From 0-Day to N-Hour: Why Is AI Reducing Response Time and What Does This Mean for Organizational Security?

The day before yesterday, on June 8, 2026, Anthropic published a report Measuring LLMs' impact on N-day exploits, which analyzed how advanced AI models can accelerate the creation of exploits for N-Day vulnerabilities, i.e. vulnerabilities already known and patched by vendors but still present in outdated systems.

The report's most important conclusion is very practical: the time required to develop a working exploit can be reduced from weeks to hours. This means organizations cannot treat the release of a security patch as the beginning of a long and uneventful update process. In many cases, the moment a patch is released can also be the start of a race between administrators and attackers.

This report was the direct inspiration for this post. We want to clarify the concepts of 0-Day, N-Day, and N-Hour and demonstrate why regular vulnerability scanning, risk prioritization, and rapid mitigation are becoming fundamental components of an organization's cyber resilience.

0-Day, N-Day, N-Hour – what do these terms mean?

0-Day Vulnerability This is a vulnerability that the software vendor isn't yet aware of, or for which there isn't a publicly available patch. Attackers have an advantage because administrators and security teams don't have a ready-made patch or full information on how to effectively fix the problem.

N-Day Vulnerability This is a publicly known vulnerability—usually described in a security bulletin, CVE, or vendor advisory. A patch exists, but not all systems have been updated yet. This period between the release of a patch and its implementation in an organization is often called the "patch gap.".

N-Hour This concept accurately captures the new scale of risk. As AI models can analyze patches, compare code versions or binaries, and help create proofs of concept and exploits faster and faster, the real security window may no longer be measured in days. Increasingly, we need to think in hours.

Why are N-Day vulnerabilities so dangerous?

In the case of an N-Day vulnerability, an attacker doesn't have to start from scratch. The security patch itself can be a clue. They can compare the vulnerable version with the patched version, verify what exactly the vendor changed, and then reproduce the bug logic.

This process is often called "patch diffing." Until recently, it required significant experience, time, and specialized reverse engineering skills. This left defenders with a margin of error: even if a patch was released, developing a working exploit wasn't always quick.

According to Anthropic, this margin is rapidly shrinking.

What did the Anthropic report show?

Anthropic analyzed the impact of large language models on developing exploits for the N-Day vulnerability. Tests included Firefox/SpiderMonkey vulnerabilities and Windows kernel vulnerabilities.

In Firefox, the models received public information from the patch, a test environment, and a vulnerable and patched version. They didn't receive hidden information from internal bug reports. Despite this, Claude Mythos Preview was able to generate multiple working proofs of concept and then progress from failure to a working exploit that allowed code execution.

In the case of Windows, the task was more challenging, as the models operated on binaries, decompilations, and public information from security bulletins. Here, too, Anthropic demonstrated that the models could significantly accelerate the process from patch analysis to a working privilege escalation chain.

The report's key takeaway isn't "AI uncovers all vulnerabilities." It's more like: AI lowers cost and shortens time to weaponize known vulnerabilities.

This is a very important difference.

What does this mean for companies and public institutions?

For administrators, IT departments and those responsible for cybersecurity, this means a change in approach to vulnerability management.

In practice, it's no longer sufficient to assume that "we'll update systems at the next maintenance window." If the patch addresses a vulnerability that could be exploited in a real attack, this delay could mean that the organization remains vulnerable even when an exploit is already available or can be quickly developed.

Environments where updates are difficult, postponed, or require lengthy reconciliations are particularly vulnerable:

• production and OT systems,
• network devices,
• medical systems,
  legacy business applications,
• servers exposed to the Internet,
• systems requiring high availability,
• environments with incomplete inventory of resources.

The longer the time from the publication of a patch to its implementation, the greater the chance that the N-Day vulnerability will become a real attack vector.

Vulnerability scanning as part of daily cyber hygiene

The conclusion from the Anthropic report isn't just that patching should be done faster. First, you need to know where the vulnerability exists.

In many organizations, the problem is not a lack of goodwill, but a lack of visibility:

• which systems are active,
• what software versions are installed,
• which services are exposed to the network,
• where there are known vulnerabilities,
• which of them are critical,
• which have exploits available,
• which should be removed first.

Therefore, vulnerability management should be an ongoing process, not a one-time audit.

Where does OpenVAS Enterprise come in?

OpenVAS Enterprise is a vulnerability scanning and management solution that helps organizations identify known weaknesses in their IT infrastructure. It detects vulnerable services, misconfigurations, outdated software versions, and vulnerabilities that can be exploited by attackers.

In practice, OpenVAS Enterprise supports several key activities:

1. Regular infrastructure scanning
   An organization may periodically check servers, network devices, services and systems for known vulnerabilities.
2. Risk prioritization
   Not every vulnerability has the same security impact. OpenVAS Enterprise helps assess the severity of vulnerabilities and pinpoint which issues require urgent attention.
3. Verification after updates
   After implementing the patches, it is worth checking whether the vulnerability has actually been removed and whether there are no unpatched systems left in the environment.
4. Support for IT and security teams
   Scan reports can be the basis for planning administrative work, discussions with suppliers, audits, security procedures and documenting corrective actions.
5. Reducing the patch gap„
   The sooner an organization detects that a vulnerability exists in its environment, the sooner it can remediate it, limit exposure, or implement a workaround.

Not every vulnerability can be patched immediately

In business practice, updating isn't always possible immediately. Sometimes the system is critical to production, the application developer requires testing, the device operates in an OT environment, or the service window is limited.

Therefore, mitigation doesn't always mean just installing a patch. It can also include:

• restricting access to a vulnerable service,
• configuration change,
• network segmentation,
• disabling unused functions,
• applying rules on the firewall or IPS system,
• MFA enforcement,
• increased monitoring,
• temporary isolation of the system,
• update at the next possible service window.

The key is to make informed and data-driven decisions. Without vulnerability scanning, organizations often don't know if a problem affects them, where it occurs, or how urgent a response is.

The most important conclusion

The Anthropic report shows that AI can significantly accelerate the development of exploits for known vulnerabilities. This means organizations shouldn't treat N-Day vulnerabilities as a "late-day" problem.

In a world where an exploit can be created in hours, it becomes imperative to reduce response times on the defense side.

This doesn't mean every patch can be implemented immediately. Instead, it does mean that organizations should constantly understand what vulnerabilities exist in their environment, which ones are the highest priority, and what mitigation actions can be taken before a vulnerability is exploited.

Therefore, a continuous vulnerability management process is becoming increasingly important:

• regular infrastructure scanning,
• identification of vulnerable systems,
• risk prioritization,
• rapid implementation of fixes where possible,
• applying mitigation where patching takes time,
• verification of the effectiveness of corrective actions.

0-Day attracts attention, but it's the known N-Day vulnerabilities that often pose a real and immediate problem for organizations. And with the development of AI, we'll increasingly be talking not about N-Day, but about N-Hour.

This is why regular vulnerability scanning using solutions such as OpenVAS Enterprise should be treated not as a one-time project, but as a permanent element of maintaining IT security.

If you want to check which vulnerabilities exist in your infrastructure and how to plan their mitigation, UpGreat can help with auditing, vulnerability scanning, and implementing a vulnerability management process based on OpenVAS Enterprise.

Please contact us – make an appointment, call us, write an email to the address biuro@upgreat.com.pl or fill out the form.After the conversation, we will prepare a proposal for you.

We invite!