vulnerabilities, Jon France, chief information security officer at ISC2, tells SC Media UK. “AI tools can correlate subtle weaknesses across systems and use them in combination,” France says. “This tactic is something that previously required a highly skilled human operator, making exploitation more efficient and more accessible as the barrier to entry for sophisticated attacks is dropping.”


The Scale of the Problem 

AI is creating a clear problem for defenders. The risk is exacerbated by the fact that many firms’ vulnerability management programmes are not keeping up.

Vulnerability management programmes are still necessary, but they need modernisation for the AI age, says Cytidel’s Conlon. “Security teams are overwhelmed by the volume of alerts they receive every day, and this is only set to grow.”

Most large organisations now operate mature vulnerability management programmes, but their effectiveness hinges on one key factor: patching speed, says Tokio Marine Kiln’s Fardell. “Traditional patching cycles are increasingly incompatible with the rapid exploit development made possible by AI-driven threat actors. This puts significant pressure on IT and security teams to test and deploy patches before attackers can weaponise the vulnerability.”

Verizon’s Data Breach Investigations Report showed that organisations took a median of 32 days to remediate edge-device vulnerabilities in 2025. “But cybercriminals exploited vulnerabilities within a median of five days,” says NorthStar Intelligence’s Watkins. “That is a large gap, and one that attackers are now exploiting at scale with minimal cost to themselves.”

Adding to the threat, many businesses still don’t have a complete, accurate asset inventory, meaning that their vulnerability data is incomplete, ISC2’s France says. “If you don’t know what systems, apps, devices and libraries are in your environment, vulnerability management may be sub-optimal.”


Modern Vulnerability Management Challenges  

The biggest problem organisations face is the sheer number of alerts and vulnerability report tickets from scanners, penetration tests or bug bounty programmes, says Shlomie Liberow, founder of Aisy. “This noise overwhelms security teams, burning them out trying to figure out what reports actually need to be acted on.”

Only 18% of critical vulnerabilities are truly worth prioritising, he says. “Yet teams spend 130 hours per week monitoring threats, and over 20 minutes of manual effort per vulnerability. Lots of tools promise to help you prioritise, but even if you can cut your ticket queue down from 100,000 tickets to 10,000, there are still more vulnerabilities than can be handled by internal teams.” 

The attack surface and the speed of attack have expanded beyond what most legacy processes can cope with. Cloud services, APIs, SaaS platforms, third-party integrations and now AI agents mean you’re no longer dealing with a well-defined perimeter, says ISC2’s France. “Instead, you’re dealing with a digital ecosystem that changes every day.”

Third-party risk makes this even harder, says France. “Your exposure is now tied directly to the security posture of every supplier you rely on. Attackers know this, and they increasingly target upstream or downstream partners.”


Vulnerability Management Tips  

As AI continues to fuel risks, some changes to your vulnerability management programme will help boost defences. Despite the growing complexity of cyber threats, attackers still rely heavily on traditional methods, particularly exploiting known vulnerabilities, says Tokio Marine Kiln’s Fardell. “Empowering teams to make rapid, informed decisions when new threats emerge is essential,” he says. 

Clear asset inventories are crucial, according to Andy Swift, cyber security assurance technical director at Six Degrees. “If you don't know what you have or where it is, how are you going to patch any vulnerabilities? Reducing exposed services and maintaining disciplined code reviews will do more for risk reduction than chasing every alert produced by a scanning tool ever will.” 

Start with your critical systems and progress from there rather than “trying to boil the ocean,” advises NorthStar Intelligence’s Watkins. “This requires that you know what you own and manage that’s exposed – i.e. public-facing – what has compensating controls, what risk sits with third parties and which fixes or pieces of tooling will reduce risk the fastest.”

Meanwhile, strong processes, clear controls and well-skilled teams are important alongside a well-integrated and well-operated toolset, says ISC2’s France. “Your people and your governance model are what ultimately determine whether vulnerability management reduces risk or simply generates noise.”

The advice for UK businesses, as noted by the NCSC’s vulnerability management guidance, is to update by default, says Watkins. “Identify assets, prioritise and make non-patching a business risk decision.” 

Cyber Essentials is a useful baseline because it requires high-risk or critical updates to be applied within 14 days, says Watkins. “This is still slower than the five days quoted earlier, but still represents a significant improvement over the median 32 days we’re currently seeing.” 
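A small prioritisation and SLA check that applies the tips above, added here as an illustration and not the article's or any quoted firm's code: findings are ranked by exposure and severity, compensating controls and third-party ownership are recorded, and open high or critical items are measured against the 14-day Cyber Essentials window so that anything overdue is surfaced as a business risk decision. The inventory, asset names and advisory identifiers are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 14  # Cyber Essentials window for high-risk/critical updates
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class Finding:
    asset: str
    advisory: str               # placeholder identifier, not a real CVE
    severity: str
    public_facing: bool         # reachable from the internet
    compensating_control: bool  # e.g. network isolation already limits exposure
    third_party: bool           # the fix depends on a supplier, not on us
    published: date
    patched: Optional[date] = None

def risk_score(f: Finding) -> int:
    # Exposure outweighs raw severity; a compensating control buys time, not closure.
    score = SEVERITY_WEIGHT[f.severity] * 2
    if f.public_facing:
        score += 5
    if f.compensating_control:
        score -= 2
    return score

def is_overdue(f: Finding, today: date) -> bool:
    # Only open high/critical findings count against the 14-day window.
    if f.severity not in ("critical", "high") or f.patched is not None:
        return False
    return today > f.published + timedelta(days=SLA_DAYS)

def triage(findings: list) -> list:
    # Open findings, highest risk first; ties go to the older advisory.
    return sorted((f for f in findings if f.patched is None),
                  key=lambda f: (-risk_score(f), f.published))

def needs_risk_decision(findings: list, today: date) -> list:
    # Overdue items: per NCSC guidance, not patching these is a business decision.
    return [f for f in triage(findings) if is_overdue(f, today)]

# Constructed sample inventory; assets and advisory ids are made up.
TODAY = date(2025, 6, 30)
INVENTORY = [
    Finding("vpn-gw-01", "ADV-0001", "critical", True, False, False, date(2025, 6, 1)),
    Finding("hr-db-02", "ADV-0002", "critical", False, True, False, date(2025, 6, 20)),
    Finding("cms-edge-03", "ADV-0003", "high", True, False, True, date(2025, 6, 25)),
    Finding("mail-05", "ADV-0005", "high", True, False, False, date(2025, 6, 1), date(2025, 6, 10)),
]
```

Calling `triage(INVENTORY)` puts the exposed VPN gateway first even though the internal database shares its severity, and `needs_risk_decision(INVENTORY, TODAY)` returns only the gateway, whose 14-day window lapsed on 15 June.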

Kate O'Flaherty Cybersecurity and privacy journalist