AI's Exploit Timeline Collapse Forces Structural Budget Shift from Vulnerability Management to BAS

The source correctly identifies AI's compression of discovery-to-exploit cycles from months to hours, citing Anthropic's Mythos-driven 10,000+ critical findings and Zero Day Clock's 24-hour mean TTE. Yet it underplays the deeper economic inversion: traditional VM's reliance on CVSS triage and remediation windows assumes scarcity of attacker capability, an assumption AI has nullified by industrializing exploit generation at machine scale. Verizon's 2026 DBIR data on rising initial-access exploits and stagnant 26% patch rates reveals not just operational failure but a misallocation of security spend that ignores measurable ROI. BAS emerges as the corrective mechanism because it validates real exposure through continuous, adversary-emulating simulations rather than static scoring—directly addressing the physics mismatch where offense operates in hours and defense in weeks. Mainstream coverage misses how this accelerates a broader pattern of AI reshaping security economics, prioritizing outcome-based tools over volume-based processes. Cross-referencing AWS FortiGate campaign logs with Anthropic findings shows attackers no longer need zero-days; weak credentials suffice when automated at scale. Regulators pushing same-day patches ignore enterprise constraints like change windows and regression testing, creating compliance theater that diverts resources from adaptive defenses. The result is a forced reallocation where BAS budgets grow to quantify breach likelihood, exposing the limits of legacy VM in an AI-augmented threat landscape.