Cogent Research: Exploits Outpace Scanner Detection for 62% of Critical Vulnerabilities as AI Compresses Time-to-Exploit to Under 12 Hours

SAN FRANCISCO, May 27, 2026 — A new report from Cogent Security found that exploit development is accelerating faster than scanner-based detection can keep pace, creating visibility gaps for security teams during the highest-risk periods following vulnerability disclosure. 

The report, The Detection Gap: How Exploits are Outpacing Scanners, analyzed 69,159 CVEs and found that AI-assisted exploit development compressed the average time from vulnerability disclosure to a working exploit from 125.3 days in January 2025 to just 0.5 days by April 2026.

The findings point to a structural mismatch between how quickly exploits now emerge and how traditional detection systems respond.

Key findings include:

• Exploits outpace scanners for 62% of critical vulnerabilities. Among critical vulnerabilities with known exploits, 62.0% had a working exploit available before scanner detection signatures shipped.

• More than 83% of critical vulnerabilities create a visibility gap. 55.7% of critical CVEs never received scanner coverage at all, and among the 44.3% that did, 62.0% had exploits circulating before scanner detection became available. Taken together, 83.2% of critical vulnerabilities either lacked scanner coverage entirely or had exploits appear before detection shipped.

• Average time-to-exploit collapsed from 125.3 days to just 0.5 days in 16 months. In January 2025, organizations had an average of 125.3 days between disclosure and exploit availability. By April 2026, that window had shrunk to less than one day.

• More than half of all CVEs remain invisible to major scanners. Overall, 54.0% of CVEs published since January 2025 had no detection signature from Tenable, Qualys, or Rapid7.

• Scanner response times vary significantly by vendor. Median detection lag from disclosure was 0.1 days for Tenable, 2.9 days for Qualys, and 5.1 days for Rapid7.

• Critical vulnerabilities create the largest exposure windows. Exploits appeared before scanner detection for 62.5% of critical CVEs at Tenable, 64.5% at Qualys, and 73.5% at Rapid7.

The report attributes the acceleration in exploit timelines to AI-assisted exploit development. Tools built on large language models can ingest a patch diff, identify the relevant code change, and produce proof-of-concept exploit code in hours rather than weeks.

“The assumption that security teams have days or weeks to respond to a new CVE is no longer valid,” said Geng Sng, CTO and co-founder at Cogent. “We tracked over 69,000 CVEs across 16 months and watched the average time to exploit fall from over four months to less than twelve hours. Scanner vendors are not closing that gap at the same rate. When 83% of critical vulnerabilities either lack scanner coverage entirely or have exploits circulating before detection ships, organizations need to accept that their scanning infrastructure alone cannot be the starting point for response.”

The report notes that vulnerability scanners remain important for confirmed detection across large asset inventories and for validating remediation. The issue is timing. For the critical vulnerabilities that security teams care most about during active incidents, scanner coverage frequently arrives after the period of highest risk has already begun.

"When it takes five or six days for a vulnerability to show up in your scanner, you're giving attackers a week-long head start. They're reading the same disclosures we are and moving on them within hours,” said Scott Howitt, former CISO of MGM Resorts and JCPenney. “That should be a wake-up call for any security organization still treating scanner output as their first line of visibility."

The full report, including methodology, monthly trend data, and vendor-by-vendor analysis, is available at https://www.cogent.com/blog/2026-q2-detection-gap-report-findings

Methodology

Cogent Research analyzed 69,159 CVEs from public disclosure databases (NVD, MITRE CVE). Of these, 57,860 were published with CVE dates in 2025 and 2026 and form the primary analysis set. For each CVE, the team recorded timestamps for CVE publication, earliest public exploit availability (sourced from CISA KEV, Exploit-DB, and VulnCheck KEV), and detection signature publication dates for Tenable, Qualys, and Rapid7.