Zero-Day & Exploit Intelligence
TTE Metrics Comparison
Three different TTE calculations based on exploit source types
From Vulnerability to Exploitation
TTE (Time-to-Exploit) measures the gap between CVE disclosure and confirmed exploitation
TTE Metrics Comparison Over Time
Comparing median TTE across different exploit source combinations
Zero-Day Rate
% of exploited CVEs where exploitation occurred before or on disclosure day (TTE ≤ 0)
Exploit Rate
% of all published CVEs confirmed exploited in the wild, versus total CVE volume
Time-to-Exploit Milestones
When mean time-to-exploit crosses each threshold
TTE Methodology
How Phoenix Security computes Time-to-Exploit, based on the zerodayclock.com methodology.
What is TTE?
Time-to-Exploit (TTE) measures the elapsed time between when a vulnerability is publicly disclosed and when a confirmed exploit becomes available. A negative TTE means the vulnerability was exploited before public disclosure - a true zero-day.
TTE = (t_exploit - t_disclosure) / 24 - measured in days
Three TTE Metrics
We compute three different TTE metrics based on different exploit source combinations to provide a comprehensive view:
Sources: CISA KEV, VulnCheck KEV, Shadowserver
What it measures: Confirmed in-the-wild exploitation. This is the primary metric showing when vulnerabilities are actually being exploited by attackers. Uses honeypot data (Shadowserver) and official KEV catalogs.
Interpretation: Lower values indicate faster weaponization. Negative values indicate zero-days.
Sources: TTE + Google Project Zero, ZDI Advisories
What it measures: Includes zero-day tracking programs that specifically monitor vulnerabilities exploited before disclosure. ZDI and Google 0-Day track ITW (in-the-wild) zero-days.
Interpretation: Often shows negative median values because these sources focus on zero-days. Higher zero-day rate than TTE.
Sources: TTE + GitHub PoC repositories
What it measures: Exploit availability rather than confirmed exploitation. GitHub PoCs represent when exploit code becomes publicly available, which may be before or after actual attacks.
Interpretation: Typically shows higher values than TTE because PoCs are often created after CVE disclosure. Lower zero-day rate.
Corruption Filtering
Even trusted sources contain data artifacts. Before computing TTE, we apply two filters:
- Pre-2010 timestamps dropped. Exploit dates before 2010-01-01 are database defaults (epoch, year 0001) rather than real observations.
- TTE less than -180 days dropped. When a CVE is retroactively assigned to a vulnerability that was exploited years earlier, it produces an artificially extreme negative TTE. We cap at -180 days to remove these while preserving real zero-day campaigns (typically -30 to -90 days).
Statistical Approach
After filtering, TTE values are grouped by year and two central tendency measures are computed:
- Median TTE: The middle value when all TTE values for a year are sorted. Robust against outliers but can be insensitive to real shifts in the tails of the distribution.
- 10% Trimmed Mean: Sort all TTE values, remove the bottom 5% and top 5%, then average the remaining 90%. This reduces the impact of extreme outliers while remaining more sensitive to real trends than the median.
Zero-Day Classification & Prediction Model
- Zero-day: When TTE <= 0 (exploit predates or matches disclosure), the CVE is classified as a zero-day.
- Zero-Day Rate: Percentage of exploited CVEs that are zero-days. Calculated as zero_day_count / total_exploited * 100
- Exploit Rate: Percentage of all published CVEs that are confirmed exploited. Calculated as exploited_count / total_cves_published * 100
- Prediction model: An exponential decay function TTE(year) = a * e^(-b*(year-2018)) is fit to yearly median TTEs using least-squares regression. This model projects when mean TTE will cross one-week, one-day, one-hour, and one-minute thresholds.
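The filtering, yearly statistics and zero-day rate described above, worked through as an added example (not Phoenix Security's or zerodayclock.com's code). The record layout, function names and sample CVE IDs are constructed for illustration; grouping by disclosure year and computing the zero-day rate over the records that survive filtering are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

MIN_EXPLOIT_DATE = datetime(2010, 1, 1)  # earlier exploit dates are database defaults
MIN_TTE_DAYS = -180                      # below this: retroactive CVE assignment

def tte_days(disclosed, exploited):
    """TTE = (t_exploit - t_disclosure) / 24, with the difference taken in hours."""
    hours = (exploited - disclosed).total_seconds() / 3600
    return hours / 24

def trimmed_mean(values, trim=0.05):
    """Drop the bottom and top `trim` fraction, then average the rest."""
    ordered = sorted(values)
    k = int(len(ordered) * trim)          # k == 0 for small samples: nothing trimmed
    kept = ordered[k:len(ordered) - k]
    return sum(kept) / len(kept)

def yearly_stats(records):
    """records: iterable of (cve_id, disclosed, exploited) datetime tuples."""
    by_year = defaultdict(list)
    for _cve, disclosed, exploited in records:
        if exploited < MIN_EXPLOIT_DATE:  # filter 1: pre-2010 timestamp
            continue
        tte = tte_days(disclosed, exploited)
        if tte < MIN_TTE_DAYS:            # filter 2: extreme negative TTE
            continue
        by_year[disclosed.year].append(tte)  # assumption: group by disclosure year
    return {
        year: {
            "n": len(ttes),
            "median": median(ttes),
            "trimmed_mean": trimmed_mean(ttes),
            "zero_day_rate": 100 * sum(t <= 0 for t in ttes) / len(ttes),
        }
        for year, ttes in by_year.items()
    }

# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE = [
    ("CVE-EXAMPLE-0001", datetime(2023, 3, 10), datetime(2023, 3, 1)),   # -9 d
    ("CVE-EXAMPLE-0002", datetime(2023, 5, 1), datetime(2023, 5, 1)),    #  0 d
    ("CVE-EXAMPLE-0003", datetime(2023, 6, 1), datetime(2023, 6, 15)),   # 14 d
    ("CVE-EXAMPLE-0004", datetime(2023, 7, 1), datetime(2023, 8, 30)),   # 60 d
    ("CVE-EXAMPLE-0005", datetime(2023, 9, 1), datetime(1, 1, 1)),       # default date
    ("CVE-EXAMPLE-0006", datetime(2023, 10, 1), datetime(2021, 1, 1)),   # retroactive
]
```

With only four surviving records the 5% trim removes nothing, so the trimmed mean equals the plain mean; trimming starts to take effect at 20 or more values per year.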
Data Sources
Understanding the Values
| Value | Meaning | Risk Level |
|---|---|---|
| TTE < 0 | Zero-day: Exploited before public disclosure | Critical |
| TTE = 0-7d | N-day: Exploited within first week | High |
| TTE = 7-30d | Rapid exploitation within first month | Medium |
| TTE > 30d | Long-tail: Exploitation after first month | Lower |