AI-Assisted Exploit Development Outpaces Scanner Detection
Dark ReadingArchived May 27, 2026✓ Full text saved
Attackers are using AI to dramatically reduce the time they need to develop a working exploit for a CVE, according to new research.
Full text archived locally
✦ AI Summary· Claude Sonnet
THREAT INTELLIGENCE
VULNERABILITIES & THREATS
APPLICATION SECURITY
CYBERSECURITY OPERATIONS
NEWS
AI-Assisted Exploit Development Outpaces Scanner Detection
Attackers are using AI to dramatically reduce the time they need to develop a working exploit for a CVE, according to new research.
Elizabeth Montalbano,Contributing Writer
May 27, 2026
4 Min Read
SOURCE: TINY IVAN VIA ALAMY STOCK PHOTO
Attackers have reduced the time to develop an exploit for a known vulnerability from 125 days to a mere half a day, thanks to the use of AI-assisted development, leaving vulnerability scanners struggling to keep pace, new research has found.
Cogent Research analyzed 69,159 common vulnerabilities and exposures (CVEs) and found that in January 2025, attackers needed 125.3 days to develop a method for exploiting them, according to a report published today. By April 2026, threat actors reduced that time to just 0.5 days by using AI, thus creating significant visibility gaps for security teams during the highest-risk periods following vulnerability disclosure, according to Cogent.
This milestone was achieved using widely available large language models (LLMS) that can read a patch diff — a set of code changes published when a software vulnerability gets fixed — and produce a proof-of-concept (PoC) exploit, Geng Sng, co-founder and chief technology officer (CTO) of Cogent Security, tells Dark Reading. "Our data captures what's already happening with the current generation of AI tooling, not frontier models," he says.
Related:State Cyber Leaders Beg Congress for More Funding, Support
However, the 0.5 days to exploit finding will be old hat once Anthropic's Claude Mythos — which can develop "working exploits at the level of an experienced security researcher" and already is striking fear in global markets — becomes widely available, he says.
"Multiple researchers have put Mythos-class capability proliferation at six to 12 months out," Sng says. "When that happens, the exploit-speed compression we measured won't be the ceiling. It'll be the baseline."
Analysis Shows 'Visibility Gap'
Cogent's research had other troubling findings for security teams that rely on scanner detection to help them identify threats to their environments. This type of detection involves identifying and monitoring automated tools that probe networks or systems for vulnerabilities, a process that is crucial for organizations to get ahead of potential threats before they compromise systems.
To achieve its findings, Cogent analyzed 69,159 CVEs from public disclosure databases, including the National Vulnerability Database and MITRE CVE. The primary analysis set analyzed included 57,860 CVEs published in 2025 and 2026, for which Cogent recorded timestamps for CVE publications. The researchers also looked up detection signature publication dates for the top three commercial scanning technologies: Tenable, Qualys, and Rapid7.
The analysis found that 83.2% of critical vulnerabilities created what Cogent called a "visibility gap" for defenders. More than half of critical CVEs, or 55.7%, never received detection coverage from major scanners at all. Of the remaining vulnerabilities that did receive signatures, 62% already had exploits circulating before detection became available, according to the findings.
Related:Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks
Scanners, Not Orgs, Falter at Detection
"Most security teams already know their scan cycles are too slow, and many are working to move from monthly or weekly scans to something closer to continuous," Sng acknowledges. However, Cogent's research indicates the visibility gaps stem not from organizations' slow cycles but the detection capabilities of the aforementioned scanning vendors analyzed by the researchers, he says.
Research found that 54% of all CVEs published since January 2025 lacked detection signatures from any of these vendors. Among those scanners, response times also varied, with median detection lag after disclosure measured 0.1 days for Tenable, 2.9 days for Qualys, and 5.1 days for Rapid7.
Critical vulnerabilities were also the most likely to be exploited before detection signatures shipped, affecting 62.5% of critical CVEs at Tenable, 64.5% at Qualys, and 73.5% at Rapid7, according to the report. Dark Reading contacted the three vendors mentioned in the report, none of which responded to a request for comment at press time.
Related:Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut
Prepare Now for AI-Driven Exploit Flurry
AI-assisted exploit development already is on the radar of security teams, and they are shifting to new strategies to defend against its ever-quickening pace. Indeed, industry organizations are warning defenders to buckle up for a post-Mythos exploit flurry.
One of defenders' new strategies is using software inventory analysis as "an early warning layer," with checks every morning to see whether newly disclosed CVEs affect software versions running in their environment, Sng says. Doing this means they can "start mitigation before their scanner even knows the vulnerability exists," he says.
However, an even broader change among security teams that organizations would be wise to adopt is building a parallel detection path using software inventory data, software bill of materials (SBOM) matching, and threat intelligence feeds that can surface affected assets within minutes of disclosure, Sng tells Dark Reading. "Scanners remain the right tool for confirming detection at scale and validating remediation, but they can't be the starting line for response anymore," he says.
Cogent also recommended that organizations map their software inventory continuously and correlate it against new disclosures the moment they publish, as this is the only effective detection method that works when no scanner signature exists yet.
"The organizations in the best position right now are the ones that can answer 'Are we running affected software?' within minutes of a new CVE, independent of whether their scanner vendor has shipped a plug-in for it," Sng tells Dark Reading.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Cybersecurity for Resource-Constrained Organizations
AI-Powered Credential Security: Intelligence Without Exposure
More Webinars
You May Also Like
THREAT INTELLIGENCE
Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish
by Jai Vijayan
MAR 17, 2026
THREAT INTELLIGENCE
Iran's Cyber-Kinetic War Doctrine Takes Shape
by Alexander Culafi
MAR 06, 2026
THREAT INTELLIGENCE
React2Shell Exploits Flood the Internet as Attacks Continue
by Rob Wright
DEC 12, 2025
THREAT INTELLIGENCE
Chinese Gov't Fronts Trick the West to Obtain Cyber Tech
by Nate Nelson, Contributing Writer
OCT 06, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS