The 48-Hour Window: How AI Turned Cyber Defence Into a Race Against Time

Maritime operators face a brutal new reality: attackers can now weaponise vulnerabilities faster than most organisations can detect them. The old playbook won’t work anymore.

In 2018, the average time from vulnerability disclosure to active exploitation was 63 days. Security teams had weeks to assess, test, and patch. By 2024, that window had collapsed to five days. Today, up to 60% of newly disclosed vulnerabilities are weaponised within 48 hours, and AI-driven reconnaissance tools are targeting systems within 15 minutes of a flaw being detected¹. For maritime operators managing complex ship-to-shore IT and OT environments, this is an operational crisis that demands a fundamentally different approach to cyber defence.

Maritime cyber incidents more than doubled in 2025, with 828 recorded attacks representing a 103% year-on-year increase¹. Ransomware accounted for 372 cases, with average incident costs exceeding $550,000 and ransom payments averaging $3.2 million¹. Attackers are now using generative AI to automate reconnaissance, repackage mature malware kits, and evade signature-based detection at machine speed. What used to take skilled operators days can now be executed in minutes.

A regulatory reckoning

This acceleration is colliding with a regulatory environment tightening across every major maritime jurisdiction. The EU has proposed a new Maritime Cyber Code to the IMO, co-sponsored by 27 member states and targeting approval by 2028². The US Coast Guard’s MTSA cybersecurity plan submission deadline arrives in July 2027, with the training deadline already passed in January 2026³. TMSA 3 Element 13, IACS UR E26/E27, and the EU’s NIS2 Directive all converge on the same reality: organisations must prove continuous visibility, control, and resilience across vessels, ports, and shore-based systems.

The gap between regulatory expectation and operational capability has never been wider. Only 13% of maritime organisations have full OT visibility, while a third have none whatsoever⁴. IT and OT systems remain siloed. Patching cycles are measured in quarters, not hours. And the primary attack vector — on-premises servers sitting in engine rooms and technical spaces — persists despite clear evidence these environments are indefensible against modern ransomware.

From reactive defence to managed exposure

Every maritime cybersecurity dashboard tracks the same metric: mean time to detect and respond to an incident. It is the wrong number. If you are measuring how fast you respond to an attack, you have already lost. The metric that matters now is time to exposure closure: how quickly you can identify a vulnerability, assess whether it is being actively exploited, and remediate it before an attacker finds it.

Most organisations still operate on quarterly patching cycles. That rhythm made sense when the exploitation window was measured in months. It is structurally inadequate when attackers are moving hourly. The shift to Managed Exposure Defence means moving from incident response to continuous exposure management: identifying every asset across your ship-to-shore environment, distinguishing genuine risk from noise, and automating remediation at the speed the threat landscape demands. It requires real-time visibility into both IT and OT systems, exploitability-based prioritisation rather than severity scores alone, and an architecture that eliminates the attack surface rather than just hardening it.

What distinguishes organisations managing this transition successfully is not budget. It is architecture. The operators moving fastest are shifting to cloud-native platforms that remove servers from vessels entirely, integrating OT-specific controls such as OPSWAT, and treating exposure management as a continuous discipline rather than a quarterly exercise.

The orchestrator role

Insight acts as the orchestrator of these capabilities. We integrate Microsoft and AWS cloud security, OPSWAT’s OT protection, HPE and Dell’s infrastructure platforms, and our own exposure management and Hardware-@-Sea capabilities into a unified ship-to-shore defence architecture. Operators get a single view of their entire technology estate, a consistent approach to vulnerability prioritisation, and the ability to remediate at the speed the threat landscape demands, whether the asset is onboard a vessel or sitting in a data centre.

Your 2027 cyber roadmap

Four priorities stand out. First, achieve complete, real-time visibility into every IT and OT asset across your fleet. Second, move from severity-based patching to exploitability-based prioritisation, correlating vulnerability data with real-world exploitation patterns. Third, question whether your current architecture is defensible: cloud-native platforms eliminate local data storage, shipboard patching complexity, and the primary ransomware target. Finally, engage partners who can integrate across the full stack rather than assembling a patchwork of point solutions that will fragment as the threat landscape evolves.

The 48-hour exploitation window is not a temporary spike. It is the new baseline. The path forward requires architectural courage and partners who can orchestrate complex, multi-vendor environments into coherent solutions. Insight has been navigating these waters with operators across cruise, shipping, and offshore for two years. If your organisation is facing the 48-hour window and wondering how to close it, let’s talk. The clock is already running.

About the author

Steve Hemmings is Client CTO at Insight, where he leads complex technology transformations for enterprise and public sector clients across the UK and EMEA. A tenured enterprise architect with deep experience spanning cybersecurity, hybrid infrastructure, cloud platforms, and operational technology, Steve works at the intersection of strategy and delivery, helping organisations move beyond compliance into scalable, governed resilience. His current focus includes maritime cyber architecture, ship-to-shore security, and the operational challenges facing digitally maturing industries.

Insight sources:

¹ CYTUR, 2026 Maritime Cyber Threat White Paper
² EU Council, FAL 50 Maritime Cyber Code Proposal, March 2026
³USCG Final Rule (90 FR 6298): MTSA Cybersecurity Regulations
⁴Cydome, Maritime OT Cybersecurity Report 2025–2026
⁵Insight, From Skills Shortage to Strategy Breakdown: Maritime Cybersecurity at a Crossroads  https://uk.insight.com/en_GB/insight-on/cybersecurity/cybersecurity-in-maritime.html

Continue the conversation

Our latest research explores the state of cybersecurity across the maritime sector, where the industry stands, what is holding it back, and what the path to operational resilience looks like.

↓ Download the Insight EMEA Maritime Cybersecurity report

Recent news

From strategic workshops to scalable solutions, we're ready to help you accelerate transformation and realise the full value of your data and Al investments.