The angle we haven't seen discussed much: CVSS is broken now. "High attack complexity" assumes the attacker is human. When exploit chains cost $2K in API calls, every AC:H in NVD is effectively AC:L. That reshuffles most triage queues overnight.
Then there's the volume problem. GTIG tracks 60-106 zero-days exploited in the wild per year. That's the entire world's output. Mythos found 2,000+ in one run. Even with responsible disclosure timelines, the CVE pipeline is about to get hit with volume it was never built for. WAF rule engineering teams are staffed for the current rate, not for this.
We put together the data with interactive charts showing the capability curve, the price collapse, and CVE projections. Curious how people are thinking about patch lag (time between CVE publication and actual WAF coverage) because that's about to become the only metric that matters.
The angle we haven't seen discussed much: CVSS is broken now. "High attack complexity" assumes the attacker is human. When exploit chains cost $2K in API calls, every AC:H in NVD is effectively AC:L. That reshuffles most triage queues overnight.
Then there's the volume problem. GTIG tracks 60-106 zero-days exploited in the wild per year. That's the entire world's output. Mythos found 2,000+ in one run. Even with responsible disclosure timelines, the CVE pipeline is about to get hit with volume it was never built for. WAF rule engineering teams are staffed for the current rate, not for this.
We put together the data with interactive charts showing the capability curve, the price collapse, and CVE projections. Curious how people are thinking about patch lag (time between CVE publication and actual WAF coverage) because that's about to become the only metric that matters.