Cogent Research: Exploits Outpace Scanner Detection for 62% of Critical Vulnerabilities as AI Compresses Time-to-Exploit to Under 12 Hours

prnewswire.com

New analysis of 69,000+ CVEs finds average time from disclosure to exploit collapsed from 125.3 days to 0.5 days in 16 months, creating growing visibility gaps for security teams

SAN FRANCISCO, May 27, 2026 /PRNewswire/ -- A new report from Cogent Security found that exploit development is accelerating faster than scanner-based detection can keep pace, creating visibility gaps for security teams during the highest-risk periods following vulnerability disclosure.

The report, The Detection Gap: How Exploits are Outpacing Scanners, analyzed 69,159 CVEs and found that AI-assisted exploit development compressed the average time from vulnerability disclosure to a working exploit from 125.3 days in January 2025 to just 0.5 days by April 2026.

The findings point to a structural mismatch between how quickly exploits now emerge and how traditional detection systems respond.

Key findings include:

The report attributes the acceleration in exploit timelines to AI-assisted exploit development. Tools built on large language models can ingest a patch diff, identify the relevant code change, and produce proof-of-concept exploit code in hours rather than weeks.

"The assumption that security teams have days or weeks to respond to a new CVE is no longer valid," said Geng Sng, CTO and co-founder at Cogent. "We tracked over 69,000 CVEs across 16 months and watched the average time to exploit fall from over four months to less than twelve hours. Scanner vendors are not closing that gap at the same rate. When 83% of critical vulnerabilities either lack scanner coverage entirely or have exploits circulating before detection ships, organizations need to accept that their scanning infrastructure alone cannot be the starting point for response."

The report notes that vulnerability scanners remain important for confirmed detection across large asset inventories and for validating remediation. The issue is timing. For the critical vulnerabilities that security teams care most about during active incidents, scanner coverage frequently arrives after the period of highest risk has already begun.

"When it takes five or six days for a vulnerability to show up in your scanner, you're giving attackers a week-long head start. They're reading the same disclosures we are and moving on them within hours," said Scott Howitt, former CISO of MGM Resorts and JCPenney. "That should be a wake-up call for any security organization still treating scanner output as their first line of visibility."

The full report, including methodology, monthly trend data, and vendor-by-vendor analysis, is available at https://www.cogent.com/blog/2026-q2-detection-gap-report-findings

Methodology

Cogent Research analyzed 69,159 CVEs from public disclosure databases (NVD, MITRE CVE). Of these, 57,860 were published with CVE dates in 2025 and 2026 and form the primary analysis set. For each CVE, the team recorded timestamps for CVE publication, earliest public exploit availability (sourced from CISA KEV, Exploit-DB, and VulnCheck KEV), and detection signature publication dates for Tenable, Qualys, and Rapid7.

About Cogent

Cogent is an applied AI lab whose agents detect and fix security vulnerabilities faster than attackers can exploit them. The Cogent platform identifies exposure to new vulnerabilities within minutes, builds contextualized remediation plans, and executes fixes at whatever level of autonomy the customer allows, from human-approved to fully autonomous. Fortune 500 security teams using Cogent have reduced the exposure window for critical vulnerabilities by 97 percent. Built by researchers and operators from Google DeepMind, Abnormal Security, and Coinbase, Cogent is backed by Greylock Partners and Bain Capital Ventures. Learn more at cogent.com.

SOURCE Cogent Security