# Cisco Live Protect Closes the AI Exploit Gap Without a Reboot

> Source: <https://byteiota.com/cisco-live-protect-closes-the-ai-exploit-gap-without-a-reboot/>
> Published: 2026-06-14 11:09:04+00:00

In 2020, attackers needed around 700 days to weaponize a published CVE. By 2025, that number was 44 days. Now, according to [Rapid7’s 2026 Global Threat Landscape Report](https://investors.rapid7.com/news/news-details/2026/Rapid7-2026-Global-Threat-Landscape-Report-Shows-Exploited-High-and-Critical-Severity-Vulnerabilities-Surged-105-as-Attack-Timelines-Collapsed/default.aspx), 28.3% of CVEs are exploited within 24 hours of disclosure — before most teams have finished reading the advisory. The monthly patch cycle was built for a world that no longer exists. At Cisco Live 2026, Cisco announced two concrete responses: a runtime shielding system called Live Protect, and a new twice-monthly advisory schedule starting in July.

## The Math That Broke Security Operations

The problem is structural, not operational. Rapid7 found that exploited high and critical CVEs surged 105% year-over-year, jumping from 71 in 2024 to 146 in 2025. The median time from CVE publication to a confirmed entry in CISA’s Known Exploited Vulnerabilities list fell from 8.5 days to 5.0 days. Meanwhile, the mean time to remediate complex enterprise applications sits at five months and ten days.

That gap — days to exploit, months to patch — is where breaches live. AI frontier models are now systematically scanning codebases for vulnerabilities at machine speed, surfacing bugs faster than any human team was designed to absorb. The [Cloud Security Alliance’s “Collapsing Exploit Window” whitepaper](https://labs.cloudsecurityalliance.org/research/csa-whitepaper-collapsing-exploit-window-ai-speed-vulnerabil/) frames the root cause: the monthly advisory model was built for human-speed discovery. That era is over.

## What Cisco Live Protect Actually Does

Cisco Live Protect is a runtime security capability embedded in NX-OS, Cisco’s network operating system for Nexus switches. When a CVE is published, [Cisco Talos analyzes the exploit path and creates a shield](https://blogs.cisco.com/news/shields-up-cisco-live-protect-closes-vulnerability-gap-with-compensating-controls) — a targeted eBPF policy that the Isovalent Tetragon agent compiles and runs at the kernel level. The shield deploys without a reboot, without a software upgrade, and without a maintenance window.

Operators get two modes. In **monitor mode**, the shield logs matching events but does nothing else — useful for assessing operational impact before committing to enforcement. In **enforce mode**, it actively blocks the exploitation path in real time. Shields can be deployed per-device via NX-OS CLI or API, or fleet-wide through Nexus Dashboard.
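The article does not publish what a Talos-generated shield looks like, so the following is an added illustration, not Cisco's or Talos's shield content: two generic Tetragon `TracingPolicy` objects showing the shape that separates the monitor and enforce behaviours described above. The `cilium.io/v1alpha1` TracingPolicy schema, the `security_file_permission` hook and the `Sigkill` action are real Tetragon features; the `/etc/` path prefix, the write-only mask and the allow-listed binary are constructed choices for the example, and how Cisco packages and pushes shields to NX-OS is not something the page describes.

```yaml
# Added example (not Cisco's or Talos's shield): monitor vs enforce in Tetragon.
# Hook, path prefix and allow-listed binary are illustrative assumptions.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: shield-etc-writes-monitor
spec:
  kprobes:
  - call: security_file_permission   # LSM hook reached on every file access
    syscall: false
    args:
    - index: 0
      type: file                     # struct file *, resolved to a path by Tetragon
    - index: 1
      type: int                      # access mask: 2 = MAY_WRITE, 4 = MAY_READ
    selectors:
    - matchArgs:
      - index: 0
        operator: Prefix
        values:
        - "/etc/"                    # constructed: directory being shielded
      - index: 1
        operator: Equal
        values:
        - "2"                        # writes only; reads are not interesting here
      matchBinaries:
      - operator: NotIn              # exclude the expected writer to reduce noise
        values:
        - "/usr/bin/example-config-daemon"   # constructed placeholder path
      # No matchActions: the event is emitted to Tetragon's event stream and the
      # write still proceeds. Run this first to baseline what the shield would hit.
---
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: shield-etc-writes-enforce
spec:
  kprobes:
  - call: security_file_permission
    syscall: false
    args:
    - index: 0
      type: file
    - index: 1
      type: int
    selectors:
    - matchArgs:
      - index: 0
        operator: Prefix
        values:
        - "/etc/"
      - index: 1
        operator: Equal
        values:
        - "2"
      matchBinaries:
      - operator: NotIn
        values:
        - "/usr/bin/example-config-daemon"
      matchActions:
      - action: Sigkill              # enforce: the matching process is killed in-kernel
```

The two policies differ only in the presence of `matchActions`, which is what makes "start in monitor mode, then flip to enforce" a low-risk change: the selector that decides what matches is already exercised and its event volume known before anything is blocked. In a Kubernetes deployment these objects are applied with `kubectl apply -f`; on a standalone Tetragon agent the `tetra tracingpolicy add <file>` command loads them. Note that `Sigkill` terminates the whole process; Tetragon's `Override` action, which returns an error code to the caller instead, is the gentler alternative where the kernel supports it, and which one a vendor-generated shield uses is not stated on the page.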

Critically, this is not a permanent fix. Cisco Live Protect is an explicit bridge: once the permanent patch is applied through normal change-control processes, the shield auto-retires. The goal is to eliminate the window between disclosure and deployment — not to replace patching. Live Protect is available now on [Nexus 9000 series (N9000) switches](https://www.cisco.com/site/us/en/products/networking/cloud-networking/nexus-platform/live-protect/index.html).

## The Policy Change: Twice-Monthly Advisories Starting July

Alongside Live Protect, [Cisco is changing how it releases security advisories](https://blogs.cisco.com/security/strengthening-the-foundation-a-predictable-customer-focused-response-to-ai-accelerated-vulnerability-discovery). Starting July 2026, Cisco PSIRT will publish on the 1st and 3rd Wednesdays of each month — a predictable twice-monthly schedule replacing the ad-hoc model that made planning difficult. Advisories will include seven days of advance notice specifying which product families are included. CVEs will be bundled by CWE category: all Input Validation fixes together, all Access Control fixes together.

For ops teams, this means a workflow change. Mark the 1st and 3rd Wednesdays. Sign up for Cisco PSIRT advance notifications. The once-a-month advisory check is no longer sufficient — and given what the data shows about exploit timelines, it arguably never was.

## What This Means

Monthly patch cycles are effectively dead. The Cisco Live Protect announcement is the clearest signal yet from a major network infrastructure vendor that the traditional disclosure-to-patch model cannot function at AI speed. The shielding approach is smart engineering — it buys time without introducing downtime. But it is only the first move in what needs to be a broader industry shift.

Other vendors face identical pressure. The combination of scheduled, bundled advisories and runtime compensating controls is a reasonable template for what AI-era security operations must look like. If you run Nexus 9000 hardware, enable Live Protect now and start with monitor mode. If you run anything else, the question isn’t whether your vendor will follow — it’s how long before they have to.
