LmCast :: Stay tuned in

AI-Assisted Exploit Development Outpaces Scanner Detection

Recorded: May 27, 2026, 5:02 p.m.

Original Summarized

Attackers are using AI to dramatically reduce the time they need to develop a working exploit for a CVE, according to new research.

Elizabeth Montalbano, Contributing Writer
May 27, 2026

Attackers have reduced the time to develop an exploit for a known vulnerability from 125 days to a mere half a day, thanks to the use of AI-assisted development, leaving vulnerability scanners struggling to keep pace, new research has found.

Cogent Research analyzed 69,159 common vulnerabilities and exposures (CVEs) and found that in January 2025, attackers needed 125.3 days to develop a method for exploiting them, according to a report published today. By April 2026, threat actors reduced that time to just 0.5 days by using AI, thus creating significant visibility gaps for security teams during the highest-risk periods following vulnerability disclosure, according to Cogent.

This milestone was achieved using widely available large language models (LLMs) that can read a patch diff — a set of code changes published when a software vulnerability gets fixed — and produce a proof-of-concept (PoC) exploit, Geng Sng, co-founder and chief technology officer (CTO) of Cogent Security, tells Dark Reading. "Our data captures what's already happening with the current generation of AI tooling, not frontier models," he says.

However, the 0.5 days to exploit finding will be old hat once Anthropic's Claude Mythos — which can develop "working exploits at the level of an experienced security researcher" and already is striking fear in global markets — becomes widely available, he says.

"Multiple researchers have put Mythos-class capability proliferation at six to 12 months out," Sng says. "When that happens, the exploit-speed compression we measured won't be the ceiling. It'll be the baseline."

Analysis Shows 'Visibility Gap'

Cogent's research had other troubling findings for security teams that rely on scanner detection to help them identify threats to their environments. This type of detection involves identifying and monitoring automated tools that probe networks or systems for vulnerabilities, a process that is crucial for organizations to get ahead of potential threats before they compromise systems.

To achieve its findings, Cogent analyzed 69,159 CVEs from public disclosure databases, including the National Vulnerability Database and MITRE CVE. The primary analysis set included 57,860 CVEs published in 2025 and 2026, for which Cogent recorded timestamps for CVE publications. The researchers also looked up detection signature publication dates for the top three commercial scanning technologies: Tenable, Qualys, and Rapid7.

The analysis found that 83.2% of critical vulnerabilities created what Cogent called a "visibility gap" for defenders. More than half of critical CVEs, or 55.7%, never received detection coverage from major scanners at all. Of the remaining vulnerabilities that did receive signatures, 62% already had exploits circulating before detection became available, according to the findings.

Scanners, Not Orgs, Falter at Detection

"Most security teams already know their scan cycles are too slow, and many are working to move from monthly or weekly scans to something closer to continuous," Sng acknowledges. However, Cogent's research indicates the visibility gaps stem not from organizations' slow cycles but from the detection capabilities of the scanning vendors analyzed by the researchers, he says.

Research found that 54% of all CVEs published since January 2025 lacked detection signatures from any of these vendors. Among those scanners, response times also varied, with median detection lag after disclosure measured at 0.1 days for Tenable, 2.9 days for Qualys, and 5.1 days for Rapid7. Critical vulnerabilities were also the most likely to be exploited before detection signatures shipped, affecting 62.5% of critical CVEs at Tenable, 64.5% at Qualys, and 73.5% at Rapid7, according to the report. Dark Reading contacted the three vendors mentioned in the report, none of which responded to a request for comment at press time.

Prepare Now for AI-Driven Exploit Flurry

AI-assisted exploit development already is on the radar of security teams, and they are shifting to new strategies to defend against its ever-quickening pace. Indeed, industry organizations are warning defenders to buckle up for a post-Mythos exploit flurry.

One of defenders' new strategies is using software inventory analysis as "an early warning layer," with checks every morning to see whether newly disclosed CVEs affect software versions running in their environment, Sng says. Doing this means they can "start mitigation before their scanner even knows the vulnerability exists," he says.

However, an even broader change among security teams that organizations would be wise to adopt is building a parallel detection path using software inventory data, software bill of materials (SBOM) matching, and threat intelligence feeds that can surface affected assets within minutes of disclosure, Sng tells Dark Reading. "Scanners remain the right tool for confirming detection at scale and validating remediation, but they can't be the starting line for response anymore," he says.

Cogent also recommended that organizations map their software inventory continuously and correlate it against new disclosures the moment they publish, as this is the only effective detection method that works when no scanner signature exists yet.

"The organizations in the best position right now are the ones that can answer 'Are we running affected software?' within minutes of a new CVE, independent of whether their scanner vendor has shipped a plug-in for it," Sng tells Dark Reading.

Attackers are leveraging artificial intelligence to significantly accelerate the process of developing working exploits for known vulnerabilities, creating substantial visibility gaps for cybersecurity defenses. Research conducted by Cogent analyzed 69,159 common vulnerabilities and exposures (CVEs) and found that the time required for threat actors to develop an exploit has dropped dramatically. In January 2025, attackers required approximately 125.3 days to develop an exploit for a vulnerability. By April 2026, utilizing large language models (LLMs) to process patch differences and generate proof-of-concept exploits, threat actors reduced this development time to just half a day. This rapid exploit capability, demonstrated by the use of AI tooling, poses a significant challenge to security teams, as it can create exploitable windows immediately following vulnerability disclosure.

The emergence of advanced AI models, such as Anthropic's Claude Mythos, which possess the capability to develop working exploits at the level of experienced security researchers, suggests that this exploit-speed compression may become the new baseline rather than a temporary advantage. This shift invalidates traditional security response models that rely on time-consuming patching and detection cycles.

Furthermore, the analysis revealed profound deficiencies in the efficacy of traditional scanner-based detection methods. Cogent determined that 83.2 percent of critical vulnerabilities generated a "visibility gap" for defenders. More critically, over half of critical CVEs, specifically 55.7 percent, never received detection coverage from major commercial scanners. Even for the vulnerabilities that did receive detection signatures, 62 percent already had exploits circulating before those signatures were made available. The variance in detection lag among scanning technologies was also notable, with median detection times ranging from 0.1 days for Tenable to 5.1 days for Rapid7 following disclosure.

This research indicates that the visibility gaps are not primarily caused by slow organizational scanning cycles, but rather by the inherent limitations in the detection capabilities of the scanning vendors themselves. To effectively counter this evolving threat landscape, security teams are advised to implement alternative detection strategies that operate independently of scanner signatures. One recommended approach involves establishing software inventory analysis as an early warning layer, requiring daily checks to ascertain if newly disclosed CVEs affect software versions running in the environment, allowing for mitigation to begin before scanners recognize the vulnerability.

More comprehensively, the research calls for organizations to build parallel detection paths utilizing software inventory data, Software Bill of Materials (SBOM) matching, and threat intelligence feeds. This strategy is intended to surface affected assets within minutes of a disclosure, regardless of whether a specific scanner has released a corresponding plug-in. The core principle is that correlating a continuously mapped software inventory against new disclosures still works when no scanner signature exists yet, so organizations must be able to answer whether they are running affected software within minutes of a new CVE, independent of vendor response times.
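The morning inventory check and the SBOM matching path described in the article and in the summary above, sketched as an added example (not code from Cogent or Dark Reading). The asset names, package names, placeholder CVE identifier and the simplified introduced/fixed range layout are constructed assumptions; a version string that cannot be parsed is routed to manual review instead of being treated as unaffected.

```python
import re

# Constructed inventory (asset -> SBOM components); all names are made up.
INVENTORY = {
    "web-01": [("examplelib", "2.4.1"), ("otherpkg", "1.0.0")],
    "web-02": [("examplelib", "2.6.0")],
    "build-01": [("examplelib", "2.5.0-rc1")],
    "db-01": [("examplelib", "custom-build")],
}

# Constructed disclosure feed. The range layout (introduced <= v < fixed) is a
# simplified assumption, not a real feed schema; the CVE id is a placeholder.
NEW_CVES = [
    {"id": "CVE-0000-0001", "product": "examplelib",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.5.0"}]},
]


def parse_version(text):
    """Dotted numeric version -> comparable tuple; anything else -> None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:  # so "2.5" and "2.5.0" compare equal
        parts.pop()
    return tuple(parts)


def in_range(installed, rng):
    """True when introduced <= installed < fixed."""
    return parse_version(rng["introduced"]) <= installed < parse_version(rng["fixed"])


def match(inventory, cves):
    """Return (hits, review), each a list of (cve_id, asset, component, version)."""
    hits, review = [], []
    for cve in cves:
        for asset, components in sorted(inventory.items()):
            for name, version in components:
                if name != cve["product"]:
                    continue
                row = (cve["id"], asset, name, version)
                installed = parse_version(version)
                if installed is None:
                    review.append(row)  # unparseable version: never assume safe
                elif any(in_range(installed, r) for r in cve["ranges"]):
                    hits.append(row)
    return hits, review


if __name__ == "__main__":
    for label, rows in zip(("AFFECTED", "REVIEW"), match(INVENTORY, NEW_CVES)):
        for row in rows:
            print(label, *row)
```

The review list is the part a scanner-independent path most needs: pre-release and locally built versions are exactly where a silent "not affected" would hide exposure.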