The find-fix asymmetry
Discovery collapsed. Remediation didn't.
Mandiant TTE, 8-year delta: 63d → −10d (2018-19 → 2026, projected)
Remediation, high/critical: ~48-76 days, web/API critical; flat through 2026 (proj.)
Lines crossed: ~2020; attacker advantage since
Sources: Mandiant M-Trends 2019-2026 and Google Threat Intelligence Group time-to-exploit analyses (cohort TTE: 63d in 2018-19, 44d in 2020, 32d in 2021-22, 5d in 2023, −1d in 2024, estimated −7d in 2025; negative values mean the median exploited vulnerability was attacked before a patch was publicly available); Edgescan Vulnerability Statistics Reports 2019-2026 (high/critical MTTR for the web application/API layer, varying roughly 48-76 days year over year with full-stack and device/network slices sitting in a similar band; 54.81 days reported for 2025); Anthropic Claude Mythos Preview System Card and accompanying cybersecurity capabilities post, April 2026 (the orange star at the 2026 column marks Mythos: autonomous CVE-to-working-exploit demonstrated in hours under controlled conditions; it sits near zero only because hours is roughly zero days, and it is a different metric from the in-the-wild TTE line, shown as a capability marker rather than a measurement on the same series).

2026 projections: TTE −10 days, extrapolated from the Mandiant trend and corroborated by the Sysdig Zero Day Clock (median TTE crossed the 1-week negative mark in 2026), CrowdStrike Global Threat Report 2026 (42% of exploited CVEs hit before public disclosure), and Rapid7 2026 Global Threat Landscape Report (mean time-to-KEV-inclusion 28.5 days for high/critical, down from 61.0); MTTR projected flat at 55 days based on Edgescan's 2026 report (54.81d for 2025) and the May 2026 Edgescan analysis framing remediation as an unchanged execution gap. Both 2026 points are extrapolations, not measurements.

The crossover around 2020 marks the point at which median TTE first dropped below MTTR; the asymmetry has widened sharply since.