There is a number in the Cogent research that should stop every vulnerability management program owner cold: 62% of critical vulnerabilities with a known exploit had that exploit circulating before any scanner released a detection signature.

Read that again. The majority of the vulnerabilities that attackers are actively weaponising are not visible to the scanners that most security programs depend on for detection. The exploit exists. The attacker has it. The scanner has not caught up. The average lag between CVE publication and scanner coverage is 5.1 days, and for the vulnerabilities that matter most, the ones actively being exploited, the security team is flying blind during exactly the window when exposure is highest.

That is the specific problem Cogent has built its two new platform capabilities to solve, and the launch arrives at a moment when the mathematics of vulnerability management have shifted far enough from their historical baseline that the gap between attacker capability and defender response has become a structural risk rather than an acceptable lag.

Time to exploit has compressed from nine months in 2022 to hours in 2026. The average enterprise still takes 60 days to close a critical vulnerability. The distance between those two numbers is not an efficiency problem. It is the attack surface that AI-assisted exploit development has made available to every threat actor with access to the tools that are now commercially available in underground markets.

Why the Vulnerability Management Math Has Changed

The Cogent launch framing, that the math on vulnerability management has changed, deserves examination beyond the headline statistics, because the change is structural rather than incremental, and understanding why clarifies what the response needs to look like.

Traditional vulnerability management was designed for a threat environment where the exploitation window was measured in weeks to months. A vulnerability would be disclosed. Researchers and security vendors would develop detection signatures. Attackers would develop exploit code. The enterprise would run a scan, identify affected systems, prioritise by CVSS score, open remediation tickets, and work through the queue. The cycle was slow and manual, but the exploitation timeline was slow enough that moving through a 60-day remediation queue for critical vulnerabilities was, while imperfect, broadly defensible.

AI-assisted exploit development has invalidated that timing assumption at every step of the chain. The same AI tools that security researchers use to accelerate vulnerability analysis are available to threat actors who use them to compress the time between CVE disclosure and working exploit code from weeks to hours. The 2022 baseline of nine months average time-to-exploit was already pressuring traditional vulnerability management timelines. The 2026 reality of hours-to-exploit makes those timelines indefensible for any organisation that operates under meaningful threat pressure.

The scanner signature lag compounds the problem in a specific way. Scanners detect vulnerabilities by matching observed system characteristics against known signatures: signatures that vulnerability researchers and scanner vendors develop after a CVE is published and after they have had time to analyse the affected software and build detection logic. That development process takes days even when executed quickly. For the vulnerabilities that attackers prioritise (the ones with high impact, exploitable remotely, present in widely deployed software), the 5.1-day average scanner lag documented in Cogent’s research means that the highest-priority vulnerabilities are the ones least likely to be detected during the window when exposure is most acute.

Vineet Edupuganti, Cogent’s co-founder and CEO, characterised the consequence directly: when a new CVE can be weaponised in hours, a four-day detection cycle and a 60-day remediation cycle carry a different kind of risk than they did two years ago. That is not an argument for marginal improvement. It is an argument for an order-of-magnitude change in how fast detection and remediation need to operate, and the 100x speed improvement Cogent describes for its customers reflects that order-of-magnitude ambition rather than incremental optimisation.

Zero Day Response – Detection Before the Scanner Has Coverage

The first of Cogent’s two new capabilities addresses the front end of the vulnerability management timeline: the detection gap that exists between disclosure and scanner coverage.

Zero Day Response identifies new vulnerabilities across an enterprise within minutes of initial disclosure. The mechanism is fundamentally different from signature-based scanning because it does not wait for a signature to be developed. Instead of scanning systems against a database of known vulnerability patterns, it ingests intelligence from multiple sources (formal CVE advisories, pre-CVE disclosures, vendor security advisories, and supply chain attack notifications) and cross-references new disclosures against the customer’s complete software inventory in real time.

The cross-reference approach is what enables the speed advantage over traditional scanning. A scanner that needs to match a system observation against a vulnerability signature requires the signature first. An inventory-based approach that matches a newly disclosed vulnerability description against a known-good software inventory can identify exposure as soon as the disclosure exists: before any signature has been developed, before any scanner has been updated, and before the 5.1-day average lag window has opened.

Every finding is scored against the customer’s actual environment rather than abstract CVSS severity ratings, which addresses a second significant limitation of traditional vulnerability management. CVSS scores reflect the theoretical severity of a vulnerability in isolation. They do not reflect whether the affected software is present in the customer’s environment, whether the affected version is deployed on internet-facing systems or internal infrastructure, whether compensating controls exist, or whether the specific vulnerability class is relevant to the customer’s threat model. Scoring against the actual environment produces prioritisation that reflects genuine risk rather than theoretical severity, directing remediation effort where exposure is real rather than where CVSS scores are highest.
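The inventory cross-reference and environment-based scoring described above can be sketched as follows. This is an added example, not Cogent's code or scoring model: the advisory id, product names, hosts and score weights are all constructed for illustration.

```python
from dataclasses import dataclass

def vtuple(v):
    """Parse a dotted numeric version ('2.4.10') into a tuple that compares numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    ident: str             # constructed placeholder id, not a real advisory
    product: str
    fixed_in: str          # first version that is not affected
    introduced: str = "0"  # first affected version

@dataclass
class Asset:
    host: str
    packages: dict         # product name -> installed version
    internet_facing: bool = False
    compensating_control: bool = False
    criticality: int = 1   # assumed scale: 1 (lab) to 3 (production)

def is_affected(adv, installed):
    return vtuple(adv.introduced) <= vtuple(installed) < vtuple(adv.fixed_in)

def environment_score(asset):
    """Illustrative weights only: exposure and criticality raise the score, a control lowers it."""
    score = asset.criticality * 2 + (4 if asset.internet_facing else 0)
    score -= 3 if asset.compensating_control else 0
    return max(score, 1)

def exposures(adv, inventory):
    """Return (host, installed version, score) for every affected asset, highest score first."""
    hits = [(a.host, a.packages[adv.product], environment_score(a))
            for a in inventory
            if adv.product in a.packages and is_affected(adv, a.packages[adv.product])]
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample data: one advisory, five inventory records.
ADVISORY = Advisory("EXAMPLE-ADV-0001", "examplehttpd", fixed_in="2.4.10", introduced="2.0.0")
INVENTORY = [
    Asset("edge-proxy-1", {"examplehttpd": "2.4.9"}, internet_facing=True, criticality=3),
    Asset("build-agent-7", {"examplehttpd": "2.4.2"}),
    Asset("intranet-wiki", {"examplehttpd": "2.4.9"}, compensating_control=True, criticality=2),
    Asset("patched-web-2", {"examplehttpd": "2.4.10"}, internet_facing=True, criticality=3),
    Asset("db-primary", {"exampledb": "9.1.0"}, criticality=3),
]

for row in exposures(ADVISORY, INVENTORY):
    print(ADVISORY.ident, *row)
```

The match needs no scanner signature, only an accurate inventory and numeric version comparison; comparing the version strings directly would rank 2.4.9 above 2.4.10 and miss the exposed hosts.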

The coverage extension to pre-CVE disclosures and supply chain attacks addresses the disclosure channels that formal CVE tracking misses. Vulnerabilities that are disclosed through vendor advisory channels before receiving CVE assignment, and supply chain compromise notifications that indicate compromised dependencies rather than traditional software vulnerabilities, represent real exposure that appears in the intelligence signals that Cogent ingests before they appear in the CVE database that scanner-based approaches depend on.

Autonomous Remediation – From Detection to Confirmed Fix

The second capability addresses the back end of the vulnerability management timeline: the remediation execution gap that keeps the 60-day average alive even after vulnerabilities are detected and prioritised.

Autonomous Remediation builds a contextualised remediation plan for each vulnerability based on the specific asset and the fix that will resolve the risk fastest. The contextualisation is the element that distinguishes this from automated patch deployment tools that apply fixes uniformly regardless of the specific environment characteristics that make the same patch appropriate for one system and disruptive for another.

Before any remediation action executes, the system runs a pre-flight impact assessment that flags disruption risk, reboot requirements, and business impact for the specific asset in the specific environment. A patch that requires a reboot behaves differently on a development server than on a production database with active transaction load. A configuration change that closes a vulnerability in a standalone application may break integrations in a complex microservices environment. The pre-flight assessment surfaces these considerations before execution, giving security teams the information they need to decide whether autonomous execution is appropriate for the specific remediation action in the specific context.

The policy control model reflects a sophisticated understanding of the risk tolerance variation that exists within enterprise environments. Security teams can configure the level of autonomy the AI applies based on system criticality: full human approval for critical production systems where unexpected disruption carries significant business consequences, and fully autonomous execution for lower-priority environments where speed matters more than caution. That policy flexibility allows organisations to get the speed benefits of autonomous remediation in the environments where speed is the priority, while maintaining human oversight in the environments where the consequences of an unexpected disruption justify the approval overhead.

The confirmation requirement is the element that distinguishes genuine remediation from remediation theatre. Autonomous Remediation treats a remediation as incomplete until the fix is independently confirmed, verifying that the vulnerability is actually resolved rather than treating a successful patch deployment as synonymous with successful vulnerability closure. Patches that deploy without closing the underlying vulnerability, configuration changes that address the symptom without the root cause, and mitigations that reduce but do not eliminate exposure are all identified through the confirmation process rather than being counted as closed in the remediation queue.
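The pre-flight assessment, per-tier autonomy policy and independent confirmation described in this section fit together as a small gate. The following is an added sketch, not Cogent's implementation: the tier names, flag names, the rule that a reboot under active load blocks autonomous execution, and the hosts and versions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy: which criticality tiers may be remediated without human approval.
AUTONOMY_POLICY = {"critical-prod": False, "standard": True, "dev": True}

@dataclass
class Plan:
    host: str
    tier: str
    needs_reboot: bool
    active_sessions: int   # constructed stand-in for business load

def preflight(plan):
    """Return the disruption flags a reviewer would want to see before execution."""
    flags = []
    if plan.needs_reboot:
        flags.append("reboot-required")
    if plan.active_sessions > 0:
        flags.append("active-load")
    return flags

def may_run_autonomously(plan, flags):
    """Unknown tiers fail closed; a reboot under active load always goes to a human."""
    disruptive = "reboot-required" in flags and "active-load" in flags
    return AUTONOMY_POLICY.get(plan.tier, False) and not disruptive

def remediate(plan, deploy, verify, approved=False):
    """deploy() applies the fix; verify() re-checks the host and is the only path to 'closed'."""
    flags = preflight(plan)
    if not (approved or may_run_autonomously(plan, flags)):
        return "awaiting-approval", flags
    deploy()
    return ("closed" if verify() else "deployed-unconfirmed"), flags

def demo():
    """Constructed scenario: the fixed version is 1.1 and every host starts on 1.0."""
    installed = {"dev-box": "1.0", "app-7": "1.0", "db-prod": "1.0"}
    patch = lambda h: (lambda: installed.__setitem__(h, "1.1"))
    noop = lambda h: (lambda: None)   # installer reports success but changes nothing
    check = lambda h: (lambda: installed[h] == "1.1")
    return {
        "dev-box": remediate(Plan("dev-box", "dev", False, 0), patch("dev-box"), check("dev-box"))[0],
        "app-7": remediate(Plan("app-7", "standard", False, 3), noop("app-7"), check("app-7"))[0],
        "db-prod": remediate(Plan("db-prod", "critical-prod", True, 40), patch("db-prod"), check("db-prod"))[0],
    }

print(demo())
```

The `app-7` case is the one the confirmation step exists for: the deployment step returns without error, yet the finding stays open because the independent check still sees the old version.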

The 2 AM Advisory Scenario – What Connected Detection and Remediation Actually Enables

Cogent’s description of the connected detection-to-remediation flow deserves attention because it illustrates what the combined capability actually changes about how security programs operate against the current threat timeline.

A vendor advisory published at 2 AM, the scenario Cogent uses to illustrate the capability, is not an unusual occurrence. Vendors publish security advisories outside business hours, vulnerability researchers disclose findings on their own schedules, and the threat actors monitoring the same disclosure channels are not operating on a Monday-through-Friday nine-to-five cadence.

Under traditional vulnerability management, a 2 AM advisory enters a queue. The security team reviews it in the morning. The affected systems are identified through the next scheduled scan. The vulnerability is scored and prioritised. A remediation ticket is created. The ticket works through the remediation queue. The vulnerability is closed sometime within the 60-day average window, during which the exploit that may have existed before the advisory was published has been available to attackers continuously.

Under Cogent’s connected flow, the advisory triggers automatic ingestion, cross-reference against the software inventory, exposure identification, risk scoring against the actual environment, remediation plan development, pre-flight impact assessment, and, for systems configured for autonomous execution, remediation deployment and confirmation before the security team’s morning standup. The security team begins their day with visibility into what was disclosed, what was exposed, and what has already been addressed, rather than with a disclosure they need to evaluate and a remediation process they need to initiate.

Across thousands of findings over weeks and months, the compression of mean time to remediate from weeks to minutes is not a single-event performance achievement. It is a sustained change in the security program’s baseline response posture, operating systematically at a speed that matches the compressed attacker timelines rather than the historical timelines that the traditional remediation queue was designed for.

The Business Case for 100x Speed Improvement

Vulnerability management program owners making the case for investment in capabilities that compress remediation timelines face a specific challenge: the cost of moving faster is visible and immediate, while the cost of moving at current speed is probabilistic and deferred.

Cogent’s research provides the quantification that makes the probabilistic cost concrete. A 62% probability that a critical vulnerability with a known exploit is being actively targeted before any scanner detects it is not a tail risk scenario. It is the expected condition for most of the vulnerabilities that matter most. A 5.1-day scanner lag combined with a 60-day remediation cycle creates a 65-day window of exposure for the average critical vulnerability: 65 days during which the exploit that attackers have and scanners cannot detect could be used against any organisation that has not independently identified and closed the exposure.

The business impact quantification that Cogent’s pre-flight assessment produces before remediation execution provides the complementary economic argument: not just the cost of remaining exposed, but the disruption risk associated with moving faster. Organisations that have historically moved slowly on remediation often do so because the risk of unexpected disruption from aggressive patching is visible and attributable to the security team, while the risk of remaining vulnerable is less visible until exploitation occurs. The pre-flight impact assessment makes both sides of that risk trade-off visible before action, enabling informed decisions about remediation timing rather than defaulting to slow remediation as a way of managing disruption risk.

What This Signals for the Vulnerability Management Market

The Cogent launch is a product announcement, but it carries a market signal that vulnerability management program owners and security leaders should examine beyond the specific capabilities being introduced.

The vulnerability management market has been built around a detection-first model where scanners identify exposure and human-speed remediation processes close it. That model was adequate for the threat environment it was designed for. The AI-assisted exploit development that has compressed attacker timelines to hours has made it inadequate, not gradually but abruptly enough that 2022 baselines are genuinely obsolete as reference points for what acceptable vulnerability management performance looks like.

The capability direction that Cogent’s launch reflects (AI-native detection that does not depend on scanner signatures, autonomous remediation that executes without human processing at every step, and confirmation that verifies actual vulnerability closure rather than counting deployment success) is the direction that the threat environment is demanding from vulnerability management programs regardless of which vendor delivers it.

Organisations that are evaluating their vulnerability management program against 2022 performance baselines, treating 60-day remediation cycles as acceptable for critical vulnerabilities and scanner-based detection as sufficient for identifying exposure, are measuring their program against a threat environment that no longer exists. The attacker timeline that their program needs to beat is hours, not months. The detection lag they are accepting is 5.1 days during the window of highest exploitation probability.

The math has changed. The programs that do not change with it are accepting a level of exposure that the previous math did not create.

Research and Intelligence Sources: Cogent Security
