Ethiack says vulnerabilities jumped 106% in a year

Ethiack said the number of cyber vulnerabilities it identified across client IT environments rose 106% over the past year, increasing from 17,500 to more than 36,000.

The Portugal-based cybersecurity group said the rise came despite only a modest increase in the number of digital assets under monitoring. Vulnerabilities per monitored asset climbed from 0.9 to 1.7 over the same period, indicating a sharper rate of exposure across the systems it tested.

The figures add to broader evidence of a shift in how attackers gain entry to organisations. Verizon’s 2026 Data Breach Investigations Report found that exploited software vulnerabilities accounted for 31% of cyber breaches, up from 20% a year earlier, overtaking stolen passwords as the most common initial access route.

Ethiack said its platform tracked more than 190,000 digital assets during the year and now monitors more than 21,000 in-scope assets each month. Its client base grew 30% as the company expanded into the UK and Switzerland.

Threat speed

Ethiack linked the increase in discovered weaknesses to both improved detection and a faster-moving threat environment. Industry research it cited said the median time between a vulnerability being disclosed and being actively exploited has fallen from 771 days in 2018 to a matter of hours.

That shift has narrowed the time available for security teams to respond once flaws are discovered. In some cases, vulnerabilities are identified and attacked before public disclosure, leaving little room for patching or other defensive action.

Jorge Monteiro, Chief Executive Officer of Ethiack, described the pace of change as the main concern for defenders.

“The most important change we’ve seen over the past year isn’t the type of vulnerabilities attackers are exploiting. It’s the speed at which they’re finding and weaponising them.

For years, organisations could assume they had days, weeks or even months to identify and remediate vulnerabilities. That assumption no longer holds. Today, attackers can use AI to identify weaknesses, generate exploits and launch attacks in a matter of hours.

Perhaps most concerning is that AI can now help attackers reverse-engineer security patches themselves. Organisations may spend weeks developing and testing a fix, only for cybercriminals to analyse the patch and use it to identify the underlying vulnerability and attack it within minutes.

The mismatch between attacker speed and defender speed is growing. Periodic security assessments and annual penetration tests were designed for a different era. Organisations now need continuous monitoring of their attack surface and validation of any vulnerabilities to keep pace with the machine speed and scale of threats,” Monteiro said.

Company growth

The business added 13 employees and six ethical hackers over the year. Founded in Portugal in 2022 by André Baptista and Monteiro, it works with organisations across Europe, including ANA, Portugal’s national airport operator.

The increase in vulnerabilities identified does not necessarily mean every client environment became less secure in absolute terms, but it does point to a larger pool of weaknesses being uncovered as attack surfaces expand and tools improve. Modern corporate systems often span cloud services, third-party software, employee devices and internet-facing applications, increasing the number of possible entry points.

For security teams, the data adds to pressure to move faster on validation and remediation. If attackers can use AI to analyse newly issued patches and infer the flaws they address, the traditional gap between patch release and practical exploitation may continue to shrink.

That trend is becoming more significant as the volume of known software flaws rises each year. The challenge for organisations is not only discovering weaknesses, but also determining which are exploitable and urgent enough to prioritise before attackers act first.