Exploits Were Never the Point
What 46 CERT-UA incident reports and 25 red team operators told us about how cyber operations actually unfold — and why the zero-day mystique keeps getting in the way
Preface
A note before we start. Denys Yashchuk and I wrote the paper this post is about in December 2025. It’s now out in the CyCon 2026 proceedings, published by the NATO CCDCOE. Half a year is a long time in this business, so let me update the picture honestly: yes, vulnerability exploitation is more frequent today, in raw absolute numbers, than it was when we ran the analysis. Mass exploitation campaigns have only accelerated. But here’s the part that matters — social engineering and living-off-the-land tradecraft have scaled up at least as fast, probably faster. Generative AI has lifted the entire tide at once: cheaper phishing, cheaper lures, cheaper reconnaissance, cheaper exploit triage, cheaper everything. When every column in the table grows together, the ratio is what tells you the story. And the ratio is exactly what our paper is about. If anything, the AI era has made the argument below more true, not less.
The narrative we set out to test
For two decades, Western thinking about offensive cyber has worshipped the exploit. The zero-day in particular has become the field’s prestige object — the thing that supposedly buys strategic surprise, the thing procurement budgets chase, the thing that shows up in every breathless headline and most academic models of “cyber power.” If you absorbed your mental model of hacking from the culture rather than from doing it, you probably believe that serious operations turn on a rare, exquisite software flaw.
Operators know better. The actual texture of an intrusion is far more boring: a stolen password, a misconfigured service, an employee who clicked, a supplier who got popped first. Exploitation in the broad sense — gaining and leveraging access by any means — is the whole game. Exploitation in the narrow sense — running code against a specific vulnerability — is one tool in a large bag, and frequently not the one reached for.
So Denys and I asked a deliberately uncomfortable question: are exploits actually as central to operational success as the narrative claims, or has their role been systematically overstated? Not “are they useful” — of course they’re useful — but how often are they necessary, and what does success without them look like? That distinction, frequency versus necessity, runs through everything that follows. Common use does not imply indispensability.
We had an unusual vantage point to answer it. russia’s war against Ukraine is the most intensely documented cyber conflict in history, and CERT-UA sits at the center of it.
Two datasets, one pattern
We built the argument on two independent sources of evidence and then checked them against each other.
The first is a structured survey of 25 red-team practitioners — people who break into networks for a living — asked to estimate how often vulnerability exploitation actually figures across each phase of an operation, from initial access through persistence, escalation, lateral movement, and effects.
The second is forensic: 46 CERT-UA incident reports covering real russian operations against Ukrainian targets, coded for whether a software exploit was confirmed at each phase, or whether access and progression came from something else.
Here is the core of what we found.
The shape is unmistakable. Whatever role exploits play, they play it almost entirely at the front door. Once an adversary is inside, the operation runs on stolen credentials, legitimate administrative tools, native protocols, and the defender’s own infrastructure. Persistence, C2, and exfiltration in our dataset were completely exploit-free. Not “mostly” — completely.
The survey data tells the same story from the operator’s side. Practitioners rated exploit use at initial access a mean of 7.6 out of 10, then watched it fall off a cliff for every subsequent phase (1.5 to 4.6). They correctly identified the pattern — heavy at the perimeter, thin everywhere after. But they overestimated the absolute rate of exploitation by 14 to 55 percentage points. Even the experts, it turns out, have internalized a bit of the mystique.
And the headline number that I keep coming back to: 35% of the operations we examined succeeded without using any software exploit at all. Not a degraded version of success. Full operational outcomes, achieved entirely through access that didn’t require a single CVE.
None of this is a Ukraine-specific artifact. The industry baselines converge on the same place. Verizon’s 2025 DBIR puts exploits at roughly 20% of breaches. Mandiant’s M-Trends finds exploitation at 33% of initial access but a vanishing 0.2% for lateral movement. CrowdStrike reports that 79% of intrusions are now malware-free. Verizon also notes that 88% of web-application breaches ride on credentials. A practitioner survey, a wartime incident corpus, and three vendors’ global telemetry all pointing the same direction is about as much corroboration as this field ever offers.
What the data breaks: the model in our heads
The most influential modern framework for offensive cyber capability is Max Smeets’s PETIO — People, Exploits, Tools, Infrastructure, Organization. Its great contribution was insisting that offensive capability is organizational, not merely technical. You don’t get cyber power by hiring one brilliant exploit developer; you get it by building an institution.
We agree with that completely. Our quarrel is narrow but consequential: PETIO gives Exploits its own top-level pillar, sitting beside People and Organization as a fundamental category of capability. The evidence says that’s a category error. Exploits aren’t a foundational pillar. They’re one option inside a more basic primitive — access — alongside phishing, credential theft, supply-chain compromise, insider access, and misconfiguration abuse. Promoting exploits to their own pillar bakes the very overemphasis we’re trying to correct into the model itself.
ACORDIA: putting access at the center
So we proposed a reframing. We call it ACORDIA — seven pillars, with access rather than exploits as the core primitive:
Access (core) — every method of achieving the initial foothold. Exploits live here, as one vector among many, often not the most efficient one.
Control (core) — sustaining presence once you’re in: persistence, privilege management, lateral movement, stealth and OPSEC, overwatch. This is where operations actually live, and it runs overwhelmingly on non-exploit methods. It’s why exploitation collapses after initial access.
Analysis (core) — real-time decision support during an operation: understanding how the target’s systems, users, and defenders behave; recognising changes and anomalies; choosing methods and timing. This is the pillar prior frameworks bury inside “People” and “Tools,” and it’s the one practitioners named as the single most undervalued dimension of capability. In our data, the most successful operations weren’t distinguished by novel exploits — they were distinguished by deep understanding of target architecture and defender response.
Organisation (supporting) — workforce, training, doctrine, planning, inter-agency cooperation, deconfliction.
Research (supporting) — systematic knowledge acquisition, of which vulnerability discovery is only a slice; understanding how targets operate and how defenders react matters just as much.
Development (supporting) — engineering across all operational systems, not just exploits and implants: access and control tooling, analytical platforms, collaboration and project infrastructure.
Infrastructure (supporting) — control infrastructure (C2, staging, exfil), preparatory infrastructure (labs, target simulation), and organisational infrastructure (secure comms, data management).
The core/supporting split is the whole point. Access, Control, and Analysis are where operations are won or lost. The other four enable them. And the failure mode the framework is designed to catch is specific and common: overinvesting in supporting functions — above all, exploit research and development — while starving the core, especially Analysis. The empirical tell is operators who have access but can’t turn it into effect. Capability without effectiveness. That’s the imbalance the zero-day mystique produces at scale.
To be clear, ACORDIA does not dismiss exploits. It contextualizes them. An exploit is the right call against a hardened perimeter with no alternative, under time pressure, or for privilege escalation on a well-configured box. It’s the wrong call when detection risk exceeds the value of the access, when stability matters more than speed, when a zero-day is worth preserving for later, or when a cheaper, less sophisticated path exists. The principle is contingency: use exploits selectively, not reflexively.
What it means if you’re on offense — or defense
For offence: measure capability by access diversity, not by the size of the exploit arsenal. If a third of operations succeed with no exploit at all, then tradecraft, infrastructure, and analytical depth deserve investment at least equal to vulnerability research. A team with five ways in and the judgment to know which to use will beat a team with one elegant zero-day and no plan for the other six phases.
For defence: rebalance away from exotic exploit defences toward the unglamorous fundamentals. CISA has been saying for years that most initial access comes through “routine weaknesses”: missing MFA, default credentials, exposed services. Our CERT-UA data agrees: 58% of initial access was non-exploit, and across the industry 88% of web-app breaches are credential-driven. That means credential hygiene and behavioural detection deserve equal billing with patch management, not as a nice-to-have but as a primary control. If you’re pouring your budget into the perimeter exploit threat while your detection can’t spot a stolen admin credential moving laterally on legitimate tools, you’ve optimised for the 21% and ignored the rest.
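Lateral movement on a stolen credential over legitimate protocols, the case the paragraph above says defenders miss, leaves no CVE to patch and no malware to signature; what it does leave is a trail of successful logons. Below is an added example of the behavioural detection that paragraph calls for. It is not code from the paper or this post: the event records and the per-account baseline are constructed, the field names are a subset of the Windows Security Event ID 4624 (successful logon) schema, and the window and threshold are assumptions to be tuned per environment.

```python
"""Detecting credential-driven lateral movement over legitimate protocols.

Added example, not code from the paper or the post. Input is a handful of
CONSTRUCTED Windows Security events shaped like Event ID 4624 (successful
logon): the host that recorded the logon, TargetUserName, LogonType and the
source IpAddress. No CVE, no malware: just an account authenticating to
many servers it has never touched before, in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Network (3) and RDP (10)
# logons are what lateral movement over SMB/WinRM/RDP looks like in 4624.
SAMPLE_EVENTS = [
    # Nightly backup account fanning out to its usual file servers: expected.
    {"ts": "2026-03-04T02:00:00", "host": "FS01", "user": "svc_backup", "logon_type": 3, "src": "10.0.5.20"},
    {"ts": "2026-03-04T02:00:30", "host": "FS02", "user": "svc_backup", "logon_type": 3, "src": "10.0.5.20"},
    {"ts": "2026-03-04T02:01:00", "host": "FS03", "user": "svc_backup", "logon_type": 3, "src": "10.0.5.20"},
    {"ts": "2026-03-04T02:01:30", "host": "FS04", "user": "svc_backup", "logon_type": 3, "src": "10.0.5.20"},
    # Interactive logon at a workstation, then one RDP hop: an ordinary user day.
    {"ts": "2026-03-04T08:55:00", "host": "WS-HR-07", "user": "kate", "logon_type": 2, "src": "-"},
    {"ts": "2026-03-04T09:10:00", "host": "JUMP01", "user": "kate", "logon_type": 10, "src": "10.0.1.40"},
    # A stolen admin credential, driven from one workstation, touching five
    # servers in three minutes, four of which that account has never visited.
    {"ts": "2026-03-04T09:00:05", "host": "FS01", "user": "jdoe", "logon_type": 3, "src": "10.0.1.15"},
    {"ts": "2026-03-04T09:00:40", "host": "DC01", "user": "jdoe", "logon_type": 3, "src": "10.0.1.15"},
    {"ts": "2026-03-04T09:01:10", "host": "SQL01", "user": "jdoe", "logon_type": 3, "src": "10.0.1.15"},
    {"ts": "2026-03-04T09:02:30", "host": "APP02", "user": "jdoe", "logon_type": 3, "src": "10.0.1.15"},
    {"ts": "2026-03-04T09:03:00", "host": "APP03", "user": "jdoe", "logon_type": 3, "src": "10.0.1.15"},
]

# Constructed baseline: hosts each account is known to reach (e.g. learned
# from the previous 30 days). Suppresses legitimate admin and service fan-out.
SAMPLE_BASELINE = {
    "svc_backup": {"FS01", "FS02", "FS03", "FS04"},
    "jdoe": {"FS01"},
}


def detect_fan_out(events, baseline, window=timedelta(minutes=10),
                   threshold=4, logon_types=(3, 10)):
    """Return one alert per (account, source) that reaches `threshold` or
    more hosts NOT in its baseline within `window`, via network/RDP logons.

    Each alert: {"user", "src", "start", "hosts"} with hosts sorted.
    Window and threshold are assumed starting values, not tuned constants.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] in logon_types:
            by_key[(e["user"], e["src"])].append(
                (datetime.fromisoformat(e["ts"]), e["host"]))

    alerts = []
    for (user, src), rows in by_key.items():
        rows.sort()
        known = baseline.get(user, set())
        lo = 0
        for hi in range(len(rows)):
            # Slide the left edge so rows[lo:hi+1] spans at most `window`.
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            novel = {h for _, h in rows[lo:hi + 1] if h not in known}
            if len(novel) >= threshold:
                alerts.append({"user": user, "src": src,
                               "start": rows[lo][0], "hosts": sorted(novel)})
                break  # one alert per key; do not re-fire on every later event
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"{a['start']} {a['user']}@{a['src']} -> {', '.join(a['hosts'])}")
```

The baseline is what makes this usable: without it the backup account trips the same rule every night, and the analyst learns to ignore it. With it, the only thing that fires is an account reaching servers it has no history with, which is exactly the pattern the CERT-UA corpus shows after initial access.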
The honest limitations
This is one conflict, one target set, one operational tempo. CERT-UA’s corpus reflects russian wartime operations against Ukraine, which may not generalise cleanly to routine peacetime espionage or other theatres. Our survey panel, while expert, is a particular professional community. We’d want cross-national incident datasets to test whether the ~21% exploitation baseline holds against other adversaries, and longitudinal data to see how it shifts as defences mature. We say all this in the paper. The thesis is robust across every independent dataset we checked, but it earns its confidence honestly, not by overclaiming.
Back to the AI question
Which brings me back to where I started. The instinct, in mid-2026, is to assume generative AI changes the answer — that automated vulnerability discovery and exploitation tip the balance back toward the exploit. The raw counts do go up. But automation is cheapest where the work is most repeatable, and nothing is more repeatable than crafting a convincing lure, harvesting a credential, or chaining living-off-the-land commands that never touch a CVE. AI scales the boring 79% at least as efficiently as it scales the exotic 21%. The access-centric reality of cyber operations isn’t being overturned by automation. It’s being industrialised by it.
Future cyber power will depend less on rare exploits and more on the persistent, adaptable application of access-centric tradecraft. We thought that was true in December. We’re more sure of it now.
“Rethinking Exploitation in Cyber War: Reassessing the Role of Software Exploits in Wartime Cyber Operations,” by Volodymyr Styran and Denys Yashchuk, appears in the proceedings of CyCon 2026: Securing Tomorrow (PDF), the 18th International Conference on Cyber Conflict, published by the NATO CCDCOE.

I like it, especially the greater focus on organizational functions rather than technical enablers. And I think including “exploit” as part of generalized “access” is smart too.
One thought I had in terms of easy-to-remember acronyms is just swapping E for A to get… PATIO. That’s nice because the patio is the part of your house in front of the door. And it keeps the first focus on the people. Maybe R&D becomes part of the T. Analysis and Control (along with Admin) are core parts of O. Infra is a pretty broad category which can include structures of all kinds, technical as well as social.