Today’s Reality: Why Rapid Reaction is Essential

The gap between vulnerability disclosure and in-the-wild exploitation is shrinking. In 2025, over 48,000 vulnerabilities were added to CVE.org. Research shows that only 1-2% of reported vulnerabilities are ever exploited in the wild, but some – like React2Shell – were exploited within hours of disclosure.

That is not an incremental change. It is a fundamental shift in what defensive teams are being asked to do, and how fast they need to do it.

Traditional response workflows were built for a slower world. When teams had weeks or months between disclosure and exploitation, they could afford to work through the questions that sit between a disclosure and a decision. Is this vulnerability serious? Do we even use the affected technology? If so, where? Which systems, which teams, which parts of the business? Who needs to be involved?

That investigative work takes time. It always has. The difference is that time no longer exists.

When exploitation can begin within days of disclosure, the outcome is determined by how fast defenders can answer one question: does this affect us, right now?

The Timeline Has Changed. The Workflow Hasn’t.

When a vulnerability is disclosed, security teams face a familiar sequence: the issue is scored, relevance is assessed, the affected technology is tracked down. Teams figure out who owns what, who needs to be told, and what action is even possible. By the time that process is complete, the window to get ahead of it has often already closed.

The damage does not begin after that work is done; it accumulates during it.

This is not a failure of tools or teams. It is a mismatch between the speed of the threat and the speed of the response. The instinct to wait feels cautious. In practice, it quietly hands attackers the time they need.

Exposure is not created the moment a vulnerability is disclosed. It is created by the time spent figuring out whether it matters.

Un-actionable Intelligence is the Problem

Most security tools – including ours – notify teams when new vulnerabilities emerge. That is not the problem. The problem is that knowing a vulnerability exists is not the same as knowing whether to act.

Telling a security team that a vulnerability has been disclosed does not tell them whether it is exploitable in their specific environment, whether it is reachable from the internet, or whether attackers are actively abusing it right now in a way that applies to them. That information – which systems are affected, which business units are exposed, whether the vulnerability is genuinely reachable – is what determines whether a team can act. Without it, every disclosed vulnerability triggers an investigation rather than a response.

Of the nearly 50,000 vulnerabilities reported in 2025, only 244 were added to CISA KEV, meaning 1-2% of reported vulnerabilities are ever exploited in the wild. The volume of disclosures is not the challenge. The challenge is knowing which ones demand immediate action, and having the context to act on them before the window closes.

Un-actionable intelligence delays decisions. Every delay is time attackers can use.

What Rapid Reaction Actually Means

Rapid Reaction is not moving faster through the same steps. It means validating your actual exposure to a disclosed threat fast enough to act before exploitation reaches your environment.

That means answering, without delay:

  • Are we affected, right now?
  • Which systems?
  • Which business units?
  • Is this reachable?
  • Is it being actively exploited in the wild in a way that applies to us?

When those questions are answered quickly and accurately, teams can act immediately without first having to locate the technology, identify the owners, and map the exposure themselves. That is the difference between knowing a vulnerability exists and knowing whether your organization is exposed.

watchTowr Rapid Reaction

watchTowr’s Rapid Reaction capability was built to answer those questions, not just surface the disclosure. Backed by watchTowr’s vulnerability research, Rapid Reaction validates your exposure to emerging threats before in-the-wild exploitation takes hold – identifying affected systems, business units, and assets, and giving your team the context to act immediately rather than investigate indefinitely.

Rapid Reaction closes the gap between a vulnerability being disclosed and your team knowing whether it matters to you. When new vulnerabilities emerge, organizations don’t just know what’s happening; they know if they are affected right now.

The Goal is a Faster Reaction, Not Better Reporting

watchTowr’s Preemptive Exposure Management solution is built around that outcome. It gives organizations the ability to understand their exposure as threats emerge, validate it immediately against their environment, and act before exploitation escalates.

The goal is not better reporting. It is a better, faster reaction.

To see how this works in practice, explore how the watchTowr Platform delivers Preemptive Exposure Management end-to-end – from early threat identification through to rapid validation and targeted mitigation, built to keep early warning from becoming a post-incident lesson.

Book a demo to see how watchTowr delivers rapid reaction when exploitation is already underway.
