When the rulebook breaks: zero-day threats in the age of AI
Your security team already missed a zero-day this week; they just don’t know it yet
Key Points
- As of April 2026, only vulnerabilities on CISA's Known Exploited Vulnerabilities catalog, in federal systems, or covered by Executive Order 14028 will receive severity scores, product mapping, and patch references, leaving a growing majority of CVEs as bare IDs that security tools can't automatically act on.
- Average time-to-exploit has dropped from roughly 30 days in 2022 to five days in 2025, with nearly one-third of vulnerabilities attacked within 24 hours of disclosure. AI-driven discovery capabilities like Anthropic's Claude Mythos are poised to accelerate that trend on both sides.
- With more zero-days exploited before patches exist and fewer CVEs arriving with actionable enrichment, organizations need layered, behavior-based detection that can identify anomalous activity without waiting for a known threat pattern or a CVE score to trigger a response.
It’s not hyperbole. Mandiant’s M-Trends 2026 report is unambiguous: in more than half of zero-day exploitation cases, attackers had been active for seven days before a patch existed. Not seven days after disclosure. Seven days before anyone knows there’s anything to patch. Two things happened in the same week in April 2026 that are about to make that window even wider, and they point to the same conclusion: the only defense that works is one that does not wait for signatures, scores, or patches to act.
The scorekeeper just quit
On April 15, the National Institute of Standards and Technology quietly announced it can no longer keep up with the volume of CVE submissions. Going forward, NIST will only fully enrich three categories:
- CVEs on CISA’s Known Exploited Vulnerabilities catalog
- Vulnerabilities in federal government systems
- Flaws covered by US Executive Order 14028
Everything else gets listed and marked “Not Scheduled.” No severity score. No product mapping. No patch reference.
This matters more than it sounds. When a CVE lands in your SIEM, the severity score determines how urgent the alert is. The product mapping tells your scanner which systems are exposed. The patch reference tells your team where to go. Strip all of that out and it’s just an ID your tools cannot act on.
CVE submissions are up 263% over five years, and 2026 is already running a third higher than last year. NIST enriched 45% more CVEs in 2025 than any prior year and still fell further behind. This is not a resource problem NIST can hire its way out of. It’s structural.
What this means for your team: A growing share of the CVEs hitting your SIEM will arrive with no score, no system mapping, and no action guidance. Your tools will have less signal to work with, your analysts will have more manual triage to do, and the vulnerabilities that most need your attention may be exactly the ones flying under the radar.
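As an added illustration (not Mimecast’s code or any NIST tooling) of what the enrichment gap does to automated triage, the Python below treats a CVE record that lacks a score, product mapping and patch reference as a reason to escalate rather than as a low-priority item. The records, the KEV set and the asset inventory are all constructed for the example.

```python
"""Triage CVE records that arrive without NIST enrichment.

A record marked "Not Scheduled" has no CVSS score, no CPE product mapping and
no patch reference. Tools that sort by severity treat a missing score as zero
and bury the record; this helper treats missing enrichment as a signal and
routes the record to manual review instead.
"""

# Constructed, simplified NVD-style records (IDs and products are made up).
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-0001", "cvss": 9.8, "cpes": ["cpe:2.3:a:acme:mailgw:*"],
     "patch_refs": ["https://example.invalid/advisory"],
     "description": "Remote code execution in Acme MailGW."},
    {"id": "CVE-EXAMPLE-0002", "cvss": None, "cpes": [], "patch_refs": [],
     "description": "Memory corruption in Acme MailGW attachment parser."},
    {"id": "CVE-EXAMPLE-0003", "cvss": None, "cpes": [], "patch_refs": [],
     "description": "Privilege escalation in Widget Kiosk firmware."},
]
# Constructed stand-ins for CISA KEV membership and the local asset inventory.
KEV_IDS = {"CVE-EXAMPLE-0003"}
INVENTORY_PRODUCTS = {"acme mailgw"}


def is_enriched(rec):
    """True only when score, product mapping and a patch reference all exist."""
    return rec.get("cvss") is not None and bool(rec.get("cpes")) and bool(rec.get("patch_refs"))


def triage(rec, kev_ids=KEV_IDS, inventory=INVENTORY_PRODUCTS):
    """Return (priority, reason). Unenriched records never fall below 'review'."""
    if is_enriched(rec):
        score = rec["cvss"]
        level = "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium"
        return level, f"enriched, CVSS {score}"
    if rec["id"] in kev_ids:
        return "critical", "unenriched but on CISA KEV"
    # No CPE mapping: fall back to matching the free-text description
    # against the products we know we run.
    text = rec["description"].lower()
    hits = [p for p in inventory if p in text]
    if hits:
        return "high", f"unenriched; description names inventoried product {hits[0]}"
    return "review", "unenriched; no product mapping, needs manual triage"


def triage_feed(records):
    """Map each CVE id to its triage decision so nothing is silently dropped."""
    return {rec["id"]: triage(rec) for rec in records}


if __name__ == "__main__":
    for cve_id, (level, why) in triage_feed(SAMPLE_CVES).items():
        print(f"{cve_id}: {level:8} {why}")
```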
The capability that changes the threat calculus
Eight days before the NIST announcement, Anthropic introduced Claude Mythos Preview, a frontier AI model that had autonomously discovered thousands of zero-day vulnerabilities across every major operating system and web browser during testing. The capabilities were so significant that Anthropic chose to restrict access entirely, making the model available only to a defensive coalition of roughly fifty organizations, including AWS, Apple, Google, Microsoft, and Palo Alto Networks, through an initiative called Project Glasswing. This was not a quiet research disclosure. It was a deliberate decision to arm defenders first.
Mythos did not cause the CVE volume NIST is struggling with. What it signals is where the threat is heading. Anthropic is not alone. Google’s DeepMind, OpenAI, and others are building comparable capabilities, and the vendors exercising restraint today will not be the last to build these tools. Threat actors do not share their release schedules.
The same AI that makes these models powerful for defenders makes them dangerous in the wrong hands. The question is not whether attackers will gain access to capabilities like Mythos. It is whether defenders can find and block the exploits first, and right now the odds are moving in the wrong direction.
This is also why AI agent risk is no longer theoretical. As organizations deploy AI agents that manage email, reply to messages, and connect to sensitive data autonomously, the attack surface expands in ways traditional controls were not built to handle. An agent interacting with a zero-day payload does not just become a victim. It can become the delivery mechanism. That is not a future problem. It is the present one.
What this means for your team: The volume of novel, signature-free exploits is about to increase significantly. Tools that rely on known threat patterns will face more misses. The gap between an exploit existing and a defense existing is widening, and your current stack may not be built for what is coming.
The window is already gone
Even before Mythos, the numbers were alarming. Microsoft patched 34 zero-days in all of 2024, then 41 in 2025, then 11 in Q1 2026 alone*. Google’s Threat Intelligence Group counted 90 exploited in the wild last year. The volume is rising and the exploitation timeline has collapsed.
The average time-to-exploit for known vulnerabilities has shrunk from around 30 days in 2022 to just five days in 2025. Nearly one-third are attacked within 24 hours of disclosure. Weekly patching cycles cannot keep pace, and that’s for the vulnerabilities we know about.
Stack the NIST enrichment gap on top and the picture gets worse: more CVEs arriving unenriched, more zero-days exploited before patches exist, and AI accelerating discovery on both sides. In 2026, vulnerability management is not slow. For a growing category of threats, it is structurally impossible.
What this means for your team: If you are relying on patch cycles and signature-based detection as your primary defense posture, you are defending against last year’s attack model. The real question is not whether your organization will face a zero-day. It already has. The question is whether you will know about it.
How to build a defense that works anyway
You cannot patch what you do not know about. The right posture is not faster patching. It is a layered, integrated defense across every entry point, with controls that share intelligence and act together. When security tools operate in silos, gaps appear. When a zero-day is being exploited within hours, those gaps are where attacks land.
Layer your email detection stack
Email delivers the widest range of attacks directly to your people, and human interaction is built in. In Forrester’s Q2 2025 Email, Messaging and Collaboration Security Wave, 63% of director-level security leaders already run two or more email security vendors. Native platform security handles commodity threats. Zero-day exploits are a different problem, specifically designed and tested to bypass the controls already in place.
A full detection stack goes beyond sender and content analysis. Signatures catch known threats. AI-powered behavioral analysis helps with impersonation and social engineering. But checking whether it is normal for someone to receive a file type does not tell you what happens when that attachment executes. That takes sandboxing at detonation, file analysis at code level, and deep URL inspection. Every layer matters, and it is only when they work together that you catch what none of them would catch alone.
Connect behavioral controls to technical controls
No CVE database covers human behavior. The most sophisticated zero-day still needs a human to open an attachment, click a link, or act on a convincing request. A defense that understands how individuals actually behave and connects those behavioral signals directly to technical controls closes a gap that no signature-based tool can.
Get visibility into your agent risk
AI agents operating in your environment are not just productivity tools. They are new attack vectors. Visibility into what agents are running, what data they can reach, and what risk they carry is now a core security requirement, not an advanced capability.
What Mimecast’s integrated platform is built for
This is the threat model Mimecast’s integrated platform is designed for: not a collection of point tools, but a unified defense that shares intelligence across every layer and responds automatically when a threat is detected.
Our email security delivers a full detection stack, with behavioral AI, sandboxing, code-level file analysis, and deep URL inspection working together as a single layer. When a zero-day exploit is detected, the response is automatic across your connected security stack through API integrations. Your tools act together rather than waiting for manual coordination.
Because our detection is behavior-based rather than signature-based, the NIST enrichment gap matters less for organizations running Mimecast. We are not waiting for a CVE score to trigger a response. We are detecting anomalous behavior before the CVE exists.
Our human risk capabilities connect behavioral signals directly to technical controls, so the human layer becomes part of your defense rather than the gap in it.
And for agent risk: Mimecast’s Agent Risk Center gives security teams visibility into every agent in their environment, what data it can reach, what actions it can take, and what risk it carries. Not as a roadmap item, but as a capability built for the threat model we are describing right now.
The threat is accelerating. The question is whether your defense is built for threats that do not wait to be known before they strike.
See what’s already been in your environment
Connect to your M365 environment in minutes with Mimecast’s risk-free proof of value. See 30 days of threats your current security missed. No impact on mail flow. No commitment.
*Microsoft patching stats consolidated from BleepingComputer’s Patch Tuesday zero-day reporting