When Time-to-Exploit Goes Negative: Rethinking Defense for Irish Critical Infrastructure

The Numbers Don't Lie—And They're Alarming

When we analyzed Ireland's critical national infrastructure (CNI) through an intelligence lens, the findings were sobering. Of 222 CNI organizations examined, 98—nearly 44%—have exposed known vulnerabilities. 

We then analyzed whether these open doors were being actively exploited by threat actors. Ireland is home to 15,776 attack origins, and 85% of them are the very same IPs and networks in CNI organizations with those exposed known vulnerabilities.  These aren't theoretical weaknesses but evidence of actual and significant breaches.

Ireland's Digital Attack Surface: A Target-Rich Environment (September 2025)

Data analyzed in September 2025 shows the scope of Ireland's exposure:

• 349,946 exposed IPs and networks (3.62% of total infrastructure)
• 509,378 instances of known vulnerabilities
• 6,336 unique CVEs affecting systems nationwide
• 14,235 affected IP addresses and networks

This isn't distributed evenly. Critical sectors bear disproportionate risk:

Government Infrastructure:

• 37 exposed private services
• 13 exposed conduits
• 10 obsolete services
• 214 unmitigated CVEs

Education Sector:

• 383 exposed private services
• 34 exposed conduits
• 111 obsolete services
• 1,442 unmitigated CVEs

Dublin has high concentrations of vulnerabilities across the education, energy, transportation, telecom, and hosting sectors, which is expected given its large population. However, despite Dublin accounting for the largest share, significant vulnerabilities are still widely distributed throughout the rest of Ireland.

Threat Velocity Is Accelerating

Vulnerability exposure is not only rising, but threat actors are exploiting these weaknesses at a much faster rate. This is reflected in a 35% increase in attack origins in Ireland—from 11,701 in 2024 to 15,776 in 2025.

Threat Intelligence Has the Answer

Data about the vulnerabilities found in Irish Critical Infrastructure is gleaned from threat intelligence. In the last two years, the sophistication and scale of global threat intelligence has exploded:

• 400 threat intelligence producers feeding data streams
• 5,000 distinct threat actor groups tracked globally
• 6,000 malware families in active circulation
• 888 billion threat contexts analyzed in just the first half of 2025

Intelligence production has reached unprecedented scale. In 2023, we tracked 1,624 feed sources. By the end of 2025, that number will reach 3,512. More critically, producers are moving to real-time delivery—meaning the window between threat emergence and exploitation is collapsing.

Time-to-Exploit Is Now Negative

Google reports that the time-to-exploit dropped to –1 day in 2024, meaning vulnerabilities are being targeted before public disclosure. Centripetal’s 2024 CVE analysis further shows two exploitation waves—around 40 days before disclosure and again about 10 days prior—based on retroactive timelines of infrastructure and TTPs. Together, these findings show that exposed vulnerabilities are being breached rapidly and efficiently by threat actors. In this environment, reactive security isn't just inadequate—it's obsolete.

What Attackers Are Doing

The data shows that 85% of IPs and networks with known vulnerabilities are already breached by threat actors and being exploited to launch attacks. An analysis of attack vectors originating in Ireland reveals where adversaries are focusing their efforts:

• 63.37% Reconnaissance — Mapping networks, identifying targets, gathering intelligence
• 10.52% Command and Control — Establishing persistent access
• 9.32% Other Risks — Emerging and uncategorized threats
• 7.63% Botnet Activity — Distributed attack infrastructure
• 6.5% Defense Evasion — Techniques to avoid detection

This distribution tells a story: attackers are patient, methodical, and focused on persistence. They're not smashing through the front door—they're mapping every window, testing every lock, and waiting for the right moment.

How Threat Actors Have Evolved

Modern threat actors are fundamentally different from their predecessors:

• Mission-driven: They have clear objectives and sophisticated strategies
• Organized and modernized: Criminal enterprises are well-organized and can operate in a corporate-like structure
• Impact-focused: Targeting critical infrastructure for maximum disruption
• Greater subtlety: Designed for undetected persistence, not noisy disruption
• Opportunistic at scale: Using AI and automation to detect and exploit gaps faster than humans can patch them

This isn't the work of lone hackers in basements. These are well-funded, highly capable adversaries operating with near-military precision.

The Strategic Choice: Reactive or Proactive?

Ireland's critical infrastructure stands at a crossroads. The question isn't whether another major incident will occur—it's whether organizations will be ready when it does.

The Calm Before the Storm—Reactive: Wait for alerts. Respond to incidents. Patch known vulnerabilities after exploitation. Accept that threats will reach your network and hope your detection catches them before significant damage occurs.

Staying Ahead of the Storm—Proactive: Prevent threats before they enter your network. Leverage real-time threat intelligence at scale. Block known bad actors automatically while expert analysts hunt the sophisticated threats. Reduce your attack surface before adversaries can map it.

The Path Forward: Intelligence-Powered Prevention

The data is clear: reactive security cannot keep pace with the current threat landscape. When 44% of critical infrastructure has known vulnerabilities, when attack originators increase 35% year-over-year, and when time-to-exploit is negative, detection alone isn't enough.

Ireland's CNI organizations, and all organizations dealing with the relentless pace of today’s threats, can opt for intelligence-powered prevention that:

• Operates at scale: Processing billions of threat indicators in real time
• Acts automatically: Blocking known threats before they touch the network
• Adapts continuously: Learning from threat actor behavior as it evolves
• Provides expert backup: Human intelligence analyzing the sophisticated threats that evade automation

Data Science and AI: The Equalizer

Threat actors are beginning to use AI to scale their operations. Defenders must do the same. Predictive intelligence powered by data science can identify emerging threats, map attack patterns, and forecast adversary behavior before campaigns fully materialize.

This isn't science fiction. The technology exists. And, the threat intelligence exists. The question is whether organizations will deploy it before the next headline-making breach.

No More Time to Wait

With 98 of Ireland's 222 critical infrastructure organizations showing exposed vulnerabilities, the margin for error has evaporated. The threat landscape isn't just growing—it's accelerating and evolving in real time.

Organizations face a choice: remain in the calm before the storm, reacting to each new incident, or move proactively to stay ahead of threats that are already at the gates.

The intelligence is clear. The risks are documented. The path forward is proven.

The only question left is: which side of that 44% vulnerability statistic do you want to be on when the next wave hits?