Attackers have reduced the time to develop an exploit for a known vulnerability from 125 days to a mere half a day, thanks to the use of AI-assisted development, leaving vulnerability scanners struggling to keep pace, new research has found.
Cogent Research analyzed 69,159 common vulnerabilities and exposures (CVEs) and found that in January 2025, attackers needed 125.3 days to develop a method for exploiting them, according to a report published today. By April 2026, threat actors reduced that time to just 0.5 days by using AI, thus creating significant visibility gaps for security teams during the highest-risk periods following vulnerability disclosure, according to Cogent.
This milestone was achieved using widely available large language models (LLMS) that can read a patch diff — a set of code changes published when a software vulnerability gets fixed — and produce a proof-of-concept (PoC) exploit, Geng Sng, co-founder and chief technology officer (CTO) of Cogent Security, tells Dark Reading. “Our data captures what’s already happening with the current generation of AI tooling, not frontier models,” he says.
However, the 0.5 days to exploit finding will be old hat once Anthropic’s Claude Mythos — which can develop “working exploits at the level of an experienced security researcher” and already is striking fear in global markets — becomes widely available, he says.
“Multiple researchers have put Mythos-class capability proliferation at six to 12 months out,” Sng says. “When that happens, the exploit-speed compression we measured won’t be the ceiling. It’ll be the baseline.”
Analysis Shows ‘Visibility Gap’
Cogent’s research had other troubling findings for security teams that rely on scanner detection to help them identify threats to their environments. This type of detection involves identifying and monitoring automated tools that probe networks or systems for vulnerabilities, a process that is crucial for organizations to get ahead of potential threats before they compromise systems.
To achieve its findings, Cogent analyzed 69,159 CVEs from public disclosure databases, including the National Vulnerability Database and MITRE CVE. The primary analysis set analyzed included 57,860 CVEs published in 2025 and 2026, for which Cogent recorded timestamps for CVE publications. The researchers also looked up detection signature publication dates for the top three commercial scanning technologies: Tenable, Qualys, and Rapid7.
The analysis found that 83.2% of critical vulnerabilities created what Cogent called a “visibility gap” for defenders. More than half of critical CVEs, or 55.7%, never received detection coverage from major scanners at all. Of the remaining vulnerabilities that did receive signatures, 62% already had exploits circulating before detection became available, according to the findings.
Scanners, Not Orgs, Falter at Detection
“Most security teams already know their scan cycles are too slow, and many are working to move from monthly or weekly scans to something closer to continuous,” Sng acknowledges. However, Cogent’s research indicates the visibility gaps stem not from organizations’ slow cycles but the detection capabilities of the aforementioned scanning vendors analyzed by the researchers, he says.
Research found that 54% of all CVEs published since January 2025 lacked detection signatures from any of these vendors. Among those scanners, response times also varied, with median detection lag after disclosure measured 0.1 days for Tenable, 2.9 days for Qualys, and 5.1 days for Rapid7.
Critical vulnerabilities were also the most likely to be exploited before detection signatures shipped, affecting 62.5% of critical CVEs at Tenable, 64.5% at Qualys, and 73.5% at Rapid7, according to the report.
Eric Doerr, chief product officer at Tenable, addressed the research, noting that not all vulnerabilities are exploited in the wild or carry the same risks. “At Tenable, we help our customers prioritize and remediate the exposures — vulnerabilities, misconfigurations, excessive permissions, exposed secrets and toxic combinations — that matter most,” he says.
Similarly, Saeed Abbassi, head of the Qualys Research Threat Unit, says that by design, Qualys does not create detections for every CVE. “Our coverage is intentionally risk- and applicability-driven,” he says. “We prioritize high-confidence, actionable detections across technologies that matter most to customers, supported by multi-modal detection methods including agents, scanners, and advanced exploit validation techniques.”
Rapid7 did not immediately respond to Dark Reading’s request for comment Wednesday.
Prepare Now for AI-Driven Exploit Flurry
AI-assisted exploit development already is on the radar of security teams, and they are shifting to new strategies to defend against its ever-quickening pace. Indeed, industry organizations are warning defenders to buckle up for a post-Mythos exploit flurry.
One of defenders’ new strategies is using software inventory analysis as “an early warning layer,” with checks every morning to see whether newly disclosed CVEs affect software versions running in their environment, Sng says. Doing this means they can “start mitigation before their scanner even knows the vulnerability exists,” he says.
However, an even broader change among security teams that organizations would be wise to adopt is building a parallel detection path using software inventory data, software bill of materials (SBOM) matching, and threat intelligence feeds that can surface affected assets within minutes of disclosure, Sng tells Dark Reading. “Scanners remain the right tool for confirming detection at scale and validating remediation, but they can’t be the starting line for response anymore,” he says.
Cogent also recommended that organizations map their software inventory continuously and correlate it against new disclosures the moment they publish, as this is the only effective detection method that works when no scanner signature exists yet.
“The organizations in the best position right now are the ones that can answer ‘Are we running affected software?’ within minutes of a new CVE, independent of whether their scanner vendor has shipped a plug-in for it,” Sng tells Dark Reading.

Comments are closed