TechTarget and Informa Tech’s Digital Business Combine. TechTarget and Informa TechTarget and Informa Tech’s Digital Business Combine. Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise Newsletter Sign-Up Newsletter Sign-Up Cybersecurity Topics Related Topics Application Security Cybersecurity Careers Cloud Security Cyber Risk Cyberattacks & Data Breaches Cybersecurity Analytics Cybersecurity Operations Data Privacy Endpoint Security ICS/OT Security Identity & Access Mgmt Security Insider Threats IoT Mobile Security Perimeter Physical Security Remote Workforce Threat Intelligence Vulnerabilities & Threats Recent in Cybersecurity Topics Threat Intelligence AI-Assisted Exploit Development Outpaces Scanner Detection AI-Assisted Exploit Development Outpaces Scanner Detection by Elizabeth Montalbano May 27, 2026 4 Min Read Application Security Feeding Frenzy: 'Megalodon' Malware Infects Thousands of GitHub Repos Feeding Frenzy: 'Megalodon' Malware Infects Thousands of GitHub Repos by Rob Wright May 26, 2026 4 Min Read World Related Topics DR Global Middle East & Africa Asia Pacific Latin America See All The Edge DR Technology Events Related Topics Upcoming Events Podcasts Webinars SEE ALL Resources Related Topics Resource Library Newsletters Podcasts Reports Videos Webinars White Papers Heard It From a CISO Reporters' Notebook Partner Perspectives Meet the Editors Advertise With Us About Us Dark Reading Resource Library Threat Intelligence Vulnerabilities & Threats Application Security Cybersecurity Operations News AI-Assisted Exploit Development Outpaces Scanner Detection Attackers are using AI to dramatically reduce the time they need to develop a working exploit for a CVE, according to new research. Elizabeth Montalbano , Contributing Writer May 27, 2026 4 Min Read Source: Tiny Ivan via Alamy Stock Photo Attackers have reduced the time to develop an exploit for a known vulnerability from 125 days to a mere half a day, thanks to the use of AI-assisted development, leaving vulnerability scanners struggling to keep pace, new research has found. Cogent Research analyzed 69,159 common vulnerabilities and exposures (CVEs) and found that in January 2025, attackers needed 125.3 days to develop a method for exploiting them, according to a report published today. By April 2026, threat actors reduced that time to just 0.5 days by using AI, thus creating significant visibility gaps for security teams during the highest-risk periods following vulnerability disclosure, according to Cogent. This milestone was achieved using widely available large language models (LLMS) that can read a patch diff — a set of code changes published when a software vulnerability gets fixed — and produce a proof-of-concept (PoC) exploit, Geng Sng, co-founder and chief technology officer (CTO) of Cogent Security, tells Dark Reading. "Our data captures what's already happening with the current generation of AI tooling, not frontier models," he says. Related: State Cyber Leaders Beg Congress for More Funding, Support However, the 0.5 days to exploit finding will be old hat once Anthropic's Claude Mythos — which can develop "working exploits at the level of an experienced security researcher" and already is striking fear in global markets — becomes widely available, he says. "Multiple researchers have put Mythos-class capability proliferation at six to 12 months out," Sng says. "When that happens, the exploit-speed compression we measured won't be the ceiling. It'll be the baseline." Analysis Shows 'Visibility Gap' Cogent's research had other troubling findings for security teams that rely on scanner detection to help them identify threats to their environments. This type of detection involves identifying and monitoring automated tools that probe networks or systems for vulnerabilities, a process that is crucial for organizations to get ahead of potential threats before they compromise systems. To achieve its findings, Cogent analyzed 69,159 CVEs from public disclosure databases, including the National Vulnerability Database and MITRE CVE. The primary analysis set analyzed included 57,860 CVEs published in 2025 and 2026, for which Cogent recorded timestamps for CVE publications. The researchers also looked up detection signature publication dates for the top three commercial scanning technologies: Tenable, Qualys, and Rapid7. The analysis found that 83.2% of critical vulnerabilities created what Cogent called a "visibility gap" for defenders. More than half of critical CVEs, or 55.7%, never received detection coverage from major scanners at all. Of the remaining vulnerabilities that did receive signatures, 62% already had exploits circulating before detection became available, according to the findings. Related: Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks Scanners, Not Orgs, Falter at Detection "Most security teams already know their scan cycles are too slow, and many are working to move from monthly or weekly scans to something closer to continuous," Sng acknowledges. However, Cogent's research indicates the visibility gaps stem not from organizations' slow cycles but the detection capabilities of the aforementioned scanning vendors analyzed by the researchers, he says. Research found that 54% of all CVEs published since January 2025 lacked detection signatures from any of these vendors. Among those scanners, response times also varied, with median detection lag after disclosure measured 0.1 days for Tenable, 2.9 days for Qualys, and 5.1 days for Rapid7. Critical vulnerabilities were also the most likely to be exploited before detection signatures shipped, affecting 62.5% of critical CVEs at Tenable, 64.5% at Qualys, and 73.5% at Rapid7, according to the report. Dark Reading contacted the three vendors mentioned in the report, none of which responded to a request for comment at press time. Related: Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut Prepare Now for AI-Driven Exploit Flurry AI-assisted exploit development already is on the radar of security teams, and they are shifting to new strategies to defend against its ever-quickening pace . Indeed, industry organizations are warning defenders to buckle up for a post-Mythos exploit flurry . One of defenders' new strategies is using software inventory analysis as "an early warning layer," with checks every morning to see whether newly disclosed CVEs affect software versions running in their environment, Sng says. Doing this means they can "start mitigation before their scanner even knows the vulnerability exists," he says. However, an even broader change among security teams that organizations would be wise to adopt is building a parallel detection path using software inventory data, software bill of materials (SBOM) matching, and threat intelligence feeds that can surface affected assets within minutes of disclosure, Sng tells Dark Reading. "Scanners remain the right tool for confirming detection at scale and validating remediation, but they can't be the starting line for response anymore," he says. Cogent also recommended that organizations map their software inventory continuously and correlate it against new disclosures the moment they publish, as this is the only effective detection method that works when no scanner signature exists yet. "The organizations in the best position right now are the ones that can answer 'Are we running affected software?' within minutes of a new CVE, independent of whether their scanner vendor has shipped a plug-in for it," Sng tells Dark Reading. About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician. See more from Elizabeth Montalbano Want more Dark Reading stories in your Google search results? Add Us Now More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure AI-Powered Cybersecurity for Resource-Constrained Organizations More Webinars Editor's Choice Cybersecurity Operations 20 Leaders Who Built the CISO Era: 2 Decades of Change 20 Leaders Who Built the CISO Era: 2 Decades of Change by Dark Reading Editorial Team May 12, 2026 41 Min Read Application Security It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight by Jai Vijayan May 12, 2026 5 Min Read Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilit