62% of Critical Vulnerabilities Have Exploits Circulating Before Scanners Can Detect Them
See why the race between exploit development and scanner coverage is accelerating, and what the findings reveal about the future of vulnerability detection.

Eighteen months ago, security teams had roughly four months between a new CVE and a working exploit. As of April 2026, that window is ten hours.
We wanted to understand what that compression means for the detection tools most organizations depend on: vulnerability scanners. So the Cogent Research team analyzed 69,159 CVEs published between January 2025 and April 2026, tracking three timestamps for each one: when the CVE was published, when a working exploit became available, and when the major scanner vendors (Tenable, Qualys, and Rapid7) shipped detection signatures.
The findings are not encouraging for teams that rely on scanner output as their primary visibility into new threats.
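The three-timestamp methodology described above, worked through on constructed data as an added example (this is not the Cogent Research team's code or dataset): each record carries the publication date, the first public exploit date if any, and the signature ship date per vendor, and the functions below compute the same statistics the post reports, the share of CVEs with no coverage, the exploit-before-detection share (overall or per vendor), the median detection lag per vendor, and the monthly mean time to exploit. The vendor names are the three from the post; every CVE id, date and severity in `RECORDS` is a constructed placeholder.

```python
"""Exploit-vs-scanner race statistics over constructed CVE records (added example)."""
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Dict, List, Optional

VENDORS = ("Tenable", "Qualys", "Rapid7")  # the three scanner vendors in the post


@dataclass
class CveRecord:
    cve_id: str                       # constructed placeholder id, not a real CVE
    severity: str                     # "critical", "high", "medium" or "low"
    published: date                   # CVE publication date
    exploit_available: Optional[date]  # first public exploit; None = none observed
    detections: Dict[str, date] = field(default_factory=dict)  # vendor -> signature date


# Constructed sample records; none of these correspond to real vulnerabilities.
RECORDS: List[CveRecord] = [
    CveRecord("CVE-0000-0001", "critical", date(2026, 4, 1), date(2026, 4, 1),
              {"Tenable": date(2026, 4, 2), "Qualys": date(2026, 4, 4)}),
    CveRecord("CVE-0000-0002", "critical", date(2026, 4, 3), date(2026, 4, 10),
              {"Tenable": date(2026, 4, 3), "Rapid7": date(2026, 4, 8)}),
    CveRecord("CVE-0000-0003", "critical", date(2026, 4, 5), date(2026, 4, 6), {}),
    CveRecord("CVE-0000-0004", "high", date(2026, 4, 6), None,
              {"Qualys": date(2026, 4, 9)}),
    CveRecord("CVE-0000-0005", "high", date(2026, 4, 7), date(2026, 4, 7),
              {"Tenable": date(2026, 4, 7), "Qualys": date(2026, 4, 12),
               "Rapid7": date(2026, 4, 15)}),
    CveRecord("CVE-0000-0006", "low", date(2026, 4, 8), None, {}),
]


def days_between(start: date, end: date) -> float:
    return float((end - start).days)


def no_coverage_rate(records: List[CveRecord], severity: Optional[str] = None) -> float:
    """Share of CVEs (optionally of one severity) with no signature from any vendor."""
    pool = [r for r in records if severity is None or r.severity == severity]
    if not pool:
        return 0.0
    return sum(1 for r in pool if not r.detections) / len(pool)


def exploit_first_rate(records: List[CveRecord], severity: Optional[str] = None,
                       vendor: Optional[str] = None) -> float:
    """Among CVEs that have both an exploit and a detection (from `vendor`, or the
    earliest of any vendor), the share where the exploit was public strictly before
    the signature. Same-day ties count as a scanner win, since day resolution cannot
    order them; that choice is a design decision of this example."""
    wins = total = 0
    for r in records:
        if severity is not None and r.severity != severity:
            continue
        if r.exploit_available is None:
            continue
        if vendor is not None:
            detected = r.detections.get(vendor)
        else:
            detected = min(r.detections.values()) if r.detections else None
        if detected is None:
            continue  # no coverage at all is counted separately by no_coverage_rate
        total += 1
        if r.exploit_available < detected:
            wins += 1
    return wins / total if total else 0.0


def median_detection_lag(records: List[CveRecord], vendor: str) -> float:
    """Median days from CVE publication to the vendor's signature, over CVEs it covers."""
    lags = [days_between(r.published, r.detections[vendor])
            for r in records if vendor in r.detections]
    return median(lags) if lags else float("nan")


def mean_time_to_exploit(records: List[CveRecord], year: int, month: int) -> float:
    """Mean days from publication to first exploit for CVEs published in one month."""
    ttes = [days_between(r.published, r.exploit_available) for r in records
            if r.exploit_available is not None
            and (r.published.year, r.published.month) == (year, month)]
    return sum(ttes) / len(ttes) if ttes else float("nan")


def summarize(records: List[CveRecord]) -> Dict[str, float]:
    out = {"no_coverage_all": no_coverage_rate(records),
           "no_coverage_critical": no_coverage_rate(records, "critical"),
           "exploit_first_critical": exploit_first_rate(records, "critical")}
    for v in VENDORS:
        out[f"median_lag_{v}"] = median_detection_lag(records, v)
        out[f"exploit_first_critical_{v}"] = exploit_first_rate(records, "critical", v)
    return out


if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key:32s} {value:.3f}")
```

The two rates are deliberately computed over different denominators, which is the distinction the post draws: `no_coverage_rate` counts CVEs with no signature at all, while `exploit_first_rate` only considers CVEs the vendor eventually covered. A vendor can have a low median lag and still lose most races because the median is over every covered CVE, whereas the race is decided on the CVEs where exploits arrive fastest.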
Key Findings
Exploits outpace scanners for 62% of critical vulnerabilities
Scanner coverage lags exploit availability, or is absent entirely, for more than four out of five critical vulnerabilities. Since January 2025, 55.7% of critical vulnerabilities never received a scanner detection signature. Of the 44.3% that scanners can detect, 62.0% had exploits circulating before scanner coverage shipped. Taken together, 83.2% of critical vulnerabilities either never had scanner coverage or were exploitable before coverage arrived.
Average time to exploit collapsed from 125 days to under one day
Average time to exploit collapsed from 125 days to under one day in 16 months. In January 2025, the average time between CVE publication and the first public exploit was 125.3 days. By April 2026, that number fell to 0.5 days. The decline was not gradual. Exploit timelines compressed by roughly half between January and March 2025, then continued falling through 2025 and 2026 as AI-assisted exploit development tools improved.
Scanner detection times vary widely, but all lag behind exploits
Across scanners, the median time between CVE publication and detection signature availability is 2.7 days, but scanner response times vary dramatically by vendor. The median lag ranges from 0.1 days for Tenable to 2.9 days for Qualys to 5.1 days for Rapid7. Even for the fastest scanner, Tenable, the exploit appeared before the detection signature for 62.5% of critical exploited CVEs.
Time-to-Exploit Is Collapsing
In January 2025, a security team had an average of 125.3 days between a CVE being published and a working exploit appearing. By April 2026, that window had compressed to half a day.

That trajectory is driven by AI-assisted exploit development. Tools built on large language models can ingest a patch diff, identify the security-relevant code change, and produce proof-of-concept exploit code in hours rather than the weeks a human researcher would need.
The decline was not smooth. Monthly averages fluctuated throughout 2025, dropping from 125.3 days in January to 51.5 in March, rising back to 70.1 in April, and then gradually trending downward through the fall. The volatility reflects how a small number of high-profile CVEs with rapid exploits can pull a monthly average in either direction.
The sustained compression in late 2025 and early 2026 is the more important signal. The four most recent months in the dataset (January to April 2026) show averages declining from 26.3 to 0.5 days.
Scanner Response Times Vary by Vendor
Across all scanners, detection signatures ship with a median lag of 2.7 days, but scanner vendors do not all respond at the same speed, and the differences are substantial.

Tenable publishes detection signatures with a median lag of 0.1 days from CVE disclosure. Qualys responds in a median of 2.9 days. Rapid7 takes 5.1 days. The spread between fastest and slowest is roughly 50x.
These numbers measure median lag, meaning half of each vendor's detections are published faster and half are published slower. For the CVEs where any vendor is slower than its median, the detection window stretches further.
And even Tenable's speed advantage at the median does not prevent the majority of critical exploited CVEs from circulating before its detections ship. Median response time and exploit-race outcomes measure different things. A vendor can be fast on average and still lose the race on the specific CVEs where exploits arrive fastest.
Most Critical CVEs Have Exploits Before Scanners Support Detection
The exploit-before-detection problem is most acute at the critical severity level, where the stakes are highest: 62.0% of critical vulnerabilities with a known exploit had that exploit circulating before any scanner released a detection signature.

For critical-severity CVEs, every scanner we measured was beaten by exploit availability the majority of the time: Tenable at 62.5%, Qualys at 64.5%, and Rapid7 at 73.5%. Security teams running any of these scanners had no way to detect the vulnerability during the period when a working exploit was already available.
The pattern shifts at lower severity levels. For high-severity CVEs, Tenable was beaten 33.9% of the time, compared to 61.2% for Qualys and 49.2% for Rapid7. For medium-severity CVEs, the numbers drop further: 25.6% for Tenable, 50.0% for Qualys, and 23.8% for Rapid7.
The severity gradient matters for two reasons. First, critical CVEs are where exploits are developed fastest because they offer the most valuable access to attackers. The same AI-assisted tools that compress exploit timelines are being applied first to the vulnerabilities with the highest payoff. Second, critical CVEs are the ones security teams track most closely and are most likely to be asked about by leadership during an active incident. These are the exact CVEs where scanner coverage arrives too late.
Scanners Lack Coverage for Most Vulnerabilities
Overall, 54.0% of CVEs published since January 2025 have no detection signature from any of the three scanners analyzed. For these vulnerabilities, no amount of scanning will surface them in an organization's environment, regardless of scan frequency or scanner configuration.

The coverage gap is worst at the extremes of the severity scale: 55.7% of critical CVEs lack scanner coverage, and for low-severity CVEs, 70.7% have no detection signature. High- and medium-severity CVEs fall between those bounds at 50.3% and 53.3% respectively.
Scanner vendors prioritize detection for vulnerabilities in widely deployed enterprise software where customer overlap is highest. That leaves a long tail of uncovered CVEs: IoT and SOHO router firmware that rarely appears in enterprises (approximately 40% of uncovered critical CVEs), niche open-source packages with small install bases (approximately 30%), and legacy vulnerabilities that received CVE numbers retroactively in 2025 but were never backfilled with detection signatures (approximately 25%).
What This Means for Security Teams
The four charts in this post describe a structural mismatch. Exploit timelines are compressing. Scanner response times are not compressing at the same rate, and differ significantly by vendor. For most critical CVEs with active exploits, security teams relying on scanner output alone have no visibility during the period of highest risk.
Security teams that want to close this gap need a detection mechanism that does not depend on scanner signature availability. Software inventory analysis, SBOM correlation, and threat intelligence matching can identify likely affected assets within minutes of a vulnerability disclosure, using the software versions already documented in asset management systems.
This approach trades the precision of a scanner check for speed: it may include false positives that a scanner would later exclude, but it eliminates the multi-day window during which the organization has no visibility at all.
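One way to implement the inventory-based correlation the last two paragraphs describe, as an added example rather than the research team's or any scanner vendor's code: software versions already recorded in an asset inventory are matched against an advisory's affected version range the moment the advisory is published, without waiting for a scanner signature. The product names, host names and advisory identifiers are constructed placeholders, and the introduced/fixed range semantics are an assumption of this example; a real feed would supply its own range format.

```python
"""Inventory-to-advisory correlation on constructed data (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    vuln_id: str               # placeholder identifier, constructed
    product: str               # fictional product name
    introduced: Optional[str]  # first affected version; None = all earlier versions affected
    fixed: Optional[str]       # first fixed version; None = no fix available yet


@dataclass(frozen=True)
class InventoryItem:
    host: str
    product: str
    version: str               # as recorded by the asset management system


def parse_version(raw: str) -> Tuple[int, ...]:
    """Keep the leading dotted numeric part: '2.4.3-r2' -> (2, 4, 3).
    Distro suffixes are dropped, which is the precision this approach trades away."""
    m = re.match(r"\d+(?:\.\d+)*", raw.strip())
    if not m:
        raise ValueError(f"unparseable version {raw!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before b; shorter tuples are zero-padded so 2.4 == 2.4.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def is_affected(item: InventoryItem, adv: Advisory) -> bool:
    if item.product.lower() != adv.product.lower():
        return False
    if adv.introduced is not None and version_lt(item.version, adv.introduced):
        return False                      # predates the vulnerable range
    if adv.fixed is not None and not version_lt(item.version, adv.fixed):
        return False                      # already at or past the fixed version
    return True


def likely_affected_hosts(inventory: List[InventoryItem],
                          advisories: List[Advisory]) -> Dict[str, List[str]]:
    """vuln_id -> sorted hosts. 'Likely' because inventory versions may hide vendor
    backports that a later scanner check would exclude; speed is the goal here."""
    hits: Dict[str, List[str]] = {}
    for adv in advisories:
        hosts = sorted({i.host for i in inventory if is_affected(i, adv)})
        if hosts:
            hits[adv.vuln_id] = hosts
    return hits


# Constructed inventory rows, as an asset management export might provide them.
INVENTORY = [
    InventoryItem("web-01", "examplehttpd", "2.4.1"),
    InventoryItem("web-02", "examplehttpd", "2.4.3-r2"),
    InventoryItem("web-03", "examplehttpd", "2.5.0"),
    InventoryItem("db-01", "exampledb", "10.2"),
    InventoryItem("app-01", "examplelib", "1.9.9"),
]

# Constructed advisories with placeholder ids; none describe a real vulnerability.
ADVISORIES = [
    Advisory("VULN-PLACEHOLDER-1", "examplehttpd", introduced="2.4.0", fixed="2.4.3"),
    Advisory("VULN-PLACEHOLDER-2", "examplelib", introduced=None, fixed=None),
    Advisory("VULN-PLACEHOLDER-3", "exampledb", introduced="11.0", fixed=None),
]


if __name__ == "__main__":
    for vuln_id, hosts in likely_affected_hosts(INVENTORY, ADVISORIES).items():
        print(f"{vuln_id}: {', '.join(hosts)}")
```

Running it against the constructed data flags `web-01` for the first advisory (2.4.1 falls inside 2.4.0 to 2.4.3) and `app-01` for the second (no fix exists, so every version matches), while `db-01` is left alone because 10.2 predates the introduced version. The result is a candidate list a team can act on minutes after disclosure, with the scanner check arriving later to confirm or exclude each host.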