Vulnerability Deficit: Why Remediation Cannot Outrun Discovery

What's inside the whitepaper:

• The Vulnerability Deficit Equation — V(t) = V(t−1) + D(t, C(t)) − R_eff(t) + f(R(t)) + M(t) — and why every force driving discovery is compounding while every force constraining remediation is linear

• Why Anthropic's Claude Mythos model found 181 exploitable zero-days in Firefox where the previous generation found two, and what that benchmark reveals about the shape of the discovery curve — not just its current slope

• How dependency chain amplification means a single flaw three levels deep in your transitive dependencies can expose your entire application, the way Log4Shell exposed virtually every Java application on earth

• Why a 6.5x increase in remediation effort across 1.1 billion remediation records from more than 10,000 organizations produced worse outcomes — and why the CISA/Qualys data is the empirical signature of a system approaching its asymptotic limit

• How iatrogenic risk compounds the problem: at 10,000 remediations per month, patch regression introduces 100–200 new security-relevant defects, meaning increased remediation volume carries a cost that further constrains net effectiveness

• Why the exploitation window has collapsed from 771 days in 2018 to under one day in 2026 — and why for vulnerabilities on the CISA KEV list, attackers are exploiting before the vulnerability appears in any public database

• Why containment shifts the structural asymmetry from the remediation domain, where it is unwinnable, to the architectural domain, where the defender has the advantage