RKe#pVo3rOtP

R@eDpZoKrMtK

RGePp0o4rWtJ

The Detection Gap: How Exploits are Outpacing Scanners

Cogent Research analyzed 69,159 CVEs to measure the gap between initial disclosure, when exploits appear and when scanners add detection support. The findings show a structural mismatch that is growing as exploit timelines compress faster than scanner vendors can respond.

Key findings

  • Average time-to-exploit dropped from 125.3 days to 0.5 days between January 2025 and April 2026

  • 62% of critical CVEs with a known exploit had that exploit circulating before any scanner shipped a detection signature

  • Over 54% of all CVEs published since January 2025 have no detection signature from Tenable, Qualys, or Rapid7

  • Median scanner detection lag is 2.7 days from CVE publication, with vendor-level differences ranging from 0.1 days (Tenable) to 5.1 days (Rapid7)

  • 83.2% of critical vulnerabilities either never received scanner coverage or had exploits circulating before coverage shipped

What's covered

The full analysis includes monthly time-to-exploit trends, vendor-by-vendor scanner response times, detection coverage rates by severity level, and a methodology section detailing data sources and calculations.



When it takes five or six days for a vulnerability to show up in your scanner, you're giving attackers a week-long head start. This should be a wake-up call for any security organization still treating scanner output as their first line of visibility.”

Scott Howitt

Former CISO (JCPenney, UKG, MGM)

When it takes five or six days for a vulnerability to show up in your scanner, you're giving attackers a week-long head start. This should be a wake-up call for any security organization still treating scanner output as their first line of visibility.”

Scott Howitt

Former CISO (JCPenney, UKG, MGM)