Good morning, Fargo-Moorhead. I came across a project this week that laid out, in cold numbers, something I have been trying to explain to business owners for the last year. It is called the Zero Day Clock, and it tracks one simple, scary trend: how fast criminals now break into software after a weakness in that software becomes public.

The short version is that the window used to be measured in years. Now it is measured in hours, and sometimes it is gone before it even opens. AI is the reason. Let me walk you through it in plain English, because this affects every business in town whether you think about your computers or not.

See it for yourself: the live tracker and all of the charts below are at zerodayclock.com. It is worth a look even if you only read the front page.

First, three words in normal language

You do not need to be technical to follow this, but three terms make the rest make sense.

A vulnerability is just a flaw in a piece of software. A crack in the wall. Every program has them, from Windows to your accounting software to the app that runs your thermostat.

A patch is the fix. When a software company finds a flaw, they release an update that seals the crack. Installing updates is patching. It is the digital version of a contractor coming out to fix that wall.

A zero-day is when the criminals get to the crack before anyone has released a fix. Zero days of warning. Those are the worst kind, because there is nothing to install yet.

The Zero Day Clock measures the gap between the two, the time from when a flaw is announced to when it is first used in a real attack. In the security world they call it time-to-exploit. I am going to call it your head start, because that is what it really is. It is how long you have to get the fix installed before someone comes knocking.

Your head start has collapsed

Here is the trend the project pulled from more than 3,500 real, confirmed attacks. These are not guesses, they come from tracking data kept by the U.S. government's cybersecurity agency and a research firm called VulnCheck.

In 2018, the typical head start was 771 days. Over two years. If a flaw got announced, a business had a long, comfortable runway to get the update installed before criminals figured out how to use it.

By 2021, that runway had shrunk to about three months.

By 2023, it was six days.

By 2024, it was four hours.

And in 2025, the head start disappeared for most attacks. The majority of break-ins now happen before the flaw is even publicly announced. As of this year, the project's data shows roughly 80 percent of exploited flaws are being weaponized on or before the day they go public. The warning is arriving after the attack.

Read that again, because it is the whole story. In seven years we went from a two-year head start to no head start at all.

Why did this happen? AI learned to do the hard part

For most of computing history, turning a flaw into a working break-in was slow, expert work. It took a skilled human, sometimes weeks, to study a weakness and build a reliable attack around it. That difficulty was quietly protecting all of us. It was the reason you had two years instead of two hours.

AI erased that difficulty. A few examples from the project's timeline, all real and all recent:

In 2024, a university researcher gave an AI model plain descriptions of known flaws and told it to break in on its own. It succeeded 87 percent of the time, at a cost of under nine dollars per attack. Also in 2024, Google's own AI found a brand-new flaw in one of the most widely used databases in the world, before any human had spotted it.

By early 2026, researchers were turning AI loose in swarms. One team found more than 100 usable flaws in common computer hardware drivers in 30 days, for about 600 dollars total. That works out to roughly four dollars per discovered flaw. Another built AI agents that cranked out 40 different working attacks for a single weakness, for 50 dollars.

The point is not the specific numbers. The point is the direction. Finding and weaponizing software flaws went from expensive, rare, and slow to cheap, common, and instant. When the hard part gets automated, it stops being a speed bump.

The cruel twist: the fix itself is a treasure map

Here is the part that surprised me most, and it is worth understanding because it flips the old advice on its head.

When a software company releases a patch, that update quietly reveals exactly what it is fixing. Security researchers have known this for 20 years. You can compare the software before and after the fix and see precisely where the hole was. It used to take a specialist to do that reading. Now AI can do it in minutes.

So the moment a fix goes out, AI can read it, find the exact weakness, and build an attack, often faster than a normal business can even schedule the update. The tool that is supposed to protect you also hands the attackers a map. That is why waiting even a few days now carries real risk.

What this means if you run a business here

Let me translate all of this into the only thing that matters, which is what you should do about it.

The old rhythm, where the computer guy comes by once a month and installs updates, was built for a world with a two-year head start. That world is gone. When your head start is measured in hours, a monthly patch schedule means you can be exposed for weeks at a time on a flaw that criminals are already using. The Zero Day Clock project puts it bluntly: with attacks starting within a day and the average business taking about 20 days to install a fix, most organizations are exposed for nearly the entire life of a vulnerability.

I am not telling you this to scare you into a corner. I am telling you because the fix is mostly about habits, not about buying expensive gadgets. A few things genuinely move the needle now:

Turn on automatic updates everywhere you safely can, on computers, phones, routers, and any internet-connected device in the building. Speed is the whole game now.

Know what you actually have. You cannot patch a device you forgot was on your network. That old machine in the back office running the label printer counts.

Have someone watching, not just patching. Because some attacks now arrive before any fix exists, you want a system that can spot the break-in attempt itself, not just one that installs updates after the fact.

And have an honest look at your setup by someone whose job is to think like the attacker. Most small businesses have never had that done. Given how cheap and fast attacking has become, that is a gap worth closing.

The bigger picture, and why we keep talking about this

Last week on the air we talked about how powerful the newest AI has become for building things. This is the same coin, other side. The exact capability that let my wife build an app by pointing her phone at a bookshelf is the capability that lets a criminal build a break-in for four dollars. That is not a reason to fear the technology. It is a reason to respect the speed of it and to stop running your security on a schedule built for a slower era.

The people who built the Zero Day Clock, along with some of the most respected names in security, all landed on the same conclusion this year: the attackers have already stepped into the fast, AI-driven world, and most defenders have not caught up yet. Around here, nobody is going to hand a Fargo-Moorhead small business that head start. So we are trying to close the gap the only way we can, one conversation at a time.

Want a hand with this?

If you want to see where your own business actually stands, before someone else finds the gap first, reach out to DarkHorse IT. A real security review, in plain language, no scare tactics. And if you would rather understand this stuff for yourself, our AI classes cover exactly how these tools work, for good and for bad. You can find the schedule at darkhorseit.ai/ai-classes.

We talk through this kind of thing every week. Join us Thursdays at 7:40 AM on KFGO 790 AM.