ByteSizedSecurity Cybersecurity Insights & Analysis
Vulnerabilities 5 min read Updated

AI Exploits: Your Scanners Are Blind

Marc David
Marc David Senior Security Engineer · CISSP
AI Vulnerabilities Security Awareness
AI Exploits: Your Scanners Are Blind

AI Is Helping Hackers Build Exploits in Hours. Your Scanner Hasn’t Noticed Yet.

TL;DR: New research from Cogent analyzed 69,159 CVEs and found AI-assisted exploit development has collapsed the time from vulnerability disclosure to working exploit from 125 days to under 12 hours. Meanwhile, 62% of critical vulnerabilities already have exploits circulating before scanners release detection signatures, and 55.7% of critical CVEs never get scanner coverage at all. If your security strategy starts and ends with vulnerability scanning, you have a serious blind spot.


In January 2025, it took attackers an average of 125.3 days to develop a working exploit after a vulnerability was publicly disclosed. By April 2026, the number dropped to 0.5 days.

Not 50 days. Not 5 days. Half a day.

Here’s what happens when large language models enter the exploit development workflow. AI tools now ingest a patch diff, identify the relevant code change, and produce proof-of-concept exploit code in hours rather than weeks. The skills and time required to weaponize a vulnerability have been compressed to a fraction of what they used to be.

And the tools doing this aren’t custom-built by nation-state actors. They’re built on widely available LLMs. The barrier to entry for writing exploit code has dropped significantly.

The Scanner Problem

Most organizations rely on vulnerability scanners from vendors like Tenable, Qualys, and Rapid7 as their first line of defense. These scanners work by matching known vulnerability signatures against your environment. No signature? No detection.

Cogent Security’s new report, “The Detection Gap: How Exploits Are Outpacing Scanners,” analyzed 69,159 CVEs from January 2025 through April 2026 and found a structural mismatch between how fast exploits now emerge and how the detection systems most enterprises depend on respond in practice.

Here are the numbers worth knowing:

  • 83.2% of critical vulnerabilities created a “visibility gap” where defenders had no detection coverage during the highest-risk window after disclosure
  • 55.7% of critical CVEs never received detection coverage from any major scanner vendor. At all.
  • Among the critical vulnerabilities receiving scanner signatures, 62% already had exploits circulating before those signatures shipped
  • Median detection lag after disclosure: 0.1 days for Tenable, 2.9 days for Qualys, 5.1 days for Rapid7
  • 54% of all CVEs published since January 2025 lacked detection signatures from any vendor

As Cogent’s CTO Geng Sng put it: “The assumption that security teams have days or weeks to respond to a new CVE is no longer valid.”

Why This Matters for You

If you’re a security professional, this changes your operational reality. You no longer have a comfortable window between disclosure and exploitation. The old playbook of “wait for the scan, prioritize the findings, schedule the patch” assumes a threat environment moving at human speed.

This environment no longer exists.

If you’re a business leader, this is a risk management problem. Your security team’s scanning infrastructure alone is no longer a reliable starting point for vulnerability response. An attacker with access to an LLM and a patch diff from a public advisory has everything they need to build a working exploit before your scanner even knows the vulnerability exists.

If you’re a developer, this means the code you ship gets scrutinized faster than ever. A vulnerability in your application gets weaponized within hours of disclosure. Secure coding practices and fast patching aren’t optional.

What You Should Be Doing Instead

Scanners aren’t useless. They still catch a lot. But treating them as the foundation of your vulnerability management program is increasingly risky. Here’s what Cogent and other researchers recommend:

  1. Map your software inventory continuously. Know exactly what’s running in your environment. When a new CVE drops, you need to know within minutes whether you’re exposed, not after a scheduled scan runs next Tuesday.

  2. Correlate against new disclosures in real time. Don’t wait for scanner signatures. Monitor CVE feeds, vendor advisories, and NVD data directly. Match disclosures against your software bill of materials (SBOM) as they’re published.

  3. Assume the exploit exists. For critical and high-severity vulnerabilities, operate under the assumption a working exploit is available within hours of disclosure. Your response timeline needs to match.

  4. Reduce your mean time to remediate. The average enterprise still takes 60 days to close a critical vulnerability. When exploits appear in hours, 60 days is an eternity. Prioritize automating your vulnerability management — manual patching cycles can’t keep pace with AI-accelerated exploits.

  5. Layer your defenses. Compensating controls like WAFs, network segmentation, endpoint detection, and runtime protection buy you time when patching isn’t possible right away. Don’t rely on a single control.

The Bigger Picture

This isn’t a story about scanners being bad. It’s a story about the speed of threats outpacing the speed of traditional defense.

AI is reshaping the attacker’s toolkit. Exploit development once requiring deep technical expertise and weeks of manual work is now assisted (and accelerated) by the same LLM technology helping developers write code faster. The democratization of offensive capability is happening in real time.

The defenders who adapt will be the ones who stop treating vulnerability management as a periodic scan-and-patch cycle and start treating it as a continuous, real-time operation. The data from Cogent’s research makes one thing clear. The window between “vulnerable” and “exploited” is closing fast.

Your response needs to be faster than the exploit. If it isn’t, the scanner won’t save you.

For a real-world example of what happens when patching falls behind, see how an unpatched React app gave attackers full access to LexisNexis. And for the career implications of AI reshaping security, read how AI is driving cybersecurity hiring demand — defenders who understand these tools are in high demand.


Source: Cogent Research, “The Detection Gap: How Exploits Are Outpacing Scanners,” May 2026 (https://www.darkreading.com/threat-intelligence/ai-assisted-exploit-development-scanner-detection)

Share This Article

Comments