Cogent: AI Exploit Developer Threats Outpace Scanner Detection On Critical Vulnerabilities
Cybersecurity companies are known for their generally unswerving predeliction for market surveys; they use analysis reports as a sort of “look, see, we told you” messaging system to alert the enterprise technology community as to where new vulnerabilities are surfacing most prevalently and as a means of validating their position as a protection platform and toolset.
So then, when it comes to new research from AI-native enterprise security company Cogent, should we give its latest market analysis any credence? Let’s dive in, cautiously.
Accelerating Exploit Development
Cogent’s new report, The Detection Gap: How Exploits Are Outpacing Scanners, suggests that exploit development is accelerating faster than scanner-based detection can keep pace.
In an analysis of 69,159 CVEs, the team found that AI-assisted exploit development compressed the average time from vulnerability disclosure to a working exploit from 125.3 days in January 2025 to just 0.5 days by April 2026.
According to Vineet Edupuganti, CEO and co-founder, Cogent Security, the assumption that security teams have days or weeks to respond to a new CVE is no longer valid.
Growth of ‘AI Exploit Developers’
“The findings point to a ‘structural mismatch’ between how quickly exploits now emerge and how traditional detection systems respond,” said Edupuganti. “When we looked at the data across January 2025 through April 2026, the trend was clear. Exploit developers, many of them now using AI tooling, are consistently moving faster than the detection infrastructure enterprises depend on. Scanners were built for a threat environment that moved at human speed. That environment no longer exists.”
Key stats from Cogent include a suggestion that, among critical vulnerabilities with known exploits, 62.0% had a working exploit available before scanner detection signatures shipped.
- More than 83% of critical vulnerabilities create a visibility gap.
- Some 55.7% of critical CVEs never received scanner coverage at all.
- Among the 44.3% that did, 62.0% had exploits circulating before scanner detection became available.
- In total, 83.2% of critical vulnerabilities either lacked scanner coverage entirely or had exploits appear before detection shipped.
More than half of all CVEs remain invisible to major scanners. Overall, 54.0% of CVEs published since January 2025 had no detection signature from Tenable, Qualys, or Rapid7.
The report attributes the acceleration in exploit timelines to AI-assisted exploit development. Tools built on large language models can ingest a patch diff (a text file showing the exact “before and after” changes between two versions of source code, typically generated using the diff utility), identify the relevant code change, and produce proof-of-concept exploit code in hours rather than weeks.
The report notes that vulnerability scanners remain important for confirmed detection across large asset inventories and for validating remediation. The issue is timing. For the critical vulnerabilities that security teams care most about during active incidents, scanner coverage frequently arrives after the period of highest risk has already begun.
What Users Think
Cogent tells us that its user base is aware of the risks, but feels like it has not always been able to “put a number on” in terms of quantification in this space. Users note that they have been “watching exploit turnaround times shrink” in real time, all while the core detection stack has remained largely unchanged.
Cogent users have also said that, seeing that more than 83% of critical vulnerabilities either lack scanner coverage (or have exploits available before detection arrives) is a real reinforcement for organizations to identify likely exposure immediately after disclosure rather than waiting for scanner coverage.
In a connected news item, Cogent also this month launched two new platform capabilities designed to collapse the time between vulnerability disclosure and confirmed remediation.
Zero Day Response & Autonomous Remediation
Zero Day Response identifies exposure within minutes of public disclosure without waiting for scanner signatures. Autonomous Remediation determines the right fix, assesses business impact before execution, and confirms the vulnerability is actually resolved.
The releases arrive as AI-assisted exploit development compresses attacker timelines faster than most security programs can keep pace.
“The math on vulnerability management has changed,” said Vineet Edupuganti, co-founder and CEO of Cogent. “When a new CVE can be weaponized in hours, a four-day detection cycle and a 60-day remediation cycle carry a different kind of risk than they did two years ago. We built these capabilities to help security teams run their vulnerability management programs 100 times faster, because that’s what matching the speed of AI-equipped attackers actually requires.”
Zero Day Response identifies new vulnerabilities across an enterprise within minutes of initial disclosure. It ingests intelligence from dozens of sources and cross-references new disclosures against a customer’s full software inventory to rapidly discover where they exist.
Coverage includes formal CVE advisories and pre-CVE disclosures, so when a researcher publishes a proof-of-concept on GitHub before a formal CVE exists, Cogent’s AI agents identify and triage the signal automatically. Every finding is scored against the customer’s actual environment rather than abstract severity ratings.
Pre-flight Impact Assessment
Autonomous Remediation determines the fastest path to resolution for each vulnerability, whether that’s a patch, an upgrade, or a configuration change. Before anything executes, the system runs a pre-flight impact assessment, flagging disruption risk, reboot requirements, and business impact.
Users set policies that control how much autonomy the AI gets: full human approval for critical production systems, semi-autonomous operation for moderate-risk environments, and fully autonomous execution for lower environments. Remediation is treated as incomplete until the fix is independently confirmed.
In summary – and taking the fact that a vendor that styles itself as an AI security specialist is most likely to try and point to the emerging fear factor surrounding AI-driven developer exploits – it feels like AI-equipped exploit developer tooling has collapsed the window from CVE disclosure to weaponised proof-of-concept into a very short space of time.
Every developer working in security now faces attackers operating at machine speed. Sleep well, everyone.
