
AI-assisted exploit development outpaces traditional scanner detection

Analysis of more than 69,000 vulnerabilities shows that AI tools have cut the time required to develop a working proof-of-concept exploit from 125 days to half a day. This acceleration creates a visibility gap for organizations that rely solely on traditional scanners, and underlines the need for continuous software inventory analysis and SBOM correlation.

Triage Security Media Team

Attackers have cut the time needed to develop a working exploit for a known vulnerability from 125 days to half a day. The compression is driven by AI-assisted development, and traditional vulnerability scanners are struggling to keep pace, according to new research.

Cogent Security analyzed 69,159 common vulnerabilities and exposures (CVEs). Its report found that in January 2025, attackers needed an average of 125.3 days to develop a working exploit for a newly disclosed vulnerability. By April 2026 that figure had fallen to 0.5 days, a drop the researchers attribute to AI-assisted development. According to Cogent, this leaves security teams with significant visibility gaps during the highest-risk period immediately following disclosure.

The shift is driven by widely available large language models (LLMs) that can read a patch diff (the specific code changes published when a vulnerability is fixed) and produce a proof-of-concept (PoC) exploit from it. Geng Sng, co-founder and chief technology officer (CTO) of Cogent Security, tells Dark Reading, "Our data captures what's already happening with the current generation of AI tooling, not frontier models."

Sng expects the 0.5-day figure to become a baseline rather than a ceiling once models such as Anthropic's Claude Mythos are widely available. Mythos is reported to be capable of generating functional PoCs at the level of an experienced security researcher, and its announcement prompted significant adjustments in global markets.

"Multiple researchers have put Mythos-class capability proliferation at six to 12 months out," Sng says. "When that happens, the exploit-speed compression we measured won't be the ceiling. It'll be the baseline."

Analysis reveals a visibility gap

Cogent's research outlines structural limitations for security teams that rely primarily on automated scanner detection to identify risk in their environments. Scanners inventory systems and check them for known vulnerabilities, which for most organizations is the main way exposure is found before an attacker finds it.

To compile these findings, Cogent analyzed 69,159 CVEs from public disclosure databases, including the National Vulnerability Database (NVD) and MITRE's CVE list. The primary analysis set comprised 57,860 CVEs published in 2025 and 2026, with the publication timestamp recorded for each. The researchers also tracked the dates on which three commercial vulnerability scanners, Tenable, Qualys, and Rapid7, published detection signatures for those CVEs.

The analysis found that 83.2% of critical vulnerabilities created what Cogent terms a "visibility gap" for defenders. More than half of critical CVEs (55.7%) never received detection coverage from the major scanners at all. Of the remainder that did receive signatures, 62% already had a PoC exploit circulating before the detection became available.

Understanding scanner detection timelines

"Most security teams already know their scan cycles are too slow, and many are working to move from monthly or weekly scans to something closer to continuous," Sng acknowledges. However, Cogent's research indicates that the visibility gaps stem largely from the detection coverage and release cycles of the scanner vendors analyzed, rather than from internal organizational delays.

The data showed that 54% of all CVEs published since January 2025 lacked a detection signature from any of the three vendors. Where signatures did ship, response times varied: the median detection lag after disclosure was 0.1 days for Tenable, 2.9 days for Qualys, and 5.1 days for Rapid7.

Critical vulnerabilities were also the most likely to have an exploit circulating before a detection signature shipped: this was the case for 62.5% of critical CVEs at Tenable, 64.5% at Qualys, and 73.5% at Rapid7.

Eric Doerr, chief product officer at Tenable, notes that not all vulnerabilities are exploited in the wild or carry the same risk. "At Tenable, we help our customers prioritize and remediate the exposures (vulnerabilities, misconfigurations, excessive permissions, exposed secrets and toxic combinations) that matter most," he says.

Similarly, Saeed Abbassi, head of the Qualys Research Threat Unit, explains that Qualys does not create detections for every CVE by design. "Our coverage is intentionally risk- and applicability-driven," he says. "We prioritize high-confidence, actionable detections across technologies that matter most to customers, supported by multi-modal detection methods including agents, scanners, and advanced exploit validation techniques."

Rapid7 did not immediately respond to Dark Reading's request for comment Wednesday.

Preparing for AI-accelerated vulnerability cycles

AI-assisted PoC development is now a known variable for security teams, and organizations are adopting new strategies to stay ahead of it. Defenders are advised to prepare for a further increase in rapid exploit development once models like Mythos are more widely available.

One strategy is to use software inventory analysis as an early-warning layer: check daily whether any newly disclosed CVE affects a software version running in the environment. That lets teams begin mitigation before a vulnerability scanner flags the issue, Sng says.

For a more comprehensive approach, security teams can build a parallel detection path from software inventory data, software bill of materials (SBOM) matching, and threat intelligence feeds, which together can surface affected assets within minutes of disclosure. "Scanners remain the right tool for confirming detection at scale and validating remediation, but they can't be the starting line for response anymore," he says.

Cogent recommends that organizations map their software inventory continuously and correlate it against new disclosures the moment they are published. Where no scanner signature exists, that correlation is the detection. It only works if the inventory records precise package identifiers and versions: a component listed by product name alone cannot be matched against an advisory's affected-version range.
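The following is an added example of the inventory-to-disclosure correlation described above; it is not Cogent Security's or any scanner vendor's code. It assumes the inventory is a minimal CycloneDX-style JSON document whose components carry package URLs (purls) and that each advisory is an OSV-style record with "affected" package and version ranges. Both documents, and the advisory IDs, are constructed for illustration and are not real.

```python
"""Correlate a software inventory (SBOM) against new advisories.

Added example; not Cogent's or any vendor's code. The SBOM and the
advisories below are constructed inline and the advisory IDs are fictitious.
"""
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX-style inventory (not a real SBOM).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "2.4.1", "purl": "pkg:pypi/examplelib@2.4.1"},
        {"type": "library", "name": "otherlib", "version": "1.0.0", "purl": "pkg:pypi/otherlib@1.0.0"},
        {"type": "library", "name": "widget", "version": "3.2.0", "purl": "pkg:npm/%40acme/widget@3.2.0"},
        {"type": "library", "name": "modx", "version": "1.5.0", "purl": "pkg:golang/example.com/modx@1.5.0"},
        # No purl: cannot be correlated reliably, so it is reported separately.
        {"type": "application", "name": "legacy-agent", "version": "7"},
    ],
})

# Constructed OSV-style advisories with fictitious IDs.
ADVISORIES = [
    {"id": "EXAMPLE-2026-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.4.3"}]}]}]},
    {"id": "EXAMPLE-2026-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "otherlib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.0.0"}]}]}]},
    # No fix yet: the affected range is open-ended.
    {"id": "EXAMPLE-2026-0003", "affected": [{"package": {"ecosystem": "npm", "name": "@acme/widget"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "3.0.0"}]}]}]},
    {"id": "EXAMPLE-2026-0004", "affected": [{"package": {"ecosystem": "Go", "name": "example.com/modx"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.0"}]}]}]},
]

# purl type -> OSV ecosystem name (subset; extend for your own stack).
PURL_TYPE_TO_ECOSYSTEM = {"pypi": "PyPI", "npm": "npm", "golang": "Go", "maven": "Maven", "cargo": "crates.io"}


def parse_purl(purl):
    """Return (ecosystem, name, version), or None when the purl is unusable."""
    m = re.match(r"^pkg:([^/]+)/([^@?#]+)@([^?#]+)", purl or "")
    if not m:
        return None
    ptype, name, version = m.groups()
    # purl percent-encodes namespace characters such as the '@' of an npm scope.
    return PURL_TYPE_TO_ECOSYSTEM.get(ptype, ptype), unquote(name), version


def version_key(v):
    """Numeric components only. Adequate for x.y.z versions; a deliberate
    simplification, since real code needs ecosystem-aware parsing
    (pre-releases, epochs, build metadata)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def in_affected_range(version, events):
    """Evaluate an OSV event list: [introduced, fixed) or
    [introduced, last_affected] segments, plus an open-ended segment
    when no fix has shipped."""
    vk = version_key(version)
    start = None
    for ev in events:
        if "introduced" in ev:
            start = () if ev["introduced"] == "0" else version_key(ev["introduced"])
        elif "fixed" in ev and start is not None:
            if start <= vk < version_key(ev["fixed"]):
                return True
            start = None
        elif "last_affected" in ev and start is not None:
            if start <= vk <= version_key(ev["last_affected"]):
                return True
            start = None
    return start is not None and vk >= start


def find_affected(sbom_json, advisories):
    """Return (hits, unmatchable): (purl, advisory id) pairs for affected
    components, and names of components that carry no purl."""
    index = {}
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            index.setdefault((pkg.get("ecosystem"), pkg.get("name")), []).append((adv["id"], aff.get("ranges", [])))
    hits, unmatchable = [], []
    for comp in json.loads(sbom_json).get("components", []):
        parsed = parse_purl(comp.get("purl"))
        if parsed is None:
            unmatchable.append(comp.get("name"))
            continue
        eco, name, version = parsed
        for adv_id, ranges in index.get((eco, name), []):
            # GIT ranges need repository history to evaluate, so they are skipped here.
            if any(in_affected_range(version, r["events"]) for r in ranges if r.get("type") in ("ECOSYSTEM", "SEMVER")):
                hits.append((comp["purl"], adv_id))
    return hits, unmatchable


if __name__ == "__main__":
    affected, unknown = find_affected(SBOM_JSON, ADVISORIES)
    for purl, adv_id in affected:
        print(f"AFFECTED {purl} <- {adv_id}")
    for name in unknown:
        print(f"NO PURL  {name}: add a purl to the inventory so it can be correlated")
```

Run on the constructed input, this flags examplelib 2.4.1 and @acme/widget 3.2.0 (no fix yet), clears otherlib 1.0.0 and modx 1.5.0 as already at or past the fixed version, and lists legacy-agent as unmatchable because it has no purl. In production the advisory list would be pulled from the feed on each disclosure and the check scheduled continuously; the point is that it needs no scanner plugin to raise the first alert.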

"The organizations in the best position right now are the ones that can answer 'Are we running affected software?' within minutes of a new CVE, independent of whether their scanner vendor has shipped a plug-in for it," Sng says.

About the author: Elizabeth Montalbano is a contributing writer and journalist with 30 years of professional experience and a master's degree from Arizona State University. She covers enterprise technology, cybersecurity, business, and culture.