In 2018, the median attacker took 771 days to weaponize a newly disclosed vulnerability. That window built an entire industry. We had time to triage, patch, and deploy. Detection was the right control because the clock was on our side.
In 2026, the median time-to-exploit has flipped sign. Attackers are operationalizing flaws roughly a week before the CVE is even published.
For anyone who has built a real-time data system, that sentence should make the room go quiet. When the interval between a stimulus and your reaction to it goes negative, your control loop is no longer in control. The controller is reacting to events that have already finished. No amount of compute at the controller fixes that. The only fix is architectural: move the control point closer to the action.
That is what is happening to cybersecurity right now, and I want to be honest about my role in it.
See also: Beyond Cybercriminals: Insider Threats and Data Vulnerabilities Within the AI Industry
The math has changed
I led Splunk from 2015 to 2022. I am responsible for as much detection-era infrastructure in the Fortune 500 as almost anyone alive. The argument I am about to make runs against my own history.
Three forces are now compounding against the detect-and-patch model.
One. AI has industrialized discovery. In April 2026, a frontier model found 181 exploitable zero-days in a major browser in a single research run. The prior generation of the same model found two. A 90x productivity jump in one quarter, from general-purpose reasoning applied to a search problem. Discovery now scales with whatever compute an attacker is willing to rent.
Two. The exploit window inverted. Discover, disclose, patch, deploy was the sequence the detection era was built around. With the median exploit time now arriving before disclosure, the sequence is overrun at step one.
Three. Supply-chain velocity. Modern enterprise software is 80 to 90 percent third-party code, often five to seven levels deep. The post-Mythos wave of compromises in March, April, and May shared one architectural pattern: a legitimate package, a trusted channel, an unbounded reach.
More compute will not save remediation
The most important empirical finding in the field this year comes from an analysis of 1.1 billion remediation records across more than 10,000 organizations. Teams that increased remediation effort by 6.5x produced worse outcomes. The share of critical vulnerabilities still unpatched at seven days went up, not down.
That is not a budget problem. It is structural. Patching needs impact assessment, cross-team coordination, regression testing, and a production change window. You cannot scale that pipeline with GPUs. You can only scale it with people, and the attacker curve is steeper than any payroll can match.
In real-time systems terms, remediation throughput is bounded by human latency while the attacker input rate keeps climbing.
When you move the control point
Every era of security gets defined by where the enforcement point sits. Era one put it at the perimeter. Era two layered detection across the environment. Era three, the Containment Era, puts it at every workload.
The implication for a real-time architecture is significant. A central detection plane is a batch model dressed up in streaming language. Events flow in, baselines analyze, decisions emit, action follows. Even at millisecond latency, the action point is still remote from the workload. By the time you act, the attacker has already finished the operation you were trying to interrupt.
Containment inverts that. Every workload enforces its own outbound policy. When a workload is compromised, the architecture bounds what it can reach and send, before any downstream decision is made. Blast radius is set before the incident.
In March 2026, a Fortune 500 customer of ours stopped a live supply-chain exfiltration from thousands of compromised pods with no human in the response loop. The detection systems saw the activity but were not the control. The architecture had already capped the radius at a single pod. The thousand-pod lateral path closed before any analyst saw an alert.
The metric that actually matters now
Detection still matters. Patching still matters. Both are hygiene. The question is where the marginal dollar goes.
Time-to-detect and time-to-respond were the right measures when the exploit window was years long. With the window now negative, those numbers describe something useful only after the fact. The metric that decides whether an incident becomes a breach is blast radius. How much can a compromised workload reach, and how much can it send, before any human or any model is involved?
If you are evaluating your 2026 architecture, three questions belong on your team’s whiteboard this week. Does enforcement govern every path a workload can take, including Kubernetes pods and east-west traffic? If a workload were compromised right now, would the architecture stop the exfiltration, or would you find a log of it tomorrow? Is your containment independent of your detection stack?
The honest line
I spent close to a decade at Splunk arguing that the answer to a faster attacker was a faster, smarter detection layer. I still believe detection is necessary. It is no longer sufficient. When prevention fails, and detection is too slow, containment decides whether the incident becomes a breach.
The real-time discipline has always understood that you control a fast system by moving the controller toward the work. Cybersecurity is finally catching up with that idea. The organizations that thrive over the next decade will be the ones that measure their defensive posture by what an attacker can reach, not by how fast they can be told it happened.