CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 27, 2026

AI-Assisted Exploit Development Outpaces Scanner Detection

Dark Reading Archived May 27, 2026 ✓ Full text saved

Attackers are using AI to dramatically reduce the time they need to develop a working exploit for a CVE, according to new research.

Full text archived locally
✦ AI Summary · Claude Sonnet


    THREAT INTELLIGENCE VULNERABILITIES & THREATS APPLICATION SECURITY CYBERSECURITY OPERATIONS NEWS AI-Assisted Exploit Development Outpaces Scanner Detection Attackers are using AI to dramatically reduce the time they need to develop a working exploit for a CVE, according to new research. Elizabeth Montalbano,Contributing Writer May 27, 2026 4 Min Read SOURCE: TINY IVAN VIA ALAMY STOCK PHOTO Attackers have reduced the time to develop an exploit for a known vulnerability from 125 days to a mere half a day, thanks to the use of AI-assisted development, leaving vulnerability scanners struggling to keep pace, new research has found. Cogent Research analyzed 69,159 common vulnerabilities and exposures (CVEs) and found that in January 2025, attackers needed 125.3 days to develop a method for exploiting them, according to a report published today. By April 2026, threat actors reduced that time to just 0.5 days by using AI, thus creating significant visibility gaps for security teams during the highest-risk periods following vulnerability disclosure, according to Cogent. This milestone was achieved using widely available large language models (LLMS) that can read a patch diff — a set of code changes published when a software vulnerability gets fixed — and produce a proof-of-concept (PoC) exploit, Geng Sng, co-founder and chief technology officer (CTO) of Cogent Security, tells Dark Reading. "Our data captures what's already happening with the current generation of AI tooling, not frontier models," he says. Related:State Cyber Leaders Beg Congress for More Funding, Support However, the 0.5 days to exploit finding will be old hat once Anthropic's Claude Mythos — which can develop "working exploits at the level of an experienced security researcher" and already is striking fear in global markets — becomes widely available, he says. "Multiple researchers have put Mythos-class capability proliferation at six to 12 months out," Sng says. "When that happens, the exploit-speed compression we measured won't be the ceiling. It'll be the baseline." Analysis Shows 'Visibility Gap' Cogent's research had other troubling findings for security teams that rely on scanner detection to help them identify threats to their environments. This type of detection involves identifying and monitoring automated tools that probe networks or systems for vulnerabilities, a process that is crucial for organizations to get ahead of potential threats before they compromise systems. To achieve its findings, Cogent analyzed 69,159 CVEs from public disclosure databases, including the National Vulnerability Database and MITRE CVE. The primary analysis set analyzed included 57,860 CVEs published in 2025 and 2026, for which Cogent recorded timestamps for CVE publications. The researchers also looked up detection signature publication dates for the top three commercial scanning technologies: Tenable, Qualys, and Rapid7. The analysis found that 83.2% of critical vulnerabilities created what Cogent called a "visibility gap" for defenders. More than half of critical CVEs, or 55.7%, never received detection coverage from major scanners at all. Of the remaining vulnerabilities that did receive signatures, 62% already had exploits circulating before detection became available, according to the findings. Related:Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks Scanners, Not Orgs, Falter at Detection "Most security teams already know their scan cycles are too slow, and many are working to move from monthly or weekly scans to something closer to continuous," Sng acknowledges. However, Cogent's research indicates the visibility gaps stem not from organizations' slow cycles but the detection capabilities of the aforementioned scanning vendors analyzed by the researchers, he says. Research found that 54% of all CVEs published since January 2025 lacked detection signatures from any of these vendors. Among those scanners, response times also varied, with median detection lag after disclosure measured 0.1 days for Tenable, 2.9 days for Qualys, and 5.1 days for Rapid7.  Critical vulnerabilities were also the most likely to be exploited before detection signatures shipped, affecting 62.5% of critical CVEs at Tenable, 64.5% at Qualys, and 73.5% at Rapid7, according to the report. Dark Reading contacted the three vendors mentioned in the report, none of which responded to a request for comment at press time. Related:Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut Prepare Now for AI-Driven Exploit Flurry AI-assisted exploit development already is on the radar of security teams, and they are shifting to new strategies to defend against its ever-quickening pace. Indeed, industry organizations are warning defenders to buckle up for a post-Mythos exploit flurry. One of defenders' new strategies is using software inventory analysis as "an early warning layer," with checks every morning to see whether newly disclosed CVEs affect software versions running in their environment, Sng says. Doing this means they can "start mitigation before their scanner even knows the vulnerability exists," he says. However, an even broader change among security teams that organizations would be wise to adopt is building a parallel detection path using software inventory data, software bill of materials (SBOM) matching, and threat intelligence feeds that can surface affected assets within minutes of disclosure, Sng tells Dark Reading. "Scanners remain the right tool for confirming detection at scale and validating remediation, but they can't be the starting line for response anymore," he says. Cogent also recommended that organizations map their software inventory continuously and correlate it against new disclosures the moment they publish, as this is the only effective detection method that works when no scanner signature exists yet. "The organizations in the best position right now are the ones that can answer 'Are we running affected software?' within minutes of a new CVE, independent of whether their scanner vendor has shipped a plug-in for it," Sng tells Dark Reading. About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is freelance writer, editor, and  journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Cybersecurity for Resource-Constrained Organizations AI-Powered Credential Security: Intelligence Without Exposure More Webinars You May Also Like THREAT INTELLIGENCE Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish by Jai Vijayan MAR 17, 2026 THREAT INTELLIGENCE Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi MAR 06, 2026 THREAT INTELLIGENCE React2Shell Exploits Flood the Internet as Attacks Continue by Rob Wright DEC 12, 2025 THREAT INTELLIGENCE Chinese Gov't Fronts Trick the West to Obtain Cyber Tech by Nate Nelson, Contributing Writer OCT 06, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Cybersecurity for Resource-Constrained Organizations THURS, JUNE 18, 2026, AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    May 27, 2026
    Archived
    May 27, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗