The recently released Cogent Q2 2026 Detection Gap Report delivers a harsh reality check: traditional vulnerability scanners are being outpaced by exploits at a rapidly increasing rate. The data shows unequivocally that the old signature-based approach must change immediately if it is to provide any tangible benefit to the organizations that rely on it.
It also validates runZero’s approach (which doesn’t rely on signature-based CVE scanning) that focuses on revealing every asset, every exposure, every gap, every attack path to give defenders a comprehensive view of their attack surface and the actionable data needed to prioritize the risks that matter most to their unique environments.
The brutal math of the detection gap
As recently as early 2025, security teams felt they had about four months to patch a vulnerability, on average, before a working exploit emerged. This “grace period” gave vulnerability scanners time to create a signature and then roll out an update. Then it was up to the customers using these vulnerability scanners to run a new scan looking for that signature, and patch all the devices that matched the signature. While we occasionally saw exploitation frontrunning vulnerability disclosures, this was not the norm. Sadly, those days are now well and truly over.
The Cogent Research team looked at 69,159 CVEs from January of 2025 to April of 2026 and mapped out three critical events for each one: when the CVE was published, when a working exploit became available, and finally when the traditional vulnerability scanning vendors (Tenable, Qualys, Rapid7) shipped a signature for that CVE.
These results should be a wakeup call to everyone:
- Since January of 2025, 55.7% of critical vulnerabilities never got a signature at all.
- Of the 44.3% of vulnerabilities that did get a signature for detection, 62% of those had exploits circulating BEFORE the signature shipped to the scanner.
- The conclusion Cogent Research came to was that of all the observed critical vulnerabilities, 83.2% weren’t covered at all by traditional scanners, or had observed exploits before scanner coverage was shipped.
This is the one sentence from the report you need to commit to memory: “Scanner coverage lags exploits, or is absent entirely, for more than four out of five critical vulnerabilities.”
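The three-event timeline described above can be turned into a small classification: each CVE is either never covered, covered only after an exploit was already circulating, or covered in time. The following is an added example, not code from Cogent Research or runZero; the CVE records are constructed with placeholder identifiers and dates, and the combination check at the end simply shows how the report's 55.7% and 62% figures compound into the 83.2% headline number.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class CveTimeline:
    """The three events the report tracks for each CVE."""
    cve_id: str
    published: date
    exploit_available: Optional[date]   # None: no public exploit observed
    signature_shipped: Optional[date]   # None: no scanner vendor shipped a check


# Constructed sample data; the identifiers are placeholders, not real CVEs.
SAMPLE_TIMELINES = [
    CveTimeline("CVE-EXAMPLE-0001", date(2025, 1, 10), date(2025, 1, 12), None),
    CveTimeline("CVE-EXAMPLE-0002", date(2025, 2, 1), None, None),
    CveTimeline("CVE-EXAMPLE-0003", date(2025, 3, 5), date(2025, 3, 20), None),
    CveTimeline("CVE-EXAMPLE-0004", date(2025, 4, 1), None, None),
    CveTimeline("CVE-EXAMPLE-0005", date(2025, 5, 15), date(2025, 5, 16), None),
    CveTimeline("CVE-EXAMPLE-0006", date(2025, 6, 1), date(2025, 6, 2), date(2025, 6, 4)),
    CveTimeline("CVE-EXAMPLE-0007", date(2025, 7, 10), date(2025, 7, 10), date(2025, 7, 12)),
    CveTimeline("CVE-EXAMPLE-0008", date(2025, 8, 20), date(2025, 8, 25), date(2025, 8, 27)),
    CveTimeline("CVE-EXAMPLE-0009", date(2025, 9, 1), date(2025, 9, 15), date(2025, 9, 3)),
    # Same-day exploit and signature: counted as covered in time (strict "before").
    CveTimeline("CVE-EXAMPLE-0010", date(2025, 10, 5), date(2025, 10, 9), date(2025, 10, 9)),
]


def classify(t: CveTimeline) -> str:
    """Bucket one CVE by whether scanner coverage existed and whether it beat the exploit."""
    if t.signature_shipped is None:
        return "no_signature"
    if t.exploit_available is not None and t.exploit_available < t.signature_shipped:
        return "exploit_first"
    return "signature_first"


def detection_gap_metrics(timelines: list[CveTimeline]) -> dict:
    """Compute the report-style figures over a set of CVE timelines."""
    buckets = {"no_signature": 0, "exploit_first": 0, "signature_first": 0}
    for t in timelines:
        buckets[classify(t)] += 1
    total = len(timelines)
    signed = total - buckets["no_signature"]
    lags = [(t.signature_shipped - t.published).days
            for t in timelines if t.signature_shipped is not None]
    return {
        "no_signature_pct": round(100 * buckets["no_signature"] / total, 1),
        # Share of *signed* CVEs whose exploit circulated before the check shipped.
        "exploit_before_signature_pct_of_signed":
            round(100 * buckets["exploit_first"] / signed, 1) if signed else 0.0,
        # Never covered, or covered too late: the figure the report headlines.
        "uncovered_or_late_pct":
            round(100 * (buckets["no_signature"] + buckets["exploit_first"]) / total, 1),
        "median_signature_lag_days": median(lags) if lags else None,
    }


def combine_report_figures(no_signature_pct: float, exploit_first_of_signed_pct: float) -> float:
    """Recombine the two published percentages into the overall 'uncovered or late' share."""
    signed_pct = 100.0 - no_signature_pct
    return round(no_signature_pct + signed_pct * exploit_first_of_signed_pct / 100.0, 1)


if __name__ == "__main__":
    print(detection_gap_metrics(SAMPLE_TIMELINES))
    print(combine_report_figures(55.7, 62.0))
```

Running it over the constructed sample gives 50% never signed, 60% of the signed CVEs exploited before coverage, and 80% uncovered or late; feeding the report's own 55.7% and 62% into `combine_report_figures` returns 83.2, matching the headline figure.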
Attackers leverage AI to further outpace legacy vuln scanners
The reason this has happened is no secret: attackers are using AI-assisted exploit development to compress the time-to-exploit window. Look at this chart Cogent Research created using those 69,159 CVEs and the time it took for an exploit to circulate.

The report also highlights another key statistic: the median lag time to publish a signature is 2.7 days. And that’s just for the CVEs that get a signature. Legacy scanners completely ignore 55.7% of critical CVEs because they focus only on major enterprise software, leaving a long tail of vulnerabilities without signatures in IoT devices, edge routers, and niche open-source packages.
But if scanners are losing the race, how do you defend the enterprise? Survival in this new era requires shifting from signature-dependent scanning to a proactive, single source of truth for exposure management.
runZero was designed for exactly this purpose. While legacy scanners must actively probe every device with specific CVEs in mind to see if a vulnerability exists, runZero operates on the principle that if you have a detailed, continuously updated asset inventory, you don't need to rescan the network when a new threat drops — you just need to query the data you already have.
Winning by default against modern threats
When a critical zero-day or high-profile CVE is announced, runZero’s research team analyzes the threat to identify the exact fingerprinted characteristics of the affected software, hardware, or firmware. Instead of waiting days for a vulnerability signature, runZero pushes out an asset query that day. Organizations can instantly search their existing inventory to see exactly which devices run the vulnerable component, where they are located, and whether they are exposed to the internet.
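The inventory-query approach described above boils down to matching fingerprinted component attributes (vendor, product, affected version range) against records you already hold, then ranking the hits by exposure. The following is an added illustration, not runZero's code or query syntax; the asset fields, the `Acme`/`EdgeRouter OS` names and the version range are constructed. It also shows the version-comparison edge case that a naive string match gets wrong (`2.3.10` sorts before `2.3.9` as text but is newer numerically).

```python
from dataclasses import dataclass
import re


@dataclass
class Asset:
    """One inventory record; field names are constructed for this example."""
    hostname: str
    address: str
    vendor: str
    product: str
    version: str
    site: str
    internet_exposed: bool


@dataclass
class VulnerableComponentQuery:
    """Fingerprint of the affected software: vendor, product and [min, fixed) version range."""
    vendor: str
    product: str
    fixed_version: str          # first version that is no longer affected
    min_version: str = "0"      # earliest affected version


def parse_version(v: str) -> tuple:
    """Split '2.3.10' into (2, 3, 10) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_lt(a: str, b: str) -> bool:
    """Numeric less-than with zero padding, so '2.3' == '2.3.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def matches(asset: Asset, q: VulnerableComponentQuery) -> bool:
    """True when the asset runs the fingerprinted product inside the affected range."""
    if asset.vendor.lower() != q.vendor.lower() or asset.product.lower() != q.product.lower():
        return False
    below_min = version_lt(asset.version, q.min_version)
    already_fixed = not version_lt(asset.version, q.fixed_version)
    return not below_min and not already_fixed


def find_affected(inventory: list[Asset], q: VulnerableComponentQuery) -> list[Asset]:
    """Query existing inventory, internet-exposed assets first, then by hostname."""
    hits = [a for a in inventory if matches(a, q)]
    return sorted(hits, key=lambda a: (not a.internet_exposed, a.hostname))


# Constructed sample inventory.
INVENTORY = [
    Asset("core-gw-01", "10.0.0.1", "Acme", "EdgeRouter OS", "2.3.1", "HQ", True),
    Asset("branch-gw-02", "10.1.0.1", "Acme", "EdgeRouter OS", "2.3.10", "Branch", False),
    Asset("lab-gw-03", "10.2.0.1", "Acme", "EdgeRouter OS", "2.4.0", "Lab", True),
    Asset("dmz-gw-04", "203.0.113.5", "Acme", "EdgeRouter OS", "1.9.7", "DMZ", True),
    Asset("nas-01", "10.0.0.50", "Acme", "StorageBox", "2.3.1", "HQ", False),
]

# Constructed query for a hypothetical advisory: versions 2.0 up to but not including 2.4.0.
EXAMPLE_QUERY = VulnerableComponentQuery("Acme", "EdgeRouter OS", fixed_version="2.4.0", min_version="2.0")


def affected_hostnames(inventory: list[Asset], q: VulnerableComponentQuery) -> list[str]:
    return [a.hostname for a in find_affected(inventory, q)]


if __name__ == "__main__":
    for a in find_affected(INVENTORY, EXAMPLE_QUERY):
        exposure = "INTERNET-EXPOSED" if a.internet_exposed else "internal"
        print(f"{a.hostname:14} {a.address:14} {a.version:8} {a.site:8} {exposure}")
```

Against the constructed inventory the query returns `core-gw-01` (exposed, listed first) and `branch-gw-02` (version 2.3.10, caught only because the comparison is numeric); the patched 2.4.0 device, the pre-2.0 device and the different product are correctly left out. The point of the exercise is that nothing had to be rescanned: the answer came from data already on hand.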
runZero’s proprietary, non-authenticated active scanning goes way beyond CVEs and identifies the exposures attackers can actually reach via the network. This moves you from the reactive mindset of “does this asset have a CVE” to the proactive mindset of “what assets and exposures are most likely to be attacked.” The attack path mapping that came out in the 4.9 release shows you the path of least resistance an attacker can take to your most at-risk assets, illuminating segmentation failures and unintended network routes that bypass your defenses. Another new feature in runZero 4.9 allows you to identify many more potential attack targets by walking the backplane of your common protocol gateways like Modbus and BACnet. Where most scanners stop at the IP address of the gateway itself, runZero identifies every connected device behind it, and the exposures of those devices. This allows us to identify many of the exposures legacy scanners miss entirely.
Your legacy vulnerability scanners are now outclassed by modern AI-accelerated threats. But you don’t have to wait for them to catch up. runZero is empowering defenders to win by default. Even against AI. Start a free trial today to know every asset on your attack surface, uncover all types of exposures, map every attack path, and validate your segmentation integrity — before the exploit drops.