Announcing Cogent Zero Day Response and Autonomous Remediation: Vulnerability Management at the Speed of AI

Cogent’s Zero Day Response and Autonomous Remediation capabilities help security teams identify and remediate vulnerabilities at the speed of AI-driven threats.

Vineet Edupuganti

Co-Founder and CEO

Today, we're launching two new capabilities for our existing customers that expand the Cogent platform: Zero Day Response, which identifies vulnerabilities in customer environments within minutes of disclosure, and Autonomous Remediation, which finds the optimal fix, assesses change impact, and executes remediation at whatever autonomy level the customer allows.

These build on the core foundations in Cogent today, where our AI agents conduct multi-step investigations to assess true business risk, determine asset ownership, and create remediation plans grounded in each customer's environment and operational constraints. 

The urgency is real. Over the past two years, AI models have gotten measurably better at aiding attackers in executing sophisticated attacks faster than previously possible. Since the reveal of Anthropic Mythos, it's clear that vulnerability management programs need a step change in velocity. The average enterprise takes 60 days to close a critical vulnerability. Now, they need to do it in under a day. 



Exploits now outpace scanners

In a recent study, Cogent Research found that 62.0% of critical vulnerabilities with a known exploit had that exploit circulating before any scanner released a detection signature. The average lag between CVE publication and scanner coverage was up to 5.1 days. For the vulnerabilities that matter most, the ones attackers are actively targeting, scanners are arriving after the window to fix them has already closed.



That lag is getting worse. Mean time to exploit has dropped from 23 days in 2025 to hours in 2026 as AI-assisted exploit development compresses the timeline between patch analysis and working attack code. The result is a structural detection gap that creates a window where exploits are active but your scanners can't see the affected software. During that window, your VM program is blind.


Closing the detection gap: Zero Day Response

Zero Day Response identifies exposure to new vulnerabilities in your environment within minutes of disclosure without waiting for scanner signatures. It covers formal CVE advisories, pre-CVE disclosures, and supply chain attacks.


Broad and continuously expanding threat intelligence

Cogent pulls vulnerability intelligence from multiple sources, including VulnCheck NVD2, CISA KEV, CISA Alerts, OSV, GitHub Advisory Database, and major vendor PSIRTs, to name a few. New sources are added continuously.

A meaningful share of high-impact security events never receive a CVE, or receive one days after public disclosure. A researcher publishes a blog post. A proof-of-concept shows up on GitHub. A security mailing list lights up about a new bypass. Cogent's AI agents identify and triage those signals before a formal CVE exists. When multiple sources are reporting on the same vulnerability, Cogent reconciles them into a single authoritative finding.


Matches against your software inventory in minutes

When a new vulnerability drops, Cogent cross-references it against the customer's complete SBOM: everything the customer's existing tooling already tracks. The security team sees which assets are exposed, who owns them, and what the impact looks like within minutes of disclosure, not days later when a scanning vendor ships a detection.



Contextual risk scoring

A CVSS score describes severity in the abstract. It doesn't account for whether the affected system is internet-facing, handles sensitive data, is business-critical, or sits behind existing security controls that reduce real-world exploitability.



Cogent scores every finding against the customer's actual environment. An internet-facing production server running a vulnerable package gets a different risk score than the same package on an air-gapped development workstation. The score reflects what's actually at risk, not what's theoretically severe. Cogent also monitors exploit databases and PoC repositories to score early exploitability, producing a signal hours to days ahead of EPSS or KEV updates.

Every factor that contributes to the risk and exploitability scoring is visible, along with Cogent's confidence in each one, so security teams can see exactly how their scores were determined.



Closing the remediation gap: Autonomous Remediation

Closing the detection gap gives your team days of additional lead time. But that lead time is wasted if remediation still takes weeks or months. Autonomous Remediation closes that gap by finding the optimal fix, understanding the impact before anything changes, executing safely through existing tools, and confirming the vulnerability is actually gone.


Finds the best fix and understands the impact

For every vulnerability, Cogent builds a contextualized remediation plan based on the specific asset and what will resolve the risk fastest. It groups related findings so a single action can resolve multiple vulnerabilities at once.



Before anything runs, Cogent scores each remediation option by disruption level and confidence, flagging reboot requirements, workflow interruption, and business impact. This pre-flight change impact assessment is what's been missing from auto-patching for the past decade. The ability to push a patch was never the problem. The problem was knowing whether pushing it would break something important.


Safe rollouts through your existing tools

Cogent executes through your MDM, patch management, and ITSM systems. Remediation rolls out based on your organizational preferences to minimize breaking changes. 



Confirms the fix held

Most VM programs track whether a remediation action was taken. The hard part is confirming the fix actually landed, and staying on top of it when it didn't.

Confirming means re-scanning the asset, cross-referencing the results, verifying the vulnerable version is gone, and following up when it isn't. Doing that consistently across thousands of findings takes real diligence, and most teams struggle to sustain it. So findings get marked "remediated" based on the action, not the outcome, and some percentage of them quietly persist.



Cogent treats remediation as incomplete until the fix is independently confirmed through a scanner rescan or SBOM rebuild. It can then take these data points as inputs to reporting and future recommendations.
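One way to apply the outcome-over-action check described above, combined with the SBOM matching from the Zero Day Response section, as an added example that is not Cogent's code. The advisory, asset names, finding records and SBOM layout are constructed, and versions are assumed to be dotted integers.

```python
# Added example, not Cogent's code: a finding counts as closed only when a
# rebuilt SBOM shows no vulnerable version left on the asset.

# Constructed advisory (hypothetical package and versions).
ADVISORY = {"id": "EXAMPLE-ADVISORY-1", "package": "examplelib", "fixed": "2.4.1"}

# Constructed tracker records after the patch jobs ran.
FINDINGS = [
    {"asset": "web-01", "advisory": "EXAMPLE-ADVISORY-1", "status": "remediated"},
    {"asset": "web-02", "advisory": "EXAMPLE-ADVISORY-1", "status": "remediated"},
    {"asset": "db-01", "advisory": "EXAMPLE-ADVISORY-1", "status": "remediated"},
    {"asset": "dev-07", "advisory": "EXAMPLE-ADVISORY-1", "status": "open"},
]

# Constructed post-remediation SBOMs (CycloneDX-style "components" lists).
REBUILT_SBOMS = {
    "web-01": {"components": [{"name": "examplelib", "version": "2.4.1"}]},
    # A second, bundled copy was missed by the patch job.
    "web-02": {"components": [{"name": "examplelib", "version": "2.4.1"},
                              {"name": "examplelib", "version": "2.3.9"}]},
    "dev-07": {"components": [{"name": "examplelib", "version": "2.3.9"}]},
    # db-01: no rebuilt SBOM yet, so there is no evidence either way.
}

def parse_version(text):
    """Assumption: dotted integer versions; real ecosystems need their own comparator."""
    return tuple(int(part) for part in text.split("."))

def verify_remediations(findings, sboms, advisory):
    """Map each 'remediated' asset to confirmed, persisting or unverified."""
    fixed = parse_version(advisory["fixed"])
    outcome = {}
    for finding in findings:
        if finding["advisory"] != advisory["id"] or finding["status"] != "remediated":
            continue
        sbom = sboms.get(finding["asset"])
        if sbom is None:
            outcome[finding["asset"]] = "unverified"  # action recorded, outcome unknown
            continue
        installed = [c["version"] for c in sbom["components"]
                     if c["name"] == advisory["package"]]
        # Any remaining copy below the fixed version keeps the finding alive.
        vulnerable = any(parse_version(v) < fixed for v in installed)
        outcome[finding["asset"]] = "persisting" if vulnerable else "confirmed"
    return outcome

if __name__ == "__main__":
    for asset, state in verify_remediations(FINDINGS, REBUILT_SBOMS, ADVISORY).items():
        print(asset, state)
```

Only `web-01` is confirmed: `web-02` still carries an unpatched second copy, and `db-01` stays unverified until a rescan or SBOM rebuild provides evidence.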



Detection and remediation as one continuous process

With today's launch, Cogent covers the full lifecycle from vulnerability disclosure to confirmed resolution as a single connected workflow, operating at the velocity VM teams need today. 



Here's what that looks like in practice. A vendor advisory published at 2 AM triggers source ingestion. By 2:10 AM, affected assets are identified. The investigation agent has already pulled owner information, checked compensating controls, and scored the risk. For assets in an autonomous remediation zone, the pre-flight assessment runs and the fix begins deploying before the security team's morning standup. For assets that require human approval, the remediation plan is waiting in the queue with full context attached when the team arrives.

That scenario compounds across thousands of vulnerabilities. Over weeks and months, the backlog dynamics shift. New findings enter the queue faster through Zero Day Response, but they also leave faster through Autonomous Remediation. MTTR compresses from weeks to hours, and for straightforward cases, minutes.


Where we're headed

Most VM programs carry thousands or even millions of open findings. A large share of them don't represent meaningful risk. The exposures that matter are the ones that are exploitable, reachable, and business-critical: the findings an attacker would actually target. Cogent's goal is driving that number toward zero.

Two years ago, that would have sounded aspirational. It doesn't anymore. AI-generated exploits can weaponize a new vulnerability in hours. The detection and remediation capabilities we're launching today were built for that reality: identify exposure within minutes of disclosure, remediate autonomously where policy allows, and confirm the fix held. Each of those closes a specific gap that keeps the attack surface open longer than it needs to be.

Cogent's long-term vision is a VM program measured by how close the attack surface is to zero, not how well it manages the queue.
